Data Breaches Harder to Understand

[This was originally published on Credant, now a Dell company, under my OSF byline. Archived on]

On the off chance you missed any news outlet the last 30 days, an .anti security. movement has been reborn. Started in 1999, the Antisec Movement focused on encouraging security consultants and hackers not to disclose vulnerabilities to vendors. The recent resurgence of this movement has also morphed it into a campaign focusing on demonstrating the current weaknesses of security on the Internet. This is being brought to light via mass intrusion and the subsequent publishing of sensitive data such as e-mails, customer information and database details.

The most recent rash of high-profile compromises can be tracked to a group known as LulzSec, a splinter group from the bigger Anonymous collective. Along with other recently formed groups such as “Uberleaks” (@uberleaks on Twitter), we saw dozens of small breaches a day that resulted in private information being exposed. Even with “Uberleaks” apparently calling it quits, the Antisec movement is still going strong.

While the general trend of increasing data breaches is easier to understand, some of the breaches themselves become problematic to, a project designed to track such breaches. If a breach is problematic to a group of volunteers that have been tracking breaches for years, it spells trouble for consumers. Take for example the afore mentioned .Uberleaks. group. Starting out on Twitter and quickly creating their own web site to flaunt their breaches, their own cataloging of their activities was confusing.

On June 24, the DatalossDB team discovered their Twitter feed and immediately began investigating their declared breaches. Their .Releases. web page showed a list of breaches without any numbering. The associated Pastehtml pages (a site they used to dump the pilfered information) numbered the breaches. That day, we discovered what they called breach #19, yet their own Releases page only showed 17. Incidents #6 and #14 could not be found. Further, incident(s) #9 and #10 were two different breaches, but both were attributed to (our investigation suggested one was actually Incident #12 was attributed to in some places, but in others. With such discrepancies, tracking these incidents becomes a challenge.

By the next day, “Uberleaks” had posted incident #27, but appeared to have an extra one thrown in that was not numbered ( Later that day, another DatalossDB moderator had done additional digging to determine one incident did not have PII, found incident #14 was not going to be disclosed but involved a university and that several of the breached sites appeared to be old and no longer used by members. She contacted some of the sites warning the of the breach, but did not hear back.

Taking all of the above into account, how is the average consumer supposed to deal with these types of breaches? With so many incidents occurring, the mainstream media simply cannot write an article for every single one. That leads to the question if these organizations had any idea they had been breached and their information thrown out to the world. If an organization isn.t aware, they cannot warn their customers and begin to take additional precautions for data security. We cannot find any evidence these attacks were anything but so-called “low hanging fruit”, sites that had very simple vulnerabilities that were easily exploited. This helps to explain how one small group (guessed to be 2 or 3 people) could compromise so many sites in short order.

Is this the tip of the iceberg? The Open Security Foundation (OSF) believes so! Unfortunately for consumers and ourselves, this will only mean more headache in the near future. When we have to spend time researching who was breached in the first place, rather than simply cataloging a list of organizations, it spells disaster. On one hand, at least we know an incident occurred and have leads on tracking it down. On the other, without mainstream disclosure and customer notification, the published information becomes that much more vulnerable until details are established and corrective measures taken.

In the coming months, data breach tracking will become more challenging and time consuming. Consumers will come under increasing risk for having their information exposed, while companies irrationally rely on “there are juicier targets than us” as a means of defense. In the mean time, consumers should be that much more diligent in pressing companies to take data security seriously, but also be mindful of what information they give companies as they establish new relationships.

Guest Blogger Brian Martin of the Open Security Foundation (OSF)

Open Security Foundation provides independent, accurate, detailed, current, and unbiased security information. Open Security Foundation runs the Open Source Vulnerability Database (OSVDB) and the DataLossDB. DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation.s, asks for contributions of new incidents and new data for existing incidents. OSVDB.s goal is to provide accurate and unbiased information about security vulnerabilities in computerized equipment. The core of OSVDB is a relational database which ties various information about security vulnerabilities into a common, cross-referenced data source. Data is acquired from common security industry sources, entered into the OSVDB database, and cross referenced with existing information.

Whoever Fights Monsters: Aaron Barr, Anonymous, and Ourselves

I was part of a panel scheduled with Aaron Barr and Josh Corman that was moderated by Paul Roberts at DEF CON 19 in 2011. Due to legal concerns regarding HBGary, Barr had to bow out last minute and Kryptia stepped in to participate. He began wearing a disguise so the audience thought it might be Barr.

Download: Video of Slides (via
Download: Video of Speakers & Slides (via
Download: Audio of Panel (via