How Do I Tell You, You've Been Hacked?
25 August 2017 00:00
Whilst Paste Sites are becoming increasingly popular for privacy and anonymity reasons, they often hold a wealth of compromised data.
Often when online services are compromised, the first signs of it appear on "paste" sites like Pastebin. Attackers frequently publish either samples or complete dumps of compromised data on these services. Monitoring and reporting on the presence of email addresses on the likes of Pastebin can give impacted users a head start on mitigating the potential fallout from a breach. [source: https://haveibeenpwned.com/Pastes]
Whether it’s a URL containing indecent images of celebrities, or hacktivists posting confidential government documents – there’s always something going on.
Recently, I stumbled on a data dump showing IT managers discussing projects with a potential supplier - which showed internal plans and projects being revealed. The anonymous submitter hacked a LinkedIn account and posted the information to a paste site.
Trying to contact the Company.
Email is a great method of communication, however sending links to paste websites out of the blue doesn’t go down too well, especially when you work for a cyber educational and simulated phishing company.
Phone? I’m guessing getting through to an IT director from reception isn’t going to happen. Only to leave an awkward voicemail. Do many organisations have a process for this type of thing?
Since the Breach Detection Gap [BDP] is on average 146 days, it can take nearly half a year before an organisation has realised sensitive information has been stolen. Which could be limited to a matter of days if discovered early enough.
But what incentives are there for people to let these companies know? Often white-hat hackers are often persecuted for pointing out vulnerabilities or flaws. Organisations like BugCrowd provide a service finding bugs and vulnerabilities within systems, but for vulnerabilities in policies – it seems like we are way off the mark. Organisations need to actively understand if they spot early signs of a breach before the damage becomes severe.