
Operations

5/6/2021
06:15 PM

Troy Hunt: Organizations Make Security Choices Tough for Users

The Have I Been Pwned founder took the virtual stage at Black Hat Asia to share stories about his work and industrywide challenges.

Data breach notification website Have I Been Pwned (HIBP) has processed more than 11 billion compromised records from breached websites and publicly accessible databases since it was launched in 2013, offering a window into attacks and security issues that put users' data at risk.

Founder and security expert Troy Hunt launched the site as a "fun little project" meant to index data breaches so people could search them, he said in a keynote at this week's virtual Black Hat Asia. HIBP started with 155 million records; years later, an "endless flow of data" from hundreds of breaches has brought stories and lessons on security incidents' underlying causes.

"What I've found particularly fascinating over the last seven-plus years is just the way this thing has grown and the places it's taken me," Hunt said. To underscore his point, he noted the FBI, along with Dutch and German law enforcement, have begun sending data to HIBP to help notify victims of the Emotet botnet.

In many cases, the deluge of breaches fueling HIBP can be linked to organizations' poor security practices, as Hunt discussed in a series of examples. Some make it easy for attackers to strike.

Credit: Ascannio via Adobe Stock

"Time and time again, we're seeing infosec incidents happen because the fruit is so low-hanging," he said, recounting the 2015 attack on British telecom firm TalkTalk. The attack — first attributed to "Russian Islamic Cyber Jihadis" by an unknowing detective — was carried out by a 17-year-old with little experience or sophistication, yet it caused £77 million in damages (the equivalent today of approximately $107 million).

Some organizations leave databases exposed on the Internet, leaking personal information its owners never knew would be online. In 2016, a security researcher alerted Hunt to a publicly accessible database exposed by the Australian Red Cross Blood Service that contained data of some 550,000 donors. He had found the database while scanning IP addresses.

Hunt's information was in the database, though he had never digitally submitted it — he filled out a piece of paper one day when donating blood.

"I think the important lesson here is regardless of how hard you might try to avoid handing your data over in digital format, it's kind of all over the place anyway," he said, noting that some people recommend avoiding entering data into websites to keep their digital footprint small. A leak like this could expose "extremely personal sensitive data" that its owners wouldn't want publicized.

A common piece of security advice is to avoid suspicious-looking websites; however, businesses may behave suspiciously without realizing it. Hunt showed an email from Australia's ANZ bank that asked recipients to download and run an app and redirected to the URL c00.adobe.com. He believed the email to be fake; however, it turned out to be a legitimate message from the bank.

"The industry as a whole is also making it very difficult for people to make good security decisions," he said. A problem Hunt sees often is legitimate organizations sending legitimate communications that are indistinguishable from phishing attacks. It's tough for people to make decisions about security posture when an official company email could potentially be a phish.

Hunt's stories of security incidents touched on the history of — and ubiquitous problems with — the use of passwords, which "have become, for many security professionals, the bane of their existence." As passwords became predictable, organizations introduced complexity criteria that mandated uppercase and lowercase letters, special characters, numbers, and character limits.

"Part of the problem is when we mandate arbitrary password complexity criteria like this, we inevitably find that people follow very predictable patterns, and we also find that people take shortcuts to memorizing the password," like writing them on Post-it notes or increasing the last digit – i.e., changing "[email protected]" to "[email protected]" when prompted every 90 days, he added.

Now, Hunt said, more organizations are adopting multifactor authentication and user behavioral analytics to lessen their dependence on passwords.
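The two shortcuts Hunt describes above, rotating the trailing digit at each forced change and reusing passwords that already appear in breach data, are both detectable at the point where a new password is set. The following example is added here for illustration and is not code from Hunt's talk or from Have I Been Pwned. It implements a rotation check and a breached-password lookup in the k-anonymity style of HIBP's real Pwned Passwords range endpoint (the client sends only the first five hex characters of the password's SHA-1 and compares suffixes locally). The breach corpus, its hit counts and the `range_response` function are constructed stand-ins so the block runs offline; a real deployment would query the service instead.

```python
"""Added example: defender-side checks for two predictable password habits.

Assumptions: the breach corpus below is constructed sample data, and
range_response() is a local stand-in for the HIBP Pwned Passwords
/range/{prefix} response format (SUFFIX:COUNT lines). No network calls.
"""
import hashlib
import re

# Constructed sample of breached passwords with hit counts (not real HIBP data).
_CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_861_493,
    "Summer2021!": 1_204,
    "Welcome1": 57_320,
}


def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords range model uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Stand-in for the /range/{prefix} reply: every corpus hash that starts
    with the 5-character prefix, returned as 'SUFFIX:COUNT' lines."""
    prefix = prefix.upper()
    lines = []
    for pw, count in _CONSTRUCTED_BREACH_CORPUS.items():
        h = _sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str) -> int:
    """Client side of the k-anonymity lookup: only the 5-char prefix is sent;
    the full hash never leaves the caller. Returns 0 when not found."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_response(prefix).splitlines():
        if not line:
            continue
        sfx, count = line.split(":")
        if sfx == suffix:
            return int(count)
    return 0


# stem, last run of digits, optional trailing non-digits (e.g. "Summer", "2021", "!")
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)([^\d]*)$")


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only its trailing number
    changed (Welcome1 -> Welcome2, Summer2021! -> Summer2022!), the 90-day
    shortcut Hunt describes. The stem comparison is case-insensitive."""
    m_old, m_new = _TRAILING_NUMBER.match(old), _TRAILING_NUMBER.match(new)
    if not (m_old and m_new) or old == new:
        return False
    same_stem = m_old.group(1).lower() == m_new.group(1).lower()
    same_tail = m_old.group(3) == m_new.group(3)
    return same_stem and same_tail


def evaluate_change(old: str, new: str) -> list[str]:
    """Policy findings for a proposed change; an empty list means accept."""
    findings = []
    if new == old:
        findings.append("unchanged")
    elif is_trivial_rotation(old, new):
        findings.append("trivial-rotation")
    hits = breach_count(new)
    if hits:
        findings.append(f"breached:{hits}")
    return findings


if __name__ == "__main__":
    for old, new in [("Welcome1", "Welcome2"), ("Welcome1", "password"),
                     ("Summer2021!", "Summer2022!"), ("Welcome1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new) or 'accept'}")
```

The rotation check only needs the previous password if the old hash is verified against the candidate's stem variants; in practice it is run in the same request that already holds the old password for re-authentication, so nothing extra needs to be stored.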

Discovering Holes in Device Security
Another of Hunt's stories covered the security issues of the Australian TicTocTrack watch, a kids' GPS tracking watch that leaked its wearer's real-time location data to anyone and let anyone who called a target device listen to its surroundings.

Hunt worked with Ken Munro of Pen Test Partners to research the devices. They found that someone could call a child's watch and, without any interaction from the wearer, the watch would automatically answer the call so the caller could listen. An API vulnerability in the watch could enable someone to learn a child's last location or change their location so it seems they are somewhere else. They could also delete the watch's real location, leaving no trace at all.

While the disclosure "wasn't the worst I've been involved in," it did take time to explain the vulnerabilities to the company, Hunt noted.

"Disclosure remains a really challenging issue in this industry," he said. "Doing it in a responsible fashion, which drives us toward a better security posture, this is the problem that we keep having."

To emphasize his point, Hunt used the example of a lockpicker with a popular YouTube account who found a vulnerability in a biometric padlock that simply fell apart when a screw on the side was removed. When he contacted the company behind the lock, the researcher was told "the lock was invincible to people who do not have a screwdriver."

"It perfectly illustrates the lack of understanding and responsible action taken by organizations building vulnerable things," Hunt said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...