Do you know the website: haveibeenpwned.com?
You can try it youself: Enter an email address of a friend and see some of the accounts your friend owns. Do they have an account with jobandtalent.com, jobstreet.com, linkedin, new york voter database, ancestry.com, adultfriendfinder.com, MeetMindful or Manhunt? All were breached in the past and the user accounts/passwords are for sale on the dark web.
Links to sensitive information
When a website gets hacked and the account/password information leaks, a database with passwords often finds its way onto the darkweb. They could then be offered for sale, for example, you will find a live list here: (remove the stars)
http://le***akedfuk6ls6ctol7a4k3m2uqsptkhf3yb3mbqnkjrhyt3n62g47cid.onion
The website haveibeenpwned.com buys these databases and can check if an email is present in any of them. Thus confirming the account exists in the database. You can check any email or phone number you like. This in itself is interesting information and a small example of how a well meaning security related effort can lead to information leaks.
Security measures can add to insecurity.
As a matter of fact, even security policy can lead to insecure situations.
Security Policy
When Uber was hacked in the summer of 2022, the hackers first made their way into the systems using social engineering. Once on the network, they actually found a database with all known-and-to-be-addressed technical vulnerabilities. Uber created and kept this database as part of their security policy. Using any of these vulnerabilities, the hackers now had many ways of getting back in future.
According to ISO, NEN, GDPR, CISM and other security standards, a company needs to document their IT systems for security reasons. As a policy, a larger company is mandated to keep up-to-date documents, usually as a minimum including things like the password policy, a list of systems and also network diagrams. If not, this information will also be drawn up during a ISO27001 security audit and stored somewhere on the network.
A data-leak-register is mostly mandated and security breaches need to be documented. This then constitutes a treasure trove of information if a hacker ever gets access to it. Keep it safe!
Security Scripts
A smart idea would be to automatically audit access to the security related documents as described here above. This can be done, for example, by using standard Windows audit policy. They then become a honeypot and could reveal hacker-activity if accessed. However, be aware that the script to do the auditing will need admin privileges. If a hacker is able to change the script, the hacker is admin.
This would then be another security breach caused by security measures.
Strong passwords
Strong passwords are an excellent way and also the most commonly accepted way of making brute force password attacks more difficult. However, as we are all aware by now, strong passwords are very difficult to remember and nowadays a user will have many accounts with many different websites.
Having a different strong password for each one of them just makes it impossible to remember all. People will (not unreasonably) resort to writing them down on paper, storing them in files or using the same password everywhere. This then becomes the next security risk, caused by “good” security policy.
Security Bulletins
So where do hackers actually gain the knowledge for hacking? My guess would be that a beginning hacker will start using Google. Doing searches like “known vulnerabilities” or “0day vulnerabilities”, they will quickly learn and get to one of many well meaning websites listing technical details of exploits.
As not all companies always have all the latest software updates installed, in many circumstances, these listed exploits will simply work.
A hacker-to-be could even subscribe to one of many email alerts that notify them immediately when a new vulnerability is found. This will beat system updates in many companies on speed. If they find a list of known vulnerabilities on the network somewhere, they’ll be back. Most of this security or ethical hacking information is meant to do good, but actually increases insecurity.
in conclusion
Some security measures can actually, as in the examples above, provide important information to hackers. A badly designed security policy, password policy or carelessness in the technical implementation may give a hacker an advantage and in the end make the system less safe than it was before.
Like in the Uber case, this is now happening in many professional IT environments. Even a security audit can cause vulnerabilities. There are unfortunately many examples of that too.
Making the pivotal documents into a well designed honeypot should be a minimum.
