A team of researchers designed a prototype system that could allegedly uncover any website security breaches.
Computer scientists from the University of California San Diego have successfully built and tested a tool that could help detect potential website security breaches. Dubbed Tripwire, the system was designed to determine if a site has been hacked by monitoring all email accounts associated with it.
The researchers conducted a study from January 2015 to February 2017 to test their tool. During that period, they monitored over 2,300 websites and were surprised to learn that around 1 percent of the websites they observed, or approximately 19 sites, were compromised.
“No one is above this—companies or nation states—it’s going to happen; it’s just a question of when,” Alex Snoeren, senior author of the paper and professor of computer science at UCSD, said.
What’s even more interesting was that the researchers also uncovered a security breach at an Alexa top-500 site that has over 45 million active users. Unfortunately, none of the 19 sites that were apparently hacked disclosed the breach to their customers.
How the Tool Detects Website Security Breaches
According to the study, the prototype system detects website security breaches by keeping track of attackers attempting to use old passwords of email accounts that were used to register on the website.
The researchers created a bot that automatically crawled over 2,300 websites and registered accounts on them. Each account was registered with a unique associated email address, and the password used when registering on the website was the same as the password for the corresponding email account.
The researchers then waited for an outside party to use the password to access the email account, an indication that the account information from the website has been leaked.
To ensure that any detected compromise will be related to a hacked website, the team worked with a “major email provider” and used 100,000 of its email accounts that were created but were not used to register on any website. This portion acted as a control group to ascertain that any breach will not be associated with the email provider. Surprisingly, none of the accounts in the control group were accessed by the hackers.
“While Tripwire can’t catch every data breach, it essentially has no false positives—everything it detects definitely corresponds to a data breach,” Joe DeBlasio, a Ph.D student of Jacobs School of Engineering at UCSD and one of the authors of the research paper, told Gizmodo. “Tripwire triggering means that an attacker had access to data that wasn’t shared publicly.”
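The inference described above can be written as a short check over the email provider's login log. This is an added example, not code from the Tripwire paper or its repository; the mailbox names, site names, log format and function names are all constructed for illustration, and it assumes nobody legitimately logs in to the honey mailboxes.

```python
import csv
import io
from collections import defaultdict

# Constructed registry: honey mailbox -> the one site it was registered on.
REGISTRY = {
    "hx41@mail.example": "shop.example",
    "qz77@mail.example": "forum.example",
    "lm02@mail.example": "travel.example",
}
# Constructed control mailboxes: created at the provider, never used on a site.
CONTROL = {"ctl01@mail.example", "ctl02@mail.example"}

# Constructed provider login log: timestamp, mailbox, source IP, result.
SAMPLE_LOG = """\
2016-03-01T10:02:11Z,hx41@mail.example,198.51.100.7,success
2016-03-01T10:05:40Z,qz77@mail.example,203.0.113.9,failure
2016-03-04T22:17:03Z,hx41@mail.example,198.51.100.23,success
2016-04-12T06:44:59Z,lm02@mail.example,192.0.2.55,success
"""

def infer_compromises(log_text, registry=REGISTRY, control=CONTROL):
    """Return (sites, control_hits); sites maps a site to its login evidence."""
    sites = defaultdict(list)
    control_hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, mailbox, ip, result = row
        if result != "success":
            continue  # a failed guess does not show that the password leaked
        if mailbox in control:
            control_hits.append((ts, mailbox, ip))  # points at the provider
        elif mailbox in registry:
            # The password was only ever given to this one site.
            sites[registry[mailbox]].append((ts, ip))
    return dict(sites), control_hits

def report(log_text):
    """Summarise detections; a control hit makes them unattributable."""
    sites, control_hits = infer_compromises(log_text)
    return {"attributable": not control_hits, "sites": sorted(sites)}
```

Because each mailbox is tied to exactly one site, a successful login names the site whose account data leaked, and a login to any control mailbox means the provider itself can no longer be ruled out as the source.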
In the end, the team was able to identify 19 websites that had been compromised, including a well-known American startup that they refused to name. Among the hacked sites were a porn site in Germany and an alleged “company with a large portfolio of travel recommendation websites” that reportedly has 40 million monthly views across its sites.
According to the computer scientists, once their tool detected the website security breaches, they immediately got in touch with the sites’ security teams to warn them.
“I was heartened that the big sites we interacted with took us seriously,” Snoeren said. However, none of the websites informed their customers of the hack.
“I was somewhat surprised no one acted on our results.”
While the companies that were allegedly hacked chose not to disclose the situation to the public, Snoeren pointed out that none of them volunteered to be a part of their study.
“The reality is that these companies didn’t volunteer to be part of this study,” he explained. “By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose.”
In their paper, Snoeren and his team noted that Tripwire found both plaintext and hashed-password breaches. Also, the researchers found that only a few of the accounts were used to send spam after being breached. DeBlasio speculated that the cybercriminals were just monitoring the emails to harvest valuable information like bank accounts and credit card details.
The researchers also emphasized that website security breaches happen every year and it can happen to any website, regardless of how big the companies’ reach and audience are. While 1 percent of the over 2,300 websites may not seem like much, the researchers argued that it could mean tens of millions of websites that could be breached yearly out of the existing billions of sites on the Internet.
The paper entitled “Tripwire: Inferring Internet Site Compromise” was presented by the UCSD researchers at the ACM Internet Measurement Conference held in London last November. A repository for the registration crawler was also made available on GitHub.