WHY THIS MATTERS IN BRIEF
Many of your online accounts have likely already been compromised, but very few companies own up to the fact, putting you and your data at risk. Now a bot can tell you which companies have been hacked – even if they don’t want you to know.
2017 was always going to be a year in which cyber attacks made the front pages, and a year in which the attacks would be bigger and bolder than in the years gone by, because that’s going to be the trend, arguably, forever from here on in. The same can be said for 2018, especially as we start seeing the emergence of new Artificial Intelligence “autonomous” Robo-Hackers and new AI fuelled cyber attacks. This year the Equifax hack that affected 146 million US consumers was only raised in conversation months after the attack took place, and elsewhere Uber grudgingly admitted that it had paid hackers $100,000 to conceal a data breach that affected over 34 million of its customers, and they’re far from being alone.
Remember Yahoo’s spectacular, world record-breaking breach that affected over a billion users and took a couple of years for them to announce and admit to? And here’s the problem. You trust companies with your credit card details, social security numbers, other data, login and password details, and if there’s a breach, because of a lack of proper regulatory oversight, many companies never report it, and, more importantly and potentially unforgivably, never tell you about it. That means that in the event of a breach criminals can make off with your details, use them to hack into your other accounts, rip off your identity and max out your credit cards. Thanks guys, remind me to strike you off the Christmas card list.
The real victim in all this? You. And let’s face it, companies are never going to want to ‘fess up to having their cyber defences breached and their information stolen, so are you in a lose-lose situation here? Well, as it turns out, no, and you have the researchers at the University of California San Diego (UCSD) to thank, because they’ve found a way to figure out if a company’s data has been hacked even if the company never admits to it, or, get this, even if it doesn’t know it’s been hacked. I love a White Knight story.
In order to pull off what many people would think to be a minor miracle, the researchers created a bot called “Tripwire” that automatically registered accounts on thousands of websites. Each account was registered with its own unique E-Mail address, and the website account and that E-Mail mailbox shared the same password.
Working with a “major E-Mail provider,” the researchers were then notified if there was a successful login on any of the E-Mail accounts, and since the accounts were only created for the study, any login was assumed to be the result of a security breach on the website associated with that account.
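The detection logic described above, written out as an added example in Python; this is not the UCSD team’s code, and the site names, E-Mail addresses and login events are constructed for the demonstration. The page says the bot found both plaintext and hashed password breaches, so the example goes one step further than the text and assumes each site gets two honey accounts, one with a deliberately weak password and one with a strong one: a login on the strong-password mailbox means the password itself was readable by the attacker, while a login on only the weak one is consistent with a hash leak. That two-tier design is an assumption of this example, not something the article states.

```python
"""
Honey-account breach detection in the style of Tripwire (added example, not
the UCSD code). Assumption: every E-Mail address below exists only for this
study, so any *successful* login to such a mailbox is evidence that the
website it was registered on leaked its credential store.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class HoneyAccount:
    site: str        # website the account was registered on
    email: str       # unique to this site, never reused anywhere else
    strength: str    # "weak" or "strong" password tier (assumed design)


@dataclass
class SiteVerdict:
    site: str
    triggered: Set[str] = field(default_factory=set)  # tiers that saw a login
    first_seen: Optional[str] = None

    @property
    def breached(self) -> bool:
        return bool(self.triggered)

    @property
    def password_storage(self) -> str:
        # Assumed inference: a login on the strong-password mailbox means the
        # attacker had the password itself; only the weak one means hashes
        # leaked and the weak one was recovered offline.
        if "strong" in self.triggered:
            return "plaintext"
        if "weak" in self.triggered:
            return "hashed"
        return "none"


class Tripwire:
    def __init__(self, accounts: List[HoneyAccount]):
        self.by_email: Dict[str, HoneyAccount] = {a.email: a for a in accounts}
        self.verdicts: Dict[str, SiteVerdict] = {
            a.site: SiteVerdict(a.site) for a in accounts
        }

    def ingest(self, event: dict) -> Optional[SiteVerdict]:
        """One login notification from the mail provider. Failed attempts say
        nothing about the site (anyone can guess at a mailbox), so only
        successful logins count; mailboxes we did not create are ignored."""
        if not event.get("success"):
            return None
        acct = self.by_email.get(event.get("email", ""))
        if acct is None:
            return None
        verdict = self.verdicts[acct.site]
        verdict.triggered.add(acct.strength)
        if verdict.first_seen is None:
            verdict.first_seen = event["ts"]
        return verdict

    def breached_sites(self) -> List[SiteVerdict]:
        return sorted(
            (v for v in self.verdicts.values() if v.breached), key=lambda v: v.site
        )


# Constructed registry: two honey accounts per monitored site.
ACCOUNTS = [
    HoneyAccount("shop.example", "hx1-weak@honey.example", "weak"),
    HoneyAccount("shop.example", "hx1-strong@honey.example", "strong"),
    HoneyAccount("forum.example", "hx2-weak@honey.example", "weak"),
    HoneyAccount("forum.example", "hx2-strong@honey.example", "strong"),
    HoneyAccount("game.example", "hx3-weak@honey.example", "weak"),
    HoneyAccount("game.example", "hx3-strong@honey.example", "strong"),
]

# Constructed login notifications (JSON lines) as the mail provider might send.
EVENTS = """
{"ts": "2016-03-02T11:04:00Z", "email": "hx1-weak@honey.example", "success": true}
{"ts": "2016-03-02T11:05:10Z", "email": "hx1-strong@honey.example", "success": true}
{"ts": "2016-07-19T02:31:44Z", "email": "hx2-weak@honey.example", "success": true}
{"ts": "2016-07-19T02:32:01Z", "email": "hx2-strong@honey.example", "success": false}
{"ts": "2016-09-01T08:00:00Z", "email": "hx3-weak@honey.example", "success": false}
{"ts": "2016-09-01T08:00:05Z", "email": "someone-else@honey.example", "success": true}
""".strip()


def run_demo() -> Dict[str, str]:
    """Feed the constructed events through and return site -> storage verdict
    for every site that was flagged as breached."""
    tw = Tripwire(ACCOUNTS)
    for line in EVENTS.splitlines():
        tw.ingest(json.loads(line))
    return {v.site: v.password_storage for v in tw.breached_sites()}


if __name__ == "__main__":
    for site, storage in run_demo().items():
        print(f"{site}: breached ({storage} password leak)")
```

Everything the bot concludes rests on one property: the honey mailboxes are never used for anything but registration, so there is no legitimate login to confuse with an attacker’s. That is why the method produces no false positives, and also why it misses breaches where the stolen credentials are never tried against the mailbox.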
“While Tripwire can’t catch every data breach, it essentially has no false positives, everything it detects definitely corresponds to a data breach,” said Joe DeBlasio, a Ph.D. student at the Jacobs School of Engineering at UCSD and an author on the research paper. “Tripwire triggering means that an attacker had access to data that wasn’t shared publicly.”
As part of the study, the researchers monitored over 2,300 sites from January 2015 through February of this year, and found that 19 of the sites, or one percent, had been compromised. The study notes that the system found “both plain text and hashed password breaches”; if your password is hashed, it is indecipherable to a hacker. Arguably the most damning finding of the study was that, at the time it was published, all but one of the compromised websites had failed to notify their users that they’d suffered a breach, and only one site told the researchers it would force a password reset.
“The very clever and novel approach by UCSD researchers shows that such attacks may be occurring on a wider scale than previously known, and even worse, that the enterprises being breached may not even be aware of the intrusions,” said computer security firm UpGuard CEO and Co-Founder Mike Baukes.
While the researchers are unwilling to disclose the names of the websites, with the exception of bitcointalk.org, which publicly disclosed its breach in 2015, they did include some information about the nature of them in the study.
They note “the most popular site compromised is a well known American start up with more than 45 million active customers as of the quarter they were compromised,” and according to the study, several people have griped about the breach on social media. The researchers note that they could find only one publication that covered the breach, which the company denied.
Other sites included a “large gaming services company known within online gaming communities,” “a top 500 site in India” that reportedly has millions of app downloads as well as over 60 million site visits a month, a porn site in Germany, and “a company with a large portfolio of travel recommendation websites” that reportedly has 40 million monthly views across its sites.
The researchers also reached out to all of the websites they found had been compromised, excluding the one that had already been publicized.
“We disclosed our identities, methodology, and findings, and engaged with each site to the extent that they were willing,” said the researchers, but only six of the sites responded, one confirmed there was a breach that they had already known about, and some “acknowledged that security was not their highest priority.”
Baukes went on to say that “password reuse attacks are a majorly overlooked vector for serious cybercrime, and can be as damaging as more vaunted methods of assault,” pointing to the 2012 Dropbox hack where the details of more than 60 million user accounts were leaked on the Dark Web. The hacker was able to reuse an employee’s password from a LinkedIn breach to obtain information from the Dropbox network.
Baukes said that the UCSD researchers’ system “is a welcome addition to the security community’s toolbelt and if adopted by independent organizations, could greatly enhance the accuracy and validity of data breaches detected in this manner.”
Today companies do their best to chase us for our business while hoovering up as much data as they can about us, but as we’ve seen all too often, many have little to no regard for our welfare or for the downstream consequences we suffer when our information is stolen. So it’s about time we had an independent tool that could fight our corner and call out those organisations that are all too happy to play Russian Roulette with our lives and livelihoods, and that’s why I for one would love to see the researchers at UCSD publish a “Name and Shame” list.
Score one for the little guys.