Sunday 17 September 2017

OWASP AppSec Day - Lessons From a Billion Breached Records


This was my last talk of the conference. It was pretty tough choosing between this one and a talk given by Brendan Scarvell, who claims to be able to cook 2 minute noodles in 1 minute and 57 seconds. However, I've been following Troy Hunt's blog for a while now, so in the end, I decided to see him in the flesh for the first time.

If you haven't heard of him, he's an internet security specialist, probably most famous for his website https://haveibeenpwned.com/, where you can enter your email address, and find out if it has been included in a data breach. At first, I thought this website was spawned from this XKCD comic about password reuse, but Mr Hunt is very well respected in the security community and he doesn't ask for a password or anything other than your email address. You don't even need to sign up to see if your email address has been included in a hack, but if you do sign up, you will be emailed if your address is found in a new hack.



I did get a picture of him, but it wasn't very good.


He started by talking about how hackers are perceived in the media. As you can see in the background of that image, they always seem to be portrayed as a shadowy, hoodie-wearing figure with green text (usually binary, or the Matrix rain) in the background, which is ironic given the speaker wouldn't look out of place in the air force. Or it's blamed on Russia, North Korea, or China.

Not all hackers are like that. In fact, the hack on TalkTalk, costing £42 million, was reportedly attributed to Islamic cyber jihadists (whatever they are), but turned out to be a couple of people in their 20s.

The media does need something sensationalist to use for pictures depicting hackers, though, because hacking can do a lot of damage but actual hacking looks quite boring. (Side note: I love the way the TV show Limitless handles it. Whenever Brian needs to hack something, he'll say that rather than showing footage of him hacking, he'll show videos of cute kittens and puppies instead.)

Since people know about viruses, this seems like a good way to do it, right?


(Note: not what hacking looks like.)

And what happens when the hackers are Russian? How can you tell that the shadowy figure in the hoodie is Russian and not the same as some other generic hacker?

With bears, of course.


And what do you do when the website that was hacked was full of data on anal-fisters....?

(It's OK, it's SFW.)


Or the more creative version:


On to the meat of his talk.

How does he get access to the hacked data?
80% of the data from data breaches ends up on mega.nz. Hackers also seem to like to hoard and trade breached data, kinda like the IRC days where you would share movies / music.

Some of them even contact him directly when they get access to something he doesn't already have. As I said, he's well-respected, and he said a lot of people support his project! When asked if he has ever been required to name his source by law enforcement, he said that he's fortunate that they've never asked. I guess it's one of those things where they'd rather he remained someone hackers can contact without the fear of repercussions, and the benefits of him being able to access this kind of data make up for the cost of not being able to get closer to the hackers through him.

Verifying the data
"Forgot your password" links are a great way to verify whether an email address that is said to be in the data actually has an account on that website. How can he do that without knowing the password, too? Well, some websites will actually reveal whether an email address has an account on the site by responding differently when you try to retrieve a forgotten password. Some will actually say, "Invalid email", so you know that account doesn't exist.

Others will be more clever, and the response will be "The account and / or password isn't valid." So you can't tell if the password was wrong, or whether the account doesn't exist at all. However, some websites will respond slower when trying to verify a password for an account that exists, versus one that doesn't.


For instance, the response time for a login attempt against an account that exists on the Ashley Madison website is noticeably different from one against an account that doesn't - probably because if the account does exist, it has to run the password hashing algorithm to check the password, but for accounts that don't exist, it just returns an invalid response, so it's much faster.

(If you didn't understand that comment on password hashing, quick primer: It's considered bad security practice to store passwords in plain text, mostly because if your data is hacked, the attacker can just read all the credentials easily. A better solution is to hash the password (usually with a salt, i.e. some random codeword) and store that instead. So if my password was "password", they would take "password" and add the salt (e.g. "dragon") to get "passworddragon", and then run the hashing algorithm on that, getting something like "3d768d226b9245a68e3668c94ce3af79", which is what they store. The attacker doesn't know the salt is "dragon", so it's not easy for them to work out that the original password was "password". But the great thing is that you never even have to reverse it. When it comes to password verification, all you need to do is take the password the user entered, add your salt and hash it. Since the hash returns the same value each time for the same input, and each hash is unique for a given input (for that given hashing algorithm), if you get the same result as "3d768d226b9245a68e3668c94ce3af79", then you know the password is correct.)
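To make the primer and the Ashley Madison timing story concrete, here is an added example (mine, not code from the talk, the post, or any site Mr Hunt discussed). It follows the salt-then-hash recipe above using PBKDF2 from Python's standard library, but stores the salt next to the hash, which is the usual practice since the salt's job is to make precomputed password tables useless rather than to stay secret. It then shows the two login shapes the talk contrasts: a leaky one that short-circuits on an unknown account (faster, and a different message), and a hardened one that always does the same hashing work and returns one generic message whether or not the account exists. The iteration count, the user store and the dummy password are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed in-memory user store for the example: {username: (salt, digest)}.
USERS = {}

# PBKDF2-HMAC-SHA256 work factor. Kept modest so the example runs quickly;
# production systems use a far higher count (or Argon2/scrypt/bcrypt).
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given,
    so two users with the same password still get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store salt and digest; the plaintext password is never kept."""
    USERS[username] = hash_password(password)


# Dummy record used for unknown accounts so the hardened login path performs
# exactly the same hashing work whether or not the username exists.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("constructed-dummy-password")

# Instrumentation: counts how many times the expensive hash actually ran,
# so the equal-work property can be checked rather than just claimed.
HASH_CALLS = {"count": 0}


def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["count"] += 1
    _, digest = hash_password(password, salt)
    # Constant-time comparison so the digest check itself does not leak.
    return hmac.compare_digest(digest, expected)


def login_leaky(username: str, password: str) -> str:
    """The pattern the talk describes: an unknown account returns before any
    hashing happens, so the reply is both faster and worded differently."""
    if username not in USERS:
        return "Invalid email"
    salt, expected = USERS[username]
    if _verify(password, salt, expected):
        return "OK"
    return "Invalid password"


def login_hardened(username: str, password: str) -> str:
    """Same message and same hashing work for known and unknown accounts."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    ok = _verify(password, salt, expected)
    # Only a real account may ever succeed, even if someone typed the dummy password.
    if ok and username in USERS:
        return "OK"
    return "The account and / or password isn't valid."


def time_login(login, username: str, password: str) -> float:
    """Wall-clock seconds for one login call; handy for seeing the gap yourself."""
    start = time.perf_counter()
    login(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    for name, fn in (("leaky", login_leaky), ("hardened", login_hardened)):
        known = time_login(fn, "alice@example.com", "wrong")
        unknown = time_login(fn, "nobody@example.com", "wrong")
        print(f"{name:9s} known={known:.4f}s unknown={unknown:.4f}s")
```

Run it and the leaky version shows the unknown-account call returning almost instantly while the known-account call pays for the hashing; the hardened version pays the same cost both times and says the same thing both times. Note that equalising the work on the login and password-reset paths only closes this one oracle; registration ("that email is already taken") is a separate path that needs the same care.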

The other thing you can check is whether the account gets locked out. In order to stop someone from trying to access your account by trying to login a million times with different passwords, most services will lock you out after X attempts (usually between 3 and 5). If you try to login with junk passwords for a given email address, and you don't get locked out, then it's likely that the account doesn't exist. You can sign up for a fake account yourself to see how many failed attempts it takes to get locked out.
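From the defender's side, the lockout and timing checks above both leave a recognisable footprint in the authentication logs: one source touching many different accounts with a few junk attempts each looks nothing like a normal user mistyping their password. The following is an added example of my own (not from the talk or the post) that parses a small set of constructed log lines, in a line format I made up for the example, and labels each source IP as account enumeration (many distinct accounts), brute force (many failures against one account), or normal. The thresholds are assumptions to tune for a real system.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log lines (not from any real system). Assumed format:
# "<timestamp> auth <ok|fail> user=<email> src=<ip>"
SAMPLE_LOG = """\
2017-09-17T10:00:01 auth fail user=alice@example.com src=203.0.113.5
2017-09-17T10:00:02 auth fail user=bob@example.com src=203.0.113.5
2017-09-17T10:00:03 auth fail user=carol@example.com src=203.0.113.5
2017-09-17T10:00:04 auth fail user=dave@example.com src=203.0.113.5
2017-09-17T10:00:05 auth fail user=erin@example.com src=203.0.113.5
2017-09-17T10:00:06 auth fail user=frank@example.com src=203.0.113.5
2017-09-17T10:00:10 auth fail user=alice@example.com src=198.51.100.9
2017-09-17T10:00:11 auth fail user=alice@example.com src=198.51.100.9
2017-09-17T10:00:12 auth fail user=alice@example.com src=198.51.100.9
2017-09-17T10:00:13 auth fail user=alice@example.com src=198.51.100.9
2017-09-17T10:00:14 auth fail user=alice@example.com src=198.51.100.9
2017-09-17T10:00:20 auth fail user=grace@example.com src=192.0.2.77
2017-09-17T10:00:25 auth ok   user=grace@example.com src=192.0.2.77
"""

# Constructed lines simulating the lockout probe described above: three junk
# passwords against each of five accounts, all from one source.
PROBE_LOG = "".join(
    f"2017-09-17T10:01:{i * 3 + j:02d} auth fail user=user{i}@example.com src=203.0.113.200\n"
    for i in range(5)
    for j in range(3)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log: str) -> List[Dict[str, str]]:
    """Turn log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events: List[Dict[str, str]],
                     min_accounts: int = 5,
                     min_failures: int = 5) -> Dict[str, str]:
    """Label each source IP by the shape of its failed logins.

    'enumeration': failures spread across at least min_accounts distinct accounts
                   (covers both the one-try-per-address sweep and lockout probing)
    'brute_force': at least min_failures failures, but concentrated on few accounts
    'normal'     : below both thresholds
    """
    failed_users = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failed_users[e["src"]].append(e["user"])

    verdict = {}
    for src, users in failed_users.items():
        distinct = len(set(users))
        if distinct >= min_accounts:
            verdict[src] = "enumeration"
        elif len(users) >= min_failures:
            verdict[src] = "brute_force"
        else:
            verdict[src] = "normal"
    return verdict


if __name__ == "__main__":
    for src, label in classify_sources(parse(SAMPLE_LOG + PROBE_LOG)).items():
        print(f"{src:15s} {label}")
```

The distinct-account count is the discriminating feature: a brute-force attempt and a legitimate user both concentrate on one account, whereas every verification trick in this section spreads a small number of attempts over many accounts. Tracking that per source is also what a rate limiter needs if it is to throttle without itself becoming an oracle for which accounts exist.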

Mailinator is a great website for these throwaway accounts. You can create any email address you want, and it has an inbox you can check, for registering for accounts you don't care about. The "don't care about" part is important, because the account has no password, so anyone who knows which name you picked will be able to log in and view any emails that get sent there. If any Mailinator accounts are listed in a breach, it's pretty easy to check that they are valid accounts and that they have a registration email in their inbox. (Note: some websites purposely block Mailinator, but it seems you can just use "notmailinator" as the domain, and the address will still work - at least that's the case at the time of writing.)

If all of these fail, Mr Hunt tends to try and contact some of the people who are listed in the breach, and will ask if they mind helping him with verification. Usually, some of them will respond and help him out.

If you do find that your credentials have been included in a hack, it's not just the account for that website that matters - it also means that any other place where you've used the same username / password combination is compromised too. Again, I'll stress the importance of using a password store / generator, and I'll write up a guide for it on Tuesday.

I really enjoyed the talk, and although I'm sad I missed the 1 minute 57 second noodle guy, I'm glad I went to this one.
