Research

A Case-Study on the Quality of Infosec Reporting

Written by Reflare Research Team | Feb 23, 2022 5:02:00 PM

There are few things that infosec professionals hate more than having their work misrepresented, misunderstood, or sensationalised to the point that it loses all semblance of truth.

First Published 18th January 2019  |  Latest Refresh 23rd February 2022

Fair and balanced?

5 min read  |  Reflare Research Team

Media, Media, Media

Respected information security researcher and operator of haveibeenpwned.com Troy Hunt released a blog post outlining a leak of passwords he discovered during the course of his work. In this briefing, we will take a look at the contents of the original report, how the narrative changed in subsequent re-reporting, and what actual risks exist for end-users.

What happened?

According to Hunt’s report, a combined password dump weighing in at almost 90GB was discovered by him during his research. The dump contains some 773 million records. The word “combined” is important here, however: Password leaks happen on smaller or larger scales on an almost weekly basis. The reason that the “combined dumps” keep increasing in size is that the newer dumps always contain all the information contained in the previous ones.

So if a “combined dump” in 2017 contained 700 million records, and the year 2018 sees around 70 million new individual records leaked, a combined dump at the end of the year will contain 770 million records. Still, only a fragment (or possibly none) of these records will be new information that can be abused by attackers.

Mr. Hunt points all of this out in his blog post. He goes on to draw some valid meta-conclusions on the state of organized crime, password hijackings and the need for unique passwords.

Further research published by Brian Krebs indicates that the leaked data has been sold on the black market for as little as $45 for almost 3 years.

In short, the dump may have made some credentials available to the general public for the first time, but the vast majority of the records had been leaked before and were definitely available to cyber-criminals with minimal resources for years. This makes the leak relevant but by no means unusual in scale or exceptionally dangerous at the present time. If your password was included in the leak, there is a reasonable possibility that criminals may have had it for years.

What was made of it?

Unfortunately, much of this nuance was lost in subsequent reporting.

Mashable offered a somewhat factful report on the matter, quoting directly from Hunt and pointing out the old nature of many of the records. This is what we’d expect tech reporting to be like.

Gizmodo on the other hand calls the leak the “mother of all breaches” and claims that it “should make you sit up and pay attention”.

Technology news site Wired titles that Hunt had discovered a “monster breach” and goes on to state that the incident was “pretty darn serious” for its “historic scale alone”.

Last but not least, the Daily Mail titled that Hunt had discovered the  “Biggest EVER collection of breached data including more than a BILLION email addresses and passwords is posted online to a hacking forum”.

There are many shades between the condensed yet factual reporting seen in Mashable and progressively increasing scaremongering in the other example articles. It is also important to note that the various levels of reporting accuracy shown in this instance do not necessarily demonstrate a pattern. The non-sensationalistic nature of an article, including the above sources, often depends more on the individual author rather than on the publication itself.

Nevertheless, it highlights an important issue in information security reporting; With revenue driven by ads through clicks on articles, there is a strong incentive to sensationalize headlines and contents. This combined with lack of knowledge among the general population (and some reporters) when it comes to security matters can (and does) lead to a large portion of IT news covering information security to over-sensationalize, distort the story by omission, or outright confuse the facts.

Meeting the press (for IT professionals)

Should you be approached to speak to a journalist, you should definitely reach out to your external communications / public relations department (should you be lucky enough to have one) prior to accepting the request, and take their guidance. If not, then you really need to be on your toes to ensure you are minimising the opportunity for the journalist to spin your words into something that would 'drive clicks'.

Should you be speaking to a journalist who is not steeped in technical knowledge, try to avoid tech jargon and industry speak. Take your time before answering their questions to really think through your words before you speak them. Communicate clearly, and in layman's terms.

Do not over sensationalise your perspective with your assumptions and biases. Instead, speak to the facts. Should you be commenting on aspects of the story that are unknown or surrounded by ambiguity, state clearly (and repeatedly) which of your comments are 'known', and which comments are 'unknown'.

And whatever you do, don't get dragged into answering hypothetical "what if" questions. You are an IT security professional, not Nostradamus.

Reading the press (for users)

If you were to encounter something like Troy Hunt's work in the media, your focus is how to consume and react to it.

First and foremost: Don’t panic. In the vast majority of cases when news about breaches and leaks hit the news cycle, criminal actors will have had access to the information for days (or as in this case, years). While these incidents are significant, they are seldom the cause for immediate alarm.

Secondly, when you see an article, try to click your way to the original source. In this case, that would be the report published by Hunt and the subsequent research performed by Krebs. These reports will almost always be drier, but more accurate than the re-reported versions.

Lastly, act on the relevant information presented, which in Troy's case, is 'password strength and sophistication'. None of your emotive responses to sensationalised reporting invalidates the need to follow good password practices. Don’t re-use your passwords, don’t use regular words as passwords, and use password-managers and two-factor authentication where possible.

While we believe that the over-sensationalization in reporting is an issue, we do agree with all of the sources we visited today on one important point: If your password is a standard word such as “sunflower” or “greenhouse” or if you have been using the same password for most of your accounts for the past decade, it is pretty much a given that criminals have access to your data.