Tool developed to detect website security breaches

A tool has been designed by researchers at the University of California San Diego to detect when websites are hacked by monitoring the activity of email accounts associated with them.

02/21/2018


A tool has been designed to detect when websites are hacked by monitoring the activity of email accounts associated with them. Almost one percent of the websites researchers tested had suffered a data breach during an 18-month study period, regardless of how big the companies' reach and audience are, said computer scientists at the University of California San Diego.

"No one is above this—companies or nation-states—it's going to happen; it's just a question of when," said Alex C. Snoeren, the paper's senior author and a professor of computer science at the Jacobs School of Engineering at the University of California San Diego.

One percent might not seem like much. However, there are over a billion sites on the internet, this means tens of millions of websites could be breached every year, said Joe DeBlasio, one of Snoeren's Ph.D. students and the paper's first author.

Researchers found popular sites were just as likely to be hacked as unpopular ones. This means out of the top-1000 most visited sites on the internet, ten are likely to be hacked every year.

"One percent of the really big shops getting owned is terrifying," DeBlasio said.

The concept behind the tool, called Tripwire, is relatively simple. DeBlasio created a bot that registers and creates accounts on a large number of websites—around 2,300 were in their study. Each account is associated with a unique email address. The tool was designed to use the same password for the email account and the website account associated with that email. Researchers then waited to see if an outside party used the password to access the email account. This would indicate the website's account information had been leaked.

To make sure the breach was related to hacked websites and not the email provider or their own infrastructure, researchers set up a control group. It consisted of more than 100,000 email accounts they created with the same email provider used in the study. But computer scientists did not use the addresses to register on websites. None of these email accounts were accessed by hackers.

Websites breached

Researchers determined 19 websites had been hacked, including a well-known American startup with more than 45 million active customers.

Once the accounts were breached, researchers got in touch with the sites' security teams to warn them of the breaches. They exchanged emails and phone calls. "I was heartened that the big sites we interacted with took us seriously," Snoeren said.

Image courtesy: Ilya Pavlov/UnsplashNone of the websites chose to disclose to their customers the breach the researchers had uncovered. "I was somewhat surprised no one acted on our results," Snoeren said.

The researchers decided not to name the companies in their study.

"The reality is that these companies didn't volunteer to be part of this study," Snoeren said. "By doing this, we've opened them up to huge financial and legal exposure. So, we decided to put the onus on them to disclose."

Very few of the breached accounts were used to send spam once they became vulnerable. Instead, the hackers usually just monitored email traffic. DeBlasio said the hackers could have been monitoring emails to harvest valuable information such as bank and credit card accounts.

Researchers went a step further by testing password strength. They created at least two accounts per website. One account had an "easy" password-strings of seven-character words with their first letter capitalized and followed by a single digit. These kinds of passwords are usually the first passwords hackers will guess. The other account had a "hard" password—random 10-character strings of numbers and letters, both in lower and upper case, without special characters. Seeing which of the two accounts got breached allowed researchers to make a good guess about how websites store passwords.

If the easy and hard passwords were hacked, the website likely just stores passwords in plain text, contrary to typically-followed best practices. If the account using the easy password was breached, the sites likely used a more sophisticated method for password storage: An algorithm turns passwords into a random string of data—with random information added to those strings.

The computer scientists had a few pieces of advice for internet users: Don't reuse passwords; use a password manager; and ask yourself how much you really need to disclose online. "Websites ask for a lot of information," Snoeren said. "Why do they need to know your mother's real maiden name and the name of your dog?"

DeBlasio was less optimistic these precautions would work.

"The truth of the matter is that your information is going to get out; and you're not going to know that it got out," he said.

Snoeren and colleagues are not planning to pursue further research on Tripwire.

"We hope to have impact through companies picking it up and using it themselves," he said. "Any major email provider can provide this service."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

ONLINE extra

See related stories from ISSSource linked below.

Click here to register to download the report.



Top Plant
The Top Plant program honors outstanding manufacturing facilities in North America.
Product of the Year
The Product of the Year program recognizes products newly released in the manufacturing industries.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
June 2018
2018 Lubrication Guide, Motor and maintenance management, Control system migration
May 2018
Electrical standards, robots and Lean manufacturing, and how an aluminum packaging plant is helping community growth.
April 2018
2017 Product of the Year winners, retrofitting a press, IMTS and Hannover Messe preview, natural refrigerants, testing steam traps
June 2018
Machine learning, produced water benefits, programming cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
Spring 2018
Burners for heat-treating furnaces, CHP, dryers, gas humidification, and more
April 2018
Implementing a DCS, stepper motors, intelligent motion control, remote monitoring of irrigation systems
February 2018
Setting internal automation standards

Annual Salary Survey

After two years of economic concerns, manufacturing leaders once again have homed in on the single biggest issue facing their operations:

It's the workers—or more specifically, the lack of workers.

The 2017 Plant Engineering Salary Survey looks at not just what plant managers make, but what they think. As they look across their plants today, plant managers say they don’t have the operational depth to take on the new technologies and new challenges of global manufacturing.

Read more: 2017 Salary Survey

The Maintenance and Reliability Coach's blog
Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
One Voice for Manufacturing
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Maintenance and Reliability Professionals Blog
The Society for Maintenance and Reliability Professionals an organization devoted...
Machine Safety
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
Research Analyst Blog
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Marshall on Maintenance
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
Lachance on CMMS
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
Electrical Safety Update
This digital report explains how plant engineers need to take greater care when it comes to electrical safety incidents on the plant floor.
Maintenance & Safety
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
Randy Steele
Maintenance Manager; California Oils Corp.
Matthew J. Woo, PE, RCDD, LEED AP BD+C
Associate, Electrical Engineering; Wood Harbinger
Randy Oliver
Control Systems Engineer; Robert Bosch Corp.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me