Questions linger as data breach trading site LeakBase disappears

If account credentials stolen during a data breach are posted on public servers, is it ever legitimate business to make money trading access to this data?

It sounds dubious, but this is precisely what a small group of websites started doing two years ago to almost no applause.
The claim was that turning breaches into a business would aid notification because it would help advertise them quickly once the data appeared online somewhere, usually on the dark web.
The counter argument was that low-level connected criminals less savvy with dark web sources would also be enthusiastic subscribers, which would turn sites into databases fuelling more online crime.
Now with the news that a prominent name in the sector, LeakBase.pw, went silent last weekend, it appears breach-as-a-service might be on its last legs.
On 2 December LeakBase started redirecting to Troy Hunt's breach-notification site Have I Been Pwned? (HIBP), confirming an earlier message from the site's Twitter feed that something was up:
This project has been discontinued, thank you for your support over the past year and a half.
To anyone who thinks that selling credentials stolen during data breaches was never a legitimate activity in the first place, that will count as a good day for security.
Earlier this year, another breach site called LeakedSource disappeared with identical suddenness, reportedly after being raided and having its servers seized by the FBI.
This should have cleared the way for LeakBase to dominate the market but now it too has succumbed to unspecified troubles. The nature of those troubles, which ironically started in April when the site was itself breached, defaced, and subsequently changed ownership, still interests a lot of people.
According to security blogger Brian Krebs, one of the site’s founders may have links to an illegal dark web drugs website, Hansa, taken over by Dutch police in July in order to covertly monitor its customers and users.
Handling breached data was always likely to attract the attention of police, Troy Hunt of HIBP told another news site.
Is their demise a simple cause for celebration?
It might appear so if it weren't for the knack some of these sites had of discovering unknown breaches, typically old ones nobody knew about. A good example was the Dropbox breach affecting 68 million users, which LeakBase brought to light in 2016, four years after it happened in 2012.
Recently, the site was at it again, telling a news site about a breach at Taringa affecting another 28 million users.
As LeakedSource summed it up in 2016:
For the most part, the reason all of these mega breaches are coming to light now is because we’ve gone out and found the data exists.
Clearly these sites were uncovering breaches. The problem was that they sold access to this data, telling journalists about it to attract attention to their services.
Public service sites such as HIBP and Vigilante.pw are the obvious alternatives, and their recent success in making unknown breaches public might in any case have rendered the whole idea of paid breach databases obsolete.
What remains unsettling is that something as critical as data breach discovery is being left to small and under-resourced sites to do off their own bat. Software vulnerabilities eventually turned into a thriving area of independent research – for profit as well as public service – so why can't the same be the case for data breaches?