Troy Hunt: Organizations Make Security Choices Tough for Users

Published: 23/11/2024   Category: security

The Have I Been Pwned founder took the virtual stage at Black Hat Asia to share stories about his work and industrywide challenges.

Data breach notification website Have I Been Pwned (HIBP) has processed more than 11 billion compromised records from breached websites and publicly accessible databases since it launched in 2013, offering a window into the attacks and security failures that put users' data at risk.
Founder and security expert Troy Hunt launched the site as "a fun little project" meant to index data breaches so people could search them, he said in a keynote at this week's virtual Black Hat Asia. HIBP started with 155 million records; years later, an endless flow of data from hundreds of breaches has brought stories and lessons about the underlying causes of security incidents.
"What I've found particularly fascinating over the last seven-plus years is just the way this thing has grown and the places it's taken me," Hunt said. To underscore his point, he noted that the FBI, along with Dutch and German law enforcement, has begun sending data to HIBP to help notify victims of the Emotet botnet.
In many cases, the deluge of breaches fueling HIBP can be traced to organizations' poor security practices, as Hunt showed in a series of examples. Some make it easy for attackers to strike.
"Time and time again, we're seeing infosec incidents happen because the fruit is so low-hanging," he said, recounting the 2015 attack on British telco TalkTalk. The attack, first attributed to "Russian Islamic Cyber Jihadis" by an unknowing detective, was carried out by a 17-year-old with little experience or sophistication, yet it caused £77 million in damages (roughly $107 million today).
Some organizations leave databases exposed on the Internet, leaking personal information whose owners never knew it was online. In 2016, a security researcher alerted Hunt to a publicly accessible database exposed by the Australian Red Cross Blood Service that contained the data of some 550,000 donors. The researcher had found the database while scanning IP addresses.
Hunt's own information was in the database, though he had never submitted it digitally; he had filled out a paper form one day when donating blood.
"I think the important lesson here is regardless of how hard you might try to avoid handing your data over in digital format, it's kind of all over the place anyway," he said, noting that some people recommend avoiding entering data into websites to keep their digital footprint small. A leak like this can expose extremely sensitive personal data that its owners would not want publicized.
A common piece of security advice is to avoid suspicious-looking websites; however, businesses may behave suspiciously without realizing it. Hunt showed an email from Australia's ANZ bank that asked recipients to download and run an app; the link redirected to the URL c00.adobe.com. He believed the email to be fake, but it turned out to be a legitimate message from the bank.
The industry as a whole is also making it very difficult for people to make good security decisions, he said. A problem Hunt sees often is legitimate organizations sending legitimate communications that are indistinguishable from phishing attacks. It's tough for people to make decisions about their security posture when an official company email could plausibly be a phish.
Hunt's stories of security incidents touched on the history of, and the ubiquitous problems with, passwords, which for many security professionals have become the bane of their existence. As passwords became predictable, organizations introduced complexity criteria that mandated uppercase and lowercase letters, special characters, numbers, and length requirements.
"Part of the problem is when we mandate arbitrary password complexity criteria like this, we inevitably find that people follow very predictable patterns, and we also find that people take shortcuts to memorizing the password, like writing them on Post-it notes or increasing the last digit – i.e., changing P@ssword1 to P@ssword2 when prompted every 90 days," he added.
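As an added example (not code from Hunt's talk or from HIBP), the following Python contrasts a classic complexity policy with the two checks that actually catch the behaviour Hunt describes: a breach-corpus lookup by SHA-1 (the way breached-password sets are commonly distributed) and a canonicalisation step that collapses case, common leet substitutions and a trailing digit/symbol run, so that P@ssword2 is recognised as a trivial variant of P@ssword1. The breach list, password samples and function names are constructed for this demonstration and are assumptions, not HIBP data.

```python
"""Arbitrary complexity rules versus breach-aware, variant-aware checks.

Added example for illustration; the breach corpus below is a constructed
stand-in, not Have I Been Pwned data.
"""
import hashlib
import re

# Constructed sample breach corpus, stored as upper-case hex SHA-1 digests
# (the form in which breached-password sets are commonly published).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "P@ssword1", "Summer2023!", "letmein"]
}

# Reverse the leet substitutions people use to satisfy "special character"
# and "digit" rules without changing the underlying word.
LEET = str.maketrans("@$!0134", "asiolea")


def meets_complexity(pw: str) -> bool:
    """The classic policy: 8+ chars, upper, lower, digit, special.

    'P@ssword1' passes; a long passphrase with no capital fails.
    """
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ])


def canonical(pw: str) -> str:
    """Collapse predictable mangling to the base word.

    Lower-case, strip a trailing run of digits/symbols (the '90-day
    increment'), then undo leet substitutions: 'P@ssword2' -> 'password'.
    Order matters: stripping happens before leet reversal so a trailing
    '1' is treated as a counter, not as the letter 'l'.
    """
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def is_trivial_variant(new: str, previous: str) -> bool:
    """True when the new password is the old one with cosmetic changes."""
    return new == previous or canonical(new) == canonical(previous)


def is_breached(pw: str) -> bool:
    """Exact-match lookup of the SHA-1 digest in the (constructed) corpus."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def evaluate(pw: str, previous: str = "") -> dict:
    """Return the verdict of the rule-based policy next to the evidence-based one."""
    reasons = []
    if is_breached(pw):
        reasons.append("appears in breach corpus")
    if previous and is_trivial_variant(pw, previous):
        reasons.append("trivial variant of previous password")
    return {
        "complexity_ok": meets_complexity(pw),
        "accepted": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The 90-day rotation Hunt describes: both pass complexity, neither is safe.
    for candidate, prev in [("P@ssword1", ""), ("P@ssword2", "P@ssword1"),
                            ("correct horse battery staple", "P@ssword2")]:
        print(f"{candidate!r:35} {evaluate(candidate, prev)}")
```

The passphrase in the last line fails the complexity policy yet is accepted by the evidence-based check, while both P@ssword variants pass complexity and are rejected; that inversion is the practical cost of mandating character classes instead of checking against what attackers already hold.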
Now, Hunt said, more organizations are adopting multifactor authentication and user behavioral analytics to lessen their dependence on passwords.
Discovering Holes in Device Security
Another of Hunt's stories covered the security issues of the Australian TicTocTrack watch, a kids' GPS tracking watch that leaked its wearer's real-time location to anyone and let anyone who called a target device listen to its surroundings.
Hunt worked with Ken Munro of Pen Test Partners to research the devices. They found that someone could call a child's watch and, without any interaction from the wearer, the watch would automatically answer so the caller could listen in. An API vulnerability in the watch's service could let someone learn a child's last known location or alter it so the child appeared to be somewhere else. They could also delete the watch's real location, leaving no trace at all.
"While the disclosure wasn't the worst I've been involved in, it did take time to explain the vulnerabilities to the company," Hunt noted.
"Disclosure remains a really challenging issue in this industry," he said. "Doing it in a responsible fashion, which drives us toward a better security posture, this is the problem that we keep having."
To emphasize his point, Hunt cited a lockpicker with a popular YouTube channel who found a vulnerability in a biometric padlock: it simply fell apart when a screw on the side was removed. When he contacted the company behind the lock, the researcher was told the lock was invincible to people who do not have a screwdriver.
"It perfectly illustrates the lack of understanding and responsible action taken by organizations building vulnerable things," Hunt said.
