
Lessons from 220 Million Breached Records

Formal Metadata

Title
Lessons from 220 Million Breached Records
Number of Parts
6
License
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Content Metadata

Abstract
We can learn a huge amount about security by reviewing the failures of those who have come before us. In maintaining the data breach notification service "Have I been pwned?", I've dealt with literally hundreds of millions of breached records over time and have seen some fascinating things. In this talk we'll look at the patterns organisations who suffered data breaches were using, the types of data that were exposed and the things they could have done to protect themselves from malicious actors.
Transcript: English (auto-generated)
You know, I'm gonna start my presentation without the screen, because otherwise we might be waiting here for quite a while. So let us have a look at this. What I'm going to talk about today is: I run this service called Have I Been Pwned. Does anyone use Have I Been Pwned? Who's used it? Keep your hand up if you're in the data breaches. All right, just the security guy. Oh, one other guy. What are you guys in, which ones? Adobe, Adobe. Who was in Ashley Madison? That's exactly what you say when your significant other says, "Were you in Ashley Madison, darling?" "No. Ashley what?"

So I was in Adobe. Originally I was in Patreon. So Patreon, for crowdfunding for fledgling artists: I was supporting a guy who does a podcast about security where he talks about data breaches, and he asked me to sign up to Patreon in order to give him like five dollars a month. And then Patreon got hacked, which he got to talk about on the show, because it all kind of went around. So I was in that. I was in 000webhost as well. They had 13 million accounts which were leaked in about November, 13 million accounts with plain text passwords as well, which wasn't a real good look.

But what's really interesting is a few months ago I realized, as I was sort of going through and getting these data breaches and loading them into the system, that I was seeing some really, really interesting things, really interesting discussions with everything from the organizations getting breached to the people trading the data, to the hackers actually hacking into the system, and even to authorities. Oh, we're getting somewhere. So while it warms up... Even having some interesting discussions with the likes of the FBI. And I thought, let's make a really good talk, because there's a lot of stuff that happens behind the scenes which people don't normally get to see, and now I can actually show you what those discussions look like, which is good.

Now if you are interested in doing the Slido thing, that's what you need. So slido.com, I think there's an app, and you need that number, 1853, and if you use that then you can ask questions that are related specifically to this event, which will work well.
So now, getting into the original intention of the talk. This is what I called it, and this was some months ago, and I thought, wow, 220 million, like, this is a lot. I'll do a talk and I'll call it "What I learned from 220 million breach records". And then while I was preparing the talk I had to change the name of it, because everything changed again, and suddenly it wasn't 220 million, it was 235 million. So, okay, change the name of the talk. And then a little bit more time went by and I had to change the name of the talk again, and it was getting so many I went, I can't put an exact number on it, we'll just say a quarter of a billion. And I think now it's actually 269 million.

I did this talk in London last week as well, and since then there's about another 10 million results in there. So every time I go to do this talk the thing changes, but I think that's sort of kind of the point as well, right? Everything is moving ahead really quickly. So this is the system I mentioned, Have I Been Pwned. That's out of date; there's two more data breaches now with about another 10 million odd records in there.
And if you haven't seen it before, it's very simple. Data gets hacked. It gets published publicly, usually by the hackers. I download it from publicly available locations and I make it searchable, so you can go through and say, where has my account been exposed? Which is kind of neat, because then you see all the different places your information gets leaked. If it's a really sensitive data breach, like Ashley Madison or Adult FriendFinder, then I make sure that you only get to find out if you're in there if you can receive an email confirmation. So you can't go and search for your significant other, your co-workers, your boss. Although there are other companies that encourage you to do that, and that's one of the things I'm going to show you today.

So one of the things that's interesting when we talk about data breaches is the perception of hackers. We get a lot of feedback by the media about what hackers are like. It's kind of curious: you can learn a lot from Google if you go to Google Images and you search for "hacker".
Now this is curious, because there's a trend here, right? So hackers, and you see this on like every single newspaper, every single website that talks about hackers: what we know of hackers is they have hoodies, they have Guy Fawkes masks, they work a lot in binary as well, curious fact. There's also a lot of green. And then some news stories sort of put all those things together and they go, this is a hacker: it's a Guy Fawkes mask with a hoodie with binary, and this is like sort of the ultimate personification of what the hacker is.

Now we also see a lot of stuff about hackers in promotional material. So a lot of companies are making a lot of money out of the fact we get hacked, and they want to make, I guess they want to make people kind of scared. So they do stuff like this. This is a Kickstarter for a little application, a little device actually, called Cujo, and here's what they do in their adverts: "You may not know it, but you've probably already been hacked. Thousands of hacking attacks occur each day." Sounds scary, doesn't it? Listen to the music. You may not know it, you've already been hacked. And he's got a hoodie, because he's a hacker. But here's the interesting thing, right? Like, have a look at what he's typing into. This is a zoomed-in bit. This is not a terminal. This is a browser. He's hacking in the browser, and I want to show you how you can impress your friends and colleagues about how you hack in the browser. What you do is you go over to hackertyper.net, okay, and what you also got to do is press F11 to put it in full screen, because then it looks pretty serious. And then this is how you hack.

This is real. You get Hacker Typer, and you just hit keys and it does this. I zoomed in on the code block, and it is from Hacker Typer. They are selling their device on the premise that a hacker is... you can hack a typer to hack. Anyway, there are all sorts of websites that do exactly this, and all sorts of news articles and things that basically prey on the fear of people by using resources such as Hacker Typer, basically just to scare people, which is kind of sucky. Now this is the reality of it, right? So this is the reality of who the hackers are.
This is Jake Davis. He was 19 in that photo. He was part of LulzSec in 2011, going around hacking lots of things. Look at his mum. How do you think his mum feels? They're in court, right? It's like a death stare. He's so grounded. He's really grounded. But he did a lot of damage. He's a 19-year-old kid. Another kid, same sort of deal, also in court, also with his mum. His mum doesn't look real happy either, but this is what happens, right? It's these kids going around breaking into things and clearly making their mothers very, very upset. And the interesting thing about this is this is what hackers are normally like.
This is Anonymous, right? This is kind of the sophistication level of the people that are breaking into these systems, and we kind of lose track of this a little bit when we see the media and we see the scary hoodies and things, including when we see the bravado. The two kids in the previous shots were very much talking about how powerful they were, how unbeatable they were, how they could break into anything. You know, very, very bravado sort of behaviour, and clearly it didn't work out real well for them.

Now this was a really good example. Did everyone see TalkTalk in the news just a little while ago? So TalkTalk is an English telecommunications company, and TalkTalk had a major security incident. So they had a whole bunch of data sucked out. It was in the news, it was in the news a lot in Australia, so it must have been really, really big in the UK. And after the attack this detective came out and he said, okay, here's what it was: it was Russian Islamic cyber-jihadis. That's terrifying. It's like every single buzzword. Is anyone here Russian? All right, good. So I get the impression that Russians are scary, like they sound scary, so we got that obviously. And Islamic cyber-jihadi also sounds very scary as well. So this was the news, you know, trying to get everyone scared about these Russian Islamic cyber-jihadis out there.
Now here's what it really was: a 15-year-old boy in his bedroom, because where else is he gonna be, right, if he's hacking away on computers. So there was him, there was also a 16-year-old boy, a little bit older, and then there was this really, really old guy. He was like 20, you know, this is the senior citizen of the hacking circles. And the thing about it is that all these guys are the ones that broke into these systems. It wasn't the scary Russian Islamic cyber-jihadis. It was just bored kids. And very frequently when I get data from people and get communications from people, I realize that it is just bored kids, and they often turn into scared kids too. I'm going to give you an example of that.

Now monetization is a really interesting one, because people want to make money out of data breaches. You can go to online marketplaces and buy data. You can buy credit cards. You can buy social security numbers for people in the US. You can buy dates of birth. You can buy all of these different attributes online, sometimes for about a dollar each. You can find these sites sometimes on the clear web, very often on Tor. You open up the Tor browser, you plug in a URL, it's a marketplace. The marketplace has sellers, the sellers have ratings, there are transactions, there's feedback. It's just a normal marketplace. It is like eBay, but for data breaches, drugs, guns, all this sort of thing. So all this sort of data has a value. Now it's interesting when I say things like this, so I get messages from people saying, "I've got something I'd like to sell to you."
So in this case the guy wanted to sell Nexus Mods. It was a forum. "I would like a sum of Bitcoin." They're coming to me thinking I'm gonna pay the money, and of course I never do. Okay, okay, I'm not going to be part of your illegal activity and then document the whole thing on Twitter as well, because sooner or later your account's gonna be seized after you get caught, if you're the one going around doing this sort of stuff. Now curiously, since I created this deck just last week, someone did actually give me Nexus Mods. They said, here you go, we've been trading this in the underground forums, you might find it useful for your site. So eventually this sort of stuff turns up anyway.
Now there's another good example, OPM, the Office of Personnel Management. This was a big breach in the US. Have a look at how much they reckon it's worth: more than a hundred Bitcoin. Bitcoin now, at the moment, is about three hundred US dollars, so maybe thirty thousand dollars. I don't know, like, it's one guy on Twitter, but I've got other examples of the prices these things are being sold at, and when you think about it, the sort of data that was leaked about government personnel, pretty sensitive info, it's definitely got a price, probably a high price. So this sort of thing comes up quite a bit. This was after the 000webhost... So 000webhost got breached. It actually got traded quite significantly last year.
It looks like they were breached in about March, and eventually I got the data via a journalist later on in the year, and I put a question on Twitter, a very vague question: anyone have an account on 000webhost? And this guy got in contact with me via direct message, and this I found really interesting, because he says the database is private and it's better kept that way. Now what he means by private is that someone had hacked into it and now they're trading and selling it between themselves. That's what private was. They didn't want it to be traded and sold or publicized by anyone else; they wanted to keep it quiet. And they want to keep these databases quiet because whilst they're quiet and the victims don't know about it, the victims can be exploited. Once the victims know that 000webhost is hacked and the password they use there has been exposed, and remember it's plain text, stored in plain text, so no cryptography whatsoever, same password they use on other accounts, once the victims know, the value goes down. He also said this is selling for upwards of $2,000 right now: "I can't understand which moron would be considering just giving you a copy." Maybe a moron with a conscience.
Because this is the thing. Like, basically what he's saying is, we are going around exploiting the people that were compromised in this data breach; what moron would want to stop that from happening? Like, this is the level of sort of ethics and morality of a lot of the people that are dealing with this data. Now 000webhost was also for sale on other sites. This is a site that sells that sort of data. You can see it sells a few different things here. 000webhost was selling for $1,500 at the time that this particular incident broke, in fact just before it went public. The other guy said two grand; 000webhost here, $1,500. After I made it public, and there was also a long lead-in to this where I was trying to get in touch with the company, they wouldn't respond, and eventually we made it all public. After it went public it went from $1,500 down to $200, because suddenly the value goes right down. So whilst it's private and the victims don't know about it, they can exploit the victims. Once it's public and the victims know, it goes down, and then it went down even further. So that's now wiped off 90% of the value, which I'm kind of happy about. We have screwed the market for this data breach, which is good. We don't want it being monetized in that way.

Here's another good example of monetization. So this goes back to Ashley Madison again.
And when the Ashley Madison breach happens, so we go back to July, and in July hackers come out and they say, we have broken into Ashley Madison, we have all the data, either shut the site down or we're going to dump it all publicly. And of course they never shut it down. They were never going to shut it down. So it did go public, went public in August, and after it went public a bunch of companies started monetizing the data. Now in the case of a data breach, there are things that can be legitimately monetized. People are scared. They need things like identity theft protection. It's not a bad thing to have anyway, let alone after a data breach. But then we had companies like this, Trustify, who took the data, and the data was really broadly torrented. It'd take any of you about five minutes to find that data and then about five hours to download it. It was pretty big: five hours on Australian broadband speed, maybe half an hour in Norway. But the data is really easily available, so companies were downloading it and then creating services that made money from it.
So what these guys are doing is saying, hey, check if you've been exposed, and this is not dissimilar to what I do with Have I Been Pwned. The difference is Have I Been Pwned is all free; people go in there, I don't make any money out of the fact that the public can do that. But what happened here: these guys allowed you to search for anyone, and then after you searched for them, they sent an email to the person you're searching for. So imagine this: you've got a wife suspicious of her husband. And this was the gender split. There's no gender equality in Ashley Madison. It was almost all guys and fembots. So a fembot is basically just computer code which engages in discussion. In fact, they'd even call them "engagers". The engagers would get them in to chat and pay more money to stay on there, because they think they've got a chance of meeting a girl who is not their partner, who they're meant to be married to, because the whole thing was meant to be about having affairs. So anyway, you've got this situation.
Wife searches for her husband, gets an immediate confirmation on the screen that the husband was in the data breach. Husband gets an email. He's not the one who searched for it, but he gets an email. So the first the husband knows of him being in the data breach is when he finds out that someone is actually searching for him in the data breach. Imagine that. So, sort of suspend your moral judgment for a moment, regardless of how you feel about adultery: the very fact that his privacy is violated in this way, where anyone can go and search for him, and now he's getting an email. It could have been his boss searching for him, and he gets an email. And of course what they're trying to do here is solicit business. They're trying to sell private investigation services so that this guy can get his data removed from the internet.
And that's what they're trying to do: get your data removed from the internet. How likely do you reckon that is when it's been torrented non-stop around the world? Never gonna happen. So they did that. That alone was shitty. They also did this. After you searched for someone and then you found them, there were social icons that allowed you to tweet that you'd found them. Now this is bad, but you can almost understand it, in so far as, yeah, I found my ex-husband, you know, screw him. But what about this: "I found my friend." These were pre-loaded social messages. This wasn't the person going, I'm just going to type in "I found my friend". Trustify presented you with the buttons so that you could say "I found my ex", "I found my friend", "You can search too". They're encouraging other people to go through and search and find their ex and find their friend, and the privacy implications of this are just sort of mind-blowing. It seems that once that data goes out, it's like, you know, all bets are off, you can do whatever you want with it. So they were making money in a really, really underhanded sort of way. And they eventually did reverse quite a bit of this. They got a lot of pressure, a lot of public pressure. I wrote something, which is where I got some of those screenshots from, saying how bad it was, and then they started getting death threats. Like, that's how the community reacted. They got some really, really nasty messages back. Fortunately none of them got killed, as far as I know, which is... I wouldn't want to feel partly responsible for that. But it gives you an indication of just how bad this was perceived by the community as well.
Very... I mean, on their behalf, just a really poor reading of the market and how people respond to these incidents. So that was that one. The other thing that came out of Ashley Madison was stuff like this. This is a ransom email. Now if you ever think about it, a bunch of you are probably developers, security professionals, used to writing scripts and things. How hard would it be to just enumerate through a great big file and do a mail merge? Because this is all it is. It's a mail merge. It's a ransom message, but it's also got a little bit of spear phishing to it, because it's got information that is very particular about the victim: their name, their address, the last four digits of their credit card number. If you got this, and it's asking for five bitcoins as well, that's a lot, that's like $1,500, and if you don't do that they're going to let your Facebook friends know and your boss know and all that sort of thing. Now of course the thing about all this is that if you didn't pay, nothing ever happened, because this is just like a random send 30 million odd emails to everybody, and then some people will pay, a fraction of 1% will pay, and that will be a good earn. For the 99 point whatever percent that don't pay, nothing happens. But what some of these messages were saying is, they're saying this Bitcoin address is unique to you. And I had a lot of people email me, because I wrote a few things that got a lot of press. These people would email me and they'd say, please don't share my Bitcoin address, I don't want anyone else to know. So I'd Google it and you get all these results from all these other people saying, I just got this ransom message. So the Bitcoin address was not unique. They were not tracking payments. There was no recourse if you didn't pay.
But they're scaring the hell out of people, and these are still going on today. So we're, what, like five, six months on, and these messages are still going out to victims, because they're so easy. It's just sending email.

Now one of the other things that I found very interesting when I thought about the experiences with Have I Been Pwned is how I actually find data breaches. So where do I get these things from? And there's not one answer. They come from multiple different places. So a good example is often I'll get a message like this. So this is how I got the 000webhost data. This guy sends me an email and says, hey, five months ago... This was in October, so we're back at about March or something. I've got this data, would you like a copy of it? And in fact what he said is, he said, I'll give you the two million version. So there's actually 13 million; I'm gonna give you the two million. Sends me a Mega link. So Mega, Kim Dotcom's service. Often people share data breaches via Mega because it's very easy to upload the data to there. They upload it anonymously. It's on a great big obfuscated URL. If you don't have the URL, you're not going to find it. Very, very easy for them to distribute data that way. So he sends me this and, "Do not give me any credit for this." So what he's actually saying is he doesn't want anyone to know that it was him who had the data.
And I'll show you a follow-up message from him in a moment He had actually sent me the 13 million version So I got the full data set and this was kind of the first we knew of it back in October I'm 99% sure. They don't know they got hacked too. They didn't know they had no idea and I tried really really hard to get in touch with triple-o web host
I sent multiple email messages. I went through their ticketing system. I had people respond to me on the ticketing system, because I'm saying, look, I've got a serious security incident, I want someone to talk to, give me a security contact. Because I don't know who's manning the help desk, you know, some low-paid worker on the other side of the world in an outsourcing center. Is that the person I want to give information on this to? Anyway, eventually, when we found we couldn't get in touch with them, that's when it went public. But with this guy, later on, after it got a lot of press, because once it did go public the media picked it up and the stories are all over the place, I've got this. And when I read this last line in particular, "I'm afraid they would still look for me", it sounds like a scared kid, right? It's probably the same sort of kid as what we saw on those earlier photos, some kid in his bedroom in Northern Ireland or wherever. He's just been handing this data around, and what struck me with it is I don't think that they are aware of the ramifications of what they're doing. They're sitting there in the comfort of their own bedroom, and they're sharing this information around, having chats, without any sort of sense of the real-world consequences. And then when it hits the media and it's all over the press, suddenly they go, "Holy shit, look what I've done." I think that's when it hits home and they say, "Wow, this is actually real." So I almost feel a little bit sorry... I do feel a little bit sorry, actually, for a lot of these kids, because they don't know what they're getting themselves into. They
don't know what the actual real-world ramifications of what they're doing are.

Other ways data comes to me. This is a pretty good example. So this guy just here is saying he wants to know what his password is, and one of the curious things that I'm finding with data breaches now is that after a breach, the victims of the breach really want to know what their data was. What was exposed? And this is kind of natural, right? Like, I have just had personal information exposed; tell me what it is. So I want to know what it is, and I get heaps and heaps and heaps of emails like this. I end up having to write a blog post which basically says, no, I can't share data, because I can't respond to individual requests, go through, try and find their data, then try and send it to them in a secure fashion, because often it's passwords and things I don't want to be emailing. But this happens all the time. Now, after I told him I couldn't share it, he was, you know, sad face, which I understand. But I would really like to see organizations making this available, and I'm talking about this more at the end as well. But to me it seems to be their responsibility: you lose the data, you're responsible for telling people what you've lost. Not in one generic message, "We're really, really sorry, we lost your things," but "This is exactly what we lost. This was the name you had, the password you had, the credit card details that got exposed." It's public anyway; it's doing the rounds. Companies should just tell them.

It's another way data comes to me. So this was someone who sent me some data about a Dutch financial institution, and
what I find interesting about this particular picture is the fact that it's a console window with sqlmap. So the guy has basically sent me an email and said, "Hey, I've got some data you might be interested in," and I'll show you the discussion we had after this in a moment. But basically what he's done is he's gone, like, he's literally hacked into it using sqlmap, which is an automated tool. You can see part of the command line up there. You basically run sqlmap, pass a -u switch with the URL that you want to hack, there's a few other parameters, you go outside and play (I assume that's what they do), and you come back and it's got all the data out. It's really, really, really simple. So he's pulled all this information out of this system and then said, "Hey, here it is," and I said, okay, well, what I think you should do is you should disclose it privately to the company. You should let the company know that they have a vulnerability, because you're at this point now when no one actually knows about it. You know, once you make it public, there's no going back; now it's public, and you're gonna get yourself into a lot more hot water as well. So I said disclose it privately, and he said, "What's private disclosure?" Like, it just never crossed his mind that maybe he should get in touch with them and say, "Hey, you've got a vulnerability." And even after I said that he's like, "Okay, well, do you still want the data?" Go to your room, think about what you've done, don't do it again. This is often the way with the kids, right? They're not thinking about the real-world ramifications. So ultimately I said, okay, I'm not going to go and take this data, I'm not going to publish it, you need to get in touch with them privately. And in fact what happened in this case is I got in touch with some Dutch security people I know, let them know, they got in touch with the organization that was impacted. There was a small amount of news on it, but basically the data never went public. I hope they actually let their customers know, because it is their customers on the previous screen. But the whole thing ended up being a lot quieter than what it could have been otherwise.
There's another good example of where I get data from. So this is a public website. It's on the clear web; this is not a Tor hidden service. Anybody can just type in the URL, go here and start downloading data breaches. It's that simple. This data is floating around the web everywhere. This is just one site of many that are on the clear web; there are many more on Tor hidden services. It's not even entirely clear why they run this. I mean, he's asking for a Bitcoin donation, maybe he gets a few Bitcoin thrown at him every now and then. But it goes on and on. There's about 25 records per page, there's about nine pages as well, so maybe a couple of hundred different data breaches just sitting here, publicly searchable, publicly downloadable. And this is what some of them do.

So another way I find data breaches: often we'll see information leaked on Pastebin. Pastebin is a really popular means of leaking info, because it's very, very easy just to go and create a paste, put whatever you want in it. It's anonymous, there's no authentication, there's no sign-up, and then you share the URL. Pastebin, in their terms and conditions, say you shouldn't be sharing data breaches or things like this. I don't think they're quite as explicit; it's like you shouldn't be sharing other people's sensitive information.
But I don't think they mean it, because it happens all the time, and they probably make the argument of, look, it's just a service, people can use it for good, they can use it for bad. But this sort of stuff happens a lot, and what we often see is stuff like this, where this guy's going, "Okay, here is part one of the 000webhost data breach." So people are recycling the data breaches now. "Go and get the full thing at 000webhost-leak.blogspot.com, so you can get the whole thing." So you go to get the whole thing and you end up somewhere like this, and then it goes, "Okay, there's part one and part two, download this one first, go over here." So you go there and you've got to fill out a survey, right? So now we're starting to see the monetization, because all of this sort of crap earns people fractions of a cent every time people go through into the survey. So you go, okay, I'll download. All right, so now I've got to do this. I've got to go back, I've got to do another survey, and then it takes you to here; now I've got to do another survey so that I can get a gift card for $100. Guess what? You don't get a gift card for $100, and normally I get about to here and I go, screw it, like, you guys are just trying to make money out of it. So again, it's the monetization thing. They're trying to trick people into going through and filling this stuff out with the promise of getting breach data. Just all the different ways this data is recycled and reused I find kind of fascinating.

Now, this is another problem that I often have, which is that data is leaked and someone says, "Here it is. It is the, for example, the 000webhost data breach. Yeah, we want you to publish this data. It's serious.
We hacked it." And I've got to try and figure out if it's legitimate or not, because a lot of the time when I see this data, it's not legitimate. And there's a few different ways I can do this. So I can do things like Google some of the hashes, and if I find that the hashes in the data breach appear in many different other places under the names of other data breaches, well, it's probably not going to be real. But there's a few different ways that I do verification. So here's one good way. Now, this is Ashley Madison again. So again, back in July, when we first heard they'd been hacked but the data hadn't been leaked, one of the things I found quite fascinating about Ashley Madison is everyone got really, really upset. Assuming everyone who was in the data breach got upset when that news came out, they said, "Oh no, now people can discover that I was on the site." I thought, well, this is curious. I wonder if you can discover if they're on the site anyway. So I went to the password reset page and I said, okay, well, I'm gonna put in an invalid email address and let's see what happens. Came up and said this. And when I saw this I thought, okay, this is pretty good, because if we look at the piece in bold, it says, "If that email address exists in our database, you'll receive an email to that address," and I thought, okay, that's good, because it's non-committal, right? It's not saying, "Yes, you had an email and we've just let you know," as opposed to, "No, you don't have one." Adult FriendFinder, by the way, who was breached in May, four million records, they still do that today. You can go to Adult FriendFinder, put in an email address, and it will tell you explicitly whether it exists or not. So they leak the presence of every person on that site via an enumeration risk.
And curiously, just a little tip: if you are going to sign up to one of these sites, don't use your normal email address. Don't use your work email address. Make something up. Do not use your .gov address; there are a lot of .gov addresses in these things. And you could say that someone else signed you up, until your payment records are leaked as well, and then it's really, really hard to make that argument. So this is what they're doing. They're going, okay, if you had an email address in the system, we're going to send it to you. Sounds good. Now, this was invalid. Let's have a look at the message when you did have an email address in the system. You see any difference there? It's not subtle, is it? So I write about this and I said, look, you can find out anyway. Why are you getting all upset? I know why you're getting upset, but you could always do this anyway. So Ashley Madison fixed it, and I thought, that sounds like a challenge. I wonder if there is another way of finding out whether accounts actually exist on the site or not. So I went over and I did this. I thought what I'll do is I'll log on 25 times, but what I'll do is I will use a valid account, for research purposes. Number of times I've said that to my wife; she's walked in, "What are you doing?" "Research." I do a lot of research. Anyway, so I tried to log in 25 times, valid email address, invalid password, and I timed it. Okay, looks like this. It's a reasonable spread. This is how long the HTTP response takes between issuing the request and getting a response back. Login fails, fine, but it's a valid account: around about 500 to 600 milliseconds. So then I said, okay, what happens if I take an account that does not exist on the system and I try and log in with that?
That's curious, isn't it? Anyone know what does this? Any guesses? Doesn't hash the passwords, right? So here's how it works. Actually, often when I ask that, some people say, "Well, yes, because it's doing a database lookup." If your database lookup for an account takes 500 milliseconds, you have a different problem; it shouldn't be taking that long. So here's what happens, right? Ashley Madison used bcrypt with a work factor of 12. They screwed it up really, really badly, and we later found we could get basically 90% plus of the passwords out anyway. But however, they were using bcrypt, work factor 12, so a fairly heavy workload in the hashing. And what happens is, when you provide a valid email address, regardless of whether the password is valid or not, a valid email address, it goes to the database and it says, "Get me the record for this person." The record comes back with the salt and the salted hash, and then the new password gets added to the salt and everything gets hashed, and because it was a high work factor algorithm, it took several hundred milliseconds. When the account doesn't exist, the application goes to the database and says, "Get me the account for this email address." The database comes back with nothing, and the app says, "Well, now I don't have to hash." So this, from an efficiency perspective, is really good, but from a disclosure perspective, we have this. So things like enumeration risks are one way that I verify data breaches, and if I can pick three random email addresses from a data breach, plug them into the password reset, and it confirms whether the account exists or not, I've got a really high degree of confidence that that data is legitimate.
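The timing gap described above exists because the slow hash only runs on the known-account path. What follows is an added example, not code from the talk or from any of the sites it discusses: it uses PBKDF2 from the Python standard library as a stand-in for bcrypt at work factor 12 (an assumption), shows the leaky login shape beside one that always does exactly one hash, and counts hash evaluations so the difference can be checked without relying on wall-clock noise. The user table and email addresses are constructed.

```python
import hashlib
import hmac
import os
import time

# Stand-in for bcrypt with work factor 12 (assumption: PBKDF2-HMAC-SHA256
# with a high iteration count, so each evaluation costs tens of milliseconds).
ITERATIONS = 100_000

HASH_CALLS = {"count": 0}  # instrumentation: how many slow hashes have run


def slow_hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    """Salt and hash a password the way a registration handler would."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


# Constructed user table: email -> (salt, salted hash). Not real data.
USERS = {"alice@example.com": make_record("correct horse battery")}

# Fixed dummy record so the unknown-email path can do identical work.
# Its password is never accepted, because `found` is False on that path.
DUMMY_SALT, DUMMY_HASH = make_record("dummy-never-accepted")


def login_leaky(email: str, password: str) -> bool:
    """The shape described in the talk: an unknown email returns before
    any hashing, so it answers several hundred milliseconds faster."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)


def login_hardened(email: str, password: str) -> bool:
    """Always runs exactly one slow hash whether or not the email exists,
    so response time no longer reveals account presence."""
    record = USERS.get(email)
    found = record is not None
    salt, stored = record if found else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    return found and matches


def hash_calls_for(login, email: str, password: str) -> int:
    """How many slow-hash evaluations one login attempt performs."""
    before = HASH_CALLS["count"]
    login(email, password)
    return HASH_CALLS["count"] - before


def elapsed_ms(login, email: str, password: str) -> float:
    """Wall-clock cost of one attempt, the quantity the talk measured."""
    start = time.perf_counter()
    login(email, password)
    return (time.perf_counter() - start) * 1000.0


if __name__ == "__main__":
    for name, login in (("leaky", login_leaky), ("hardened", login_hardened)):
        known = elapsed_ms(login, "alice@example.com", "wrong password")
        unknown = elapsed_ms(login, "nobody@example.com", "wrong password")
        print(f"{name:9s} known={known:7.1f} ms  unknown={unknown:7.1f} ms")
```

Running it shows the leaky handler answering the unknown email almost instantly while the hardened one takes the same time for both.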
Now, three people are going to get password reset emails. Three people out of a breach, in this case, of 30 million; I'm not feeling too bad about that, because now they've got bigger problems. Now they've had all of their data leaked publicly, and it's taken me three emails to figure that out and then let potentially millions of people know what's happened, because millions of people do find out, whether they find out via notifications on my Have I been pwned service or whether they watch the news. You could not miss the news on Ashley Madison.

Here's another good one. So this is Stratfor. Stratfor was an intelligence agency. They did reports, particularly for governments, on things like the political landscape of certain countries. And they got hacked in 2011 and they had all of their data leaked. They went kind of offline for a little bit, and they had to sort of send this message and say, look, we're hacked by an unauthorized party.
Everything got suspended for a while. I want to show you what that data breach looks like, and a really easy way of verifying that. So again, this is a data breach that did get circulated pretty broadly. Looks like this. It's a pretty sort of typical structure here. It's just comma-delimited: user IDs, names, passwords, emails. These are the passwords. They're all MD5 hashes, just straight MD5 hashes. No encryption, no salt, nothing else. Just very, very simple. So the way I'd verify something like this is I'd search for hashes, and I thought, well, look, maybe one of the ways we can do this is I'll make it interesting and I will search for .gov. Find someone with the .gov address and I'll take their hash, and then I'll go to Google. And Google is really good at cracking hashes, because you can search for a hash when it's not salted. Because the salt adds randomness that should be unique for every record, but when it's just a straight hash, you can go and search Google and you can often find the plaintext version. So this was the Stratfor data breach, and that was one of the hashes, first government official hash. Now, what do you reckon the password was? "stratfor". Who would do that? Who would sign up on a website called Stratfor and use the password "stratfor"? But see, this is verification for me. Okay, this hash was a password which is likely to be used by those people. Now, what I could then do is I could
turn my ZoomIt on, because you're gonna need to see this one closely. One of the things I found curious is I thought, okay, well then, how many people might have actually used that same password? Because once we're actually talking about a case where it's just a straight hash and there's no salt, we can do this. We can go back into here, we can do a find, and we can do a count for that hash. How many hashes do you reckon we're gonna find? You've got 12,000 people. There are 860,000 records in the breach; 12,000 people used the password "stratfor" on the website Stratfor. Now, that's "stratfor" all lowercase, because if it was "Stratfor" with a capital S, the hash would be completely different. So we'd inevitably find a whole bunch of people did that as well. So again, going back to the point of this, from a verification perspective, these are the sorts of ways I try and figure out: is this data breach legitimate or is it fabricated?
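The find-and-count check works only because every user who chose "stratfor" ended up with the identical unsalted MD5. The following is an added example in Python, not the talk's own tooling, run over a small constructed dump in the comma-delimited layout described above: it counts how many records carry the hash of a candidate password, lists the most repeated hashes (repeats are themselves a sign of unsalted storage), and shows the same check finding nothing once each record has its own salt. Account names, emails and passwords are constructed.

```python
import hashlib
import os
from collections import Counter


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed accounts used only to build the sample dump; the verification
# functions below never see these plaintexts. Not real breach data.
_SAMPLE_ACCOUNTS = [
    (1, "A. Analyst", "stratfor", "analyst@example.gov"),
    (2, "B. Reader", "stratfor", "reader@example.com"),
    (3, "C. Writer", "Stratfor", "writer@example.org"),  # capital S: other hash
    (4, "D. Fan", "stratfor", "fan@example.net"),
    (5, "E. Unique", "correct horse battery", "unique@example.com"),
]

# Dump in the layout the talk describes: id,name,md5(password),email
DUMP = "\n".join(
    f"{uid},{name},{md5_hex(pw)},{email}" for uid, name, pw, email in _SAMPLE_ACCOUNTS
)


def parse_dump(text: str) -> list:
    """Parse comma-delimited rows into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        uid, name, pw_hash, email = line.split(",", 3)
        rows.append({"id": int(uid), "name": name, "hash": pw_hash, "email": email})
    return rows


def count_password(rows: list, candidate: str) -> int:
    """Records whose stored hash equals md5(candidate): the editor's
    'find and count' from the talk, expressed as code."""
    target = md5_hex(candidate)
    return sum(1 for r in rows if r["hash"] == target)


def most_common_hashes(rows: list, n: int = 3) -> list:
    """Repeated hash values: with a per-record salt, two users sharing a
    password would not collide, so repeats point at unsalted storage."""
    return Counter(r["hash"] for r in rows).most_common(n)


def repeated_hash_count(rows: list) -> int:
    """How many distinct hash values occur more than once."""
    return sum(1 for c in Counter(r["hash"] for r in rows).values() if c > 1)


def gov_hashes(rows: list) -> list:
    """The .gov records the talk picks first when choosing a hash to check."""
    return [(r["email"], r["hash"]) for r in rows if r["email"].endswith(".gov")]


def salted_md5(password: str, salt: bytes) -> str:
    # Salted MD5 is shown only to illustrate the effect of a salt; a slow
    # hash such as bcrypt is the right choice for stored passwords.
    return hashlib.md5(salt + password.encode()).hexdigest()


def salted_rows(accounts=_SAMPLE_ACCOUNTS) -> list:
    """Same accounts with a random per-record salt: the shared password now
    yields distinct hashes, so counting a candidate finds nothing."""
    return [{"hash": salted_md5(pw, os.urandom(8))} for _, _, pw, _ in accounts]


if __name__ == "__main__":
    rows = parse_dump(DUMP)
    print("gov record:", gov_hashes(rows))
    print("records using 'stratfor':", count_password(rows, "stratfor"))
    print("most common hashes:", most_common_hashes(rows, 2))
    print("salted dump, same check:", count_password(salted_rows(), "stratfor"))
```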
The other thing I started doing recently is this. Because what I've realized is I have got a really good repository now of people that are interested in the Have I been pwned service. So I've got a little notification service. You can sign up for free; you put your email address in, you get an email. It says, "You've signed up for notifications. Are you sure you want notifications?" and you click a link to say yes. So it verifies you and it's done. I've got about 330,000 people that have signed up for this. So what happens now is, when I have a new data breach that I can't verify using the means that I showed you, I start emailing subscribers.

So a good example: VTech. VTech is a toy maker, Hong Kong-based toy maker. In the October-November period, a reporter emailed me, a reporter I'd worked with before, and he said, "I've been given a data breach. I want you to help me verify it." So I got the data breach, and I couldn't find anywhere on their website to go through and do, like, a password reset. There was nothing in the data breach that would allow me to do stuff like easily Googling hashes; they were salted hashes. And what VTech actually did is they made tablets for kids. So think about, like, an iPad, but it's all plastic and colorful and things like that.
And you could give it to your kid, and then the kid's mate could have one as well, and then they could chat via the magic of the internet. So a lot of parents didn't realize these kids are chatting in different houses; it goes by the internet. You just put your kid's details on the internet, and this is what was in the data breach: four million adults with names, email addresses, physical addresses, phone numbers; 280,000 kids with name, gender, age (average age is five years old) and a foreign key to the parent's record. So if you had this data, you could basically decide what child would I like in a convenient location, and find them. I didn't get the photos, but the attacker later also gave the reporter photos, because the tablets had a camera; you take your photo. There's kids. 280,000; later on, after this all blew up, VTech said it wasn't 280,000 kids, it was six million. Shit. It was a lot. But anyway, verification. Because you signed up via a tablet and the tablet talked to an API, I couldn't see an easily accessible interface anywhere where I could check things like password resets. So I did this. I took the email addresses from the data breach, and I found the most recent 20 subscribers to Have I been pwned, so people that were thinking about the service recently, and I sent them this email, and
I didn't tell them what the service was or where it was. I just said, "Hey, look, would you help verify this?" And I had about half the people respond, and I'd get messages back like this. In fact, this is what I sent to the person. So one person came back and said, "Yes, I would like to; I'd like to know what the incident was." So I would send them a piece of information, or three pieces of information, which would give them a degree of confidence that it was their data without being too sensitive. So: when did you first log in? It's not too bad. Where were you located? And your ISP; I got the ISP from the IP address. This poor lady was in TalkTalk and VTech. She was real impressed when she emailed back. But, you know, like, this is not sensitive data, but it's enough to have a pretty high degree of confidence whether it's legitimate or not, and she came back and said, "Yes, that's accurate." And that gives me a high degree of confidence for one person, and then I had about six actually come back and ultimately verify their data. So what I'm finding is that Have I been pwned becomes a really, really good verification channel. All right, I actually get feedback from the individuals in the data breach before I make anything public that, yes, it was actually legitimate. So that's been really useful.

This is also really interesting: the way
organizations respond when these incidents happen. And you probably see, if you read the news, a really broad range of responses, but a lot of them are kind of like this. This is the first thing a lot of companies say: "Don't worry about your credit card." Now, put this in context. Ashley Madison, a site designed for you to have affairs; if your wife finds out, she might leave you, you may never see your children again. Like, really, really bad things are going to happen, life-changing things, but don't worry, your credit card's fine. Same here, this is in VTech. Your children have been leaked. People know where to find them, they know what they look like, they know their names. Don't worry, credit cards, all right? What are you worried about? And inevitably what we're doing here is we're trying to placate PCI. These organizations are worried that they're not going to be able to process credit card payments anymore. Their first concern is keeping the payment card industry happy, which is just really bad. It's just something that absolutely stinks about this. So we often see these really evasive sort of messages, focusing on things that ultimately are in the company's best interest. I've got many, many examples. I wrote a blog post a while ago where I showed this: initial responses focus on credit card data. Who's had their credit card defrauded before? Wow, you guys are lucky. I wrote something where I talked about this and I said, look, who really cares about the credit card? Because if it gets compromised, your bank gives you fraud protection. They give you the money back; it's there the next week. And I'm sure it was coincidental, but the next week my wife's card was defrauded. We found out on a Monday morning. We went into the bank, the bank cancelled the card, we had the money back in the account by the end of the day, we had a new card in the mail at the end of the week. The greatest inconvenience of the whole episode was that we had to change some of our direct debits which were trying to debit the old card number. That's what credit card theft means today. Bit different for debit cards, but credit cards, for me as a consumer, it's kind of a non-event.
This was a really good response. So Patreon, who I mentioned got hacked earlier on. Patreon did a number of things really well. So they did things like they stored all their passwords in bcrypt with a work factor of 12. They did something else that I have never seen any other company do in a data breach, which is that they encrypted the personally identifiable info. They encrypted addresses, they encrypted other aspects of your personal info that other companies never do, and not only did they encrypt it, but they managed not to lose the private key when they did get hacked. Because that's the other trick, right? You can encrypt; it's no good if your key gets disclosed. So they actually got it right, and I like this message. It came from the CEO. What I like, down here at the end of the third line: "I'm so sorry to our creators." He's actually apologetic. A lot of companies, the first thing they do is go, "Evil cyber hackers, these evil cyber hackers," it's legalese, and they rant and they rave and they get angry at the people that breached them without focusing on the fact that they screwed up. And yes, they are evil cyber hackers and they should have recourse, legal recourse; they probably should end up in court, if not jail. But those companies, companies like Avid Life Media that creates Ashley Madison, VTech, really, really screwed up. VTech in particular did terrible things with their app design. It took me about 10 minutes to find out that I could create two accounts, log into one, and pull the data out of all the other ones. Took me 15 minutes, you know, and I'm not doing anything special. It's just, hey, there's an HTTP request, it has a number in it, I wonder if I add one, could I get some different data back? Yes, there you go, job done. So this from Patreon. Patreon also said this; they went on to say, "We don't store credit cards." All right, they have to keep PCI happy. But they also actually give some detail: "encrypted with 2048-bit RSA key," "no specific action required," and then they go on and they give technical details. So there's transparency, and finally, again from the CEO, another apology: "I sincerely apologize for this breach." Like, this I think is about as good as you can do with the breach message. And they did screw up; they had debug settings in a publicly facing environment that had access to production data. They screwed up, they admitted it, they gave the details. From that we saw that they did those other things well: they did the bcrypt well, they did the encryption well, they had a good message. These things happen, but this organization was prepared for it and they responded in the right way.

The other interesting thing that comes up is people often say a company gets hacked
but then they get over it and they move on, and there's no sort of long-lasting impact. It's not like the share price dives or anything like that. And I find that curious for a couple of reasons. Number one is that data breaches are expensive. Very often data breaches lead to having to do things like provide identity theft protection for everyone. It's a very standard response: "Oh, we got hacked; identity theft protection, there we go." Yeah, and that happens. It ties up a lot of resources. It damages brand. It keeps services offline. VTech had to take all their services offline after this incident happened. I... And there's a massive VTech stand. I was like, I'm gonna go and ask them about how secure these things are, and they didn't have any of the tablets in stock. And it wouldn't surprise me if they were just not able to sell them at the moment, because the service is still offline. Like, their service, it's like a ground-up rebuild.
So it does have impact, and I wanted to find some examples of where it actually has real impact. So I looked at things like this. Now, this one's curious. This was a few months ago; again, someone sent me some data. They contacted me by Skype and said, "I've got some data breaches that I didn't compromise," and I believe the guy, because we had quite a long chat after that. "But I've had them through sort of trading with other people," and one was called Neteller (not like Nutella, the thing you put on your toast), and the other one was called Moneybookers, and these were gambling sites. And the data dated back, I think, to about 2012; like, it was quite old data. And the interesting thing here was that now those two organizations have been bought by another company, and this other company was now responsible for it. It's a listed company, and the interesting thing is that we ended up sort of getting in touch with the company. They responded really, really well. I had quite a few chats with their security guys trying to figure out what was going on. The company's called Paysafe, and Paysafe, because they're listed as well, they have to disclose this sort of stuff; like, they can't hide it, they've actually got to take it seriously. So they had to put out a press release about it, and then this happened with their share price. Now, there's two curious things here. So number one is that if you look at it on the aggregate,
nothing happened. Number two is they did lose 300 million pounds there. 300 million pounds, just for a moment: that's a lot of money. 300 million pounds. They dipped in direct response to that incident; 300 million pounds, that's like 20% of their share price. If you had prior knowledge of this before it hit the news and you wanted to play the market... okay, it would probably be a little bit obvious: you don't normally play the share market, well, you just had all these options out on something just before it dropped 20%. But that did have a serious ramification, and I wanted to show this because it shows that even though there might not be a lasting impact, that's a lot of money, 300 million pounds.

Another good example. This was a few years ago. Associated Press had their Twitter account hacked. Let's just be clear about the news here: it wasn't Twitter being hacked. It was AP having a shitty password or getting phished. It was one of those two things; always is. This is what the tweet said when they got compromised. This did upset the market. The market responded, and the market did this. That is some number of billions of dollars on the Dow Jones, and again, on aggregate, like, it all evened out. It was all good, but holy shit, look at this: hundreds of... That's just a massive amount of money. So it does have an impact. It might not be a lasting impact, but it does have an impact. Out of that, many people would have lost a lot of money, many people would have made a lot.
This is the other thing that got a little bit interesting last year. I had a phone call from a very nice American man from there, and it was curious. In fact, it started with an email. So I got an email: the FBI. "I would like to talk to you about one of the data breaches," and I said, okay, fine, you know, we'll have a chat. And they sort of wanted more information on the background about, you know, what was in there, what had I found in investigating it. It also led to discussions with the Australian Federal Police, who are also very nice. All of them are always very nice. I hope they stay nice. But when I thought about it, there are a few interesting things here, and one of them is that often the likes of the FBI, the NSA, etc. are perceived as being evil. Evil in the respect of, particularly for those who are in the security industry, we see a lot of news and things about how they're cracking down on people doing ethical things, disclosing vulnerabilities, how they're basically out there to do things that invade our privacy. And when I thought about it more, you know, one of the things about the likes of the FBI, federal police, any sort of government security or intelligence agencies is that we do want them. We want them stopping a lot of the sort of stuff we've seen. I don't want things like 000webhost being hacked into and leaked all over the place. I want them to catch the people that did that. I'm not going to disclose who I've been talking to or violate private discussions, but I want them to make sure these things don't happen. We need these guys, and I guess it's like everyday police on the street: we want them there to keep us safe. They play a really valuable role. And it's curious when you look back at where there's been involvement in... that involves security people, and the press has taken it really badly. It's interesting to look at the details.
So for example, everyone remember this? This guy, Weev. If ever you follow him on Twitter, he's, let's just say, he's an interesting character, and leave it there. But he identified a vulnerability with AT&T where he could pass an identifier from his iPad into one of their services and get back information about the account holder. And the news here is sort of going, "Security researcher found guilty of conspiracy," and, you know, "I'll get out of this, I'll be okay, I'm all right." Yeah, it was a real sort of beat-up job, but the detail of it was that basically he found a direct object reference risk. He could pass an ID, get a record back out, and then, just to make sure it wasn't an accident, he did it another 114,000 times and then gave it to the press. That shouldn't happen. It's the same here. This is an Aussie guy. Happened with Australia's First State Superannuation; it's like our retirement plans. He found a vulnerability, direct object reference vulnerability, found the risk, and just to make sure, he did it another 770,000 times, got all the data out, and then wondered why the police knocked on his door. Police took away all his toys for a while. As it turns out, it worked out really badly for First State Super, because basically it showed that they had really gaping security holes, and they're in negotiations. So it cost them a lot of money. But often when we see headlines like this, there's another story behind it, and we want the FBI, the Australian Federal Police, everyone else who's playing those sorts of roles, we want them there to try and keep us safe from these sorts of incidents.
So that leads me to here: three things that I would really like to see change with the way data breaches are handled and the way organizations respond. So number one is this. A while ago, must be about two years ago now, Forbes got hacked. Forbes had about a million records leaked. It took them a week to let anyone know. It took me less than 24 hours to let every subscriber to Have I Been Pwned know. This should be an easy thing: you get hacked, you've got to let people know quickly. Because otherwise you get all this speculation in the media, people are going, "Well, I don't know what's going on. Like, are my details compromised? Do I need to go and get identity theft protection? Is that funny credit card transaction a result of this?" Like, this should just be fundamental.

This is the other one, and I reckon this is actually really important, and it goes back to that earlier point of people starting to ask me for their data. The organization is the one that lost it. If I'm able to obtain this data because it's been spread out all over the internet, then surely they can obtain it, and surely they can give it to their customers in a secure fashion. This should be fundamental, and I'd really, really like to see organizations doing this, and I'm not aware of any that have done it in the wake of a data breach.

And finally, this one. I just can't see this data breach environment changing until there's enough incentivization for organizations not to do it. The primary penalty that organizations have at the moment is the risk of the threats from PCI, and that's why we saw those messages about payment cards: they don't want to lose the ability to process payments and they're scared of getting fines, and that causes them to respond in a different way. We need to see government penalties, and it's going to be really interesting to see now with this news about the EU potentially fining organizations up to, is it four percent of their annual revenue?
Potentially up to four percent of your annual revenue if you have a data breach. Now, it's early days, we've got to see how that actually works, but that is an incentive not to get compromised in the first place, and certainly to take it seriously if you do.

Because what gets me is when we look at some of these recent breaches, okay, things like VTech. Now, VTech was only a couple of months ago, and it had SQL injection. I'm pretty sure it had SQL injection, because when you logged on and you looked at the response that came back, the response that came back in JSON included the SQL statement that was executed in the database. I just have no idea why you'd do that. Maybe someone was debugging and they thought, you know, it would be helpful, let's see the whole thing. They definitely had direct object reference risks. They had no transport layer security. They had all sorts of other serious issues. They should get slapped with a fine. I don't know what jurisdiction it happens in; they're a Hong Kong based company, they sell all over the world, but they should get hit with something. Because how can a CIO or CTO today sit there and not be aware of the likes of TalkTalk and Ashley Madison, all these things? They know, and at no point have they said, "maybe we should get someone who knows what they're doing to look at our app." They definitely haven't done that, because it would have taken anyone about five minutes to find the risks. So I don't know how this works, but I think until they get penalties, we're not going to see a lot change.

All right, so that brings me to the end, and that is our first talk. That is the Slido info, so you guys can post questions and things. Does anyone want to ask a question right now while we're here, topical, or you can put it into Slido and we can talk about it later?
Yes. So sqlmap is actually really powerful. I'll show you a quick overview, because this is something that we're doing this week in one of my workshops as well. But if we go to sqlmap.org and you have a look at all the stuff it can do, it's actually really, really extensive. The documentation, to be honest, it's terrible documentation, but it just goes on and on and on and on. And what you can do, in its most basic form, is you can just point it at a URL and let it discover the type of database and then what the risk might be. You can also do things like get it to run Google searches and then attack the results. You can get it to extract just the schema. It will do error-based SQL injection, union-based SQL injection, blind Boolean SQL injection, blind time-based SQL injection.
It will do all these different styles of attack. And for people that actually know how to use this and can sort of use it properly in anger, it's enormously powerful. But what we often see, and I'm going to give you a demo of this in my next talk, we see kids running Google dorks, so Google searches to find very specific things,
copying the results, pasting it into a SQL map. Do we get data? Yes. Well, now we'll leak it and then we'll make up a reason why they deserved it. There'll be a reason. I'll give you an example that way too. And if they don't find anything, then they just move on to the next one. So the tools are very good at automating the process.
The kids that are using it have got absolutely no idea how SQL injection works. All they know is they copy URL, they paste into the tool, they get data out. Yes, good question. So I showed Trustify, which was making money out of the fact data was stolen.
And you're asking, would they get into any legal trouble? One of the things Trustify did is they had a Reddit thread. And in the Reddit thread, they said, the reason we're not getting shut down is that we've got more lawyers and employees.
True story. They then went through and they deleted all of their comments. But that was one of the comments, and in fact it's in my blog post, where I explain this is why they're probably not getting shut down. So basically they were just fighting off DMCA takedown requests. And this is sort of one of the other curious things that's happening now. We're seeing the Digital Millennium Copyright Act,
which is meant to stop copyrighted material from being distributed, used to try and take down publicised data breaches. Which is kind of, I don't think it's ever actually been tested in court, but it's kind of enough scare tactics that a lot of people do just take the data down. But in the case of Trustify, they just fought it with lawyers and said, no, we're not going to do it.
Lawyers. Yes. 770,000 times, that's all. Right, so I guess the question is at what point should you disclose a vulnerability?
Like how far do you need to go to establish it? The argument from the likes of the two guys I showed is that they need to get data out of the system, and they need to get volumes in order for the company to take it seriously. But the thing is, once you change an ID once and you get someone else's data,
and let's just imagine, let's just ignore how you did that or why you did that. But for whatever reason, you mistyped the URL, for example, and you got someone else's record. That's the point where you contact the company privately and you say, funny thing happened today while I was browsing the web.
Because that alone demonstrates the risk. And all it did by sucking all the other data out is it made impact, no doubt about that, but then they ended up in a huge amount of trouble. Even things like SQL injection, yes, it is a really impactful thing to give the organization the data that you've exfiltrated from the system, but that's going to make it really, really hard for you to stay on the ethical side of the disclosure.
So for me, as soon as I find that there is a risk, and again, you got to be careful about how you discover it as well. Because a lot of things like SQL injection, they take constant probing in order to find the risk. So you might find something and disclose it, but if you found it by hammering away at their system in an unauthorized fashion,
then that could be a problem. This is also another reason to have bug bounties. I really like the idea of bug bounties and I really like the idea of services like Bugcrowd. And what these guys do is that they run bug bounties for organizations.
So you can say, I'm an organization, I would like it if someone finds a vulnerability that instead of dumping all the data publicly, they send me an email and we fix it privately. And maybe we give them a thousand bucks for it. A thousand bucks isn't much compared to the cost of public disclosure. So this sort of thing allows people to find vulnerabilities
and report them to you because they're incentivized to do it. So I really love this idea as well. Any other questions? Alright, so I think we're running just a little bit over, but what do we do, Jacob? Do we have a break?
Yeah. Okay, and 15 minutes? Awesome, okay, thanks everyone. Thank you.
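As an added example that is not from the talk or from any organisation named in it, here is the direct object reference pattern described above written out in Python: a lookup that hands back any record for any id, a hardened version that authorises against the record's owner, and a log check that flags a client walking through sequential ids the way the two researchers did. The account store, the log lines and every function name are constructed for illustration.

```python
"""Added example (not from the talk): insecure direct object reference,
its hardened form, and a simple enumeration check over access logs.
All account data, log lines and names below are constructed."""
from collections import defaultdict

# Constructed account store: record id -> (owner, account data)
ACCOUNTS = {
    1001: ("alice", {"email": "alice@example.com"}),
    1002: ("bob", {"email": "bob@example.com"}),
    1003: ("carol", {"email": "carol@example.com"}),
}


def lookup_insecure(record_id):
    """IDOR: whoever supplies an id gets the record, no ownership check."""
    _owner, data = ACCOUNTS[record_id]
    return data


def lookup_secure(record_id, caller):
    """Authorise against the object's owner, not merely the presence of an id."""
    entry = ACCOUNTS.get(record_id)
    if entry is None or entry[0] != caller:
        # Identical failure for 'missing' and 'not yours' so ids cannot be probed
        raise PermissionError("not found")
    return entry[1]


def enumeration_suspects(log_lines, threshold=3):
    """Return client IPs that successfully fetched at least `threshold`
    distinct record ids. A real service would see counts in the tens or
    hundreds of thousands, as in the talk; the threshold here is for the toy.

    Constructed log line format: '<client_ip> <caller> <record_id> <status>'.
    """
    ids_by_client = defaultdict(set)
    for line in log_lines:
        ip, _caller, rid, status = line.split()
        if status == "200":
            ids_by_client[ip].add(int(rid))
    return {ip for ip, ids in ids_by_client.items() if len(ids) >= threshold}


# Constructed access log: one user reading her own record, one client
# walking consecutive ids against the insecure endpoint
SAMPLE_LOG = [
    "10.0.0.5 alice 1001 200",
    "10.0.0.5 alice 1001 200",
    "203.0.113.9 bob 1001 200",
    "203.0.113.9 bob 1002 200",
    "203.0.113.9 bob 1003 200",
]
```

With the hardened lookup in place the last two lines of the constructed log would never return 200, which is the point: the ownership check removes the data exposure, and the log check is what tells you someone tried.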