A case-study on the quality of infosec reporting
Earlier this week, respected information security researcher and operator of haveibeenpwned.com Troy Hunt released a blog post outlining a new leak of passwords he discovered during the course of his work. In this briefing, we will take a look at the contents of the original report, how the narrative changed in subsequent re-reporting, and what actual risks exist for end-users.
What happened?
According to Hunt’s report, a combined password dump weighing in at almost 90GB was discovered by him during his research. The dump contains some 773 million records. The word “combined” is important here, however: password leaks happen on smaller or larger scales on an almost weekly basis. The reason that the “combined dumps” keep increasing in size is that the newer dumps always contain all the information contained in the previous ones.
So if a “combined dump” in 2017 contained 700 million records and the year 2018 sees around 70 million new individual records leaked, a combined dump at the end of the year will contain 770 million records. Still, only a fraction (or possibly none) of these records will be new information that can be abused by attackers.
Mr. Hunt points all of this out in his blog post. He goes on to draw some valid meta-conclusions on the state of organized crime, password hijackings and the need for unique passwords.
Further research published by Brian Krebs indicates that the leaked data has been sold on the black market for as little as $45 for almost 3 years.
In short, the dump may have made some credentials available to the general public for the first time, but the vast majority of the records had been leaked before and were definitely available to cyber-criminals with minimal resources for years. This makes the leak relevant but by no means unusual in scale or exceptionally dangerous at the present time. If your password was included in the leak, there is a reasonable possibility that criminals have had it for years.
What was made of it?
Unfortunately, much of this nuance was lost in subsequent reporting.
Mashable offered a reasonably factual report on the matter, quoting directly from Hunt and pointing out the old nature of many of the records. This is what we’d expect tech reporting to be like.
Gizmodo on the other hand calls the leak the “mother of all breaches” and claims that it “should make you sit up and pay attention”.
Technology news site Wired ran the headline that Hunt had discovered a “monster breach” and goes on to state that the incident was “pretty darn serious” for its “historic scale alone”.
Last but not least, the Daily Mail ran the headline that Hunt had discovered the “Biggest EVER collection of breached data including more than a BILLION email addresses and passwords is posted online to a hacking forum”.
There are many shades between the condensed yet factual reporting seen in Mashable and the progressively increasing scaremongering in the other example articles. It is also important to note that the various levels of reporting accuracy shown in this instance do not necessarily demonstrate a pattern. Whether an article is sensationalistic or not, including the above sources, often depends more on the individual author than on the publication itself.
Nevertheless, it highlights an important issue in information security reporting: with revenue driven by ads through clicks on articles, there is a strong incentive to sensationalize headlines and contents. Combined with a lack of knowledge among the general population (and some reporters) when it comes to security matters, this can (and does) lead a large portion of IT news covering information security to over-sensationalize, distort the story by omission, or outright confuse the facts.
What can end users do?
First and foremost: don’t panic. In the vast majority of cases when news about breaches and leaks hits the news cycle, criminal actors will have had access to the information for days (or, as in this case, years). While these incidents are significant, they are seldom cause for immediate alarm.
Secondly, when you see an article, try to click your way to the original source. In this case that would be the report published by Hunt and the subsequent research performed by Krebs. These reports will almost always be drier, but more accurate, than the re-reported versions.
Lastly, none of this invalidates the need to follow good password practices. Don’t re-use your passwords, don’t use regular words as passwords, and use password-managers and two-factor authentication where possible.
While we believe that the over-sensationalization in reporting is an issue, we do agree with all of the sources we visited today on one important point: If your password is a standard word such as “sunflower” or “greenhouse” or if you have been using the same password for most of your accounts for the past decade, it is pretty much a given that criminals have access to your data.