I found myself going down a previously unexplored rabbit hole recently, or more specifically, what I thought was “a” rabbit hole but in actual fact was an ever-expanding series of them that led me to what I refer to in the title of this post as “6 rabbits deep”. It’s a tale of firewalls, APIs…

I want to try something new here – bear with me here: Data breach processing is hard and the hardest part of all is getting in touch with organisations and disclosing the incident before I load anything into Have I Been Pwned (HIBP). It’s also something I do almost entirely in isolation, sitting here on…

I have a vehement dislike for misleading advertising. We see it every day; weight loss pills, make money fast schemes and if you travel in the same circles I do, claims that extended validation (EV) certificates actually do something useful: Why are you still claiming this @digicert? This is extremely misleading, anyone feel like reporting…

For many years now, I’ve lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It’s by far the single most time-consuming activity in processing breaches for Have I Been Pwned (HIBP) and frankly, it’s about the most thankless task I can imagine. Finding contact details is hard.…

111 years ago almost to the day, a murder was committed which ultimately led to the first criminal trial to use fingerprints as evidence. We’ve all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people have ever been found to have a matching set.…

When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago, I had a nightmare of a time getting in touch with the company. They’d left a MongoDB instance exposed to the public without a password and someone had snagged all their data. Within the data were references…

Today I’m really excited to announce a big piece of work 1Password and I have been focusing on this year, a totally free video series called “Hello CISO”. This is a multi-part series that launched with part 1 and when I say “free”, I don’t mean “give us your personal data so we can market…

More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the world’s largest websites that didn’t properly redirect insecure requests to secure ones. We updated it December before last and pleasingly, noted that more websites than ever were doing the right thing and forcing browsers…

Researchers have discovered a new attack named SysBumps, which targets macOS systems running on Apple Silicon processors. This attack leverages speculative execution vulnerabilities in system calls to bypass critical security measures such as Kernel Address Space Layout Randomization (KASLR) and kernel isolation. KASLR, a crucial defense mechanism, randomizes the memory layout of the kernel, making…

In a concerning development within cybersecurity, attackers have been leveraging DocuSign’s API capabilities to send out fraudulent invoices that closely mimic genuine documents. These campaigns have been rising in frequency, with reports over the past five months highlighting a significant uptick in incidents. In the context of cybersecurity, the abuse of DocuSign’s API represents a…