Every now and then researchers come up with a security insight so simple you wonder why nobody has noticed it before.
If there was an award for such discoveries, a contender for this year’s prize would surely be a data breach early warning tool called Tripwire, the work of engineers at the University of California San Diego (UCSD).
In real-world tests, not only did Tripwire detect a number of unknown or undisclosed breaches, the team believes it could be used to detect many breaches long before organisations realise they’ve happened or stolen data appears on the dark web.
Too good to be true? Not if you harness the power of inference.
As anyone who studies data breaches knows, the first thing cybercriminals do when they steal and unscramble credentials is to try them on lots of other sites, particularly the email services that underpin people’s online identity.
For instance, passwords taken from breaching small sites will be used to attack larger and more valuable ones (Gmail, say) in the hope that users have re-used the same passwords.
As numerous incidents show, it’s a strategy criminals use to amplify the effect of almost every breach.
The team’s approach was to detect when reuse attacks were happening by creating multiple honeypot accounts on each of 2,302 different online organisations, each tied to a single email address at an unnamed email provider that had agreed to collaborate with them.
If a honeypot account was breached, it followed that this would become apparent when the cybercriminals used the stolen credentials to access its accompanying email address.
This approach allows a wide array of Internet sites to be efficiently monitored for compromises and admits no false positives – presuming the email provider itself is not compromised.
The clever bit is it worked.
19 of the test sites were breached and passwords reused in the nine months to February 2017, including one at a “well-known American startup” with 45 million customer accounts.
Sixteen of these were unknown breaches, either because the organisation affected was keeping that fact secret or, very possibly, didn’t know it had been breached at all.
A further three, including the site with 45 million users, showed minor public indications of compromise that had not been confirmed (one was eventually confirmed during the study period).
To account for some sites storing passwords more securely than others, the researchers registered honeypot accounts with an “easy” password (8-character, containing a dictionary word), and a “hard” one (10-character, alpha-numeric, mixed case).
This meant that if Tripwire subsequently detected a breach on a given account, it could infer the level of security being used to secure passwords (i.e. a breach of a hard password might imply it was stored as a simple hash, or even as plain text).
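To make the inference concrete, here is an added example (not code from the UCSD team or the paper) of the detection logic the two paragraphs above describe: a registry of honeypot accounts per site, one per password tier, checked against a constructed email-provider login log. The site names, mailbox addresses and log lines are all invented for illustration.

```python
"""Tripwire-style breach inference from honeypot mailbox logins (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeypot:
    site: str   # site the honeypot account was registered on (constructed name)
    email: str  # unique mailbox at the collaborating provider (constructed)
    tier: str   # "easy" (8 chars, dictionary word) or "hard" (10 chars, mixed)


# Constructed registry: two honeypot accounts per monitored site, one per tier.
HONEYPOTS = [
    Honeypot("wallpapers.example", "hp-a1@mail.example", "easy"),
    Honeypot("wallpapers.example", "hp-a2@mail.example", "hard"),
    Honeypot("torrents.example", "hp-b1@mail.example", "easy"),
    Honeypot("torrents.example", "hp-b2@mail.example", "hard"),
    Honeypot("forum.example", "hp-c1@mail.example", "easy"),
    Honeypot("forum.example", "hp-c2@mail.example", "hard"),
]

# Constructed provider login log: (ISO timestamp, mailbox, outcome).
# Failed attempts are ignored: only a *successful* login proves the attacker
# held the exact password that was registered on the monitored site.
LOGIN_LOG = [
    ("2017-01-03T02:14:09", "hp-a1@mail.example", "success"),
    ("2017-01-03T02:14:11", "hp-a2@mail.example", "success"),
    ("2017-01-05T11:40:00", "hp-b1@mail.example", "success"),
    ("2017-01-05T11:40:02", "hp-b2@mail.example", "failure"),
    ("2017-01-09T23:59:59", "hp-c1@mail.example", "failure"),
]


def infer_breaches(honeypots, log):
    """Map each breached site to the tiers seen and the first login time.

    Nobody legitimate ever logs into a honeypot mailbox, so a single
    successful login is sufficient evidence (no false positives), on the
    assumption that the email provider itself is not compromised.
    """
    by_email = {h.email: h for h in honeypots}
    found = {}
    for ts, mailbox, outcome in log:
        if outcome != "success" or mailbox not in by_email:
            continue
        h = by_email[mailbox]
        entry = found.setdefault(h.site, {"tiers": set(), "first_seen": ts})
        entry["tiers"].add(h.tier)
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO strings sort
    for entry in found.values():
        # A recovered "hard" password suggests plaintext or a fast unsalted hash;
        # an "easy"-only hit says less, since dictionary words fall to any hash.
        entry["storage_hint"] = ("weak: plaintext or simple hash likely"
                                 if "hard" in entry["tiers"] else "unclear")
    return found
```

Running `infer_breaches(HONEYPOTS, LOGIN_LOG)` flags two of the three constructed sites and dates each breach to the earliest successful honeypot login, which is the early warning the article describes.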
One criticism might be to question how representative the test sites (adult, classified, gaming, wallpapers, BitTorrent, etc.) are of the internet more widely.
That misses the point: whether a breached account is at a small, obscure online company matters not at all if the user reuses the same password to secure their Gmail, Yahoo or Facebook accounts.
How might attackers evade Tripwire?
Only by choosing not to try password reuse attacks on big email providers, or by targeting smaller numbers of accounts in the hope the honeypot account wasn’t among them.
But, as its creators acknowledge, Tripwire’s biggest hurdle might simply be convincing breached providers to take its evidence seriously.
Too many don’t care or don’t want to know about breaches, viewing them as a private concern. Until this changes, or governments enforce better behaviour, Tripwire could find itself with plenty of work ahead of it.