Black Hat Asia 2021 kicked off with an interesting opening keynote presentation by Troy Hunt, a security researcher and founder of “Have I Been Pwned”, a website that lets people check whether their email addresses have appeared in a data breach.
Despite the pandemic wreaking havoc on the way we live, it is no surprise that security flaws, hacks and breaches continue to increase. Troy took attendees behind the scenes of why incidents happen and the reality of how data breaches occur in his session titled “Lessons from 11 billion breached records”.
According to Troy, most security organisations, businesses and even the media describe hackers as people in hoodies in a dark room staring at a green screen. He explained that this imagery of hackers and breaches is carefully presented to provoke an emotional response and is, in reality, far from the truth.
“Scary things sell security. This to me nails how the industry represents cybersecurity vs the reality”.
In fact, when he started his site, Troy said that people were immediately curious and, without much thought, keyed in their email addresses on his site to check whether they had been breached. But by keying in their email addresses, they were already submitting their data, which he jokingly said he could have used as well.
Going back to the issue of breaches, Troy pointed out that data can come from anywhere. No matter how much we try to minimise the use of our information or avoid publishing our personal information online, it will still find its way out.
“Data breaches that have ended up being pwned, have literally come from organisations backing up their databases to publicly accessible locations”, explained Troy.
Troy used the example of how he found out that his own data was exposed when he donated blood at a blood donation centre. He had not registered online, but the person who filled in the paper form had entered the data into an online system, making it available as well.
“Regardless of how hard you try when handing over your data digitally, it’s kind of all over the place already. When we go out and do things, sometimes we hand out information”, said Troy.
The other thing that people often end up leaking is passwords. Troy pointed out that while passwords have been around since the 1960s, they are a barrier to entry: users create simple passwords to get past that barrier and gain access. Hence, most passwords are made up of something that is easy to remember and type.
Fast forward to the 1990s: passwords became too predictable, especially with the Internet and its growing user base. Soon, most organisations introduced password complexity criteria that required their users to create passwords with some complexity. But again, Troy pointed out, most users made the complexity simple as well: typically the first letter of the password capitalised and a non-alphanumeric character, usually an exclamation mark, at the end.
“If we know this, don’t you think hackers know this too? They have worked this out”, asked Troy.
People follow very predictable patterns and take shortcuts when setting up and memorising passwords. And Troy believes that most people still do this.
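The point Troy makes here, that complexity rules are satisfied in predictable ways, can be shown with a small checker that accepts a password under a 1990s-style complexity policy and then flags the habits that policy tends to produce. This is an added example, not code from the keynote or from Have I Been Pwned; the `KNOWN_BREACHED` set is a constructed stand-in for a breached-password list, and the pattern names are my own labels.

```python
import re

# Constructed sample of passwords already seen in breach corpora. Illustrative only;
# not taken from Have I Been Pwned or any real breach.
KNOWN_BREACHED = {"password", "password1!", "welcome1!", "summer2021!"}


def passes_naive_complexity(pw: str) -> bool:
    """The classic complexity policy: at least 8 characters, one upper-case letter,
    one lower-case letter and one digit or symbol."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(not c.isalpha() for c in pw)
    )


def predictable_patterns(pw: str) -> list:
    """Return the names of the 'complexity-gaming' habits the password exhibits.
    An empty list means none of the known habits were spotted."""
    reasons = []

    # A password that already appears in a breach corpus is predictable by definition.
    if pw.lower() in KNOWN_BREACHED:
        reasons.append("known breached")

    # Only the first letter is capitalised and every other letter is lower-case.
    letters = [c for c in pw if c.isalpha()]
    if letters and letters[0].isupper() and all(c.islower() for c in letters[1:]):
        reasons.append("leading capital only")

    # The only symbols are trailing punctuation such as '!'.
    if re.fullmatch(r"[A-Za-z0-9]+[!?.]+", pw):
        reasons.append("trailing punctuation only")

    # Digits appear only as a run tacked on after the letters (a year, '1', '123').
    if re.fullmatch(r"[A-Za-z]+\d+[^A-Za-z0-9]*", pw):
        reasons.append("trailing digits only")

    return reasons


def assess(pw: str) -> dict:
    """Combine the policy verdict with the pattern flags for one password."""
    return {"naive_ok": passes_naive_complexity(pw), "patterns": predictable_patterns(pw)}


if __name__ == "__main__":
    # Constructed sample inputs: two 'policy-compliant' passwords and one generated one.
    for candidate in ("Password1!", "Summer2021", "kq7#Lm2vXp!9aZ"):
        print(candidate, assess(candidate))
```

The useful observation is that `Password1!` passes the naive policy while tripping every pattern flag, whereas a manager-generated string passes the policy and trips none. A checker like this is a screening aid for a registration form or a password audit, not a substitute for checking candidates against a real breached-password corpus.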
“Passwords are stuck with us forever. We need to look at strength and uniqueness. Password managers are the best possible answer we have at the moment. It expedites the process of doing things apart from giving strong and unique passwords”, added Troy.
At the same time, Troy also believed that USB security keys, tokens and the like cannot be phished, which is great. However, the barriers are that they must be physically with us and can be costly to produce. These barriers may lead to low adoption.