Troy Hunt's HaveIBeenPwned has become a phenomenal success.
Troy Hunt is busy. He's been travelling across the world giving talks about security, and his much loved and lauded website HaveIBeenPwned went up for sale in June. But that's not before the site, which gives users the chance to see if their emails and passwords have been compromised, had been baked into services such as Firefox and 1Password.
The acquisition is in its final stages, says Hunt. But he concedes that it's just a huge amount of effort for one person: "Even the acquisition itself."
To be fair to him, Hunt has done pretty well as one person. HIBP, as it has affectionately become known, has been a phenomenal success. As well as educating users on the importance of strong passwords, it's raised awareness of credential stuffing, where attackers will throw people's credentials at a number of big services in the hope that the victim has reused their passwords.
It's due to this that Hunt could even be credited with improving the security of the web. "The success of HaveIBeenPwned largely speaks for itself: it's a globally recognized tool adopted by millions of individuals, and it's helped companies and individuals take an interest in their own online security posture," says security researcher Mike Thompson.
But despite the impending sale of HIBP, Hunt's work is certainly not over.
On December 7 at 3 p.m. ET (8 p.m. GMT), Hunt will take part in a virtual conference organized by security researcher group The Beer Farmers, called Beer Con One. The 24-hour event will see Hunt and other guests reflecting on 2019 and the industry as a whole, to raise money for the Electronic Frontier Foundation (EFF) and Mental Health Hackers.
As part of this, he'll talk about one major attack vector that remains an issue: the so-called internet of things (IoT). Among the issues in IoT is the fact that product vendors so regularly fail to build in security from the start. Worse, when notified of a problem, vendors often fail to fix it.
Hunt cites the example of one of the biggest IoT issues this year: location tracking on children's smartwatches. "I bought my daughter one of these and found how she could be tracked," he says, explaining how he worked with security researcher Ken Munro at Pen Test Partners to solve the issue. "He handled it so eloquently, but the vendor responded so badly. The PR made it out to be two hackers out to make money."
Another talking point that has dominated 2019 is data security and privacy practices of big tech companies such as Google and Facebook. So, as a security researcher who sees a lot of the issues firsthand, has Hunt deleted Facebook yet?
"I think the privacy thing around this is fascinating," Hunt says. "I haven't deleted Facebook as my friends are on there. I use Google because it's the best search engine, but it's really interesting to see the challenges they have. They are told by authorities that they need to retain data for terrorism, and then people want privacy."
There have been multiple breaches this year, so which were the worst? Hunt says one breach that affected him due to the scars it left was a zoophilia and bestiality site called Zooville. "A vulnerability meant you could personally identify individuals. There were user names, email addresses, and IP addresses."
Before he even started, Hunt had some rather unexpected investigations to make. "I had to work out: Is this legal? Different aspects of it are legal in different places. There was a little bit of me that was fascinated by how weird it was."
One of the biggest breaches of the year took place at the start of 2019. Revealed in January, Collection #1 saw more than a billion unique email address and password combinations posted to a hacking forum for anyone to see.
This mega-breach, containing several data sets from different sources, was first revealed by Hunt, and he says it was actually the catalyst for his site's sale. Predictably for a story so big, it gave HaveIBeenPwned a huge spike in customers.
However, many misinterpreted the story and gave Hunt a hard time. "It got interpreted by a number of people as the world's largest data breach, but it was an amalgamation of different breaches."
Even so, it was important Collection #1 got the coverage: the exposed details could be used for credential stuffing attacks, with bots automatically testing millions of email and password combinations on a range of website login pages.
"Credential stuffing has become massive this year," Hunt concedes.
This attack thrives on the chance that people reuse their passwords, which means hackers can throw these credentials at several services and log in to every service where the same password was reused.
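The pattern described above, bots cycling a leaked list through a login page, has a telltale shape in a site's own authentication logs: one source trying many different usernames in a short window, rather than one user retrying their own account. The following detector is an added example written for this article and is not code from HaveIBeenPwned or from Troy Hunt; the log format, the sample lines, the IP addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic) in a hypothetical web-app
# auth log format: timestamp, client IP, username tried, outcome.
SAMPLE_LOG = """\
2019-12-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-12-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-12-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-12-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-12-01T10:00:03Z ip=203.0.113.5 user=erin result=SUCCESS
2019-12-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-12-01T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2019-12-01T10:00:40Z ip=198.51.100.7 user=alice result=FAIL
2019-12-01T10:01:20Z ip=198.51.100.7 user=alice result=SUCCESS
2019-12-01T10:05:00Z ip=192.0.2.9 user=grace result=FAIL
2019-12-01T10:25:00Z ip=192.0.2.9 user=heidi result=FAIL
2019-12-01T10:45:00Z ip=192.0.2.9 user=ivan result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def find_stuffing_sources(events, window_minutes=5, min_users=4):
    """Flag source IPs that try at least min_users *distinct* usernames
    within one sliding window. Distinct usernames, not repeated attempts
    on one account, is the signal: a person who mistypes their password
    fails on one username; a stuffing bot walks through a leaked list.
    Returns {ip: max distinct usernames seen in any window}."""
    by_ip = defaultdict(list)
    for ts, ip, user, _result in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= window_minutes.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def successful_logins_from(events, flagged):
    """Accounts that logged in successfully from a flagged source: their
    reused passwords were in the attacker's list, so reset these first."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged and result == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", successful_logins_from(evs, hits))
```

In the sample, 203.0.113.5 tries six different accounts in three seconds and is flagged, while 198.51.100.7 (one user retrying their own account) is not. The third source, 192.0.2.9, spreads three usernames over forty minutes and slips under the five-minute window: that is the caveat with any fixed-window detector, and widening the window (or correlating across many sources) is what catches the slower version of the attack.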
Asked how people can be stopped from reusing passwords, Hunt says: "The only way you are going to not do that is using a password manager. Then two-factor authentication (2FA)."
Services can actually use the Pwned Passwords service on HIBP to prevent their users from using already breached passwords. "People are using bad passwords; we need to save users from themselves," Hunt says.
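What "using Pwned Passwords to prevent breached passwords" looks like inside a signup or password-change handler: the client hashes the candidate password with SHA-1 locally, sends only the first five hex characters of the hash, receives every known hash suffix with that prefix, and does the final match itself, so the service never sees the password or its full hash. The code below is an added example written for this article, not code from HaveIBeenPwned; the breach corpus and counts are constructed so the example runs offline, and the server side is a stand-in function (a real deployment would pass a function that fetches the range from the Pwned Passwords API, whose range endpoint returns lines in this same SUFFIX:COUNT shape).

```python
import hashlib


def sha1_upper(password):
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus. These counts are invented so the
# example runs offline; they are not real Pwned Passwords figures.
CONSTRUCTED_CORPUS = {
    sha1_upper("password123"): 150000,
    sha1_upper("letmein"): 42000,
    sha1_upper("correct horse battery staple"): 3,
}


def fake_range_endpoint(prefix):
    """Stand-in for the server side of a range query: given the first five
    hex characters of a SHA-1, return every known suffix sharing that prefix
    as 'SUFFIX:COUNT' lines. The server only ever learns the prefix."""
    lines = []
    for digest, count in CONSTRUCTED_CORPUS.items():
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def pwned_count(password, range_lookup=fake_range_endpoint):
    """Client side of the k-anonymity check: hash locally, send the 5-char
    prefix, and compare the remaining 35 characters against the returned
    suffixes locally. Returns how often the password appeared in breaches
    (0 if it was not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix.strip() == suffix:
            return int(count.strip())
    return 0


def password_is_acceptable(password, threshold=1, range_lookup=fake_range_endpoint):
    """Policy hook for signup or password change: reject any password seen in
    the breach corpus at least `threshold` times."""
    return pwned_count(password, range_lookup) < threshold


if __name__ == "__main__":
    for candidate in ("password123", "letmein", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate), "breach appearances")
```

The default threshold of 1 rejects any password that has ever appeared in a breach; a service that wants to tolerate very rare hits can raise it, but the point of the check is that a password a bot already has in its list gives credential stuffing a free pass, whatever its length or complexity.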
But he points out that so far, stats show just 2% of people are using a password manager. In some cases, it's because it is too complex. For this reason, Hunt doesn't discount using a physical password book.
"You need to look at who your threat actor is: it's someone who can get the book. It's now someone who can break into your house, but then they don't want the book, they want the computer. The book is better than what 98% of people are doing: that's the discussion we want to be having."
Meanwhile, says Hunt, 2FA is "a pain in the ass."
"I am a proponent but the usability sucks. Or we end up with SMS, and you can then do SIM swap attacks."
But at the same time, he says: "People say using SMS for 2FA is like not having 2FA at all. It's always going to be better: credential stuffing goes away."
Go here to see the original:
How To Secure The Internet: Troy Hunt Talks Breaches, Passwords And IoT - Forbes