Lessons from a quarter of a billion breached records

Formal Metadata

Title: Lessons from a quarter of a billion breached records
Number of Parts: 96
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Content Metadata

Abstract
What motivates attackers to dump data publicly? How is it sold, traded and redistributed and for that matter, what even causes adversaries to go public with it? These are all questions I’ve dealt with over the years running the ethical data breach search service “Have I been pwned”. It’s also given me the opportunity to interact with everyone from the attackers breaching these systems to the impacted organisations to law enforcement agencies. In this talk, I’ll share the lessons learned from working with more than a quarter of a billion publicly dumped records as a result of major data breaches. The talk sheds light on how this class of adversary operates and the weaknesses within organisations they continually manage to exploit. It’s a unique inside look at security from a very real world and very actionable perspective.
Transcript (English, auto-generated)
[Video clip played at the start of the talk:]

Quick tutorial on how to DDoS. Now, before I start, I'd just like to say I'm not responsible for anything you do with the information I've provided in this video for you. So if you go and DDoS someone with this information which I've given you, I'm not responsible for nothing. Absolutely nothing you do. So yeah, now that I've got that out of the way, let's get started.

So what we've got to do is we've got to load up Command Prompt, with my colour green. Then what we want to do is we want to type ping, and then I've got a bunch of random IPs here. So: ping, and then just paste it, or you can type it out. And then, so, this is just a command: it pings them. This is the IP it will ping. This is how long we want it to do it for, so I've put a limited timer. This is how many packets you want to send.

So let's just hit that and, as you can see, it's already begun the process of DDoSing the IP. Now there's one thing I'd just like to say: when you do this, sometimes it will come up with like a timeout message. This means that the IP could be wrong, or in fact your connection is not strong enough to send packets, or it could just be a general error, because it could do all this and then just say timeout and then carry on. So it could just be like the pings not actually sent. So once you're done you hit Ctrl-C, and: sent 43 packets, they received 43 packets, they lost nothing, nothing on their computer, it's a zero percent loss. So basically they must have a strong connection. You've got to do this for a while with this method. Go outside and play while you're DDoSing them or something like that. Yeah.
Thank you. Yeah, so, did we learn something new out of that? I learned something; it might not have been about DDoSing, though. I like the bit where the guy goes, "while you're DDoSing, you might just have to go outside and play for a while". So you start to get a bit of a sense of the sophistication of the adversary that you're dealing with sometimes.

Anyway, moving on. What I wanted to talk to you about today is some things that I have learned from dealing with a large number of breached records in data breaches. In fact, I wrote this talk earlier on in the year, and when I wrote it I was dealing with 220 million breached records. Then, by the time I went to actually do the talk, the numbers had all changed quite a bit and suddenly we were at 235. By the time I actually got to the podium to do the talk it had gone up again, so I just started rounding and I went, "ah, you know, we'll make it a quarter of a billion, that'll do". In fact, I did this same talk only a couple of weeks ago in Australia, and I said, "you know, this is old news; I used to say a quarter of a billion and now it's actually 510 million". Well, that's what I said two weeks ago. What we're going to see today is we're actually going to see this go through a billion, because one of the things we're going to do is actually add a new data breach, and I'll explain what it is and why we're doing it a little bit later.

Who's actually used this site before? Wow, that's almost everyone. Who's actually been in there? Who's in Ashley Madison? Almost... almost, and that is the right answer, by the way: you just go, "Ashley what? Never heard of it." So this is Have I Been Pwned. It's a free site that I've created that aggregates data breaches. A couple of weeks ago when I did this there were a hundred and six different data breaches in there with 510 million records. So when you see a site like Adobe in 2013 get hacked, a hundred and fifty-two million records leaked online, I aggregate them together, I put them all in Azure Table Storage (I'm going to talk a little bit of Azure stuff later on as well) and I make them searchable for free here.

So what I want to do in this talk is sort of break it into two parts. I'm going to tell you about how these systems get hacked, how the data sort of circulates around the web, how I get it, and then we're going to do this sort of ad hoc, not-normal-formal-talk stuff at the end, which is I'll take you through how I'm going to actually load this breach and we'll make it live and everybody gets to see me go through the 1 billion mark, which I honestly did not expect to see.

So where I thought we might start when we look at data breaches is to have a think about how we are picturing hackers, because we see a lot about hackers in the news, right? Like, we're always seeing this website's been hacked, that website's been hacked.
It's really interesting to sort of see what the general societal perception is of hackers. When you look around you see a lot of stuff like this, all right? This is a "hacker" search on Google Images. You may notice some patterns. So here's what we know about hackers: hackers have hoodies. Clearly I'm not a hacker. Hackers like to work in binary, interestingly enough. You may have also seen that the kid in the video before had to put his screen into green before he started hacking. Green is hacking.

So this is the perception that's being portrayed, and the image, if you like, that people get of hackers, and you see this reflected in many different ways. We see this as stock images on news stories a lot of the time; we're going to look at some more news stories later. You also see it appear in places like this. This is a little Kickstarter project called Cujo, for what we would probably politely call "security in a box". Less politely I'd call it something else. They try to sell you a product, and this is going to fix all your things, and they're trying to protect you from guys like this: "You may not know it, but you've probably already been hacked. Thousands of hacking attacks occur each day." It's scary, right? Because the guy's got a hoodie, so we know he's a hacker. He's working on a green screen, so also we know he's a hacker. However, there's something a little bit unusual about the way this guy is working. I don't know if you saw this; if we zoom in to the corner of his screen, he's hacking in a browser.

Now I'm going to show you how to hack in a browser as well, and this is a skill that will take you far, trust me. So what we're going to do is, in the browser, you go to a website called hackertyper.net. Now, you've got to press F11 to put it in full screen; this is what the guy did wrong. And then you just mash the keyboard. How cool is that? That is hilarious. That is exactly what they use in the video. I watched it through and I zoomed in a little bit and I did all the CSI "enhance" kind of bullshit, and I matched it to this, and he was using Hacker Typer in the browser in order to make the video about how scary hackers are.

So the point there is that there is this sort of perception that the media portrays about hackers: how vulnerable we are, how everyone is out to get us and that they are really, really scary. The reality of it is that they're a lot less scary than what they look, except for this guy. This was a stock photo in the news just the other day, and he is spreading what we believe are dormant cyber pathogens within a data centre. This is how they come in: they come in in a big sort of hazmat bucket like that, and they basically just spread them around, they crawl up the servers. This was actually an image on a news story.

The reality of it, when we look at hackers, is that they're more often like this. There's Ryan Cleary, 19 years old. This was a member of the LulzSec hacktivist collective. He's turning up in court here with his mum. Look at his mum. She's so pissed. He is grounded for a very, very long time after he gets out of jail. But look, he did go to court, he did get himself in a lot of trouble. Ryan Cleary, 18, Jake Davis... sorry, Ryan was 19, Jake Davis only 18. So not exactly legally children, but for most of us here they're quite young, so, you know, the kids, right? But this is the reality: they're very often like this. And I guess the interesting thing here is that most of the time, when the media is portraying scary hackers with the hoodies and the binary and all this sort of thing, they're much more this sort of adversary that you see here. Yeah, this is Anonymous regrouping. Look at them.

It's interesting to sort of peel back the headlines a little bit and understand what's actually going on with these breaches. So for example, we saw last year TalkTalk in the UK got hacked. Many of you probably saw this; even in Australia this was big news, even though it's an English organisation. So TalkTalk got hacked, and this detective came out and he said, "we believe that they were hacked by Russian Islamic cyber jihadis", which is terrifying, right? Like every single one of those words. Are there any Russians? Oh, crap. I mean, I love the accent, first of all, and I think that's what does it, right? Because people hear "Russian" and they're like, "this guy's bad". You can "cyber" anything and it becomes scary. So they've sort of got all the buzzwords in here: Russian, Islamic, cyber jihadis, former cybercrime cop, another "cyber". Anyway, what it turned out to be for TalkTalk was a 15-year-old boy in his bedroom, because where else is he going to be, right, when you're 15 and hacking? It wasn't just him; there was an older gentleman involved as well. He was 16. There was a really, really old guy: he was 20. So they arrested these literally, legally children, as well as this older bloke who was 20.

Very often this is the level of adversary, and the video at the start is, you know, a little bit funny, it's a bit of a joke, but it is very often kids of that sort of ability, if you like, that are breaking into these systems. So keep that in mind as we go through this and as you see some of the conversations I've had with people, because I want to show you some of the things that people have said in private chat.
I'm not going to identify them, but you'll sort of see the level of sophistication they work at.

So one of the things that's really interesting when we look at these data breaches is how they're making money out of them, right? So, yeah, what's all this about? When you have a look at some of the discussions I've had... so for example, this guy: this is via Twitter direct message. I've obfuscated his identity, and it is basically always males. I don't think we've even seen any arrests of females. If you think security is male-dominated, kids hacking is just off the charts, it's insane. Probably not an area we really want gender equality in either, if I'm honest. So anyway, this guy said, "all right, I have got Nexus Mods", which was a forum for a gaming site, "and I would like to receive a sum of Bitcoin". So they always want money. A lot of people come to me and say, "give me money, I will give you a data breach", and for me I'm pretty straightforward about it. I say, "look, I'm not giving you any money". I'm not doing it because, first of all, I want to run Have I Been Pwned as a free community thing that does good things and not bad things, and the last thing in the world I want to do is incentivise anyone to go and break into more stuff by paying them. A lot of people do pay them, though, and I'm going to show you some examples of that soon.

Now, usually in a case like this the data turns up anyway. So Nexus Mods is on Have I Been Pwned, because eventually someone that this guy shared it with turns around and gives it to me. This is what they do: they share this data just like they were baseball cards. You know, "let's swap some cards with each other". So there's Nexus Mods. Another example here: OPM, the Office of Personnel Management in the US. They had about 18 million government accounts hacked, and this guy reckons it's worth about a hundred Bitcoin. Now, a Bitcoin is about 4,700 kroner, so do the math; it's a lot of money. But if it was 18 million people with social security numbers and addresses and phone numbers and all the sort of info you need to go and mount identity theft attacks, it's valuable, right? People will pay this, because you don't have to do many successful identity theft attacks out of that lot of 18 million to make money out of it.

Now this one was interesting. This is about a website called 000webhost; in fact they were a hosting company, and 000webhost got hacked last year. That October date was 2015. What happened with 000webhost is that they got hacked, someone sent me the data (and I'm going to show you how they sent it to me in a moment), and I verified it; it was legit. I couldn't get in touch with them; about a week of going backwards and forwards and they wouldn't pay any attention. They did pay attention once it was in the news, and this guy got in touch with me and said, "the database is private". Now, when he says private, what he means is that someone had hacked it out and they were sharing it between private circles, private circles being a number of anonymous underground sort of characters like the kids we saw just before, sharing it between each other. They thought it was better kept that way, better kept private, because whilst it's private they can exploit the individuals that are in the database. So they can use the usernames and the passwords, and the people that are in there are none the wiser; they've got no idea that the accounts they created on 000webhost are being used to break into their Twitter or their Gmail. And 000webhost stored them all in plain text too, so there's no password cracking or anything like that.

Anyway, he goes on. He says, "the database is selling for upwards of $2,000. I can't understand which moron would be considering giving you a copy for free." This is the attitude, right? Like, we can monetise this, why would any idiot give it to you? My hope is that the moron who gave it to me maybe just had a bit of a social conscience and went, "well, hey, maybe it's not good that all these people are getting taken advantage of, maybe we should give Troy a copy, let it go on to Have I Been Pwned", and then people get notified and they're aware and it's in the press and the damage gets reduced. Now, he said it was selling for upwards of $2,000. There's a website here which had it for sale at about $1,500. Not too far off. This particular site is a clear web website, so you can open up your browser on the normal internet; it's not a Tor hidden service. We're going to look at those, though. You can easily get there; they are selling 000webhost and a bunch of other things: $1,500 US dollars. After the data went live the price kind of dropped, because once it goes live the value of the data goes way down. Once people know that they've been compromised and they start changing passwords, it's harder to exploit them. I like seeing this. I like seeing the value of this data go through the floor when an incident that's already happened becomes public knowledge.

Now, it's really interesting to look at some of the headlines. So this is a headline from only a few months ago, and we can see here this hacker's broken into a porn network, they're selling the data on the dark web, and the hacker gives the journalist a comment: "I want to publicly shame them". You might look at that and go, "okay, well, I can understand the sentiment: some website has had a shitty practice and this guy wants to publicly shame them, so he's in there for the greater good, he's trying to help society by creating stronger security in websites". Except then he says... "says the hacker, who is selling the alleged data". Because they're all commercialising it, right? They're trying to get money for it. And what we're actually seeing is that they're using the press as a channel to try and advertise what they're doing. I'm going to give you a really good example of that. The media loves eating up these stories, and it gives it attention, which then helps them sell the data.
Now this is a question that comes up a lot So where do I get this data from? You know, how does it come to me? So we just saw how some people want to try and sell it to me Some people put it on websites where it's listed for sale Other people just email me So this is how that triple-a web host data came to me. This is the email the guy sent
Turns out this guy wasn't real bright Because what he said is I'm gonna send you two million records out of the 13 million record database and often they'll do this I'll say hey, there's this big breach. I'm gonna give you a slice like a little taster just so you can see what's in there He accidentally did give me the whole 13 million. So that that made that quite easy. So thanks very much for that
He's published it on mega. So mega is the service run by kim.com who's Had himself in all sorts of trouble for hosting lots of files in the past mega is very frequently used as the channel for which data is redistributed and
Mega will respond to take down requests. So if an organization finds their data there They can say look, please take it offline and then some hours later. It will disappear But often this is the channel by which it's redistributed especially privately all within that time frame before it's actually removed Now what I found interesting about this guy is that you know, he sent me this information
I said we sort of went through this process of trying to get in touch with them Everything end up going public and when this stuff goes public it gets a lot of press with hackers and hoodies and binary and things like that, but it ends up in the news and the guy right back to me and he was actually really scared and he was
He was really concerned that somehow this would catch up with him And what struck me when I read this is how much it sounds like a kid writing the message Right. I think I got myself involved too much into this. I have nothing to do with it. So on and so forth I'm afraid they would still look for me So people are not thinking through the consequences of what they're doing
It all seems like fun when they're in their bedroom pointing something like sequel map at a website and sucking out all the data But once it's real and it's in the press things start to change quite a bit So that's one way that data comes to me. Another way would be something like this So what we're looking at here is is actually kind of interesting and that the background is that
someone contacted me and I said I have a breach from it was actually a Dutch financial institution and I'd like to give you the data and I kind of like I like avoiding the question of did you hack it because then
Then I've got to sort of go and I go to your room and think about what you've done Which is usually the case with these guys. I Try and avoid asking that question and very often you're just getting a file redistributed. It's like a CSV file or something like that But when they actually send you a screen cap of their own machine running sequel map after they've put it into green before
They start hacking It's really hard to suspend belief that maybe it wasn't this person now Just in case you were thinking of doing any hacking and you thought well, this is really good Let's put the screen in green Just in case it's not immediately obvious if you jump into a command prompt You can just do a color a like this and now see that you're ready to hack
How easy is that and they actually do that right? This is the way they hack So this one was a legitimate breach and in fact in this particular case, I got in touch privately with the organization I said look someone's sent some data. You probably need to be aware of
The organization verified it. It was legit. They tried to sort of deal with it in a discreet fashion, and I actually said, look, I'm not going to load it, I'm not going to make a fuss about it, if you guys can clean it all up quietly. But in this case, since then I've had all sorts of people send me the same data. So it's just interesting that once it is out, it's very, very hard to keep it contained.
So often I get data like that. Other times it'll be sites like this: Siphon. This is a clear web website, and I'm saying clear web because we're going to look at the dark web shortly as well. Clear web just being: you open it up in your browser, you go to this URL, and there are all these data breaches you can download.
Because it's clear web we know where the server's hosted. We can track down who owns it eventually, depending on where it's hosted and whether law enforcement plays nice over there, because a lot of this stuff is in jurisdictions that are hard for, say, the US to get access to. But it's a clear web website; anyone can go here and download data breaches very, very easily.
This is a good example of a dark web website, and we're actually going to have a browse through this site when we get into the second part of this talk. This is a website called The Real Deal. It's accessible over Tor. The level of sophistication required to access Tor is: you need to download the Tor browser.
It's probably the easiest way. Download, run; it's literally a derivative of Firefox. So now you're in there browsing around the dark web, downloading things. A lot of this data is posted up there. Now, many of you probably saw LinkedIn. Who was in the LinkedIn data breach? I was, yeah, a bunch of us.
So LinkedIn got published only a few weeks ago. They were selling that for five Bitcoin on this Real Deal dark market site. They kept dropping the price as more people bought it. It's now down to only two Bitcoin, but it's starting to circulate very publicly, so it's pretty easy to find and download anyway. So I guess the point I want to make there, in terms of the way data is distributed, is that there are many different channels where this information is floating around, and it's almost always email addresses and passwords. The passwords are almost always very, very poorly protected, and there are frequently other personal attributes as well: IP address.
So now you can start to match with other breaches and figure out which people live where, and of course once you have an IP you know the hosting provider, you know the general geographic location. Other times it's very sensitive, so Ashley Madison, for example. What is your... what's a nice way of putting this? What are your preferences once you're in the bedroom? And what is your preference for who you would like to be in the bedroom with you? So really deeply sensitive things.
So data breaches have got a lot of very personal info in them. Now, one of the tricks with data breaches is actually verifying them and making sure they're not fraudulent, because very often they're fabricated. So probably about five or six weeks ago there was a lot of news about, round about, 272 emails from Gmail, Yahoo and mail.ru, the Russian provider, having been hacked. Everyone should go and change their Gmails now, change your passwords, because you've been hacked. This was the press, and Reuters ran it, and then everyone else picked it up, and this was the news: Gmail's been hacked. And the entire thing was fabricated; none of it was legit at all. Unfortunately people don't verify. They find this data somewhere, or their kid sends it to them, and they contact the press and say, hey, there's been this big breach.
I want to show you a couple of ways that I do breach verification, and I thought the first one I might show you is a site that was hacked last year, called Adult Friend Finder. Was anyone in that breach? Nervous laughs. Now, when they say friend, it's a very specific type of friend. It's not Facebook, let's put it that way. Now, what we could do with Adult Friend Finder is we could jump over to the forgot password page, and when we were on this page we could go through to the username or email field and we could fat-finger this and put in anything we like. You do have to solve a particularly hard CAPTCHA before you can do anything else. And what do you reckon it'll do? Invalid email. Now, let me use one of my research accounts. I did explain research accounts yesterday, didn't I? Actually, this one's relevant: ndc2015 at notmailinator, because I actually showed this here last year. Not mailinator.
Anyone know what mailinator is? So just in case you don't, I'll show you what happens after this. notmailinator.com. You can probably guess what's going to happen here. 733, and it's going to come back. Hey, look at that: that has an account. And what you'll find is that if you go over to mailinator.com, which is a service where you can send an email to anything you like at mailinator.com, or one of about a hundred different variations of the domain, which is why I just used notmailinator, you can now go ndc2015 like that, and there's the password reset.
Now, this is actually quite handy in a number of ways. So first of all, what I would do when something like Adult Friend Finder happens is I'd go and grab a bunch of email addresses out of there and then go and see if there is an enumeration risk on the website. So can I put in an email address and it comes back and says yes, it exists, just like this green screen does over here? I do it with mailinator accounts because people don't have an expectation of privacy. They're throwaway accounts you create just to get through a barrier that needs you to receive an email. So this way it's not upsetting anyone or breaching their privacy, even though theoretically any of us can go to any password reset page and put in any email address we like.
The point is, though, for something like Adult Friend Finder people were very upset, understandably, that they got breached and the data was public and you could now discover if they had an account. But most of these sites, you don't actually need them to be breached in order to discover if an account exists or not, because the site will tell you. You just have to ask. Another good example of that is actually Ashley Madison. So Ashley Madison have an interesting situation; well, they had an interesting one and now they have an even more interesting one. Which is when you go and do a password reset for some sort of invalid address like this one, you get a response like this. And this at first glance is good, because the bold text under the send button says if that email address exists in our database you will receive an email, yada yada yada. So it's very non-committal. It's like, maybe you've got an address, maybe you don't, I don't know, I'm not going to tell you because that would be a disclosure risk. It would disclose someone's presence on the site. Except when I used my research account I got that response. You see any difference? And I blogged about this because I thought, well, this is kind of curious. You know, everyone's getting upset about being discoverable, but you're discoverable already. And Ashley Madison fixed it, which is good. But what was interesting is that they left another little indicator there.
So here's what I did. I said, okay, let's try something different. What I'm going to do is see how long it takes to log in. So I'm going to take my research account and try and log in 25 times. My research account was the real one that actually existed on the site, and you can see it's about 500 to 600 milliseconds each login. I then fabricated an account, so just fat-fingered the email address, and I tried to log in with that. So, yeah, anything interesting? Why do you reckon this happens? Hashing, I hear hashing. Ashley Madison stored their passwords using the bcrypt hashing algorithm. We know they stored them that way because all their source code got leaked in the hack as well. And what that actually meant is that we could look at the source code and say, okay, they're using bcrypt, and bcrypt is a slow hashing algorithm, such that if the passwords that are stored with this hash get leaked it's going to take a very long time to crack them. And because it takes a long time when you actually create the hash, we can observe it via, effectively, a timing attack, which tells us whether the password is being hashed or not. So the green ones: you're entering an email address and a password, the web app goes to the database, it says get me the account for this email address, the database returns one record, and they say great, a record exists, let's now hash the password you just gave me and we'll compare them. The red ones: it's saying go to the database, get me the record. Oh, there's no record, so we don't have to hash. So they're effectively leaking the fact that they do or do not have an account.
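The two enumeration channels described above, the password reset response and the login timing difference, side by side with the uniform-response and always-hash mitigations, as an added example that is not code from the talk or from Have I Been Pwned. It assumes a constructed in-memory user table, substitutes PBKDF2 from Python's standard library for bcrypt as the slow hash, and the email addresses and function names (`login_leaky`, `login_uniform`, `request_password_reset`, `timing_ratio`) are all constructed for the example.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library.
# The iteration count is tuned so one hash costs tens of milliseconds, which is
# the property the timing observation in the talk depends on.
ITERATIONS = 60_000
HASH_CALLS = {"count": 0}  # instrumentation so a test can count hashing work


def slow_hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: email -> (salt, hash). Only one real account exists.
USERS: dict = {}


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email.lower()] = (salt, slow_hash(password, salt))


register("research-account@example.com", "correct horse battery staple")

# Hashed once at start-up so that a lookup miss costs exactly as much as a hit.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = slow_hash("dummy-password-never-accepted", DUMMY_SALT)


def login_leaky(email: str, password: str) -> bool:
    """The pattern described in the talk: fetch the row, and only hash the
    candidate password when a row came back. A missing account returns in
    microseconds, an existing one only after a full slow hash."""
    row = USERS.get(email.lower())
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(slow_hash(password, salt), stored)


def login_uniform(email: str, password: str) -> bool:
    """Hardened: always pay the hashing cost. When the account is absent the
    candidate is hashed against the dummy salt and the result discarded, so
    hit and miss take the same time and follow the same code path."""
    row = USERS.get(email.lower())
    salt, stored = row if row is not None else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    # The dummy credential must never authenticate, even if someone guesses it.
    return matches and row is not None


# Constructed stand-in for the outbound mail system.
OUTBOX: list = []
RESET_MESSAGE = ("If that email address exists in our database, "
                 "you will receive an email.")


def request_password_reset(email: str) -> str:
    """Uniform reset response: the page text is identical whether or not the
    address exists; only the side effect (a mail to a real user) differs."""
    if email.lower() in USERS:
        OUTBOX.append(email.lower())
    return RESET_MESSAGE


def median_login_ms(login, email: str, password: str, rounds: int = 15) -> float:
    """Replays the measurement from the talk: time a login repeatedly and take
    the median, which is what an observer comparing two accounts would do."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(email, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


def timing_ratio(login) -> float:
    """Median time for a non-existent account divided by that for a real one.
    Near 0 means the site leaks account existence; near 1 means it does not."""
    real = median_login_ms(login, "research-account@example.com", "wrong-guess")
    fake = median_login_ms(login, "fat-fingered@example.com", "wrong-guess")
    return fake / real


if __name__ == "__main__":
    print("leaky   ratio:", round(timing_ratio(login_leaky), 4))
    print("uniform ratio:", round(timing_ratio(login_uniform), 4))
```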
This is what I've been doing more recently, and effectively it's another level up, if you like, from just trying to see if an account exists on the site. I've started emailing Have I Been Pwned subscribers and asking them if they'll help me verify a breach. I've got five hundred and fifteen thousand subscribers at the moment, probably because it's free: you just go in with your email address and it says, look, just verify your email, I'm going to send you it, you just got to click on a link in there, and then if you verify that and you appear in a data breach later on I'm going to send you a notification. So what I do now is if I'm not sure about whether a data breach is legitimate or not, I'll reach out to subscribers and I'll say, hey, can you help me verify this? And they always say yes, and then what happens is I send them a little bit of information like this. So this was related to the VTech data breach. This was the breach that had about four million adults and then hundreds of thousands of children in it. I send them a bit of info here; it's nothing that was too sensitive or personal. So this is when you first logged in, this is your location based on your IP address. This poor lady was also using TalkTalk as an ISP, so she wasn't having a real good time of it, because they'd just been hacked as well. And she came back and responded and said yes, all that's accurate, I did actually register on VTech. That gives me a high degree of confidence that the data in the breach is actually real. It's real people that had real accounts on these services. So that's a couple of different ways of verification.
An interesting side effect of all of these breaches is to look at how different organizations respond, and as you can imagine they're a bit varied, but there are also some patterns. One of the patterns that I find enormously infuriating is this one. Now, remembering that Ashley Madison was a site to have affairs with, people killed themselves when they found their data in there. There were literally multiple suicides as a result of people being in Ashley Madison. People had marriage breakups; they're not going to see the kids again; the wife has taken off, and it was the wife because it was like 90% men, and then it was 9% fembots, and then it was like 1% women. Imagine explaining that to your wife: look, I was having an affair online, it was a computer, damn it! But Ashley Madison's first priority here was to say, look, your credit cards are all right. You know, the thing where the bank will give you the money back if it gets defrauded? Like, the worst thing that happens when your credit card gets defrauded is you have to change your direct debits. It's not too bad. But they do this because they're worried about PCI, the payment card industry, because if they lose card data they lose the ability to take payments, which means they lose their revenue stream. It's not just Ashley Madison. VTech, same thing. Yes, your kids have been exposed: your kids' names, your kids' genders, your kids' birthdates, the foreign key to the parent with the physical address, and the kids' photos. But good news, your credit card is okay. And this is what they tend to focus on, for the same reasons.
Another one recently, which I found quite unique, was this one: Lifeboat. Lifeboat is a Minecraft gaming site. They had seven million accounts hacked out of their site, and there was a really curious thing here. So they had them hacked out and they knew about it, but they didn't tell anyone, and months later the data came to me. I worked with the reporter, the reporter got in touch with them, and they came out and they said, well, we were trying to protect people by not telling them. Right, this was their answer. We didn't want to let the hackers know they had limited time to act, which is the most bullshit response ever, because what was actually happening was the hackers were trading the data and exploiting the accounts of the people in there. And what Lifeboat said is, look, it's all right, because what we did is we forced a password reset, so that the next time someone logged on to Lifeboat they had to change their password. And after this went out into the press, there were all these tweets from people saying, well, hang on a second, I haven't used the site in ages and it's the same password as what's on my Gmail and everywhere else. So Lifeboat left people really exposed as a result of the way they handled this.
So that's just a few different responses. The other thing that I find really interesting is the press coverage. Before, we looked at some of the stock photos and things that the press uses, and it's just very curious to see a combination of how the press represents data breaches and then how the people actually breaching these sites and selling the data leverage that. I'll give you an example. This was after LinkedIn, so this is very recent; it's only a few weeks ago. What was happening is after LinkedIn got breached... and in fact, let's go back a step, because LinkedIn actually got breached in 2012, but the data only went public last month. We were in May, so the data went public in May, and what started happening is people were getting their Twitter accounts hacked and their other social media accounts hacked. The press had this story on there, and I guess this is newsworthy; it's like big-name people getting their accounts hijacked. But after this happened, that ad that we saw on The Real Deal before, the one where they were selling the data for four-something Bitcoin, they updated the ad with a reference to the news story. Because what they're doing is they're using the news story as validation that the data is accurate: hey, look, we're in the news because other people are getting their accounts hacked, the data must be good, can we please have some Bitcoin? So that was one recent press incident.
There was another one in the press just recently which I'll just show you, because there's not really a subtle way of putting it. Now, I'm not sure if in Norway this is a common term, and it is honestly not a headline that I expected to see my name in this year, or in any year. Imagine when I explain that to my wife: funny thing happened today. Actually, it was worse when my mother said, I heard about this data breach recently. No. But of course when the press writes about these incidents they have to find stock photos. There were many stock photos of this nature, but there was one stock photo to rule them all, and I was trying to be so serious about it, because the people involved in the site, imagine how hard it was for them when they saw their data. It was only like a hundred thousand records, compared to these big multi-million ones, but a hundred thousand people, and now they're in this sort of data breach. So if you are not familiar with any of these terms, don't Google them, at least not here. Go home, turn down the lights, get a very stiff drink. That was that one.
On a more serious note, one of the interesting things with these data breaches is that obviously law enforcement has to get involved in a lot of them, particularly when there's money involved, particularly when there are children involved. Less so the fisting site; I don't suspect that guy actually wanted to talk to the police about what was going on. But very often they do get involved, and as a result of that I've had quite a number of discussions with three-letter-acronym departments in the US and in Australia. And something struck me while I was talking to them, which is that there's often this fear of law enforcement, particularly online, and I guess it's perpetuated by a certain class of person online who probably should be fearful of them. But every single dealing I've had with the likes of the FBI and the Australian Federal Police has been really, really positive. They've been really, really nice people, and I don't just think that they want me to think that they're nice. They are; they're actually doing a really genuinely valuable job, and just like we have police that we want to stop, you know, burglars breaking into our house, we need these guys helping us.
What's interesting is when you look at the headlines, they often read something like this: you know, security researcher found guilty. And people will point to these headlines and say, this is why you shouldn't report a vulnerability, this is why you should never contact law enforcement, because just reporting something like this, you'll get thrown in jail. Anyone know who this is? Good, you don't want to. He's not a friendly character. He found a vulnerability in AT&T's iPad registration facility back in 2012, and this is what's called a direct object reference risk. So imagine you've got a URL, it's got a number in it, and that number loads your record, and then you change the number and it loads someone else's record. He found this risk, and just to make sure it wasn't an accident, he changed it another hundred and fourteen thousand times and gave the data to the press. And that's why he's guilty, right? So it is usually much more than just what the headlines suggest. Another very recent one: here's a guy called Dave Levin. He's the guy on the left in the black shirt, who's actually a very nice guy, a security researcher, but there appears to have been some political motivation here. Because what's happened is he's found this particular website, which is an elections committee website, he found a SQL injection vulnerability in there, and then what he did is he used Havij, which is freely available SQL injection software. He pointed it at the website, he sucked out a whole heap of data including plain text credentials, he logged on to the website with the credentials of an administrator, videoed the whole thing, put it on YouTube, and then got arrested. You know, like, this is the sort of process that has to happen in order for these guys to end up in hot water. It is not simply, I accidentally stumbled across something and now I'm going to jail.
So I hope you keep that in mind if you do find security vulnerabilities or anything of that nature. There are legitimate ways of getting in touch with organizations that won't mean that you go to jail. So a few things to think about in terms of how I would like to fix this; this is what I'd like to do, based on my experiences. So at number one: you know, when these breaches happen, very often we see very bad communication from organizations. So we saw Lifeboat took months to let anyone know. You can't do that. In fact, legally, in many places you can't do that. Europe's getting the data protection laws, which are going to force mandatory disclosure. The US has had mandatory disclosure for years. We're going to get it in Australia soon. You are going to be legally compelled to report data breaches, and to do so in a timely fashion. Even Forbes, when they got hacked a couple of years ago, they lost a million records. They took a week before they let people know. So there were all these people watching the news about Forbes being hacked, and they're going, well, what's going on? They haven't been told. There are these people running around with the data exploiting the accounts; people haven't been told, so they're not changing their passwords. So that early response is really important.
This one as well, which is closely related: I just mentioned mandatory disclosure, so actually legally obligating organizations to report. Because do you think companies really want to report that they've been breached? Like, it's not a good look, and I understand why they don't want to, which is why we need that legally compelling obligation. Now, the last one's a little bit interesting: providing data to the victims. One of the really astounding things I've found dealing with these data breaches is how often people say, can you give me a copy of my data? This happened a lot with LinkedIn. Lots of people said, just in the last couple of weeks, can you give me my LinkedIn password? And you might think, well, it's the one that you use on LinkedIn, why do you want me to give it back to you? People don't remember what they've entered into sites. They don't remember the password they've used. Plus they want to know their exposure. So think about Ashley Madison. A lot of people said, I want to know what was in Ashley Madison about me, because they want to know what other people are seeing. They want to see what their exposure is. In the case of LinkedIn the other day, I ended up telling people: ask LinkedIn. You want to know what your data was? Ask them. And multiple people contacted LinkedIn, and LinkedIn replied to them, and a few people sent this on to me, and it said, well, we don't have your old password anymore, we don't know what it was that was hacked. Bullshit. The data's floating around; download it and send them the data. I mean, do so in a secure fashion, but provide people with the data that you've lost. It just seems like a no-brainer. So I'd love to see organizations doing this.
Now, one other thing as well, and it kind of relates to this guy. A friend of mine tweeted this the other day, and let me actually ask first. So who's a developer? Yeah, okay. Is anyone primarily a security pro? Interesting. So are you familiar... I mean, basically security pros are a pain in the ass, right? Like, they're always the guys who come down from the mountain on horseback with the sword and tell you all the stuff that you've screwed up, right? And I thought this is a very good tweet, because it's very true. When I did this talk a couple of weeks ago it was half security and half developers, and people agree: there is this friction between the two groups, which often means they don't get on well together. And I think what we've really got to do is try and put this friction aside. The security guys have got to, yeah, sort of lose their draconian "your stuff is crap, go and fix it" approach, and the developers have got to embrace the security side a little bit more as well and try and get their stuff in order, because everyone is ultimately there for the same end goal, which is to try and create shippable software that works and isn't full of security holes. So I'd like to see a much better collaboration between them.
All right, so that's all I'm going to do on slides. I thought what we might do next is something a little bit different, very, very different, which is to make something live.
So recently there's been a bunch of breaches which happened many years ago, sort of 2012-2013 era, and have been very large. So LinkedIn, hundreds of millions; MySpace was like 360 million; and the data is only just coming to light. One of them, which came to light only in the last few days, is VK, which is the Russian Facebook, for want of a better term: 93 million records in the Russian Facebook. Now, I've loaded this data in this sort of staging state today, and I thought what we might do now is we'll make it go live, and then it's going to take up to five minutes for the cache to flush through and for us to see it. While that's happening I can explain the mechanics of how I get all this stuff working. So this is running up in Azure. We're going to set IsActive to 1; we're going to run that guy, if we're still connected. Oh, yeah. What will happen is... it won't be live just yet, unless we have just timed this perfectly. Where are we? There we are. At the moment we've got nine hundred and seventy-seven million records still: 977. So let me talk for a few minutes and explain how this whole thing works.
When I get data breaches, I extract the email addresses from them. Now, either I just run a script against it which pattern-matches and sucks them all out, or sometimes they go into MySQL. Most of the breaches have come out of MySQL databases; there's probably another talk there about why this keeps happening. I get that data, and I zip it all up, and I load it into Azure blob storage. So everything you see here runs in Azure. I then have a web job that picks up this Azure blob and extracts it, and then creates all of these little queue items to go through and process the data. Ultimately what I end up with is a database, a SQL database with a whole heap of data in it, and I end up with everything in table storage. Anyone used Azure table storage before? All right, cool. So the reason I use Azure table storage is it is super, super, super fast, so even with a billion records in it, it's often only taking about four milliseconds to actually look up data. So there's that. It is also extremely cheap, so with what is about to be over a billion records, it's literally costing me in the single-digit or double-digit dollars per month for all of that data, which makes it enormously cheap if you look it up by key. It's awesome. If you try and query it across any sort of other criteria, it's terrible; it's not made for that. But I use the SQL Azure database because it's very good at doing things like saying, out of the five hundred and fifteen thousand subscribers I have, which ones of those are in the, what are we up to, 93 million records from VK? So it effectively joins across them.
Now, data like this VK, I said I'd show you some dark market stuff, comes from sites like this. Right, this is The Real Deal; I showed you this just before. Just what you see here, in my mind, is actually quite interesting. We can see LinkedIn there, second from the right, next to the cocaine. The generic Viagra is there in the middle. There's some hash on the left. This is the company that data breaches keep. And in fact if we scroll down a little bit, the guy selling it, called Peace of Mind, he's got his own shop. He's actually a shady dark web data dealer. We can drill down to his marketplace. He's the one that's been selling all of this data, including selling the VK data breach which I'm just loading. But as we know from earlier on, I don't buy this stuff; sooner or later a follower sends it, and I load the data in. So that's an interesting insight into where that data often comes from. This is Peace's shop: Peace of Mind, if you don't like Brian Krebs. Brian does amazing work, legitimate work, in looking into security incidents. He is much hated by people who don't like having security on the web, and he tends to feature in a lot of places like this. So we've got all sorts of things that this guy's selling in here, and as you can see, I mentioned before, browsing the dark web, it's just a normal browser. That's all it is. It's a Tor browser, but it behaves just like a normal browser. Then somewhere down here, I think we had... there was Fling, we loaded it the other day, LinkedIn, MySpace, Tumblr. There's VK just there. So this is where this data comes from. They're selling VK for one Bitcoin, so about 4,700 NOK. You can buy 93 million email addresses; they say a hundred million accounts just here. Often you see data represented as a total number of records, but then once you dedupe it and you take out all the crap it boils down to something less than that.
All right, let's actually see if this has flushed through the cache; otherwise we'll keep talking for a little bit. Okay, still at 977 million records. So one of the things I do when I load this data into Azure: it can be pretty computationally expensive. So I've uploaded 97 million records; it's got to try and extract all this, put it all into table storage, which isn't fast if you can't bulk insert, and there are reasons I can't, which is another story. But what it means is I'm often spinning up all sorts of other resources on Azure. So for example, I'm running 10 instances of a web server at the moment, because I use web jobs and they run on the web server. If I have 10 web servers I run 10 times as fast as if I have one, so this helped me get the data into table storage in only about three hours today, instead of what would otherwise be 30 hours. But then when I'm done, what I'll do is spin this back down again. And I might just set the maximum range to one so it forces it down straight away: one there, one there, and we'll say okay to that, and we'll save. This is one of the neat things about Azure: you just keep spinning stuff up and spinning it down as you need to. The other thing that I will often need to do is scale up the database. So when I go to my Have I Been Pwned DB, one thing I've found about the Azure SQL database, so this is the SQL-as-a-service database, is that unless you're running pretty hefty ones they actually run kind of slow. So at the moment I'm running on P4 Premium, and I'll let this load the price so we can see what goes into managing this system. But I'm running on P4 Premium, which is a pretty chunky database. That's costing me $2,300 a month, except they bill by the hour. So what are we down to now? That's less than $100 a day, which is about four dollars, less than four dollars an hour; maybe let's call it $3.50 an hour. I've been running it for about four hours, so I've paid $14 to have this great big chunky database, which I can now scale back down, and I normally run it down here where it's only $38 a month. Which is fine, because all my data actually is queried out of table storage. I only use the database when you go and sign up for notifications and things like that, so they're very small, lightweight queries.
Okay, let's see if we're good now. Not there. Here. Oh, we're there: past a billion. Like, is it a joyous mark? It's kind of sad as well, you know. But holy shit, look what Azure did. It's scaled all the way down. So what I do then is go to Twitter, and I have a pre-prepared one. So one of the things I always do when I tweet this is I share how many of the accounts were already in there, because one of the reasons I created Have I Been Pwned in the first place is because I thought it was interesting how many times the same people appear over and over again. 9% is actually pretty low, but we're talking about a Russian site going into a system that's full of stuff like MySpace and LinkedIn and that sort of stuff. So there's a sort of a geocentric difference here. But we'll tweet that guy, so he'll go out there, and then I go and give it a little retweet over here. This account's logged in as me. There we go, that one just there. And that is now past the billion. And that is it. Thank you very much. I do have time for questions, though; I've left time.
Yes, you sir. So Adam is asking if I didn't have a job and if I didn't actually make money, would I be trying to monetize Have I Been Pwned? I tell you that the thing that worries me about monetizing services like this, and there are other services that monetize, is that they become incentivized to load data. The more data breaches that happen, the better they do. And as much as we all sort of applaud when it ticked through the 1 billion mark there, I don't particularly want to see this keep happening. I don't want the circumstances to be such that I need to make money out of it, because it means more people are getting breached and more bad stuff is happening. So I'm a little bit reticent about that. The other thing is, I think that integrity is really important with running this, and this is why I also don't have ads. So at the moment this site, this little Have I Been Pwned site, is servicing a hundred to two hundred thousand people a day, just organically, just coming by the site, all still running on one medium Azure website, two usually. I could put ads on there and probably do reasonably well; I don't know how much you'd make out of that, it'd be tens of thousands a year. But I just feel that that compromises integrity, and when you're asking people to come here and enter their own personal email address to see if they're in a data breach, I don't think an ad... and frequently ad networks are compromised and they serve nasty things as well. I just don't think it's a good look. So now I'm quite happy that it's running for free, without commercialization, that way.
Now, the question is, is anyone in the VK data breach? You can check. All right, well, thank you very much everyone for coming, and thanks for sharing the 1 billion mark with me.