Troy Hunt: Organizations Make Security Choices Tough for Users

The Have I Been Pwned founder took the virtual stage at Black Hat Asia to share stories about his work and industrywide challenges.

Data breach notification website Have I Been Pwned (HIBP) has processed more than 11 billion compromised records from breached websites and publicly accessible databases since it was launched in 2013, offering a window into attacks and security issues that put users' data at risk.

Founder and security expert Troy Hunt launched the site as a "fun little project" meant to index data breaches so people could search them, he said in a keynote at this week's virtual Black Hat Asia. HIBP started with 155 million records; years later, an "endless flow of data" from hundreds of breaches has brought stories and lessons on security incidents' underlying causes.

"What I've found particularly fascinating over the last seven-plus years is just the way this thing has grown and the places it's taken me," Hunt said. To underscore his point, he noted that the FBI, along with Dutch and German law enforcement, had begun sending data to HIBP to help notify victims of the Emotet botnet.

In many cases, the deluge of breaches fueling HIBP can be linked to organizations' poor security practices, as Hunt discussed in a series of examples. Some make it easy for attackers to strike.

Credit: Ascannio via Adobe Stock

"Time and time again, we're seeing infosec incidents happen because the fruit is so low-hanging," he said, recounting the 2015 attack on British telecom TalkTalk. The attack, first attributed to "Russian Islamic Cyber Jihadis" by an unknowing detective, was carried out by a 17-year-old with little experience or sophistication, yet it caused £77 million in damages (the equivalent today of approximately $107 million).

Some organizations leave databases exposed on the Internet, leaking personal information whose owners never knew it would be online. In 2016, a security researcher alerted Hunt to a publicly accessible database exposed by the Australian Red Cross Blood Service that contained data on some 550,000 donors. He had found the database while scanning IP addresses.

Hunt's information was in the database, though he had never digitally submitted it — he filled out a piece of paper one day when donating blood.

"I think the important lesson here is regardless of how hard you might try to avoid handing your data over in digital format, it's kind of all over the place anyway," he said, noting that some people recommend avoiding entering data into websites to keep their digital footprint small. A leak like this could expose "extremely personal sensitive data" that its owners wouldn't want publicized.

A common piece of security advice is to avoid suspicious-looking websites; however, businesses may look suspicious without realizing it. Hunt showed an email from Australia's ANZ bank that asked recipients to download and run an app; its link redirected to the URL c00.adobe.com. He believed the email to be fake; it turned out to be a legitimate message from the bank.

"The industry as a whole is also making it very difficult for people to make good security decisions," he said. A problem Hunt sees often is legitimate organizations sending legitimate communications that are indistinguishable from phishing attacks. It's tough for people to make decisions about security posture when an official company email could potentially be a phish.

Hunt's stories of security incidents touched on the history of, and the ubiquitous problems with, passwords, which "have become, for many security professionals, the bane of their existence." As passwords became predictable, organizations introduced complexity criteria mandating uppercase and lowercase letters, special characters, numbers, and character limits.

"Part of the problem is when we mandate arbitrary password complexity criteria like this, we inevitably find that people follow very predictable patterns, and we also find that people take shortcuts to memorizing the password," he added. Those shortcuts include writing passwords on Post-it notes or simply incrementing the last digit of the old password when prompted to change it every 90 days.
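Hunt's point suggests two checks a password-change endpoint can run that complexity rules cannot: reject a candidate already seen in breach corpora, and catch the "increment the last digit" rotation shortcut. The following Python is an added example written for this article, not code from Troy Hunt or Have I Been Pwned. It models the Pwned Passwords k-anonymity range lookup (only the first five hex characters of the candidate's SHA-1 leave the client, and the client matches the remaining 35 characters locally) against a constructed sample response so it runs offline; the sample counts, the `fetch_range` callback, and the helper names are assumptions for illustration.

```python
import hashlib
import re

# Constructed stand-in for the Pwned Passwords range endpoint
# (https://api.pwnedpasswords.com/range/<5-hex-char prefix>). The real service
# answers with one "SUFFIX:COUNT" line per matching SHA-1 suffix; the lines
# below are sample data made up for this example, not a real response.
SAMPLE_RANGE_RESPONSES = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F1B2B8E6A9C1B2F4A6D3E7C9B0A1F2E3D4:1\r\n"
    ),
}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; blank lines ignored."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range=None) -> int:
    """k-anonymity lookup: send only the 5-char prefix, match the suffix locally.

    fetch_range(prefix) -> response text. Defaults to the constructed sample
    so the example runs offline; a live deployment would do an HTTPS GET.
    """
    if fetch_range is None:
        fetch_range = lambda prefix: SAMPLE_RANGE_RESPONSES.get(prefix, "")
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Splits "Winter2020" into base "Winter" and trailing digits "2020".
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def is_incremented_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with its trailing number bumped by exactly one."""
    m_old = _TRAILING_DIGITS.match(old)
    m_new = _TRAILING_DIGITS.match(new)
    if not m_old or not m_new:
        return False
    base_old, digits_old = m_old.groups()
    base_new, digits_new = m_new.groups()
    return base_old == base_new and int(digits_new) == int(digits_old) + 1


def evaluate_new_password(new: str, previous: str = None, fetch_range=None):
    """Return (accepted, reasons). Both checks are independent of complexity rules."""
    reasons = []
    seen = pwned_count(new, fetch_range)
    if seen:
        reasons.append(f"appears {seen} times in breach corpora")
    if previous is not None and is_incremented_rotation(previous, new):
        reasons.append("only increments the previous password's trailing number")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(evaluate_new_password("password"))
    print(evaluate_new_password("Winter2021", previous="Winter2020"))
```

The rotation check needs the previous password in cleartext at change time, which is exactly when the user has just supplied it to authenticate; it must not be kept around afterwards.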

Now, Hunt said, more organizations are adopting multifactor authentication and user behavioral analytics to lessen their dependence on passwords.

Discovering Holes in Device Security
Another of Hunt's stories discussed the concerning security issues of the Australian TicTocTrack watch, a kids' GPS tracking watch that leaked its wearer's real-time location data to anyone and enabled anyone who called a target device to listen to its surroundings.

Hunt worked with Ken Munro of Pen Test Partners to research the devices. They found that someone could call a child's watch and, without any interaction from the wearer, the watch would automatically answer the call so the caller could listen. An API vulnerability in the watch could enable someone to learn a child's last location or change their location so it seems they are somewhere else. They could also delete the watch's real location, leaving no trace at all.

While the disclosure "wasn't the worst I've been involved in," it did take time to explain the vulnerabilities to the company, Hunt noted.

"Disclosure remains a really challenging issue in this industry," he said. "Doing it in a responsible fashion, which drives us toward a better security posture, this is the problem that we keep having."

To emphasize his point, Hunt used the example of a lockpicker with a popular YouTube account who found a vulnerability in a biometric padlock that simply fell apart when a screw on the side was removed. When he contacted the company behind the lock, the researcher was told "the lock was invincible to people who do not have a screwdriver."

"It perfectly illustrates the lack of understanding and responsible action taken by organizations building vulnerable things," Hunt said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
