
Security Bits — 13 August 2023

Deep Dive — Have I Been Pwned Domain Search Revamped

This is very much glass-half-empty, glass-half-full news. On the one hand, domain searches and domain monitoring have become much easier (you previously had to re-validate your domain for every search); on the other hand, it is now a subscription service, though with a generous free tier.

What this feature has always allowed you to do is search the entire HIBP breach database for every record tied to an email address on your domains, and set up automated alerts for when an address on your domain turns up in a newly loaded breach. The new system offers the same functionality but adds an improved API for integrating the searches into other systems or scripts.

An API existed before, but it has been a paid feature for some time now. The new system brings all of this together under one account.
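As an added example of the kind of script the API makes possible (this is not HIBP's code, nor code from the original post), the following monitor diffs a domain-search result against the previous run and reports only addresses that have appeared in a breach since. It assumes the v3 endpoint `GET https://haveibeenpwned.com/api/v3/breacheddomain/{domain}` authenticated with an `hibp-api-key` header and returning a JSON object that maps each local-part alias to a list of breach names; the baseline file name and the sample response are constructed for illustration.

```python
"""Monitor a verified domain through the HIBP domain-search API and report
only the (alias, breach) pairs not seen on the previous run.
Added example; not HIBP's own code.

Assumed, not taken from the page: the endpoint
GET https://haveibeenpwned.com/api/v3/breacheddomain/{domain} with an
`hibp-api-key` header, returning a JSON object that maps each local-part
alias to a list of breach names. The baseline file and the sample
response below are constructed for illustration.
"""
import json
import urllib.request
from pathlib import Path

USER_AGENT = "example-domain-monitor/1.0"  # HIBP rejects requests without a UA


def fetch_breached_domain(domain: str, api_key: str) -> dict[str, list[str]]:
    """Live lookup (network); the offline functions below do not call it."""
    req = urllib.request.Request(
        f"https://haveibeenpwned.com/api/v3/breacheddomain/{domain}",
        headers={"hibp-api-key": api_key, "user-agent": USER_AGENT},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def load_baseline(path: Path) -> dict[str, list[str]]:
    """Exposures reported on earlier runs; a missing file means a first run."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_baseline(path: Path, current: dict[str, list[str]]) -> None:
    path.write_text(json.dumps(current, indent=2, sort_keys=True))


def new_exposures(baseline: dict[str, list[str]],
                  current: dict[str, list[str]]) -> dict[str, list[str]]:
    """Alias -> breaches present in `current` but absent from `baseline`.

    Sets of breach names are compared, so a re-ordered response or a
    repeated name does not raise a false alert.
    """
    fresh = {}
    for alias, breaches in current.items():
        unseen = sorted(set(breaches) - set(baseline.get(alias, [])))
        if unseen:
            fresh[alias] = unseen
    return fresh


def format_report(domain: str, fresh: dict[str, list[str]]) -> list[str]:
    """One line per newly exposed address, ready for an email or a ticket."""
    return [f"{alias}@{domain}: {', '.join(breaches)}"
            for alias, breaches in sorted(fresh.items())]


# Constructed sample in the JSON shape the endpoint is assumed to return.
SAMPLE_BASELINE = {"alice": ["Adobe"], "bob": ["LinkedIn"]}
SAMPLE_CURRENT = {"alice": ["Adobe", "Canva"], "bob": ["LinkedIn"],
                  "carol": ["Dropbox"]}


def demo(domain: str = "example.com") -> list[str]:
    """Offline run over the constructed sample; returns the report lines."""
    return format_report(domain, new_exposures(SAMPLE_BASELINE, SAMPLE_CURRENT))


if __name__ == "__main__":
    # Live use would be:
    #   current = fetch_breached_domain("example.com", api_key)
    #   fresh = new_exposures(load_baseline(Path("hibp-baseline.json")), current)
    #   save_baseline(Path("hibp-baseline.json"), current)
    for line in demo():
        print(line)
```

Keeping the baseline as the full last response, rather than just a list of alerted aliases, is what lets the script notice a second breach for an address it has already reported once.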

With this new system you use an email address to create a Domain Dashboard (Domain search in the site menu), then add one or more domains to that dashboard. Authentication is by email loop, so there is no password to set.

Once you’re on your dashboard you can add domains to search and monitor. You obviously have to verify that you own each domain, which you can do in one of four ways:

  1. With a link emailed to one of the special reserved addresses on the domain (hostmaster@domain etc.).
  2. By adding a special <meta> tag to the website hosted on your domain.
  3. By uploading a special text file to the root of your domain.
  4. By setting a special DNS TXT record at the top level of your domain (my preferred method, same as used for iCloud/Google Apps/Office365 domain validation).

Your subscription tier depends on the number of compromised accounts across all the domains you add, and the free tier covers up to 10. Any Nosillacastaways who own their own domain should consider setting this up IMO.

I set up two dashboards this morning, one for my personal domains, and one for my business domains, and I had them both set up with a total of 8 verified domains in less than half an hour!

Links

❗ Action Alerts

  • Last Tuesday was Patch Tuesday, and Microsoft’s patches include two for vulnerabilities that are already being exploited, so don’t delay on these patches! — isc.sans.edu/… & krebsonsecurity.com/…
  • The NightOwl app (used to auto-switch between light and dark modes in macOS) was sold to a new owner, who changed its terms of service to put your device into a botnet with no opt-out. Apple has since revoked the developer certificate. robins.one/…

Notable News

Interesting Insights

Palate Cleansers

  • A double from Bart:
    • If you prefer your media in audio form, then the recent Business Movers podcast mini-series on General Magic, a company that nearly invented the iPhone over a decade before Apple did, and where many of the big movers in today’s tech industry cut their teeth is an excellent listen — Overcast.fm/…
    • If you prefer the same story as a movie, check out the film simply named General Magic: generalmagicthemovie.com/…
  • Another podcast recommendation from Bart – A fascinating interview with the open source advocate lawyer who helped save Ed Sheeran in a recent lawsuit. The music stuff is cool, but the AI stuff later in the interview literally changed my opinions on AI ingesting published works and Microsoft’s Copilot ingesting GitHub: [FLOSS Weekly 744: A Chill Pirate Lawyer – Damien Riehl, Open Source and Legal Rights](https://overcast.fm/+Zb8PCDMWw)
    • If you don’t believe there are only so many melodies, listen to Pachelbel Rant: youtu.be/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.
