Data breach notification website Have I Been Pwned (HIBP) has processed more than 11 billion compromised records from breached websites and publicly accessible databases since it was launched in 2013, offering a window into attacks and security issues that put users' data at risk.
Founder and security expert Troy Hunt launched the site as a "fun little project" meant to index data breaches so people could search them, he said in a keynote at this week's virtual Black Hat Asia. HIBP started with 155 million records; years later, an "endless flow of data" from hundreds of breaches has brought stories and lessons on security incidents' underlying causes.
"What I've found particularly fascinating over the last seven-plus years is just the way this thing has grown and the places it's taken me," Hunt said. To underscore his point, he noted the FBI, along with Dutch and German law enforcement, have begun sending data to HIBP to help notify victims of the Emotet botnet.
In many cases, the deluge of breaches fueling HIBP can be linked to organizations' poor security practices, as Hunt discussed in a series of examples. Some make it easy for attackers to strike.
Credit: Ascannio via Adobe Stock
"Time and time again, we're seeing infosec incidents happen because the fruit is so low-hanging," he said in a story of the 2015 attack on British telco firm TalkTalk. The attack – first attributed to "Russian Islamic Cyber Jihadis" by an unknowing detective – was conducted by a 17-year-old who had little experience or sophistication but caused £77 million in damages (the equivalent today of approximately $107 million).
Some organizations leave databases exposed on the Internet, leaking personal information its owners never knew would be online. In 2016, a security researcher alerted Hunt to a publicly accessible database exposed by the Australian Red Cross Blood Service that contained data of some 550,000 donors. He had found the database while scanning IP addresses.
Hunt's information was in the database, though he had never digitally submitted it – he filled out a piece of paper one day when donating blood.
"I think the important lesson here is regardless of how hard you might try to avoid handing your data over in digital format, it's kind of all over the place anyway," he says, noting some people recommend avoiding entering data in websites to keep their digital footprint small. A leak like this could expose "extremely personal sensitive data" that its owners wouldn't want publicized.
A common piece of security advice is to avoid suspicious-looking websites; however, businesses may act suspicious without realizing it. Hunt showed an email from Australia's ANZ bank, which asked recipients to download and run an app; it redirected to the URL c00.adobe.com. He believed the email to be fake; however, it turned out to be a legitimate message from the bank.
"The industry as a whole is also making it very difficult for people to make good security decisions," he said. A problem Hunt sees often is legitimate organizations sending legitimate communications that are indistinguishable from phishing attacks. It's tough for people to make decisions about security posture when an official company email could potentially be a phish.
Hunt's stories of security incidents touched on the history of – and ubiquitous problems with – the use of passwords, which "have become, for many security professionals, the bane of their existence." As passwords became predictable, organizations introduced complexity criteria that mandated uppercase and lowercase letters, special characters, numbers, character limits.
"Part of the problem is when we mandate arbitrary password complexity criteria like this, we inevitably find that people follow very predictable patterns, and we also find that people take shortcuts to memorizing the password," like writing them on Post-it notes or increasing the last digit – i.e., changing "[email protected]" to "[email protected]" when prompted every 90 days, he added.
Now, Hunt said, more organizations are adopting multifactor authentication and user behavioral analytics to lessen their dependence on passwords.
Discovering Holes in Device Security
Another of Hunt's stories discussed the concerning security issues of the Australian TicTocTrack watch, a kids' GPS tracking watch that leaked its wearer's real-time location data to anyone and enabled anyone who called a target device to listen to its surroundings.
Hunt worked with Ken Munro of Pen Test Partners to research the devices. They found that someone could call a child's watch and, without any interaction from the wearer, the watch would automatically answer the call so the caller could listen. An API vulnerability in the watch could enable someone to learn a child's last location or change their location so it seems they are somewhere else. They could also delete the watch's real location, leaving no trace at all.
While the disclosure "wasn't the worst I've been involved in," it did take time to explain the vulnerabilities to the company, Hunt noted.
"Disclosure remains a really challenging issue in this industry," he said. "Doing it in a responsible fashion, which drives us toward a better security posture, this is the problem that we keep having."
To emphasize his point, Hunt used the example of a lockpicker with a popular YouTube account who found a vulnerability in a biometric padlock that simply fell apart when a screw on the side was removed. When he contacted the company behind the lock, the researcher was told "the lock was invincible to people who do not have a screwdriver."
"It perfectly illustrates the lack of understanding and responsible action taken by organizations building vulnerable things," Hunt said.