Your logon form posts to HTTPS, but you blew it when you loaded it over HTTP
Here's an often-held conversation between concerned website user and site owner:
User: "Hey mate, your website isn't using SSL when I enter my password, what gives?!"
Owner: "Ah, but it posts to HTTPS so your password is secure! We take security seriously. Our measures are robust." (and other random, unquantifiable claims)
Loading logon forms over HTTP renders any downstream transport layer security almost entirely useless. Rather than just tell you what's wrong with this, let me show precisely why with a site that implements this pattern. This video is part of a blog post at: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html
Views: 18950 Troy Hunt
Happy birthday! Now anyone can login to your Betfair account
Following a very obnoxious response to a concerned customer, I thought I'd take a look at just what's needed to login to a Betfair account. Turns out you can simply reset the password with an email address and a birth date and that's it - you're in! This video is part of a blog post at http://www.troyhunt.com/2015/04/happy-birthday-now-anyone-can-login-to.html
Views: 34982 Troy Hunt
Here's Why Your Static Website Needs HTTPS
This is part of the blog post at https://www.troyhunt.com/heres-why-your-static-website-needs-https
Views: 11928 Troy Hunt
Weekly update 1
The corresponding blog post and notes are over at https://www.troyhunt.com/weekly-update-1
Views: 3581 Troy Hunt
How I got XSS'd by my ad network
Recorded by a friend who found my ad network was serving content from a resource at risk of XSS. Full blog post is here: http://www.troyhunt.com/2015/07/how-i-got-xssd-by-my-ad-network.html
Views: 11535 Troy Hunt
Here's why you can't trust SSL logos on HTTP pages (even from SSL vendors)
A couple of days ago I wrote about Why I am the world's greatest lover (and other worthless security claims) and it really seemed to resonate. In short, whacking a seal on your website that talks about security awesomeness in no way causes security awesomeness. So let's check out exactly what's going on here and you really need video to understand the fatal flaw in the logic of SSL logos coming down over HTTPS. This video is part of a blog post at: http://www.troyhunt.com/2013/05/heres-why-you-cant-trust-ssl-logos-on.html
Views: 7318 Troy Hunt
The Australian Taxation Office scam call
This is part of a blog post at: http://www.troyhunt.com/2016/03/the-australian-taxation-office-scam-call.html
Views: 17298 Troy Hunt
Exploiting XSS: What Tesco doesn't understand about web security (but you probably should)
Cross site scripting (XSS) is one of those website vulnerabilities that a lot of people don't seem to take too seriously. Certainly Tesco didn't when I passed on information which was privately shared with me so I thought a little demo on a sample site would be a good illustration of why one of the web's most prevalent security risks really needs to be taken seriously. This video is part of a blog post located at http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html
Views: 16865 Troy Hunt
5 minute wonders: The ASP.NET membership provider
The ASP.NET membership provider makes implementing registration and login features in .NET apps an absolute breeze. It does it quickly, securely and it's genuinely only a 5 minute job. The related blog post can be found here: http://www.troyhunt.com/2011/10/5-minute-wonders-aspnet-membership.html
Views: 32985 Troy Hunt
Weekly update 6
The corresponding blog post and notes are over at https://www.troyhunt.com/weekly-update-6/
Views: 1675 Troy Hunt
Weekly update 4
The corresponding blog post and notes are over at https://www.troyhunt.com/weekly-update-4
Views: 1588 Troy Hunt
Understanding CSRF, the video tutorial edition
This is part of a blog post of the same name here: https://www.troyhunt.com/understanding-csrf-video-tutorial/
Views: 42116 Troy Hunt
Weekly update 3
The corresponding blog post and notes are over at https://www.troyhunt.com/weekly-update-3
Views: 1587 Troy Hunt
Weekly update 50
It's spring! Dodgeball injury, Melbourne workshop, MASSIVE spam list, Symantec Norton Secured sponsoring https://www.troyhunt.com/weekly-update-50/
Views: 1423 Troy Hunt
Weekly update 10
The corresponding blog post and notes are over at https://www.troyhunt.com/weekly-update-10/
Views: 1321 Troy Hunt
Weekly update 5
The corresponding blog post and notes are over at https://www.troyhunt.com/weekly-update-5
Views: 1897 Troy Hunt
Scammers keep scamming
Same old scam, same old tools used to exploit it and same old clueless operators who get pretty cranky once they realise they're not going to be able to steal anything from you. Warning: By the end it all descends into “creative” suggestions of how I can better enjoy my own company.
Views: 19619 Troy Hunt
Weekly update 9
The corresponding blog post and notes are over at https://www.troyhunt.com/weekly-update-9/
Views: 1176 Troy Hunt
Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I've become so attached to. I was running my usual “Hack Yourself First” workshop which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about. I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting. This video is part of a blog post at http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
Views: 109097 Troy Hunt
Alfresco UniFi Install - Behind the Scenes
This is a casual background video showing the Alfresco restaurant and the environment in which Ubiquiti's UniFi equipment was installed. The equipment was provided by Ubiquiti as part of a course I created for them which is now freely available online and is introduced here: https://www.troyhunt.com/heres-what-this-ubiquiti-unifi-stuff-is-all-about/
Views: 6931 Troy Hunt
"Type www." -- "Ok, w-w-w-d-o-t"; antagonising call centre scammers
Follow me on Twitter @troyhunt for more scammer updates. I continue to be plagued by call centres phoning up and attempting to convince me I have viruses on my PC. This problem appears to be occurring all over the world and their offshore base means there's very little any local authorities in Australia or other countries can do to prevent it. I've previously captured the scam in a couple of other videos on this channel, this time I thought I'd give them a go at my Windows 8 Consumer Preview virtual machine. Once I got to the second operator at the 29 minute mark (after I'd already disconnected the network), I decided it was time to turn the tables and antagonise them for a change. The related blog post can be found here: http://www.troyhunt.com/2012/04/type-www-ok-w-w-w-d-o-t-antagonising.html
Views: 359048 Troy Hunt
Weekly update 57
South Africa "Master Data", Pluralsight & IoT, HTTPS "Happy Path", Barkly Sponsoring https://www.troyhunt.com/weekly-update-57/
Views: 4113 Troy Hunt
Weekly Update 69 (Boat Edition)
Last Day in the Sun, Travel is Hard, Indian Aadhaar System, Gold Security Sponsoring https://www.troyhunt.com/weekly-update-69/
Views: 936 Troy Hunt
5 minute wonders: Finding lazy loading nasties with ANTS Profiler
Identifying the n+1 lazy loading condition is dead simple with ANTS Performance Profiler. This video is part of a blog post at: http://www.troyhunt.com/2013/02/5-minute-wonders-finding-lazy-loading.html
Views: 3586 Troy Hunt
Weekly Update 70 (NDC London Edition)
I'm at NDC London, Data Breach Disclosure, Tech Fabric Sponsoring https://www.troyhunt.com/weekly-update-70/
Views: 1073 Troy Hunt
Scamming the scammers -- catching the virus call centre scammers red-handed
Follow me on Twitter @troyhunt for more scammer updates. Ever have one of those calls from the other side of the world where the person at the other end of the phone claims your PC has got a virus and they can fix it up for you? I had one recently and played along with the operator while recording the episode, right up until they want to take remote control of the machine. But it left me wondering; what happens once they get control? So I decided to call them back and let them do *whatever* they wanted while recording both screen and audio. The related blog post can be found here: http://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html
Views: 1144399 Troy Hunt
Bloody galah scammers still not getting the message
As viewers will know by now, I'm not real fond of virus call centre scammers. You know, the ones who call you up while you're making dinner or bathing the kids and tell you they're from Microsoft and that your PC is infected with blah blah polymorphic blah? There's a bunch of material on this channel already where I've captured the experience and shared it for fun and education. Thing is, the bloody galahs keep calling me so I worked out a little scenario for them... In this latest call from only a couple of hours ago I allow them into my "Scammer Honeypot" virtual machine decked out with Crocodile Dundee wallpaper (you know -- "That's not a knife, this is a knife") and a nice array of Aussie wildlife noises to keep things interesting. Problem is those bloody dingos kept pulling out the ethernet cable so every time the scammers got control things would drop out shortly after. Plus an array of angry cockatoos, loud-mouthed kookaburras and a pissed off koala (may have been a drop bear) keep things interesting for my new mates from Calcutta. Enjoy :) There is an associated blog post here: http://www.troyhunt.com/2013/07/bloody-galah-scammers-still-not-getting.html
Views: 33726 Troy Hunt
Weekly update 16
The corresponding blog post and notes are over at: https://www.troyhunt.com/weekly-update-16/
Views: 868 Troy Hunt
Weekly update 22 (Golden Gate Bridge edition)
RSA, Best blog post of 2016, Microsoft Ignite, Qantas and HTTPS, AUS mandatory disclosure, Netsparker https://www.troyhunt.com/weekly-update-22/
Views: 1037 Troy Hunt
Weekly update 17
The corresponding blog post and notes are over at: https://www.troyhunt.com/weekly-update-17/
Views: 1001 Troy Hunt
Hacking is child's play - SQL injection with Havij by 3 year old
Find me on Twitter @troyhunt You know what really strikes me about a lot of the hacks we've seen lately? It just seems too easy. I mean we're seeing a huge number of attacks (an unprecedented number, by some figures) and all too often the perpetrator is a kid. I don't mean that in a relative fashion to myself as I get older, I mean literally a child. The problem, of course, is that many of these "hacks" have become simple point and shoot affairs using freely available tools. In the case of SQL injection, tools such as Havij mean that even if you don't know your indexes from your collations or your UDFs from your DMVs, so long as you can copy and paste a URL you can be an instant "hacker". In fact I reckon it's so easy that even my 3 year old can be a successful hacker. Turns out that's not far from the truth. This video is part of a blog post located at: http://www.troyhunt.com/2012/10/hacking-is-childs-play-sql-injection.html
Views: 149015 Troy Hunt
The world's greatest Azure demo
Thank you to everyone that left such positive feedback on this demo! It was so well-received that I went ahead and turned it into a full-blown Pluralsight course titled "Modernizing Your Websites with Azure Platform as a Service". This is five and a half hours of focussed training specifically on Azure Websites and the Azure SQL Database service. There's a huge amount of content in there not seen in the tutorial here as a bunch of new stuff has launched in the year since this video, there's an all new management portal and, well, it's four times as long! http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure
------------------------
This video is part of a blog post at: http://www.troyhunt.com/2014/03/the-worlds-greatest-azure-demo.html
I do a lot of demos. I write a lot of blog posts. Thing is though, none of them really sell the whole Azure picture; the BIG picture. The superdemo was designed to cover as much as possible in one hour. (Ok, it wouldn't all fit in an hour so you get an hour twenty something.) It's the demo for people who don't quite know what this Azure thing is and probably aren't quite up to speed on the whole cloud idea either. This is an hour and a bit of barely-edited "making real stuff happen" back-to-back demos of the important things you need to understand about websites, VMs and SQL Azure.
Views: 363918 Troy Hunt
Scammer identifies "viruses" in a brand new Windows Azure VM then asks for porn
I thought I'd seen it all when it comes to cold call virus scammers, you know, the guys who call you up from "Windows" because they've had reports of viruses from your machine? I've recorded their audio, recorded their video, antagonised them, interviewed one of the blokes behind it, tried to convince them I was Dutch and even convinced them that I was Mick Dundee. But this was the first time one of them asked me to buy him porn. After showing it to me. The whole thing was recorded (and appropriately censored) and is available for your education and amusement here. For those that don't want to sit through the entire thing, the key points in the timeline are:
06:30 -- Got through to the first scammer
23:00 -- They take remote control of the machine
52:30 -- They ask for my personal info
56:30 -- I pull the pin on the facade
1:03:30 -- It all descends into porn
There is an associated blog post here: http://www.troyhunt.com/2014/01/scammer-identifies-viruses-in-brand-new.html
Views: 202709 Troy Hunt
HTTPS Is Easy Part 1: Adding HTTPS
Let's start by getting HTTPS configured on the site and all non-secure requests redirecting to the secure scheme. https://httpsiseasy.com/
Views: 4789 Troy Hunt
Weekly Update 98
Fashion Nexus Breach; GitHub and Pwned Passwords; Cloudflare Caching on Free Plans; Updates to “Why no HTTPS”; The Reddit breach; Sponsored by Tech Fabric https://www.troyhunt.com/weekly-update-98/
Views: 870 Troy Hunt
Understanding the risk of mixed content warnings
Ever see one of those "mixed content" warnings in the browser? You know, the ones on an HTTPS page that either tell you some content wasn't loaded or you need to explicitly opt into it? Here's what it's all about and ironically it's the Social Security Administration's fraud report page which demonstrates the risk. This video is part of a blog post located at: http://www.troyhunt.com/2013/06/understanding-risk-of-mixed-content.html
Views: 7115 Troy Hunt
Weekly update 15 (the poolside edition)
The corresponding blog post and notes are over at: https://www.troyhunt.com/weekly-update-15/
Views: 1123 Troy Hunt
Discovering Mobile App Traffic
You know how all those apps on your phone talk to stuff on the web? All of that is easily discovered, intercepted and manipulated. Here's a walkthrough of how to get started and the sort of stuff you can find just by looking at how your apps are talking to the web. This is part of a blog post that you can find here: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html
Views: 5116 Troy Hunt
Understanding account enumeration, the video tutorial edition
This is part of a blog post of the same name here: https://www.troyhunt.com/understanding-account-enumeration-the-video-tutorial-edition
Views: 4758 Troy Hunt
Weekly Update 83
Thread Hijacking is Spam, New Pluralsight Course, Is Enumeration Hacking, Terbium Labs Sponsoring https://www.troyhunt.com/weekly-update-83/
Views: 769 Troy Hunt
Weekly Update 92
European Trip Done; Workshops by Scott; MyHeritage Data Breach; 15k Requests per Second on Report URI; Estonian Police and HIBP; Big News Next Week! Sponsored by Tech Fabric https://www.troyhunt.com/weekly-update-92/
Views: 585 Troy Hunt
Strawberrynet privacy insanity
This video is part of a blog post at https://www.troyhunt.com/strawberrynet-privacy-insanity/
Views: 5793 Troy Hunt
Weekly Update 63 (US Congress Edition)
I’ve just spoken in front of Congress. Whoa. https://www.troyhunt.com/weekly-update-63/
Views: 1961 Troy Hunt
HTTPS Is Easy Part 4: Encrypting Everything
Secure all the traffic not just between the browser and Cloudflare, but all the way back to the server. https://httpsiseasy.com/
Views: 1974 Troy Hunt
HTTPS Is Easy Part 2: Optimising HTTPS
Let's now configure HTTPS to be as secure as possible, surpassing "bank grade security" in just a few clicks. https://httpsiseasy.com/
Views: 2754 Troy Hunt
HTTPS Is Easy Part 3: Fixing Insecure References
Insecure references in the HTML can take away browser indicators and put users at risk - let's fix them! https://httpsiseasy.com/
Views: 1943 Troy Hunt
Weekly Update 73
Upcoming Events, Pwned Passwords, Minimum Password Lengths, Gold Security Sponsoring https://www.troyhunt.com/weekly-update-73/
Views: 669 Troy Hunt
Weekly Update 72
Coders' Oath, "The Dark Web", Scott & Workshops, CSP on troyhunt.com, DigiCert Sponsoring https://www.troyhunt.com/weekly-update-72/
Views: 984 Troy Hunt
5 minute wonders: From zero to hero with AppHarbor
AppHarbor is one of the hottest things to hit .NET since, well, just about ever. It packages up the entire app lifecycle of source control, build, deployment and hosting and makes it dead simple; in fact it couldn't be easier. It then adds a comprehensive collection of add-ons to do everything from persisting data (MS SQL, MySQL, MongoDB) to caching services (Memcacher) to load testing (blitz). Here's how to get up and running in only 5 minutes flat. The related blog post can be found here: http://www.troyhunt.com/2011/10/5-minute-wonders-from-zero-hero-with.html
Views: 11244 Troy Hunt
The security futility that is embedding secure login forms within insecure pages
I've been writing a bunch of content around HTTPS lately and recording videos to demonstrate the ease with which insecure implementations of SSL can be broken. For example, there was the piece on why you can't trust SSL logos, then how loading login forms over HTTP but posting to HTTPS is pointless and most recently, why those mixed content warnings mean easy pickings for attackers on the transport layer. All of these involve working demonstrations against real sites that just don't quite get HTTPS. Today's example is about what happens when a login page is loaded securely, albeit embedded within an insecure page. This is a common security anti-pattern and you'll see it on many sites. The example in the video is from Countdown in New Zealand but again, there are countless others out there. Take a look at the video then refer to the associated blog post if you'd like to see the detail of how the attack was mounted: http://www.troyhunt.com/2013/06/the-security-futility-that-is-embedding.html
Views: 5421 Troy Hunt