Risky Business #488 -- Stop users recycling passwords with the pwned passwords API

Troy Hunt talks about the v2 release of pwned passwords...
28 Feb 2018 » Risky Business

On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP.

It’s making some waves already. It’s a genuinely interesting, free service.
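The partial-hash lookup described above, as an added example (this is not code from the show, from Troy Hunt or from HIBP): the client hashes the password with SHA-1, sends only the first five hex characters to a range lookup, and compares the remaining suffix against the returned list locally, so the full hash never leaves the client. It assumes the v2 range endpoint `https://api.pwnedpasswords.com/range/<prefix>` returning `SUFFIX:COUNT` lines; the offline response body and its counts are constructed stand-ins.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed v2 range endpoint
PREFIX_LEN = 5  # only this many hex characters of the SHA-1 leave the client


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the dataset is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix sent and the suffix kept."""
    return hex_digest[:PREFIX_LEN], hex_digest[PREFIX_LEN:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix, locally."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0  # suffix absent: password not in the dataset


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the dataset (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(fetch_range(prefix), suffix)


def fetch_range_live(prefix: str) -> str:
    """Real lookup; only the 5-char prefix is ever put on the wire."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API so the example runs without network.
SEEN_PREFIXES = []  # records what the "server" received, to show it is never a full hash
CONSTRUCTED_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"  # suffix of SHA-1("password"); count constructed
    "2DAC49E5C8C9A4AC18E3CD7D1B6D0F0A9F3:7\n"
)


def fetch_range_offline(prefix: str) -> str:
    SEEN_PREFIXES.append(prefix)
    return CONSTRUCTED_RANGE if prefix == "5BAA6" else "ABCDEF0123456789ABCDEF0123456789ABC:2\n"
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the comparison logic is unchanged.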

In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all things blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it.

JP will talk us through some of the bug classes he sees, as well as the work Trail of Bits has done on its dynamic binary analysis software Manticore in terms of applying it to the Ethereum Virtual Machine.

Adam Boileau, as always, is this week’s news guest.

The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes

Cisco's Talos Intelligence Group Blog: Who Wasn’t Responsible for Olympic Destroyer?
Winter Olympics hack shows how advanced groups can fake attribution
Russia accused of “false flag” attack on Olympic opening | Ars Technica
U.S. and U.K. blame Russia for infamous 'NotPetya' cyberattacks
US grand jury indicts 13 Russian nationals for election meddling
The Feds Can Now (Probably) Unlock Every iPhone Model In Existence
Apple Tackles Cellebrite Unlock Claims, Sort Of | Threatpost | The first stop for security news
Apple moves to store iCloud keys in China, raising human rights fears
New SEC guidance: Please don't sell your stocks if you have insider info about a breach
WhatsApp Co-Founder Brian Acton Injects $50 Million in Newly Formed Signal Foundation | WIRED
SEC.gov | SEC Charges Former Bitcoin-Denominated Exchange and Operator With Fraud
Kyle Torpey on Twitter: "The $10 Billion lawsuit against Craig Wright claims Wright used a computer-generated font called Otto to forge Dave Kleiman's signature and acquire hundreds of thousands of bitcoins. https://t.co/vFA6uowMZa"
Australian 'bitcoin founder' Craig Wright accused of stealing billions of dollars worth of bitcoin
Attorney General Sessions Announces New Cybersecurity Task Force | OPA | Department of Justice
Jordan ⚡️ Eldredge on Twitter: "Holy moly. You can write a key logger in pure CSS. I wonder if @reddit custom themes would be vulnerable. https://t.co/yfxrLLhOvT https://t.co/WKsrBLCQv5"
US Border Agents Didn't Verify Any e-Passports Since 2007 Because They Didn't Have the Software
In-the-wild DDoSes use new way to achieve unthinkable sizes | Ars Technica
One-stop counterfeit certificate shops for all your malware-signing needs | Ars Technica
A Hacker Has Wiped a Spyware Company’s Servers—Again - Motherboard
Hacker Returns $26 Million Worth of Ethereum Back to Hacked Company
Josh Pitts on Twitter: "I found this interesting code signing bug in macOS. I took the 2011/2012 flashback malware and 'signed' it with a cert from Apple. VirusTotal and WhatsYourSign (@patrickwardle's @objective_see tool) both agree that it's signed by Apple. I have some bug reporting to do... 🤓 https://t.co/vMb9SVSf8a"
Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | Duo Security
Flight Simulator Add-On Tried to Catch Pirates By Installing Password-Stealing Malware on Their Computers - Motherboard
uTorrent vulnerabilities allow information disclosure and remote code execution
People Are Blasting iOS 'Text Bombs' on Twitter to Crash iPhones - Motherboard
Troy Hunt: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
Cybersecurity Enforcers Wake Up to Unauthorized Computer Access Via Credential Stuffing – Big Law Business
Automated bugfinding for the blockchain - YouTube