Podcast appearances and mentions of scott helme

  • 15 podcasts
  • 27 episodes
  • 43m average duration
  • Infrequent episodes
  • Latest: Dec 25, 2024




Latest podcast episodes about scott helme

Troy Hunt's Weekly Update Podcast

Live with Scott Helme from an *epic* cabin in the Norwegian mountains; Sponsored by 1Password
https://www.troyhunt.com/weekly-update-431/

GOTO - Today, Tomorrow and the Future
Mastering Web Security: Myths, Strategies & More! • Scott Helme & Sebastian Brandes

Jun 21, 2024 | 32:29 | Transcription available


This interview was recorded at GOTO Copenhagen for GOTO Unscripted. http://gotopia.tech
Scott Helme - Security Researcher, Hacker & Founder of Report URI & Security Headers
Sebastian Brandes - Senior Principal Product Manager at F5

RESOURCES
Scott: https://twitter.com/Scott_Helme, https://linkedin.com/in/scotthelme, https://scotthelme.co.uk, https://github.com/ScottHelme
Sebastian: https://twitter.com/br4ndes, https://www.linkedin.com/in/sebastianbk, https://github.com/sebastianbk

Links
Sebastian: https://youtu.be/BX0TVzHOJgQ, https://crawler.ninja, https://docs.report-uri.com/setup/wizard
Scott: https://youtu.be/K9MwaSRdA94, https://research.checkpoint.com/2019/hacking-fortnite
Troy: https://youtu.be/pxPEdUFdayA
Jim: https://youtu.be/nvzMN5Z8DJI
Scott pt. 1: https://youtu.be/zvCXUozuI2A
Scott pt. 2: https://youtu.be/8PlCfYflz_A

DESCRIPTION
Get deep into the realm of application security, debunking myths around filters and emphasizing the power of a comprehensive defense strategy. Sebastian Brandes and Scott Helme share practical tips, highlight valuable resources, and underscore the critical role of organizational commitment in securing applications effectively. Watch this interview to revamp your security approach with their actionable insights!

RECOMMENDED BOOKS
Liz Rice • Container Security
Andy Greenberg • Tracers in the Dark
Thomas J. Holt, Adam M. Bossler & Kathryn C. Seigfried-Spellar • Cybercrime and Digital Forensics
Aaron Parecki • OAuth 2.0 Simplified
Erdal Ozkaya • Cybersecurity: The Beginner's Guide

Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket: gotopia.tech

RunAs Radio
Upgrading TLS with Scott Helme

Mar 6, 2024 | 48:52


Have you upgraded to TLS 1.3? While at NDC in London, Richard chatted with Scott Helme about his work moving companies onto the latest version of TLS. But do you need to? Scott talks about how SSL 2 and 3 were used until they were broken by the black hats, leading to a panic to update quickly. While there is no evidence that TLS 1 and 1.1 are breached, they are already deprecated - and are slower than the later versions. Want a performance boost? Move to TLS 1.3!

Links
• Keybase API Root Certificate Expiry
• Let's Encrypt
• Brownout Notice at GitHub
• When Logging Causes Security Incidents
• Deprecation SHA-1
• Google Post Quantum Encryption

Recorded February 1, 2024

GOTO - Today, Tomorrow and the Future
Traceable Cryptocurrencies & Cryptojacking • Andy Greenberg & Scott Helme

Mar 1, 2024 | 44:34 | Transcription available


This interview was recorded at GOTO Copenhagen for GOTO Unscripted. http://gotopia.tech
Andy Greenberg - Author of "Sandworm" & "Tracers in the Dark" and Award-winning Senior Writer for WIRED
Scott Helme - Security Researcher, Hacker and Founder of Report URI & Security Headers

RESOURCES
Andy: https://twitter.com/a_greenberg, https://linkedin.com/in/andygreenbergjournalist, https://andygreenberg.net, https://www.wired.com/author/andy-greenberg, https://infosec.exchange/@agreenberg, @agreenberg.bksy.social
Scott: https://twitter.com/Scott_Helme, https://linkedin.com/in/scotthelme, https://scotthelme.co.uk, https://github.com/ScottHelme

DESCRIPTION
Andy Greenberg and Scott Helme explore the ever-evolving landscape of cyber crimes, discussing the anonymity of cryptocurrencies, the transition from cryptojacking to ransomware, and the enduring impact of blockchains on the realm of cyber security. They expose some of the most famous cryptojacking attacks of all time and reason about the unlimited potential of crime organizations that leverage cryptocurrencies.

RECOMMENDED BOOKS
Andy Greenberg • Tracers in the Dark
Andy Greenberg • Sandworm
Andy Greenberg • This Machine Kills Secrets
Thomas J. Holt, Adam M. Bossler & Kathryn C. Seigfried-Spellar • Cybercrime and Digital Forensics

Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket: gotopia.tech

Cloud Security Podcast
Cybersecurity Best Practices and Password Security in Cloud and AI

Jan 26, 2024 | 29:59


We caught up with Troy Hunt and Scott Helme at NDC Security Oslo 2024 to talk about best practices when it comes to decoding TLS, password security and data breaches in cloud and AI. Troy Hunt, known for his work with haveibeenpwned.com, spoke to us about the complexities of cloud deployment and the paradox of data input versus privacy risk in Large Language Models (LLMs) and cloud. Scott Helme, a security researcher and founder of securityheaders.com, spoke about the importance of early security training in the development lifecycle for applications built in 2024. We dissected the critical yet often overlooked aspects of cybersecurity in cloud and AI.

Guest Socials: Troy Hunt + Scott Helme
Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels:
• Cloud Security Podcast - YouTube
• Cloud Security Newsletter
• Cloud Security BootCamp

Questions asked:
(00:00) Introduction
(01:37) Evolving Landscape of Password Management
(04:17) Analyzing Data Breach Trends
(05:48) Latest Security Protocols with TLS and Encryption
(08:24) Debating Encryption Key Management
(10:59) AI's Role in Data Breaches
(13:59) Best Practices for Enterprise Password Management
(16:01) Best Practices for Password Management in Small to Medium Sized Businesses
(18:04) Top 5 security best practices
(19:58) Understanding Security Headers
(27:14) The Fun Section

Troy Hunt's Weekly Update Podcast

Live from Rome with Scott Helme; Blaming Users for Password Reuse; Controlling Deleted Email Addresses; Controlling Lapsed Domains; Sponsored by Kolide
https://www.troyhunt.com/weekly-update-381/

Troy Hunt's Weekly Update Podcast

We're live from Paris with Scott Helme! Sponsored by Kolide
https://www.troyhunt.com/weekly-update-380/

ASecuritySite Podcast
An Interview with Scott Helme

Jul 21, 2023 | 58:22


Scott Helme is a Security Researcher, Entrepreneur and International Speaker. He is the creator of the Report URI and Security Headers websites. More details: https://scotthelme.co.uk/

We Hack Purple Podcast
We Hack Purple Podcast Episode 72 with Scott Helme AGAIN

Jun 7, 2023 | 58:50


In episode 72 of the We Hack Purple Podcast, host Tanya Janca brings Scott Helme back on because she just cannot get enough when it comes to security headers! You can watch and listen to his first episode here (https://wehackpurple.com/podcast/episode-69-with-scott-helme/). In this episode we focus on the “new” security headers from Scott's great blog article where he first introduced the public to them (https://scotthelme.co.uk/coop-and-coep/). The new security headers focus on protecting us from side-channel attacks like Spectre and Meltdown, and we really homed in on how to configure each one, and why we would need or want them. The features are powerful, and we discussed building up to using them, for best results.

Part of the reason that Scott built SecurityHeaders.com was to contribute to solving the problem of ‘how do we get the message out there'. SecurityHeaders.com is an educational tool rather than any kind of definitive or perfect security assessment tool, but it's still incredibly useful. He's working hard to raise awareness, and podcast episodes like this can help. One of the most striking things Scott hears when teaching his and Troy Hunt's ‘Hack Yourself First' course, when they talk about headers like CSP and HSTS, is: “Wow, I didn't know this existed!” There is a huge gap that we need to bridge in security between these things existing, and people knowing they exist and then actually using them. This is a big hurdle for folks like us.

We also talked a bit about how all of these security headers are able to create reports and tell you what's up with your app. Lucky for us, Scott built Report-URI so we can receive those reports with ease! Scott also has another free tool he created, https://crawler.ninja/, where he scans the top 1 million sites every day and looks at various things, including their use of security headers. As an example, you can see this list of sites using a CSP from today: https://crawler.ninja/files/csp-sites.txt. Scott also creates reports using his crawler data showing trends over time and changes in the usage of security features like various security headers: https://scotthelme.co.uk/tag/crawler-report/

Very special thanks to our sponsor: Women's Society of Cyberjutsu! Women's Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023

Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

We Hack Purple Podcast
We Hack Purple Podcast Episode 69 with Scott Helme

Mar 2, 2023 | 31:18


In episode 69 of the We Hack Purple Podcast, host Tanya Janca speaks to the only person on earth who is more excited about security headers than she is: Scott Helme of Report URI! Scott talked about all the different security headers, how some are ‘new', and when and why we would use them. We spoke about why some security headers stopped being used, rogue certificate authorities, and so much more. In fact, at the end, we felt that we didn't get to finish all the things we wanted to say. There was so much more to dive into, meaning this is part 1 of a 2 part episode!

Scott's Bio: Hi, I'm Scott Helme, a Security Researcher, Entrepreneur and International Speaker. I'm the creator of Report URI and Security Headers, and I deliver world renowned training on Hacking and Encryption.

Scott's Links:
https://scotthelme.co.uk
https://report-uri.com/
https://scotthelme.co.uk/tag/crawler-report/
https://crawler.ninja/
https://crawler.ninja/files/csp-sites.txt

Very special thanks to our sponsor: The Diana Initiative! A conference committed to helping all those underrepresented in Information Security: Monday August 7, 2023, In-Person at The Westin Las Vegas Hotel & Spa

Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

Troy Hunt's Weekly Update Podcast

Live From the Norwegian Mountains with Scott Helme; Cookie Warning Craziness; Musk and Twitter; CoinTracker and Gemini Data Breaches; Sponsored by Kolide
https://www.troyhunt.com/weekly-update-326/

Troy Hunt's Weekly Update Podcast

Live from Copenhagen with Scott Helme; Oslo Wedding Celebrations; HIBP's 9th Birthday; Medibank Ransom; Data Breach Fines; Sponsored by Kolide
https://www.troyhunt.com/weekly-update-324/

Tech Demand Weekly!
4: People Of Tech: Scott Helme Security Researcher

May 24, 2021 | 36:08


Joining Charles this week is Security Researcher and blogger, Scott Helme. Scott is the founder of the popular securityheaders.com and report-uri.com, free tools to help you deploy better security. You can find his blog at his website scotthelme.co.uk
Originally published on 17/12/2018

Troy Hunt's Weekly Update Podcast
Weekly Update 219: IoT Unravelled with Scott Helme

Nov 29, 2020 | 119:00


IoT with Scott Helme; The Fragmented IoT Landscape; Cameras & Privacy; Security & Outbound Requests; The TP-Link Situation; Sponsored by 1Password
https://www.troyhunt.com/weekly-update-219/

The Secure Developer
Ep. #61, The rise of HTTPS and Front-End Security Toolbox with Scott Helme

May 21, 2020 | 35:22


For this episode of The Secure Developer Podcast, we welcome Scott Helme to chat with us about front end security. Scott is the force behind Security Headers and Report URI and he is also a Pluralsight author and an award-winning entrepreneur! We get to hear about Scott's professional trajectory since leaving college, the interesting developments and changes he has made along the way, and his current work with his different projects. Scott then explains the service that Security Headers provides, something that he created to effectively scratch his own itch. The educational value it offers is quite remarkable and our guest does a great job of explaining exactly how it functions and its ease of use. From there he turns to Report URI and explains how this company complements the services of Security Headers. Our conversation progresses onto the topic of HTTPS and the encouraging increases that have been happening for years now in terms of adoption and ultimately, security. This is something that Scott has been very excited about and happy to see, as it shows a general trend in the industry towards better, safer practices and standards. The last part of our conversation is spent with Scott sharing some thoughts on organizational approaches to security and what he sees in the near future for the space. For all this and then some, tune in today!

Troy Hunt's Weekly Update Podcast

Scott Helme’s “Hack Yourself First” Workshop; Googling Your Password; Charging to Change Your Password; 1Password’s Cash Injection; IVPN Sponsoring
https://www.troyhunt.com/weekly-update-165/

Troy Hunt's Weekly Update Podcast

I’m in Oslo; Scott Helme’s “Hack Yourself First” UK Tour; Have I Been Pwned and Project Svalbard; Sponsored by Twilio
https://www.troyhunt.com/weekly-update-143/

IT Career Energizer
Engage in Continual Learning to Advance your IT Career with Michal Spacek

May 2, 2019 | 18:09


GUEST BIO: Michal Spacek is a developer who builds, breaks and tests web applications. He has a specific interest in web application security and likes to pass on his knowledge and experience to others, having spoken at more than 100 conferences and events to date. Michal says that he is on a mission to teach web developers why and how to build secure and fast web applications.

EPISODE DESCRIPTION: Phil's guest on today's show is Michal Spacek. He has been working in the IT industry for nearly two decades. Michal started his career as a web developer, but has since taken on engineering roles, in particular those related to web application security. He believes in sharing his knowledge with anyone who wants to listen. Over the years he has become a well-known conference speaker, teacher and mentor. Michal is passionate about turning the internet into a safer place.

KEY TAKEAWAYS:

(1.05) – So Michal, can you perhaps expand on that intro and tell us a little bit more about yourself? Michal explains that he works mainly from home. Right now he is combining freelancing with working on Report URI with Troy Hunt and Scott Helme. He is also breaking some sites.

(2.10) – Can you please share a unique career tip with the I.T. career audience? Michal's unique tip is: if you want to learn something, go teach it to others. It sounds a bit weird, but it works surprisingly well. The act of preparing for presentations and classes forces you to do your research, dig deep and learn. Having to present something makes you structure things logically, so you are less likely to skim over or miss something that is important. It also makes you think about it from several different perspectives. This is because you have to come up with the answers to the questions you are likely to be asked. Preparing for a presentation or class switches you from work to creative mode. This subtle change in perspective leads to you uncovering lots of little details that you would have otherwise missed. Putting yourself under this sort of pressure is a great way to learn. Plus, anyone can do it. You do not have to be a trained teacher to pass your knowledge on to others.

(3.28) – Phil asks Michal if the fact that you have to put yourself into the mindset of your audience has an impact on the way you learn. Michal agrees that does happen. About 10 years ago, he became very active on a Czech development forum. During his time on there, he wrote about 20,000 emails and a similar number of replies. Doing this taught him to solve problems he did not have at the time. Michal found that this really opened up his mind. People kept coming up with interesting questions that he had never thought to ask. Plus, of course, in the process, he learned how to use all kinds of tools he would not have otherwise touched. Later in his IT career, he found the knowledge that he had built up during his time on the forum to be invaluable. Often, if he had a problem he would be able to quickly find the solution using something he had uncovered while helping others.

(4.56) – Can you tell us about your worst career moment? And what you learned from that experience. The incident that Michal feels the worst about occurred when he had the perfect job. Everything about the work was perfect: the team, the project, the way the company operated, the money... absolutely everything. Unfortunately, he had become distracted and started dropping the ball. He would turn up late, not finish things and could not be relied upon. Michal had kind of drifted into these bad habits, so he did not realize there was an issue until a friend pointed out he had become unreliable and asked if he was OK. That conversation opened Michal's eyes to what he had been doing. The next day he quit the job he loved. It felt bad, but he wanted to make things right and to preserve some of the friendships he had with people who worked there. Now, every now and again, Michal pauses and does a reality check. He finds that doing this stops him from getting complacent and drifting into bad habits.

(7.36) – What was your best career moment? For Michal that was when Scott Helme, the founder of securityheaders.com and Report URI, called him and asked him to work on a project. Scott is one of the world's top security experts and researchers, so getting asked to work with him was a big deal.

(9.03) – Phil asks Michal how he ended up being in a position to work for such an important IT figure. Michal explains that he started by following Scott on Twitter. Over time, he built up a rapport with him and made it clear that he would love to work with him on making the world a safer place, which is exactly what happened.

(9.42) – Can you tell us what excites you about the future of the IT industry and careers? The fact that you can change the lives of millions of people just by writing code is very exciting. Your skin color, sex, religion, education or world view does not matter. Regardless of who you are, you can bring about change.

(10.26) – Is there any particular tech that you are especially excited about? Michal is pleased to see firms consulting their data properly, using it to determine what direction to move in and what to do next, making truly informed decisions.

(11.21) – What first attracted you to a career in IT? For Michal, it was games.

(11.30) – What is the best career advice you have ever received? That advice came from his father. He said: don't you even dare to think that you actually know something. There is always something new to learn, so make sure that you keep learning. The point at which you think that you actually know something is when you stop advancing. This is the case regardless of what you are doing.

(12.10) – On the flip side, what is the worst piece of career advice you have ever received? When Michal left the job he was speaking about earlier, he shared the fact he was worried about what he would do next with one of his friends. Their advice was not to worry. They said someone was bound to get in touch and offer him a job. Unfortunately, that call never came. That experience taught Michal that he needed to create his own opportunities.

(13.02) – If you were to begin your IT career again, right now, what would you do? Michal jokes that when something goes wrong with computers it is always related to DNS, so he wishes he knew more about it. But he is partly serious. Michal actually does recommend that people who are starting out in the business learn about DNS.

(13.37) – What are you currently focusing on in your career? Michal wants to make the internet a safer place.

(14.17) – What is the number one non-technical skill that has helped you the most in your IT career? The non-technical skills Michal values the most are his empathy, emotional intelligence and his habit of questioning reasons.

(14.35) – What do you do away from your IT career to keep yourself energized? Five months ago Michal's daughter was born, so right now his only focus outside of work is taking care of her. However, he finds receiving feedback from people about the work he has done in the past to be energizing. He enjoys knowing that he has written something worthwhile and made a positive difference in people's lives. That lifts and energizes him.

BEST MOMENTS:
(2.25) MICHAL – "If you want to learn something, go and teach it."
(10.04) MICHAL – "Nobody cares about your religion, skin color, education or world ideas. Through coding you can change the lives of millions."
(11.43) MICHAL – "Don't you even dare to think that you actually know something. Always keep learning."
(12.43) MICHAL – "You need to create opportunities for yourself and always be on the lookout for opportunities."
(13.42) MICHAL – "I want to make the internet a safer place."

CONTACT MICHAL:
Twitter: https://twitter.com/spazef0rze
LinkedIn: https://www.linkedin.com/in/spaze/
Website: https://www.michalspacek.com

Random but Memorable
Virtual Lobster Weekend Breach with Scott Helme

Apr 23, 2019 | 33:10


This episode, we enjoy "Facebook Breach Time" and discuss some crazy vulnerabilities found in Tesla vehicles. We also break down our Big Topic of the week: What's a VPN? Special guest Scott Helme talks VPNs, Content Security Policy and bringing Hack Yourself First to the UK. Tweet us @1Password.

We talked about...
• Latest Facebook security breach finds millions of records on Amazon servers
• Zuckerberg eats toast!
• Researchers trick Tesla's Autopilot into driving into oncoming traffic
• Enter our giveaway! Tweet us a phrase for our next show with #wanttheshirt
• Follow Scott Helme on Twitter here.
• Find out more about Hack Yourself First UK here.

What the phrase?! "I will show you where lobsters spend the winter" • A Russian way of threatening someone.

To enter our giveaway tweet us a phrase for the end of our next show and hashtag #wanttheshirt

no dogma podcast
#115 Scott Helme, Fighting Cross-Site Scripting with Content Security Policy and Subresource Integrity

Feb 18, 2019 | 40:02


Summary
Security researcher Scott Helme tells me how Content Security Policy and Subresource Integrity are used to fight cross site scripting.

Details
• Who he is, what he does.
• What cross site scripting is; well known examples; how it works; crypto mining with cross site scripting (XSS).
• Input validation, output encoding, more frameworks are handling validation.
• Content Security Policy (CSP), what it is, how it works; trusting CDNs; how to use CSP on a site, CSP Wizard, browser support; future changes.
• Subresource Integrity, what it is, how it works; trusting third party scripts; what happens if script fails validation.
• NoScript, browser extensions, DNS filters and VPNs.
• Scott's upcoming events; training.

People of Tech
4: Scott Helme Security Researcher

Dec 17, 2018 | 36:08


Joining Charles this week is Security Researcher and blogger, Scott Helme. Scott is the founder of the popular securityheaders.com (https://securityheaders.com/) and report-uri.com (https://report-uri.com/), free tools to help you deploy better security. You can find his blog at his website scotthelme.co.uk (https://scotthelme.co.uk/)

Smashing Security
104: The world's most evil phishing test, and cyborgs in the workplace

Nov 14, 2018 | 54:47


Does your employer want to turn you into a cyborg? Was this phishing test devised by an evil genius? And how did a cinema chain get scammed out of millions, time and time again...? Oh, and the subject of erasable pens comes up again. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Scott Helme. Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes. Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening! Warning: This podcast may contain nuts, adult themes, and rude language. Theme tune: "Vinyl Memories" by Mikael Manvelyan. Assorted sound effects: AudioBlocks. Special Guest: Scott Helme.

Inside Out Security
Troy Hunt: The Modern State of Insecurity (Part Two)

Oct 17, 2018 | 10:31


Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era. In this keynote, you’ll learn: Real world examples of both current and emerging threats How threats are evolving and where to put your focus How to stem the flow of data breaches and protect against malicious activity and much more! Transcript Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity. Troy Hunt: Then moving on another one I think is really fascinating today is to look at the supply chain, the modern supply chain. And what we're really talking about here is what are the different bits and pieces that go into modern-day applications? And what risks do those bits and pieces then introduce into the ecosystem? There's some interesting stats, which helps set the scene for why we have a problem today. And the first that I want to start with, the average size of webpage, just over 700 kilobytes in 2010. But over time, websites have started to get a lot bigger. You fast forward a couple of years later and they're literally 50% larger, growing very, very fast. Go through another couple of years, now we're up to approaching 2 megabytes. Get through to 2016 and we're at 2.3 megabytes. Every webpage is 2.3 megabytes. And when you have a bit of a browse around the web, maybe just open up the Chrome DevTools and have a look at the number of requests that come through. Go through on the application part of the DevTools, have a look at the images. And have a look at how big they are. And how much JavaScript, and how many other requests there are. And you realize not just how large pages are, but how the composition is made up from things from many, many different locations. 
So, we've had this period of six years where we've tripled the average size of a webpage. And of course, ironically, during that period we've become far more dependent on mobile devices as well. Which very frequently have less bandwidth or more expensive bandwidth, particularly if you're in Australia. So, we've sort of had this period where things have grown massively in an era where we really would have hoped that maybe they'd actually be a little bit more efficient. The reason I stopped at 2016 is because the 2.3-megabyte number is significant. And the reason it's significant is because that's the size of Doom. So, remember Doom, like the original Doom, like the 1993 Doom, where if you're a similar age to me or thereabouts, you probably blew a bunch of your childhood. When you should've been doing homework, just going through fragging stuff with BFG. So, Doom was 2.3 megabytes. That's the original size of it. And just as a reminder of the glory of Doom, remember what it was like. You just wander around these very shoddy looking graphics, but it was a first-person shoot-em-up. There were monsters, and aliens, and levels, and all sorts of things. Sounds. All of that went into two floppy disks and that's your 2.3 megabytes. So, it's amazing to think today when you go to a website, you're looking at the entire size of Doom, bundled into that one page, loaded on the browser. Now, that then leads us into where that all goes. So, let's consider a modern website. The U.S. Courts website. And I actually think it's pretty cool looking government website. Most government websites don’t look this cool. But, of course, to make a website look cool, there's a bunch of stuff that's got to go into it. So, if we break this down by content type, predictably images are large. You've got 1.1 megabytes worth of images, so almost half the content there is just images. The one that I found particularly fascinating though when I started breaking this apart is the script. 
Because you've got about 3/4 of a megabyte worth of JavaScript. Now keep in mind as well, JavaScript can be very well optimized. I mean, we should be minimizing it. It should be quite efficient. So, where does 726 kilobytes worth of script go? Well, one of the things we're seeing with modern websites is that they're being comprised of multiple different external services. And in the case of the U.S. Courts website, one of those web services is BrowseAloud. And BrowseAloud is interesting. So, this is an accessibility service made by a company called Texthelp. And the value proposition of BrowseAloud is that if you're running a website, and accessibility is important to you...and just to be clear about what we mean by that, if someone is visually impaired, if they may be English is second language, if they need help reading the page, then accessibility is important. And accessibility is particularly important to governments because they very often have regulatory requirements to ensure that their content is accessible to everyone. So, the value proposition of a service like BrowseAloud is that there's this external thing that you can just embed on this site. And the people building the site can use all their expertise to sort of actually build the content, and the taxonomy, and whatever else of the site. They just focus on building the site and then they pull in the external services. A little bit like we're pulling an external library. So, these days there's a lot of libraries that go into most web applications. We don't go and build all the nuts and bolts of everything. We just throw probably way too much jQuery out there. Or other themes that we pull from other places. Now, in the case of BrowseAloud, it begs the question, what would happen if someone could change that ba.js file? And really where we're leading here, is that if you can control the JavaScript that runs on a website, what would you do? 
If you're a bad dude, what could you do, if you could modify that file? And the simple answer is that once you're running JavaScript in the browser and you have control over that JavaScript, there is a lot you can do. You can pull in external content, you can modify the DOM. You can exfiltrate anything that can be accessed via client script. So, for example, all the cookies, you can access all the cookies as long as the cookies aren't flagged as HTTP only. And guess what? A lot of them which should be, still aren't. So, you have a huge amount of control when you can run arbitrary JavaScript on someone else's website.

Now, here's what went wrong with the BrowseAloud situation. So, you've got all of these websites using this exact script tag, thousands of them, many of them government websites. And earlier this year, Scott Helme, he discovered that the ICO, the Information Commissioner's Office in the UK, so basically the data regulator in the UK, was loading this particular JavaScript file. And at the top of this file was some script which shouldn't be there. And if you look down at about the third line and you see Coinhive, you start to see where all of this has gone wrong. Now, let's talk about Coinhive briefly. So, everyone's aware that there is cryptocurrency and there is cryptocurrency mining. The value proposition of Coinhive... and you can go to coinhive.com in your browser. Nothing bad is going to happen. You can always close it. But bear with me, I'll explain. So, the value proposition of coinhive.com is, you know how people don't like ads. You know, because you get a website, and there's tracking, and they're obnoxious, and all the rest of it. Coinhive believe that because people don't like ads, but you might still want to monetize your content, what you can do is you get rid of the ads, and you just run a crypto miner in people's browsers. And what could go wrong?
And in fairness, if there's no tracking and you're just chewing up a few CPU cycles, then maybe that is a better thing, but it just feels dirty. Doesn't it? You know, like if you ever go to a website and there's a Coinhive crypto miner on there, and they usually mine Monero, and you see your CPU spiking because it's trying to chew up cycles to put money in someone else's pocket, you're going to feel pretty dirty about it. So, there is a valid value proposition for Coinhive. But unfortunately, when you're a malicious party, and there's a piece of script that you can put on someone else's website, and you can profit from it, well then obviously, Coinhive is going to be quite attractive to you as well. So, what we saw was this Coinhive script being embedded into the BrowseAloud JavaScript file, then the BrowseAloud JavaScript file being embedded into thousands of other websites around the world. So, U.S. Courts was one. U.S. House of Representatives was another. I mentioned the Information Commissioner's Office, the NHS in Scotland, the National Health Service, so all of these government websites.

Now, when Scott found this, one of the things that both of us found very fascinating about it is that there are really good, freely accessible browser security controls out there that will stop this from happening. So, for example, there are content security policies. And content security policies are awesome because they're just a response header, and every single browser supports them. And a CSP lets you say, "I would like this browser to be able to load scripts from these domains and images from those domains." And that's it. And then if any script tries to be loaded from a location such as coinhive.com, which I would assume you're not going to whitelist, it gets blocked. So, this is awesome. This stops these sorts of attacks absolutely dead. The adoption of content security policies: all the sites not using it, that's about 97%.
So, it's about a 3% adoption rate of content security policies. And the reason why I wanted to flag this is because this is something which is freely accessible. It's not something you go out and spend big bucks on a vendor with. When I was in London at the Infosecurity EU Conference, there were loads of vendors there selling loads of products, and many of them are very good products, but also a lot of money. And I'm going, "Why aren't people using the free things?" Because the free things can actually fix this. And I think it probably boils down to education more than anything else.

Now, interestingly, if we go back and look at that U.S. Courts website, here's how they solved the problem. So, they basically just commented it all out, and arguably this does actually solve the problem. Because if you comment out the script, and someone modifies it, well, now it's not a problem anymore. But now you've got an accessibility problem. I actually had people, after I've been talking about this, say, "Oh, you should never trust third-party scripts. You should just write all this yourself." This is an entire accessibility framework with things like text to speech. You're not going to go out and write all that yourself. You've actually got to go and build content. Instead, we'd really, really like to see people actually using the security controls to be able to make the most of services like this, but do so in a way that protects them if anything goes wrong. Now, it's interesting to look now at sites that are still embedding BrowseAloud but are doing so with no CSP. And in case anyone's wondering, no Subresource Integrity as well. So, things like major retailers, there are still U.S. government sites, there are still UK government sites. And when I last looked at this, I found a UK transportation service as well. Exactly the same problem.
And one of the things that sort of makes me lament is that even after we have these issues where we've just had an adversary run arbitrary script in everyone's browser, and let's face it, just Coinhive is dodging a bullet. Because that is a really benign thing in the scope of what you could have done if you could have run whatever script you wanted in everyone's browser. But even after all that, these services are still just doing the same thing. So, I don't think we're learning very well from previous incidents. ...

Smashing Security
088: PayPal’s Venmo app even makes your drug purchases public

Smashing Security

Jul 25, 2018 42:55


Websites still using HTTP are marked as "not secure" by Chrome, 85,000 Google employees haven't been phished for a year, and if you're buying drugs via PayPal’s Venmo app you should say goodbye to privacy. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Scott Helme. Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes. Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening! Warning: This podcast may contain nuts, adult themes, and rude language. Theme tune: "Vinyl Memories" by Mikael Manvelyan. Assorted sound effects: AudioBlocks. Special Guest: Scott Helme.

Script & Style
Web Security with Scott Helme

Script & Style

Jul 12, 2018 57:48


Guests: Scott Helme. Hosts: Todd Gardner, David Walsh. This episode is sponsored by TrackJS JavaScript Error Monitoring. Find and fix the bugs in your web application with the context to see real user errors. Start your free trial at TrackJS.com.

Smashing Security
070: Facebook and Cambridge Diabolica

Smashing Security

Mar 21, 2018 40:38


It’s not fair to describe what happened at Facebook and Cambridge Analytica as a data breach - it’s much worse than that. An autonomous Uber vehicle kills a pedestrian. And sextortion continues to be a serious problem. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by researcher Scott Helme. Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes. Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening! Warning: This podcast may contain nuts, adult themes, and rude language. Special Guest: Scott Helme.

Smashing Security
039: Woah - are we talking to a cyborg?

Smashing Security

Aug 23, 2017 46:01


Hackers could change emails in your inbox after they are delivered, the web is getting more and more encrypted, and hacked robots can be commanded to umm... stab you. All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by researcher Scott Helme. Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes. Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening! Warning: This podcast may contain nuts, adult themes, and rude language. Special Guest: Scott Helme.