Tool developed to detect website security breaches

A tool has been designed by researchers at the University of California San Diego to detect when websites are hacked by monitoring the activity of email accounts associated with them.


A tool has been designed to detect when websites are hacked by monitoring the activity of email accounts associated with them. Almost one percent of the websites researchers tested had suffered a data breach during an 18-month study period, regardless of how big the companies' reach and audience are, said computer scientists at the University of California San Diego.

"No one is above this—companies or nation-states—it's going to happen; it's just a question of when," said Alex C. Snoeren, the paper's senior author and a professor of computer science at the Jacobs School of Engineering at the University of California San Diego.

One percent might not seem like much. However, there are over a billion sites on the internet, this means tens of millions of websites could be breached every year, said Joe DeBlasio, one of Snoeren's Ph.D. students and the paper's first author.

Researchers found popular sites were just as likely to be hacked as unpopular ones. This means out of the top-1000 most visited sites on the internet, ten are likely to be hacked every year.

"One percent of the really big shops getting owned is terrifying," DeBlasio said.

The concept behind the tool, called Tripwire, is relatively simple. DeBlasio created a bot that registers and creates accounts on a large number of websites—around 2,300 were in their study. Each account is associated with a unique email address. The tool was designed to use the same password for the email account and the website account associated with that email. Researchers then waited to see if an outside party used the password to access the email account. This would indicate the website's account information had been leaked.

To make sure the breach was related to hacked websites and not the email provider or their own infrastructure, researchers set up a control group. It consisted of more than 100,000 email accounts they created with the same email provider used in the study. But computer scientists did not use the addresses to register on websites. None of these email accounts were accessed by hackers.

Websites breached

Researchers determined 19 websites had been hacked, including a well-known American startup with more than 45 million active customers.

Once the accounts were breached, researchers got in touch with the sites' security teams to warn them of the breaches. They exchanged emails and phone calls. "I was heartened that the big sites we interacted with took us seriously," Snoeren said.

Image courtesy: Ilya Pavlov/UnsplashNone of the websites chose to disclose to their customers the breach the researchers had uncovered. "I was somewhat surprised no one acted on our results," Snoeren said.

The researchers decided not to name the companies in their study.

"The reality is that these companies didn't volunteer to be part of this study," Snoeren said. "By doing this, we've opened them up to huge financial and legal exposure. So, we decided to put the onus on them to disclose."

Very few of the breached accounts were used to send spam once they became vulnerable. Instead, the hackers usually just monitored email traffic. DeBlasio said the hackers could have been monitoring emails to harvest valuable information such as bank and credit card accounts.

Researchers went a step further by testing password strength. They created at least two accounts per website. One account had an "easy" password-strings of seven-character words with their first letter capitalized and followed by a single digit. These kinds of passwords are usually the first passwords hackers will guess. The other account had a "hard" password—random 10-character strings of numbers and letters, both in lower and upper case, without special characters. Seeing which of the two accounts got breached allowed researchers to make a good guess about how websites store passwords.

If the easy and hard passwords were hacked, the website likely just stores passwords in plain text, contrary to typically-followed best practices. If the account using the easy password was breached, the sites likely used a more sophisticated method for password storage: An algorithm turns passwords into a random string of data—with random information added to those strings.

The computer scientists had a few pieces of advice for internet users: Don't reuse passwords; use a password manager; and ask yourself how much you really need to disclose online. "Websites ask for a lot of information," Snoeren said. "Why do they need to know your mother's real maiden name and the name of your dog?"

DeBlasio was less optimistic these precautions would work.

"The truth of the matter is that your information is going to get out; and you're not going to know that it got out," he said.

Snoeren and colleagues are not planning to pursue further research on Tripwire.

"We hope to have impact through companies picking it up and using it themselves," he said. "Any major email provider can provide this service."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (, a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media,

ONLINE extra

See related stories from ISSSource linked below.

Click here to register to download the report.

The Top Plant program honors outstanding manufacturing facilities in North America. View the 2017 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Welding ergonomics, 2017 Salary Survey, and surge protection
2017 Top Plant winner, Best practices, Plant Engineering at 70, Top 10 stories of 2017
Pipe fabrication and IIoT; 2017 Product of the Year finalists
Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
The cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Setting internal automation standards
Knowing how and when to use parallel generators
PID controllers, Solar-powered SCADA, Using 80 GHz radar sensors

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me