How To Secure The Internet: Troy Hunt Talks Breaches, Passwords And IoT – Forbes

Troy Hunt's HaveIBeenPwned has become a phenomenal success.

Troy Hunt is busy. He's been travelling across the world giving talks about security, and his much loved and lauded website HaveIBeenPwned went up for sale in June. But that's not before the site, which gives users the chance to see if their emails and passwords have been compromised, had been baked into services such as Firefox and 1Password.

The acquisition is in its final stages, says Hunt. But he concedes that "it's just a huge amount of effort for one person: Even the acquisition itself."

To be fair to him, Hunt has done pretty well as one person. HIBP, as it has affectionately become known, has been a phenomenal success. As well as educating users on the importance of strong passwords, it's raised awareness of credential stuffing, where attackers will throw people's credentials at a number of big services in the hope that the victim has reused their passwords.

It's due to this that Hunt could even be credited with improving the security of the web. "The success of HaveIBeenPwned largely speaks for itself: It's a globally recognized tool adopted by millions of individuals, and it's helped companies and individuals take an interest in their own online security posture," says security researcher Mike Thompson.

But despite the impending sale of HIBP, Hunt's work is certainly not over.

On December 7 at 3 p.m. ET (8 p.m. GMT), Hunt will take part in a virtual conference organized by security researcher group The Beer Farmers, called Beer Con One. The 24-hour event will see Hunt and other guests reflecting on 2019 as well as the industry as a whole, to raise money for the Electronic Frontier Foundation (EFF) and Mental Health Hackers.

As part of this, he'll talk about one major attack vector that remains an issue: the so-called internet of things (IoT). Among the issues in IoT is the fact that product vendors so regularly fail to build in security from the start. Worse, when notified of a problem, vendors often fail to fix it.

Hunt cites the example of one of the biggest IoT issues this year: location tracking on children's smartwatches. "I bought my daughter one of these and found how she could be tracked," he says, explaining how he worked with security researcher Ken Munro at Pen Test Partners to solve the issue. "He handled it so eloquently, but the vendor responded so badly. The PR made it out to be two hackers out to make money."

Another talking point that has dominated 2019 is data security and privacy practices of big tech companies such as Google and Facebook. So, as a security researcher who sees a lot of the issues firsthand, has Hunt deleted Facebook yet?

"I think the privacy thing around this is fascinating," Hunt says. "I haven't deleted Facebook as my friends are on there. I use Google because it's the best search engine, but it's really interesting to see the challenges they have. They are told by authorities that they need to retain data for terrorism, and then people want privacy."

There have been multiple breaches this year, so which were the worst? Hunt says one breach that affected him due to the scars it left was a zoophilia and bestiality site called Zooville. "A vulnerability meant you could personally identify individuals. There were user names, email addresses, and IP addresses."

Before he even started, Hunt had some rather unexpected investigations to make. "I had to work out: Is this legal? Different aspects of it are legal in different places. There was a little bit of me that was fascinated by how weird it was."

One of the biggest breaches of the year took place at the start of 2019. Revealed in January, Collection #1 saw more than a billion unique email address and password combinations posted to a hacking forum for anyone to see.

This mega-breach containing several data sets from different sources was first revealed by Hunt, and he says it was actually the catalyst for his site's sale. Predictably for a story so big, it gave HaveIBeenPwned a huge spike in customers.

However, many misinterpreted the story, and gave Hunt a hard time. "It got interpreted by a number of people as the world's largest data breach, but it was an amalgamation of different breaches."

Even so, it was important Collection #1 got the coverage: The exposed details could be used for credential stuffing attacks, seeing bots automatically testing millions of email and password combinations on a range of website login pages.

"Credential stuffing has become massive this year," Hunt concedes.

This attack thrives on the chance that people reuse their passwords, which means hackers can throw these credentials at several services and bypass authentication on all of them.
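The pattern described above, many accounts tried once each from one source with mostly failures, is what a defender can look for in login logs. The detector below is an added example, not from the article or from HIBP; the log format and the IP addresses and accounts are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (not real traffic): time, source IP, account, outcome.
# 203.0.113.7 sprays one guess each across many accounts; 198.51.100.4 is one user retrying.
SAMPLE_LOG = """\
2019-12-01T10:00:00 203.0.113.7 alice@example.com FAIL
2019-12-01T10:00:01 203.0.113.7 bob@example.com FAIL
2019-12-01T10:00:01 203.0.113.7 carol@example.com FAIL
2019-12-01T10:00:02 203.0.113.7 dave@example.com OK
2019-12-01T10:00:02 203.0.113.7 erin@example.com FAIL
2019-12-01T10:00:03 203.0.113.7 frank@example.com FAIL
2019-12-01T10:05:00 198.51.100.4 alice@example.com FAIL
2019-12-01T10:05:20 198.51.100.4 alice@example.com FAIL
2019-12-01T10:05:40 198.51.100.4 alice@example.com OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_events(text):
    """Parse the constructed format into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.7):
    """Flag IPs that hit at least `min_accounts` distinct accounts inside `window` with a
    high failure rate (credential stuffing). Many attempts on ONE account is brute force
    or a forgetful user and is deliberately not flagged. Successful logins from a flagged
    source are returned separately: those are the accounts to reset first."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):          # sliding time window over this IP's events
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {u for _, u, _ in span}
            fails = sum(1 for _, _, o in span if o == "FAIL")
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                hit = flagged.setdefault(ip, {"accounts": set(), "succeeded": set()})
                hit["accounts"] |= accounts
                hit["succeeded"] |= {u for _, u, o in span if o == "OK"}
    return flagged
```

On real logs the thresholds need tuning per site, and the same source will often rotate through many IPs, so the grouping key is usually a client fingerprint or ASN rather than a single address.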

Asked how people can be stopped from reusing passwords, Hunt says: "The only way you are going to not do that is using a password manager. Then two factor authentication (2FA)."

Services can actually use the Pwned Passwords service on HIBP to prevent their users from using already breached passwords. "People are using bad passwords; we need to save users from themselves," Hunt says.
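The Pwned Passwords lookup works by k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash to the range endpoint, which returns every suffix (and breach count) sharing that prefix, so the full hash never leaves the client. The check below is an added example, not HIBP's own client code; the API URL and response line format are the published ones, while `SAMPLE_RANGE_RESPONSE` and its counts are constructed so the logic runs offline.

```python
import hashlib
from urllib.request import Request, urlopen

# Constructed stand-in for a range response (real ones hold hundreds of "SUFFIX:COUNT"
# lines for the queried 5-hex prefix). The middle suffix is the real tail of SHA-1("password");
# the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E2AF4A4C18E6B9D7F33B5B8C7A2E4D9F01:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F0BE42BE5E3B8E2BCE4D9B7E3D6A6E9E12:1
"""

def hash_password(password):
    """Pwned Passwords is keyed on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(sha1_hex):
    """First 5 hex chars are sent to the API; the remaining 35 stay on the client."""
    return sha1_hex[:5], sha1_hex[5:]

def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerate blank or malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    """Network lookup: only the 5-char prefix leaves the host. Raises on failure so the
    caller can decide whether to fail open or closed; it never silently returns 'safe'."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "example-signup-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, range_fetcher=fetch_range):
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_hash(hash_password(password))
    return parse_range(range_fetcher(prefix)).get(suffix, 0)

def password_acceptable(password, range_fetcher=fetch_range):
    """Policy hook for a signup or password-change form: reject any breached password."""
    return breach_count(password, range_fetcher) == 0
```

`range_fetcher` is injected so the same policy code can be exercised with a canned response in tests and with `fetch_range` in production.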

But he points out that so far, stats show just 2% of people are using a password manager. In some cases, it's because it is too complex. For this reason, Hunt doesn't discount using a physical password book.

"You need to look at who your threat actor is: it's someone who can get the book. It's now someone who can break into your house, but then they don't want the book, they want the computer. The book is better than what 98% of people are doing: that's the discussion we want to be having."

Meanwhile, says Hunt, 2FA is "a pain in the ass."

"I am a proponent but the usability sucks. Or we end up with SMS; you can then do SIM swap attacks."

But at the same time, he says: "People say using SMS for 2FA is like not having 2FA at all. It's always going to be better: credential stuffing goes away."
