Categories
Development Security

Using a Custom Key for Encrypted Cast Model Attributes in Laravel

This is the first security tip from my Laravel Security in Depth newsletter, sent out on Monday to all subscribers. Please sign up if you’d like these tips delivered weekly. Laravel allows you to cast model attributes as encrypted strings, when stored in the database. This gives you added security for any values that are […]

Categories
Security

Introducing Laravel Security in Depth

I’d like to introduce a new project I’ve just started: Laravel Security in Depth. It’s something I’ve never tried before, or even considered as an option until recently, and I’m very excited to dive into it and see how it grows. What is Laravel Security in Depth? Laravel Security in Depth is a paid mailing […]

Categories
Security

The Security Risk of SMS Two Factor Authentication

The often talked about security risk of using SMS-based Two Factor Authentication (2FA) isn’t actually as big a security risk as everyone makes it out to be. It’s much more of a security risk in SMS-based Account Recovery. It’s a subtle but incredibly important difference that I keep seeing news sites and security blogs completely overlook. […]

Categories
Privacy Security

What are you doing with my data?

My wife and I¹ were filling out a rental house application the other night, and we noted the incredibly invasive nature of the personal information the form was asking for. For example, it wanted to know our car registration number and pet microchip details – both of which have absolutely nothing to do with us […]

Categories
Security Development

CSRF Is Dead, Long Live SameSite=Lax! (or is it?)

In the original version of my talk “Think Like a Hacker and Secure WordPress, live on stage”, I demonstrated a Cross-Site Request Forgery (CSRF) attack. While this attack worked perfectly during WordCamp Brisbane 2019, in-progress changes to Google Chrome (version 80) are bringing about the end of CSRF. (Well, sort of…) In light of this change, […]

Categories
Security

Usernames Are Not Secrets

A common misconception that I have observed a lot online is the belief that usernames should be secret, unique and hard to guess. While there are some limited cases where having a secret username is a good idea, most of the time it has no real benefit. Usernames are not secrets and should not be […]

Categories
Development Security Tutorials

Sign Git Commits With A Keybase GPG Key

A relatively unknown and underused feature of Git is the ability to cryptographically sign commits. It is an optional feature that provides a way for the author of a commit to prove ownership. It uses the author’s GPG key to leave a signature in the commit that can be checked later. If you’re a Keybase […]

Categories
Security

Mosh and UFW, without 1000 open ports

Anyone who works with Linux servers will have used SSH. It’s the staple of server management and cannot beat a GUI. The only downside with SSH is when you’re on a slow or intermittent connection, and your SSH connection keeps dropping out or locking up. It’s not fun at all…