Account Breach Monitoring
Date: 9/20/2017 3:36:00 PM
As a software developer who has to deal with user accounts, one of the topics always on my mind is security. Is the box/VM/host secured? Did we implement strong enough password/login rules? What ciphers are enabled? Have the rules changed? Are the users doing something crazy that could compromise the security of the system?
As with social engineering, the weakest link in a well-designed security model is usually the users. So, what happens if one of the users (maybe one with elevated security rights) uses the same password on our system that they did on another system that was breached? Now there's the possibility that this user's email address (username) and password are out in the wild. It's just a matter of time and some snooping before a black hat or an AI realizes that user X is on our system and logs in.
One evening, I was on my Xbox shooting some baddies. All of a sudden I got this prompt from Microsoft that said I had to change my password because my Live email address was involved in a third-party data breach. My first thought was, "Oh no!" Next it was, "Way to go, Microsoft, for telling me this so I can protect my Xbox account!" And lastly, "Wait?! How did Microsoft know that I was involved in a third-party breach??"
After some digging I realized that there are a few aggregation services out there that constantly monitor for newly leaked breach lists, pastebins, etc. that contain sensitive information such as email addresses, passwords, hashes, credit card data, etc. Obviously there have been people monitoring for this kind of data for years, but never had I seen it made publicly searchable without actually trying to aggregate all this data yourself.
I dug around and found that Mr. Hunt (Microsoft Regional Director and overall brilliant guy) had put up a site called HaveIBeenPwned.com that is aggregating the breach data, and has a brilliant API that allows you to search through it. (Thanks Troy! Just: Wow! Great stuff.)
Using the API, I built a simple class library that I can now use in my projects to frequently scan our user base and see if any of our users has been included in one of these data breaches. If a breach is found, we can then take action to force a password update for the user -- no different than my experience with my Xbox. We can also then have our team dig into activity logs for this/these users to check for suspicious access to the system in question.
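The scan-then-act flow described above, as an added C# sketch; it is not the author's class library. The `Breach` field names follow the HaveIBeenPwned breach model (full, non-truncated responses); `UserAccount`, `Finding`, `BreachTriage`, the `lookup` delegate that stands in for the HTTP call, the reset policy and the sample data are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Breach fields follow the HaveIBeenPwned breach model; the other types are hypothetical.
public record Breach(string Name, DateTime BreachDate, DateTime AddedDate, string[] DataClasses);
public record UserAccount(string Email, DateTime PasswordChanged, bool Elevated);
public record Finding(string Email, bool Elevated, string[] Breaches, DateTime ReviewLogsFrom);

public static class BreachTriage
{
    // lookup returns the JSON breach array for an address, or "" when none is reported.
    public static List<Finding> Scan(IEnumerable<UserAccount> users, Func<string, string> lookup)
    {
        var findings = new List<Finding>();
        foreach (var u in users)
        {
            var json = lookup(u.Email);
            if (string.IsNullOrWhiteSpace(json)) continue;
            var breaches = JsonSerializer.Deserialize<List<Breach>>(json) ?? new List<Breach>();
            // Assumed policy: act only on breaches that exposed passwords and were published
            // after the user's last password change, so repeat scans do not re-flag them.
            var hits = breaches
                .Where(b => b.DataClasses?.Contains("Passwords") == true
                         && b.AddedDate > u.PasswordChanged)
                .ToList();
            if (hits.Count == 0) continue;
            // Review logs from the earliest breach date, not the publication date:
            // the credentials may have circulated before the breach was listed.
            findings.Add(new Finding(u.Email, u.Elevated,
                hits.Select(b => b.Name).ToArray(), hits.Min(b => b.BreachDate)));
        }
        // Accounts with elevated rights are handled first.
        return findings.OrderByDescending(f => f.Elevated).ThenBy(f => f.Email).ToList();
    }

    public static void Main()
    {
        // Constructed sample response and users, not real breach data.
        const string forum = @"[{""Name"":""ExampleForum"",""BreachDate"":""2017-03-01"",
            ""AddedDate"":""2017-08-15T00:00:00Z"",""DataClasses"":[""Email addresses"",""Passwords""]}]";
        var canned = new Dictionary<string, string> { ["admin@example.test"] = forum,
            ["alice@example.test"] = forum, ["carol@example.test"] = forum };
        var users = new[] {
            new UserAccount("alice@example.test", new DateTime(2017, 1, 10), false),
            new UserAccount("admin@example.test", new DateTime(2016, 11, 2), true),
            new UserAccount("bob@example.test", new DateTime(2017, 2, 1), false),   // no breach reported
            new UserAccount("carol@example.test", new DateTime(2017, 9, 1), false), // changed after publication
        };
        foreach (var f in Scan(users, e => canned.TryGetValue(e, out var j) ? j : ""))
            Console.WriteLine($"{f.Email}: force reset, review logs from {f.ReviewLogsFrom:yyyy-MM-dd} ({string.Join(", ", f.Breaches)})");
    }
}
```

With the constructed data, the admin account is listed first, then alice; bob and carol are not flagged.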
Does this solve all our security woes? Certainly not! It's simply a tool to help us additionally monitor the system to make sure the user entry point stays as secure as possible.
As a proof of concept, I launched the breach detection tool at www.beenleaked.com. BeenLeaked is a simple tool that reports on the latest breaches out there and allows anyone a quick search of their email address to see if it was involved in a breach. Give it a shot yourself today at www.beenleaked.com.
If you're curious about my C# class library for doing these breach scans, drop me a line.
Happy coding,
Ted