Information Management Today

Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

Troy Hunt

AUGUST 3, 2022

Following, I've added the "HTTP" connector which enables me to make an outbound request: All this request does is makes a POST to an API on Password Purgatory called "create-hell" It passes an API key because I don't want just anyone making these requests as it will create data that will persist at Cloudflare.

Passwords

Passwords IT

Google disrupts the Glupteba botnet

Security Affairs

DECEMBER 7, 2021

TAG also partnered with CloudFlare and others take down servers. Google partnered with Internet infrastructure providers and hosting providers, such as CloudFlare, to take down servers used by the gang. Glupteba disruption over last year: 63M Google Docs 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts.

Blockchain

Blockchain Mining Cloud Access

Quebec shuts down thousands of sites as disclosure of the Log4Shell flaw

Security Affairs

DECEMBER 12, 2021

IT giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, and NetEase are running servers potentially affected by the issue. Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. Tags available to all users and customers now.

Libraries

Libraries Digital transformation Education Government

Webinars

Peak Performance: Continuous Testing & Evaluation of LLM-Based Applications

MORE WEBINARS

A zero-day exploit for Log4j Java library could have a tsunami impact on IT giants

Security Affairs

DECEMBER 10, 2021

IT giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, and NetEase are running servers potentially affected by the issue. Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. Open-source projects like ElasticSearch, Elastic Logstash, Redis, and the NSA’s Ghidra also use the library.

Libraries

Libraries IT Cloud Data breaches

HTTPS Is Easy!

Troy Hunt

JUNE 27, 2018

If you are a tech pro and you want to go deeper on HTTPS, have a browse back through the dozens of posts on the SSL tag or go and watch 3 and a half hours of Pluralsight training on the subject. Next, you'll see that this is all very Cloudflare-centric and you may be wondering "why not use Let's Encrypt instead?"

Encryption

Encryption Security IT Access

Weekly Update 96

Troy Hunt

JULY 20, 2018

The most unexpected outcome of those discussions was a real flat-earther chiming into the Twitter discussion after someone made the innocent mistake of using the #FlatEarth hash tag to describe people decrying HTTPS. Plus there's my post on a whole bunch of nifty Azure Function and Cloudflare Workers bits. Enjoy: References.

GDPR

GDPR IT Security

My Blog Now Has a Content Security Policy - Here's How I've Done It

Troy Hunt

FEBRUARY 1, 2018

I also can't add custom headers via Cloudflare at "the edge"; I'm serving the HSTS header from there because there's first class support for that in the GUI , but not for CSP either specifically in the GUI or via custom response headers. Another reoccurring issue was the presence of onClick events on some tags.

IT

IT Security Libraries Analytics

Mmm. Pi-hole.

Troy Hunt

SEPTEMBER 26, 2018

No HTML tags. I set my desktop to manually resolve through Cloudflare's 1.1.1.1 Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. Companies I choose to partner with get to appear there and they get themselves 140 characters and a link. That is all. No tracking.

Analytics

Analytics Risk IT Security

Fighting API Bots with Cloudflare's Invisible Turnstile

Troy Hunt

AUGUST 21, 2023

There had to be a better way, which brings us to Cloudflare's Turnstile : With Turnstile, we adapt the actual challenge outcome to the individual visitor or browser. The final step is to validate the token and for this I'm using a Cloudflare worker. Here's how it works: Get it?

IT

IT Authentication Access

Tuning up my WordPress Install

Roger's Information Security

JUNE 23, 2018

I also disabled the Better Tag cloud plugin. Tags are better than categories in my opinion. But Tag Clouds are really a think of the past. Lastly, I made some changes to caching at Cloudflare following the cloudflare site settings listed in an article on W3 Total Cache and Cloudflare. Yet here I am.

Cloud

Cloud Information Security IT Security

Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

Troy Hunt

JUNE 30, 2022

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature used by Mozilla, 1Password and a handful of other paying subscribers.

Passwords

Passwords IT Mining Consumer Services

I'm Open Sourcing the Have I Been Pwned Code Base

Troy Hunt

AUGUST 7, 2020

Many of the services that HIBP runs on are provided free by the likes of Cloudflare. For free, because he's a good bloke and Cloudflare supported him. The very second blog post on that tag was about how I used Azure Table Storage to make it so fast and so cheap.

Passwords

Passwords IT Privacy Libraries

Why No HTTPS? Here's the World's Largest Websites Not Redirecting Insecure Requests to HTTPS

Troy Hunt

JULY 23, 2018

Cloudflare makes it easy! SecureOnChrome [link] pic.twitter.com/r2HWkfRofW — Cloudflare (@Cloudflare) July 23, 2018. Continuing that growth rate would take the number to something similar to Cloudflare's above as of now. Make sure your site redirects to #HTTPS , so you don’t have the same problem.

Security

Security IT Government Communications

It's End of Life for ASafaWeb

Troy Hunt

NOVEMBER 5, 2018

Getting back to the Cloudflare error, a cursory review of the service didn't show any obvious issues. Besides, the ASafaWeb tag on my blog contains many posts that do a great job of explaining the rationale behind the scans.

IT

IT Analytics Marketing Cloud

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

Troy Hunt

NOVEMBER 14, 2018

Some brief background first as I'll be sharing this post with a bunch of folks for which this may be new: A CSP is a response header or meta tag that allows you to declare a policy for your website declaring what sorts of content can be loaded from where.

Security

Security IT Libraries Access

A Decade of Have I Been Pwned

Troy Hunt

DECEMBER 3, 2023

And that's precisely what this 185th blog post tagging HIBP is - the noteworthy things of the years past, including a few things I've never discussed publicly before. And now, a 10th birthday blog post about what really sticks out a decade later. You know why it's called "Have I Been Pwned"? requests in a single day.

Data breaches

Data breaches Passwords Sales IT

Have I Been Pwned Domain Searches: The Big 5 Announcements!

Troy Hunt

JUNE 15, 2023

We can't add a meta tag. Something else I've been working away on in the background is to better leverage Cloudflare's WAF to minimise the impact on the origin services. We don't have any of those 4 aliases on our domain. We can't upload a file. We can't touch DNS.

IT

IT Cloud Mining Metadata

The Legitimisation of Have I Been Pwned

Troy Hunt

MARCH 21, 2018

Transparency has been a huge part of that effort and I've always written and spoken candidly about my thought processes, how I handle data and very often, the mechanics of how I've built the service (have a scroll through the HIBP tag on this blog for many examples of each).

Data breaches

Data breaches Passwords Government IT

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

Troy Hunt

FEBRUARY 11, 2018

This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. You can safely use an integrity attribute on your script tag because if ever we want to change the implementation, we'll simply rev the version. from its current state.

Libraries

Libraries Risk Government IT

Information Management Today

Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

Google disrupts the Glupteba botnet

Webinars

Trending Sources

Quebec shuts down thousands of sites as disclosure of the Log4Shell flaw

Webinars

A zero-day exploit for Log4j Java library could have a tsunami impact on IT giants

HTTPS Is Easy!

Weekly Update 96

My Blog Now Has a Content Security Policy - Here's How I've Done It

Mmm. Pi-hole.

Fighting API Bots with Cloudflare's Invisible Turnstile

Tuning up my WordPress Install

Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

I'm Open Sourcing the Have I Been Pwned Code Base

Why No HTTPS? Here's the World's Largest Websites Not Redirecting Insecure Requests to HTTPS

It's End of Life for ASafaWeb

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

A Decade of Have I Been Pwned

Have I Been Pwned Domain Searches: The Big 5 Announcements!

The Legitimisation of Have I Been Pwned

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

Stay Connected