Have I Been Pwned (with Troy Hunt)
Advanced Persistent Security Podcast
Guest: Troy Hunt
September 19, 2016
If you enjoy this podcast, be sure to give us a 5 Star Review and “Love Us” on iTunes; Like us on Google Play, Stitcher, SoundCloud, Spreaker, and YouTube.
NOTE: The opinions expressed in this podcast are ours alone and do not reflect those of our employers
Have I Been Pwned (with Troy Hunt) Show Notes
I introduced Troy and he discussed his background. We discussed Intel selling McAfee; Troy does not see any major impact on the anti-malware landscape. Joe talks about the decline of anti-virus and the rise of Endpoint (Incident) Detection and Response (EDR/IDR) software. Troy mentions User Behavior Analytics (UBA), the resurgence we are seeing, and why. We then moved on to a discussion about President Obama appointing a CISO for the United States. Troy talks about the level of relevance this puts on Information and Cyber Security and how it ties into Critical Infrastructure.
In terms of Critical Infrastructure, we discussed the problems with voter registration databases not being considered “protected information.” We transition to further discussion of the Filipino election commission and Australian census attacks. We discussed how and why people around the age of 16 are successful in conducting cyber attacks.
We delve into how and why Troy created Have I Been Pwned. Troy was working to determine trends in data breaches. He reveals that he actually wrote most of it on a plane to the Philippines. He talks about flagging sensitive accounts and requiring verification before showing whether a user appears in certain breaches, like Ashley Madison or Brazzers. Troy reveals that he uses donations to keep Have I Been Pwned running. Troy talks about how he uses OSINT to discover information for Have I Been Pwned.
Troy tells Joe about the Dropbox data leak. He reiterates that it is a “mega leak” and talks about the correlation between it and the Tumblr, Myspace, and LinkedIn leaks, also from 2012. He discusses the differences in the hashing algorithms used in the Dropbox leak, and how hard some hashes were to break while others were incredibly simple. Troy reveals that someone tried to DDoS his site.
The conversation transitions to a discussion about password managers/vaults and Troy’s thoughts on the NIST password recommendations. We vent about issues with passwords on websites and design errors such as length discrepancies and restricting characters. We discuss the Brazzers leak and transition to talking about bug bounties.
Troy Hunt is an Australian Microsoft Regional Director and also a Microsoft Most Valuable Professional for Developer Security. He does not work for Microsoft, but they’re kind enough to recognize his community contributions by way of their award programs, of which he has been an awardee since 2011. Troy gets to interact with some fantastic people building their best products and then share what he knows about creating secure applications for the web with the broader community.
Troy is a Pluralsight author of many top-rating courses on web security and other technologies. There’s no better way to get up to speed on a topic quickly than through professional training that you can take at your own pace. As both an author and a student, Troy has nothing but positive things to say about the breadth and quality of Pluralsight courses.
For fourteen years prior to going fully independent, Troy worked at Pfizer, with the last seven years spent responsible for application architecture in the Asia Pacific region. Time spent in a large corporate environment gave Troy huge exposure to all aspects of technology as well as the diverse cultures his role spanned. Many of the things Troy teaches in post-corporate life are based on these experiences, particularly as a result of working with a large number of outsourcing vendors across the globe. For more corporatey background, there’s always his LinkedIn profile.
About Have I been pwned
One of the key projects Troy is involved in today is Have I been pwned? (HIBP), a free service that aggregates data breaches and helps people establish if they’ve been impacted by malicious activity on the web. As well as being a useful service for the community, HIBP has given Troy an avenue to ship code that runs at scale on Microsoft’s Azure cloud platform, one of the best ways we have of standing up services on the web today.
Thanks for stopping by and checking out our podcast. We would appreciate it if you could subscribe (assuming you like what you hear; we think you will). This is meant to be informative and to provide value to anyone who listens, regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
If you have ANY Cybersecurity needs, please contact us and a member of our staff will promptly reply to your question or concern.