Heartbleed, the massive flaw in web encryption recently made public, is just one of the unending stream of vulnerabilities that enables hackers to steal personal details and passwords from companies with which you do business.
Recently, a number of websites have opened up shop to alert users when such attacks happen.
For example, haveibeenpwned.com allows you to enter an email address to see if hackers have compromised it. A check of one email address I use only with companies showed that it had been breached in October – along with 153 million others — when Adobe’s accounts were hacked.
A check of an email address I use just for Forbes.com (and one I knew had an issue earlier this year) also showed it had been breached, with a useful explanation below. “In February 2014, the Forbes website succumbed to an attack that leaked over 1 million user accounts,” the site said. “The attack was attributed to the Syrian Electronic Army, allegedly as retribution for a perceived ‘Hate of Syria.’”
Another site, PwnedList, found that both email addresses had been hacked and gave a date for each hack, but did not say where the breaches occurred. Shouldichangemypassword.com offers a similar service. All are free and offer to notify users in the future if an email address is compromised.
These sites may see more traffic in coming weeks if the Heartbleed security flaw leads to a whole new series of hacked sites, as many experts forecast.
“If this issue isn’t fixed immediately at all companies (which it won’t be), then we can expect to see a large number of breaches and leaks enabled by this vulnerability,” said Steve Thomas, the co-founder of PwnedList. “We are preparing our database for a rapid increase in the number of compromised credentials, which Heartbleed will certainly contribute to.”
PwnedList makes its money by alerting corporate clients to hacking attacks, which in many cases affect not the firms themselves but their outside vendors. It says its clients include publisher Reed Elsevier, password service LastPass, one of the world’s largest social networks, and one of the largest aeronautics and personal appliance firms.
It catches wind of new breaches by hanging around Internet hacker sites. “Once we join those we get access to everything that is getting passed around,” says Thomas. “Primary hackers will say ‘I just broke into XYZ company, here is their user list.’” Sometimes hackers broadcast their accomplishments on Twitter, but some of the breaches they boast about have not actually occurred.
He estimates that PwnedList learns of about a dozen different data leaks every day, with 100,000 to 500,000 compromised credentials.
The site haveibeenpwned.com, set up late in 2013, is the pet project of Troy Hunt, an Australian who works as an architect at a large company by day. He concentrates on the larger data breaches, and adds one to two different data sets a week to his site. “It is a bit of a laborious process,” he said. “It doesn’t make any money. I guess it is a hobby and public service.”
Hunt would like to see companies whose systems are breached be more responsive in reaching out to their affected customers. Often, he said, there is a long lag time before they own up to what has happened.
“People, sort of rightly say, ‘Wait, hang on a second, why didn’t these guys tell me?’” he said. “What surprises me a little about it is when there is a compromise, the company that is being compromised is in the best position of all to say whether it is legitimate or not. The vacuum of information from companies that are alleged to have been compromised is not a healthy thing.”
“One thing we have got to be cautious about is there are a lot of people who go out and beat the drums and say we’ve just compromised the NSA, for example, here’s all their passwords, and it’s just fraudulent.”
After processing so many breaches through his site, Hunt has strengthened his own personal security drill and recommends the same for others: he uses only strong, unmemorable passwords for each account, and turns to a secure password manager to keep track of all that information.