Naked Security

Simple research tool detects 19 unknown data breaches


Every now and then researchers come up with a security insight so simple you wonder why nobody has noticed it before.

If there was an award for such discoveries, a contender for this year’s prize would surely be a data breach early warning tool called Tripwire, the work of engineers at the University of California San Diego (UCSD).

In real-world tests, not only did Tripwire detect a number of unknown or undisclosed breaches, the team believes it could be used to detect many breaches long before organisations realise they’ve happened or stolen data appears on the dark web.

Too good to be true? Not if you harness the power of inference.

As anyone who studies data breaches knows, the first thing cybercriminals do when they steal a credential dump and crack the password hashes is to try the recovered passwords on lots of other sites, particularly the email services that underpin people’s online identity.

For instance, passwords taken from breaching small sites will be used to attack larger and more valuable ones (Gmail, say) in the hope that users have re-used the same passwords.

As numerous incidents show, it’s a strategy criminals use to amplify the effect of almost every breach.

The team’s approach was to detect when re-use attacks were happening by creating multiple honeypot accounts on each of 2,302 different online organisations, each account tied to its own unique email address at an unnamed email provider who’d agreed to collaborate with them.

If a site’s honeypot account was breached, this would become apparent when the cybercriminals used the stolen credentials to log in to its accompanying email address; because each mailbox maps to exactly one site, the login also identifies which site was breached.

Which means:

This approach allows a wide array of Internet sites to be efficiently monitored for compromises and admits no false positives – presuming the email provider itself is not compromised.

The clever bit is it worked.

19 of the test sites were breached and passwords reused in the nine months to February 2017, including one at a “well-known American startup” with 45 million customer accounts.

Sixteen of these were unknown breaches, either because the organisation affected was keeping that fact secret or, very possibly, didn’t know it had been breached at all.

A further three, including the site with 45 million users, showed minor public indications of compromise, that had not been confirmed (one was eventually confirmed during the study period).

To account for some sites storing passwords more securely than others, the researchers registered honeypot accounts with an “easy” password (8-character, containing a dictionary word), and a “hard” one (10-character, alpha-numeric, mixed case).

This meant that if Tripwire subsequently detected a breach on a given site, it could infer something about how that site protected passwords: if only the easy-password account was abused, the site probably hashed passwords and the attacker cracked just the weak one; if the hard password was used too, the passwords were likely stored in plain text or in a reversible form.
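The two inference steps described above, mapping a login to a honeypot mailbox back to the site it belongs to, and reading the easy/hard password split as a hint about how that site stored passwords, can be reconstructed in a few dozen lines. The following is an added example, not the UCSD team’s code; the site names, mailbox addresses, log format and the researcher IP range are all constructed for the demonstration.

```python
"""Added example: the inference step of a Tripwire-style honeypot scheme.

Illustrative code, not the UCSD tool. Site names, mailbox addresses,
the log line format and the researcher IP address are constructed.
"""
import re
from dataclasses import dataclass, field

# Registry of honeypot accounts (hypothetical). Each mailbox is used for
# exactly one (site, password-strength) pair, so a login to that mailbox
# points at a single site and a single password.
REGISTRY = {
    "hp-a1@mailhost.example": ("wallpapers.example", "easy"),
    "hp-a2@mailhost.example": ("wallpapers.example", "hard"),
    "hp-b1@mailhost.example": ("torrents.example", "easy"),
    "hp-b2@mailhost.example": ("torrents.example", "hard"),
    "hp-c1@mailhost.example": ("classifieds.example", "easy"),
    "hp-c2@mailhost.example": ("classifieds.example", "hard"),
}

# Logins the researchers make themselves (assumption: from a known address)
# must be excluded, or the monitor would flag its own activity.
RESEARCHER_IPS = {"203.0.113.7"}

# Constructed sample of the email provider's authentication log.
SAMPLE_LOG = """\
2017-01-12T03:14:07Z LOGIN_OK user=hp-a1@mailhost.example ip=198.51.100.23
2017-01-12T03:14:09Z LOGIN_OK user=hp-a2@mailhost.example ip=198.51.100.23
2017-01-14T11:02:44Z LOGIN_FAIL user=hp-b2@mailhost.example ip=198.51.100.90
2017-01-20T22:41:10Z LOGIN_OK user=hp-b1@mailhost.example ip=192.0.2.55
2017-02-01T09:00:00Z LOGIN_OK user=hp-c1@mailhost.example ip=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass
class Detection:
    site: str
    first_seen: str
    strengths: set = field(default_factory=set)  # passwords the attacker used


def parse_logins(lines):
    """Yield (timestamp, user, ip) for successful logins only.

    Failed attempts prove nothing: the attacker may simply be guessing,
    and the scheme's no-false-positive property rests on a correct password
    being presented for a mailbox that was never used anywhere else.
    """
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["event"] == "LOGIN_OK":
            yield m["ts"], m["user"], m["ip"]


def detect_breaches(log_text, registry=REGISTRY, researcher_ips=RESEARCHER_IPS):
    """Map successful honeypot-mailbox logins back to the sites they expose."""
    found = {}
    for ts, user, ip in parse_logins(log_text.splitlines()):
        if user not in registry or ip in researcher_ips:
            continue
        site, strength = registry[user]
        found.setdefault(site, Detection(site, ts)).strengths.add(strength)
    return found


def storage_assessment(strengths):
    """Infer how the site probably stored passwords from which ones were usable."""
    if "hard" in strengths:
        return "plaintext or reversible (hard password was usable)"
    if "easy" in strengths:
        return "hashed but crackable (only the dictionary-word password was usable)"
    return "unknown"


def report(log_text):
    """Return one summary line per detected site, earliest detection first."""
    found = detect_breaches(log_text)
    return [
        f"{d.first_seen} {d.site}: {storage_assessment(d.strengths)}"
        for d in sorted(found.values(), key=lambda d: d.first_seen)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the constructed log, this flags wallpapers.example (both passwords used, so likely stored in the clear) and torrents.example (only the easy password used, so likely hashed but cracked), ignores the failed attempt, and ignores the researchers’ own login to the classifieds.example honeypot. The caveat from the paper still applies: the inference is only sound if the email provider itself has not been compromised and the honeypot mailboxes were never used for anything else.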

One criticism might be to question how representative the test sites (adult, classified, gaming, wallpapers, BitTorrent, etc.) are of the internet more widely.

Which misses the point – the fact a breached account is at a small, obscure online company matters not if the user reuses the same password to secure their Gmail, Yahoo or Facebook accounts.

How might attackers evade Tripwire?

Only by choosing not to try password reuse attacks on big email providers, or by targeting smaller numbers of accounts in the hope the honeypot account wasn’t among them.

But, as its creators acknowledge, Tripwire’s biggest hurdle might simply be convincing breached providers to take its evidence seriously.

Too many don’t care or don’t want to know about breaches, viewing it as a private concern. Until this changes, or governments enforce better behaviour, Tripwire could find itself with plenty of work ahead of it.


10 Comments

Snip>>>
Too many don’t care or don’t want to know about breaches…
<<<Snip
How sad a state we are in. With the internet being almost a ***necessity*** for everyone (What, you don't have a computer?) the internet should be as secure as your landline.
If companies are not up to the task of securing their client data, perhaps they should not be in business (or at least not on the web).


I mean, it’s true: detection isn’t really the hard part, it’s fixing the holes that no one wants or cares about (most of the time!).


> For instance, passwords taken from breaching small sites will be used to attack larger and more valuable ones (Gmail, say) in the hope that users have re-used the same passwords.

> the fact a breached account is at a small, obscure online company matters not if the user reuses the same password to secure their Gmail, Yahoo or Facebook accounts.

Trying to profit financially by tediously combing through someone’s emails (Gmail, Yahoo) or social media (Facebook) is not going to get anyone rich quickly. It would seem to be much more effective to try the cracked passwords on banks (CitiBank, Ally, BofA) and retail merchants (Amazon, eBay) to transfer funds or order pawnable merchandise. Curious as to why these weren’t considered.


Cracked email accounts are well worth combing through (something that can be automated for future incoming mails by using mail rules) if you’re a crook into whaling, a.k.a. business email compromise or BEC.

That’s where you use someone’s email account to trick their colleagues into sending huge sums of money to false bank accounts. By combing through the victim’s emails you learn how to sound just like the CFO or accountant, and you know enough about how the company works and the terminology it uses to be believable.

BEC crooks can afford the time to dig deep into email accounts – they’re probably aiming to scam 10 companies at a time for $100,000 each rather than taking $10 each off 100,000 victims.

Here’s a fascinating tale of BEC:

https://nakedsecurity.sophos.com/2016/10/21/why-you-should-be-cautious-of-emails-from-friends-or-colleagues/


A compromised email account or authentication provider (e.g. Facebook) is like a skeleton key.

If you have access to the mailbox used on another service’s account, you can use that for a password reset. This means you can access many more services, even if they used different passwords.

Signing in with Facebook is even better, since this essentially uses the same credentials to access many possible sites, avoiding the possible issue of the victim noticing the password reset notifications.


1. Laurence Marks you [mis-spelled slightly rude word redacted], the point is that this software lets you know if your network has been compromised. 2. Why weren’t Amazon, eBay, etc used in this initial test? It’s harder to create honeypot accounts on these sites than on “adult, classified, gaming, wallpapers, BitTorrent, etc.”.
