Cybersecurity remains a trending topic in the channel, given the number of high-profile data breaches in the past year and the introduction of legislation in Australia and the European Union to address them.
At the CRN Pipeline conferences in Melbourne and Sydney, cybersecurity expert Troy Hunt discussed his experiences with data breaches as the founder of Have I Been Pwned?, a website that tracks whether your email address has been exposed in any data breaches.
“We have a lot of data breaches, as you all know. Very often these breaches result in a lot of data being spread out there into the public space — for example Dropbox, LinkedIn and Ashley Madison,” Hunt said.
“These data breaches happen very frequently, the data is leaked publicly. And what Have I Been Pwned? does is it aggregates these data breaches and it makes them searchable.”
Users can enter their email addresses into the website to search through more than five billion records of breached email addresses. He said more than 100,000 people a day used the service, with some two million people subscribed for notifications in case they appear in another breach.
People still use the same password for everything
The Have I Been Pwned? website also has a passwords feature, where users can check if their password has been exposed as part of a breach.
Hunt shared a few instances of breaches involving passwords stored in plain text instead of more secure methods such as cryptographic hashing.
Lifeboat and Leet, both providers of servers for the popular video game Minecraft, saw a combined 13 million records breached with the users’ passwords exposed. Cash-for-survey site CashCrate also stored about 2.2 million passwords in a plain text file.
“People reuse the same passwords over and over and over again. And it doesn’t matter whether it’s your bank or your email or your social media or a gaming server, they’re going to use the same passwords,” he said.
“When hackers get this sort of data, they want to exploit it immediately. They’re not going to sit and wait around.”
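The two practices this section touches on, checking a password against breach data and storing it hashed rather than in plain text, as an added example that is not code from the article or from Have I Been Pwned. The lookup is modelled on the Pwned Passwords range query (client sends only the first five hex characters of the password's SHA-1); the range data, the suffixes other than the one for "password", and their counts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a Pwned Passwords "range" response. Keys are 5-char
# SHA-1 prefixes; each line is "HASH_SUFFIX:COUNT". Only the first suffix is
# real (SHA-1 of "password"); the other suffixes and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"   # "password"
        "0D1B3F5A7C9E2B4D6F8A0C2E4B6D8F0A2C4:2\n"          # constructed
        "FFAB12CD34EF56AB78CD90EF12AB34CD56E:17\n"         # constructed
    ),
}

def lookup_range(prefix: str) -> str:
    """Offline stand-in for the network call; returns the range text or ''."""
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password: str, fetch=lookup_range) -> int:
    """How many times the password appeared in breach corpora (0 = not seen).
    Only the 5-char prefix leaves the client; the match is done locally, so
    neither the password nor its full hash is disclosed by the check."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def store_password(password: str, iterations: int = 600_000) -> str:
    """The hashed alternative to the plain-text storage in the article: a
    per-user random salt and a slow, iterated hash instead of the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("'password' seen", breach_count("password"), "times in sample data")
    record = store_password("password")
    print(record, verify_password("password", record))
```

A real deployment would swap `lookup_range` for an HTTPS request to the range endpoint and reject or flag any password whose count is non-zero at registration or login.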
The stereotypes are wrong
Hunt discussed how the media often portrays hackers with hoodies, green text on screens and a lot of binary. “Hackers love binary,” he joked.
He added that such representations were often far from the reality. When looking at the actual hackers and data breaches, the demographic “gets interesting”.
One example was a 2015 data breach of UK telco TalkTalk, which reportedly cost the company £42 million.
The person behind it was a 17-year-old boy who found the telco’s vulnerability through the use of free software, contrary to a statement from a detective who blamed “Russian Islamic cyber jihadis”.
Data is just stored carelessly
During the Red Cross Blood Service data breach in 2016, someone approached Hunt on Twitter offering data for Have I Been Pwned?. As he got hold of the 1.3 billion records, what stood out was that it had information on blood type, in addition to the typical name and email address records.
“I’m not sure why I feel uncomfortable about our blood types having been leaked,” Hunt said. “What does an attacker do once they know my blood type? I’ve got no idea, but it feels very personal to me.”
The infosec professional and the mystery man from Twitter both ended up deleting their copies of the records, and they did not make it to Have I Been Pwned’s database. Hunt explained that the original data was backed up and just sitting in an SQL file hosted on the Red Cross website.
“We later learned a partner of the Red Cross had backed the data up, and after migrating into another server, they didn’t think anyone would find it,” Hunt said.
“That partner is called Precedent, which recently went bankrupt. I don’t know how much of it is related to this or not, but there’s just a little bit of me that’s kind of like, ‘Yeah, you really needed some serious retribution as a result of this’.”
Hunt recounted a similar incident with recruiting firm Michael Page, involving tens of gigabytes of data lost by IT services giant Capgemini.
“So even the scale of the organisation doesn’t seem to matter. Trivial mistakes like this happen again and again.”
The right way to respond to breaches
After the data from the Red Cross breach was reported to him, Hunt approached AusCERT, a cyber emergency response team based at the University of Queensland, which also happened to have the Red Cross as a customer.
“It took 72 hours from the time I first got the data and contacted AusCERT to when they had the CEO making press releases, SMSes going out, emails going out,” Hunt said.
He pointed out that this was less than 10 percent of the time allowed under the Notifiable Data Breaches (NDB) scheme to notify the Office of the Australian Information Commissioner (OAIC).
“Their communication was enormously good. They were very, very clear about it. Here’s what happened, here’s what we know.”
In comparison, the Michael Page disclosure involved “a lot of lawyers sitting around” trying to figure out how to spin it.
“You know when you get these data breach notifications and it’s like, ‘Well your credit cards are okay, and nothing else really mattered. It’s all alright. It’s nothing too sensitive’,” Hunt added. “And people are going, ‘Well this is my personal data. I’m not happy about this’.”
The future of breaches is frighteningly personal
Moving on from traditional systems, Hunt also talked about the internet of things and how those devices need to be secured as they become more ubiquitous.
He talked about a recent trip to Japan and his experience with the high-tech toilets there.
“One of the things they have is this smart toilet, with a companion app so that you can Bluetooth to the toilet,” Hunt said.
“And you’re probably thinking why? Why would you want to connect your phone to your toilet?”
He added that we may have to prepare for the fact that the connected toilet is going to have data breaches and we would potentially have to deal with “a new level of horror that we have never had before”.