019 - Security with Troy Hunt

Security legend Troy Hunt joins us to discuss the Jeff Bezos phone hack, election threats, Huawei, Have I Been Pwned and much more. Whether you’re a certified ethical hacker or just trying to improve your own security hygiene, this episode’s a can’t miss.


If you enjoy this episode, please consider leaving a review on Apple Podcasts or wherever you listen.

Please send any questions or comments to podcast@pluralsight.com.

Transcript

Daniel Blaser:
Hello and welcome to All Hands on Tech, where today's leaders talk tomorrow's technology. I'm Daniel Blaser. In the world of security, few names are more well known than Troy Hunt. As a Microsoft MVP and Pluralsight author, he's committed his career to teaching others about the importance of pragmatic security, and how companies can best protect themselves. In this episode Troy joins us to discuss the Jeff Bezos phone hack, election threats, Huawei, Have I Been Pwned?, and much more. Whether you're a certified ethical hacker or just trying to improve your own security hygiene, this episode's a can't miss.

Daniel Blaser:
My first question for you is what drew you to security in the first place? Was it something you were always interested in or was there like some formative moment, or experience that drew you into security?

Troy Hunt:
I just felt like there was a missing piece in terms of security that was made for developers. I guess the origins of where I kept at my niche shows was more around how do we create content that's aimed at the people actually building the systems rather than the people testing the systems, because security people do tend to live in a little bit of a different world. And I was finding, particularly if we go back sort of about eight years ago when I started doing Pluralsight courses, the content really just didn't, didn't serve the intended demographic that well. So that's just what kind of got me going in that direction. A little bit of a vacuum I reckon.

Daniel Blaser:
Cool. Tell me a little bit, and I you're going to have to correct me. Do I pronounce, is it, Have I Been Pwned? If I'm pronouncing this like I, it's one of those, I only ever see the word pwned like written. I never really say it. Is that how you usually pronounce it? Have I Been Pwned?

Troy Hunt:
This is a part of the joy of the project or I like just figuring out how people pronounce it and I've heard a lot of things. I've heard... one I heard and I ended up having to go and register domain names every time I hear different pronunciations, but I heard one reporter in the US referred to it as haveIbeenpruned.com, so I have, have I been prowned? Have I been preowned.com.

Daniel Blaser:
Oh wow!

Troy Hunt:
So you can go there. Otherwise, I say pwned, because it's meant to be a derivation of the word owned, so I owned, pwned, op.

Daniel Blaser:
Okay, that's great. Just tell me a little bit, and those that maybe haven't heard of this project. Talk a little bit about that project and how it's evolved over the past couple of years.

Troy Hunt:
Well, it started out in 2013 as a bit of a curiosity. I thought, "Oh, this will be a bit of fun. Like a few of my friends will use this. It'll be a good way of finding if you're in predominantly the Adobe data breach," because I had 150 million something records and then I grabbed a few other data breaches that were circulating around, I added them and I went, "That's it, job done, all this will last for a little while." Now like six and a bit years on I'm going to break through 10 billion records pretty soon, which is kind of crazy and I did not see any of this coming. Like this is not some grand master plan of mine. It was just literally doing stuff that seems like a good idea at the time.

Daniel Blaser:
And I've noticed there's now kind of an integration with 1Password, correct?

Troy Hunt:
Well, there's a heap of integration. So 1Password is one of them, which is great because that's my favorite password manager. I was using them for years before I even started Have I Been Pwned? So, that's super cool. I can now go into my 1Password application and I can see if any of my passwords have appeared in data breaches before and I can also see if any of the accounts that I presently have, have had data breaches themselves, which is a really neat way of doing it I reckon because your password manager is sort of the place where you want to understand all this stuff.

Daniel Blaser:
It's cool. You know whenever I see a data breach or anything that happens, people are talking about it on Reddit, I usually see people say, "Oh, well just go to this website haveIbeenpwned.com, enter it in," like it's kind of become, I feel like this, this thing that just exists. It's like the step one.

Troy Hunt:
Yeah, it really is sort of the de facto standard now, which is kind of amazing because there are certainly other data breach services out there, but frankly there's a bunch of pretty dodgy ones. There's a bunch that have been taken offline because they've been doing stuff like literally trading in identity data, like buy someone else's personal information what could go wrong. But Have I been Pwned has just stood the test of time and just keeps getting bigger and bigger.

Daniel Blaser:
Very cool. Do you think, on the topic of password managers and checking your email to see if it's part of a breach. Do you think that the average person is more security minded than they were a few years ago and why or why not?

Troy Hunt:
I think they're more conscious of security simply because it is so pervasive in the mainstream media. So we see mainstream press probably every week talk about some sort of a data breach somewhere or other some security incident. I reckon 2016 was actually a big watershed moment there because we had the elections, and the DNC hacking, and all this sort of thing and it had just started to get into everyone's psyche. And then of course, just the nature of online life now, you get so many security notices, security advice, changes with your password, turn on the 2FA. You just can't live in any sort of connected world these days with that security constantly jumping up into your face one way or another in both good and bad ways.

Daniel Blaser:
Yeah, exactly. I was just wondering if you could kind of provide a brief overview from your perspective of the recent Jeff Bezos phone hacking story.

Troy Hunt:
Look, I think it's fascinating and that's a really good example of where the mainstream media ends up covering InfoSec and it's something which now everyone is seeing, it's got everything from political intrigue, to sex, to affairs, to naughty photos, it's like this is a movie man. Like this could be five years from now we'll be watching, going to be like Bezos the movie or to that effect.

Daniel Blaser:
People that are looking at this, let's say the average person, they see this Jeff Bezos phone hacking story and maybe they think, "Oh my gosh, if it can happen to him, it can happen to anyone." What should be our top security kind of take away after we hear about that story?

Troy Hunt:
I am surprised that such a smart guy in the tech industry frankly did something so stupid and what I mean, I'm not even talking about any sort of questions where the infidelity and all that sort of thing, but I'm talking about digitizing and redistributing something that would obviously cause a huge amount of embarrassment and discomfort. Now I'm really cautious here as well because I've often said this before and because it's the internet, people get upset, and they say, "Oh, you can't say that he shouldn't take those photos because that's victim blaming." And like, "Whoa, hang on, hang on. Look, let's take a step back. All of us have control over our own security posture and the risks that we choose to take. And you almost need to do like a bit of a threat modeling, right? A little bit of threat modeling around each of our online activities."

Troy Hunt:
Now my threat model in a case like that would be if I was to digitize something such as the photos that he did, I would then be at a greater risk of them being redistributed than if I didn't have them. Now I might say that that's an acceptable risk. And this is just like the way we do threat modeling in applications. So at an acceptable risk, I'm going to have some mitigating controls, which are, I'm only going to send it off to my partner, and that's going to be it and then I'm out deleted off the phone, whatever it may be. So I would have a very conscious process of considering that. But maybe he did that because if the press is right, it was actually the Saudis hacking into his phone. So this is like state sponsored actors now, who have a lot of resources at their disposal. But look, I would just fall back personally to the principle of, "You can't lose what you don't have." So I would avoid having something like that because for me personally, that's too great a risk.

Daniel Blaser:
Yeah, I think that's a great takeaway. Especially thinking in terms of threat modeling, like you're saying. Keeping on kind of current events, what's your take on some of the security concerns around Huawei?

Troy Hunt:
Well it's, it's interesting isn't it? Because it's, it's very contextual depending on which corner of the world you're in. So we sort of sit in the Western corner of the world, and we got another, the Chinese, if they're building equipment, putting in here, we've got to worry about that. The Chinese are sitting there going, "Oh, like American operating systems, if we put these in we got to worry about that." And I think there's probably a little bit of truth on each side. I kind of like the approach that's taking place in places like the UK where they're saying, "Look, we might have things like Huawei antennas and we use the antennas, which are for the most part passive devices, but a lot of the other critical infrastructure which could be used for things like traffic interception, we're going to stick with let's say the classic Ericsson gear," or something like that.

Troy Hunt:
The problem of course is that apparently the Huawei gear is really, really good and it's very cost effective as well. So you can see that the sort of conundrum that leaves people with, but there's obviously a lot of political brinkmanship going on. This then ties into things like tariffs and all this kind of stuff as well. I find that this is just one of those topics where it's really hard to know what the actual facts are because everyone's got a spin that they want to put on it.

Daniel Blaser:
Maybe you're related to that topic. How do you see the landscape of cybersecurity evolving over the next, let's say the next two years?

Troy Hunt:
If we sort of look at where we've come from and I can't see any reason why a lot of the trajectory we've been on is going to change. We've seen a lot more security related incidents and that's going to continue because we've simply got so many more devices, so many more people, so much more information that we're sharing. There is nothing that provides any compelling reason why we won't see these incidents continue. Then on the other hand, we're getting a population which is more digital natives and those who are born before a time of technology are eventually dropping off.

Troy Hunt:
So we're getting a society which is more in tune with how to use technology, but that's also changing our tolerances to privacy as well. I was an adult before I got to see the internet, or have a smartphone, or anything like that. My kids have never known a time without any of these things. So their willingness and propensity to share information and they've used their own privacy are quite different to mine. That's going to be a trend, I think that keeps changing as well. Where we'll just have more information, more things shared, and inevitably more data breaches as well.

Daniel Blaser:
Another reason to keep going back to Have I Been Pwned, I guess.

Troy Hunt:
Yeah, I think it's got a bright future ahead of it.

Daniel Blaser:
Have you kind of been following the current landscape of election security?

Troy Hunt:
Yeah, mostly what I see in the news and of course that's a fascinating thing that's so multifaceted because it's everything from hem history, trust electronic voting, which is a really good question. That is actually a really, really curious topic because as you're sort of saying, "Oh, look, if we did things electronically, we'd get a lot more efficiency in terms of being able to count votes and things like this. But then how do we respect privacy as well?" Because you want to track who's voted and who hasn't. So in a place like Australia, it's legal. Does... Well, let me rephrase that. It's illegal not to vote. Like you get fined if you don't vote, so they've got to track who's voting, but then they can't track what the vote is. So how do you have the digital controls to be able to meet both those criteria?

Troy Hunt:
So I think that's fascinating outside, we've seen a lot of demonstrations of vulnerabilities with voting machines. And then of course you get to this other end of the spectrum, which is the sort of issues we had in 2016 with the US elections where it's like, foreign actors influencing public perception using things like social media platforms, because they're enormously powerful devices to be able to swing public sentiment in one direction or another. And I think that is an absolutely fascinating area and I've got no idea what the ultimate answer is or how weird stuff is going to get, let's say later this year as well. So it is a fun time, isn't it? Just stuff that we just haven't had to think about before.

Daniel Blaser:
Yeah, absolutely. Doing a little reading on blockchain technology and the promise that that can bring elections, but then also there's always a bunch of downsides as well. It will be interesting to see like how this pans out. Like you said later this year and subsequent election cycles, definitely.

Troy Hunt:
Totally, totally.

Daniel Blaser:
What are some security risks that you think are currently just being underestimated on the whole?

Troy Hunt:
I think risks that are being underestimated, and it's a contextual question, right? So who is doing the underestimating? I think that normal everyday folks are massively underestimating the impact of reusing their passwords across services. So I actually just got off the phone call with a really large media company that everyone knows, but I can't name. And one of the problems they're having is they continually have their online assets being targeted by credential stuffing attacks. So this is like automated attacks, where attackers are just taking usernames and passwords from one data breach, and they're throwing them at the login page of this particular company's services.

Troy Hunt:
And as soon as someone's reused their account, it's like, "Oh, okay, cool, now you're logged in and now I can start to access things under the identity of that person." Yet clearly individuals keep doing this, they're just not thinking about the impact to them personally. And that to me is really worrying because there's just so much good, useful information available about people out there. If you can start to get into their other accounts and here we are at the same thing just over and over and over again.

Daniel Blaser:
The answer to this question might be the same as the last one, but is there a vulnerability that keeps you up at night?

Troy Hunt:
I don't know if keeps me up at night is the way I'd phrase it because the one that I think is just the most unnecessary but pervasive and damaging at the moment is literally just lack of authentication. I shouldn't laugh, but literally the number of databases out there that just sit there publicly facing, not behind a firewall, no password. So at the moment I'm seeing a lot of Elasticsearch. I'm getting people popping up all the time going, "Hey, here is like literally tens, even hundreds of gigabytes worth of data from an unsecured Elasticsearch instance." And not long before then there was a lot of MongoDB. A couple of years ago, MongoDB was all over the place. There's a lot of open Amazon S3 buckets a couple of years ago as well. And then you get people like literally backing up their database, putting it in the root of their website, or maybe in a folder called backups, and that's where it goes. And it's just crazy how easy it is to discover all this stuff.

Daniel Blaser:
I just barely started learning about some of the security threats that could exist as quantum computing takes hold. Could you maybe just briefly go over, what we should kind of think about on the horizon with the rise of quantum computing?

Troy Hunt:
Well quantum is really fascinating because the thing, and then with the caveat that I know very little about quantum computing because it kind of does my head in... If I'm honest, but it's always really impressive when I see other people talk about it. The concern we have is that quantum computing just fundamentally changes the ability to compute things such as prime numbers, which are used in cryptographic functions. So one of the concerns we've got now is, "Okay, well what happens when quantum computing is accessible enough, particularly to those who are well-resourced to be able to do things like break encryption?" Because if we get to that point, how do we rely on everything from the way our data is transmitted across the internet, to the way we store it, to the way our mobile devices keep information on disks.

Troy Hunt:
So I think that's going to be a really fascinating area as we sort of progress to the point of it being financially and commercially feasible. I mean, what happens? Because there's this, I don't know the time frames whether they let us, let's say it's like 30 years from now, I'm still going to be around, I hope I'm still going to be doing stuff in this industry. Do we then have to have like totally different algorithms? There's a lot of talk at the moment about we need quantum computing resilient algorithms. So does that have to be totally different? Like how many of the remnants from the 2020s will still be around?

Daniel Blaser:
Yeah, that looks kind of a mind boggler I feel like.

Troy Hunt:
I just feel like it's one of these things where we have not even begun to comprehend the extent of the impact.

Daniel Blaser:
Yeah, that's very true. This is a pretty kind of practical question. We've talked about reusing passwords, we've talked about the importance of using a password manager. You know those are kind of table stakes I feel like. Right? If you're listening to this podcast and you think, I really want to recommit to my own personal security, I'm going to stop reusing passwords, I'm going to get 1Password or whatever it is. What is kind of the next step? Do you think, as long as you've got those basic things taken care of? Is there something else that should be on people's radar to improve we'll call it like their security hygiene?

Troy Hunt:
Well I think first of all you got to kind of figure out where the needle sits on your own barometer in terms of... I'll try and say it the nice way than the not nice way. So the nice way in terms of like your own risk assessment, the less nice way is how tinfoil hat you want to be. I'll give you some examples. So you know, all the password manager stuff obviously, then going a step further and going, well look, let's make sure we have multifactor authentication on things. Go a step further, let's make sure we try and do MFA, not with SMS or even soft tokens, but we'll try and use U2F keys, use YubiKeys and things like that. They're fantastic, and then you go a little bit further from there and go, well yeah.

Troy Hunt:
One of the things that makes a big difference is being a lot more selective about how much information you wish to share. Assume that everything you put on Facebook will be visible to other people, even if you set the privacy controls to only target your friends. So this sort of comes back to the Bezos story then as well, like treat or practice this cause this kind of concept of data minimization. And then as you kind of go down more the tinfoil hat side of things, there are a lot of people who are like, "I just won't run JavaScript in my browser," "So Whoa, good luck making much work on the internet if you do that."

Troy Hunt:
There are people who are convinced that you should never ever use Facebook, delete Facebook is the hashtag. I see a very good practical value for it, which is I get to see what my friends and family around the world are doing. Like I want to have Facebook because I want to be able to say that. But that's a conscious decision on me. It's not just like obey me, it's not just like a default thing. It's like let's always have Facebook and the consequences be damned.

Daniel Blaser:
Yeah, I like that. That concept of making these choices proactively and it's something that you're weighing and you're aware of the risks, but like you said, you do want to see friends and family. So it's, it's a risk that you're willing to take, but you're taking it consciously. I like that a lot.

Troy Hunt:
Yeah. That's it. And I don't like this sort of security or privacy absolutism, which decries that you should not put anything online or have any social media presence. So the other one that's come up a bit sometimes recently is people say, "I just do not want any record of my children online. I don't want a photo of them or anything like that." And it's just like, "Yeah, come on. Are people really going to inconvenience your kids in some way from that? If for instance the school has a blog post about a sports carnival," Again, privacy is a very personal thing. I get that everyone's going to make their own decision and so on and so forth. But there does seem to be sort of extreme ends of the scale there.

Daniel Blaser:
Yeah. And taking that absolute view, it kind of could turn people away. Right? They think, "Oh, if this is what is required to care about my security then this is not what I'm going to do." Which is not helpful either.

Troy Hunt:
Well it's, it's a bit of pragmatism, right? So where does it make sense? Like where is that, that sort of balance, which is not at an extreme end of scale because you find that most of the time, and I suggest this sort of extends beyond InfoSec as well. The extreme ends of the scale in any argument tend to be the ones that aren't really that sign, like somewhere in the middle is a very pragmatic, balanced decision.

Daniel Blaser:
So true. Take it to the next step. You have somebody that they're not just doubling down on their own security, but now they're saying, "I'm really interested in this topic for my professional career." What sort of advice would you give somebody who's interested in taking that step? Being in the security world for their profession?

Troy Hunt:
Good question. Someone asked me this question only about half an hour ago and I sent them a link to a blog post I wrote about InfoSec careers. So if you Google Troy Hunt information security careers, there's actually a big image up there of myself and Dale Meredith, another Pluralsight author, standing in front of the Pluralsight sign. And I sort of give a whole bunch of different thoughts and ideas, but one of the things I suggested is that we built out this certified ethical hacker series in Pluralsight a few years ago. There's a heap of people I know that have come from development backgrounds that have gone and done the CEH training, gone and sat the exam, got the CEH and now they've got a piece of paper that says, "Hey look, this person has actually invested the time to go and learn a bunch of stuff." It's not the end of the journey, but it shows some serious commitment and it does have some value.

Daniel Blaser:
That's great. I like that because it's very practical. It's very concrete. Next step. Do you have maybe related to Pluralsight courses or anything else or are there any recent projects you've worked on that you're excited about that you want to talk about?

Troy Hunt:
Oh boys! So, they all got something in the works at the moment. I can't talk about yet, but I'm super excited about this as a 2020 thing. So, we'll have to come back at the end of the year maybe and talk about that one. Look, for now it's a lot of Have I Been Pwned stuff. So there's, there's a whole bunch of announcements and things that'll come out shortly around that, which I'm very excited about. On a real tangential note, I've had my 10 year old son traveling with me and running kids' code clubs at some of the events I've been speaking at. So he was just over in Oslo, in London with me at the NDC conferences. And I actually want to try and start spending a bit more of my time making him my project, like tailoring or molding this kid into someone who can actually start to be a bit more outreaching and help other people learn to code. And it seems to be something that he really loves at the moment. So maybe I'll start directing a bit more of a focus there as well.

Daniel Blaser:
That's very cool. I love that. Is there anything else that you wanted to throw out there? Are there any questions that I should have asked you, but I didn't?

Troy Hunt:
No, I think that's a, that's a pretty comprehensive set. There's, it's just a crazy broad topic even though it's this niche within technology, so I'm sure there's a million things we haven't chatted about, but hopefully what we did cover will be useful for people.

Daniel Blaser:
I really appreciate you taking some time to chat and I know that everyone will really enjoy hearing your take on some of these topical issues.

Troy Hunt:
Cool. No problems. Talk to you later.

Daniel Blaser:
Thank you for listening to All Hands On Tech. To learn more about what Troy is up to, you can visit troyhunt.com or search for his name on Pluralsight. If you enjoy this podcast, please rate it on your platform of choice. You can see show notes and more info at pluralsight.com/podcast.