Have you been pwned?

In this digital age data breaches have sadly become an everyday occurrence. Well, technically they have become a multiple-times-a-day occurrence. In fact, by September of 2017 there were over 1000 publicly disclosed data breaches (http://breachlevelindex.com/data-breach-database) in the calendar year alone, and some reports suggest the number is more than double that. There are, in all likelihood, thousands more that have not been disclosed, or are not even known to the compromised companies. 2017 has also seen the worst data breach known to date: the Equifax breach, which was made public in September (https://krebsonsecurity.com/2017/09/equifax-breach-setting-the-record-straight).

Much of the data from these breaches can be downloaded for free off the web. Anyone with a white belt in Google-Fu should have no issues accessing the most popular of these databases (LinkedIn and Exploit.in), and if you have a blue belt you can still access the majority of these without having to know anything about, or go to, the dark web.

Since these databases are so easily accessible, they are a great place for an attacker to start their infiltration attempts. They will usually try the usernames and passwords in these dumps against email accounts, domain accounts, financial services and other potentially useful systems, since password reuse is still the norm among the general workforce.

If the attacker is not interested in gaining access to a corporate network, they might be more interested in spreading malware or ransomware. Having access to a real email account and sending through that account's corporate mail server pretty much guarantees that their malicious messages will get delivered, even if the recipient is using a “sophisticated” antispam system.

We cannot overlook the possibility that the attacker has something more malicious in mind. If they realize that they have gained access to the mailbox of an influencer in the organization (CEO, CFO or their assistants), they have everything they need to make a quick hit for big gains with some basic social engineering and a wire transfer account.

So, with data breaches happening multiple times a day, what can you do to better protect yourself, your employer and the users who unknowingly entrust their digital lives to you, the average overworked, underpaid and under-respected IT Pro?

Well, there are the usual things you can do. You can suggest that they use a unique password for every site; a password manager such as lastpass.com will be your friend there. You can also implement TFA/OTP (two-factor authentication or one-time passwords) everywhere you can. You can even implement various forms of end-user training to try to educate them about the dangers, hoping that they will heed your advice.

Another thing you can do is subscribe to Troy Hunt’s free Have I Been Pwned service. Troy has created a service where you can enter your username or email address (https://haveibeenpwned.com) to see which known data breaches it has been a part of, or check whether the passwords you use have been found in those breaches (https://haveibeenpwned.com/Passwords).

Obviously, if your accounts are listed in any of the breaches you should change your passwords ASAP, and have a unique password for every site. If your usernames are clear of any known breach but you find that the password you use is in those databases, you should also change it immediately, since it is guaranteed to also be part of the word lists that attackers use to brute-force credentials.
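The password check above can be automated without ever sending the password itself to Have I Been Pwned: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix with that prefix plus a breach count, so the caller finishes the match locally (k-anonymity). The following is an added example, not code from the original post or from the HIBP project; it assumes the public endpoint https://api.pwnedpasswords.com/range/{prefix} and the optional Add-Padding header, and the sample passwords and counts in offline_demo() are constructed for illustration.

```python
import hashlib
import sys
import urllib.request
from typing import Callable, Dict, Tuple

# Public Pwned Passwords range endpoint (assumption: documented k-anonymity API).
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that is only ever compared locally."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padded responses include
    dummy suffixes with a count of 0; those are kept so callers can treat
    them as 'not found'."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch all suffixes for a 5-char prefix over HTTPS (network call)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        # Add-Padding makes responses a uniform size so an observer cannot
        # infer the prefix from the response length (assumed header name).
        headers={"User-Agent": "hibp-range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in known breaches (0 = not
    seen). Only the hash prefix leaves the machine; a padded 0-count entry
    is reported as 0, i.e. not pwned."""
    prefix, suffix = split_hash(sha1_upper(password))
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


def offline_demo() -> Dict[str, int]:
    """Exercise pwned_count() against a constructed, in-memory range response
    so the matching logic can be verified without network access."""
    leaked = "Summer2017!"                      # constructed: pretend it leaked 2314 times
    padded = "padded-entry-demo"                # constructed: appears only as a padding line
    safe = "correct-horse-battery-staple-9f3b"  # constructed: not in the list at all
    _, leaked_suffix = split_hash(sha1_upper(leaked))
    _, padded_suffix = split_hash(sha1_upper(padded))

    def fake_fetch(prefix: str) -> str:
        # Same body regardless of prefix; suffix matching is what is under test.
        return "\r\n".join([
            "0123456789ABCDEF0123456789ABCDEF012:7",
            f"{leaked_suffix}:2314",
            f"{padded_suffix}:0",
        ]) + "\r\n"

    return {
        "leaked": pwned_count(leaked, fake_fetch),
        "padded": pwned_count(padded, fake_fetch),
        "safe": pwned_count(safe, fake_fetch),
    }


if __name__ == "__main__":
    # Usage: python hibp_check.py   (password is read from stdin, never argv)
    pw = sys.stdin.readline().rstrip("\n")
    n = pwned_count(pw)
    print("seen %d times in known breaches" % n if n else "not found in known breaches")
```

Reading the password from stdin rather than the command line keeps it out of shell history and process listings; the same pwned_count() function can be called from a password-change handler to reject a new password that already appears in a breach, which is the "compare against compromised values" check NIST SP 800-63B recommends.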

I recommend signing up for the free “Notify me” service for all your personal accounts (https://haveibeenpwned.com/NotifyMe) as well as signing up your company’s domain for notification (https://haveibeenpwned.com/DomainSearch). The corporate service is also free; however, it will require you to perform a few additional tasks to prove that you are the domain owner/admin. Once verified you will receive a full list of your corporate accounts that were part of a breach, as well as which breaches they were listed in, so that you can take the appropriate actions. Moving forward you will also be notified if any accounts matching your domain are found in new breaches.

Of course, haveibeenpwned.com does not contain every single data breach, as many of them are not publicly available or are only for sale on the dark web, so you should always follow password and identity best practices. For some light reading on those, check out https://pages.nist.gov/800-63-3/sp800-63b.html 🙂