Five Continents, Five Voices: Troy Hunt, Oceania

The past year marked the end of the 2010s and a dynamic period in cybersecurity’s growth: from espionage tools, massive data breaches and ransomware impacts, to governments, law enforcement and regulators taking notice of developments in the sector.

To mark the end of this year and decade, Infosecurity talked to a series of people from around the globe, each from a different continent, to gauge their perspective on which trends affected their region, and how cybersecurity impacted local businesses and culture in their view.

Representing the Oceania region is Troy Hunt, founder of HaveIBeenPwned and this year’s Infosecurity Europe Hall of Fame Inductee. I started off by asking him if he felt that there had been positives from the past year, and he asked me back whether “we ever get to the end of the year, and go, yeah, that was a good year?”

He said that the trend that stood out for him was around data aggregators, as “there are more organizations scooping up more of our data in ways that we never expected, and then losing it, and that’s sort of a concerning trend that is constantly changing.” This included the recent PDL breach, as well as other cases.

The other trend he pointed at was around credentials and credential stuffing, which he said could ultimately allow “strangers to talk to my children in their bedroom through the camera, because they use the same password everywhere.”

He said that he believed that is a trend that we’re going to continue to see ramping up next year, “because it’s just a hard problem to solve without starting to really impact on usability as well.”

The turning point here, Hunt said, is the ubiquity of credential pairs floating around the web, accessible to anyone. He pointed to how easily even minors can carry out this sort of attack. “They’ve got no sophistication whatsoever, but they know how to watch YouTube, and they know how to download stuff, and to make it worse, they don’t have the moral compass yet to know that that can be dangerous.”

Following the recent selling of Disney+ accounts, Hunt acknowledged that there’s obviously a business model to be had there. He asked us to imagine ourselves in the shoes of the corporate victims of credential stuffing: imagine you’re Disney, and you have to detect that someone is logging onto your system with the correct username and password but is not the real owner of the account, and you have to stop that person – how do you do that?

“That’s not an easy problem to solve; again, not without spending heaps of money or impacting usability,” he said. “By impacting usability, I mean anti-automation, which is going to have false positives; verification of identity via back channel like email; enforcement of 2FA, which no-one in their right mind is going to do, because 2FA is just such a massive blocker to certain people, and you kind of live with this really tricky situation.”
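Detection logic of the kind Hunt’s question points at, as an added example that is not from the article or from Hunt: it scores login sources over a constructed set of authentication events and flags only the pattern of a leaked credential list being replayed (many distinct usernames from one source, mostly failing), while a shared office gateway and a single user retrying a mistyped password stay unflagged. Every IP address, username and threshold here is invented.

```python
from collections import defaultdict

# Constructed login events for illustration (source_ip, username, outcome);
# none of these values come from the article.
SAMPLE_LOGINS = [
    # Source A: replays a leaked credential list, mostly failing, two "hits".
    *[("198.51.100.7", f"user{i}", "fail") for i in range(18)],
    ("198.51.100.7", "user3", "success"),
    ("198.51.100.7", "user11", "success"),
    # Source B: an office NAT, many distinct users, nearly all succeed.
    *[("203.0.113.20", f"staff{i}", "success") for i in range(12)],
    ("203.0.113.20", "staff4", "fail"),
    # Source C: one user mistyping a password a few times, then succeeding.
    ("192.0.2.9", "bob", "fail"),
    ("192.0.2.9", "bob", "fail"),
    ("192.0.2.9", "bob", "success"),
]


def score_sources(events, min_attempts=10, min_distinct_users=5,
                  max_success_ratio=0.3):
    """Group events by source and flag sources whose pattern matches
    credential stuffing: many attempts, spread over many distinct usernames,
    with most of them failing. A high success ratio across many users (a
    shared gateway) and a single user retrying (a forgotten password) are
    deliberately not flagged, keeping the false-positive cost low.

    Returns {source: {"attempts", "distinct_users", "success_ratio", "hits"}}
    where "hits" are accounts that did log in successfully from a flagged
    source: candidates for step-up verification (back-channel email, 2FA)
    rather than an outright block.
    """
    per_source = defaultdict(list)
    for source, user, outcome in events:
        per_source[source].append((user, outcome))

    flagged = {}
    for source, attempts in per_source.items():
        users = {u for u, _ in attempts}
        successes = [u for u, o in attempts if o == "success"]
        ratio = len(successes) / len(attempts)
        if (len(attempts) >= min_attempts
                and len(users) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[source] = {
                "attempts": len(attempts),
                "distinct_users": len(users),
                "success_ratio": round(ratio, 2),
                "hits": sorted(set(successes)),
            }
    return flagged


if __name__ == "__main__":
    for src, info in score_sources(SAMPLE_LOGINS).items():
        print(src, info)
```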

Meanwhile, the FTC is saying that “just because you’re the corporate victim of a credential stuffing attack, it doesn’t mean we’re not going to bring a case against you.” Hunt acknowledged that this is hard for both consumers and businesses, and this is “a shared problem and a shared responsibility to fix.”

Looking a bit closer to home, Hunt said that he felt one of the biggest news stories for Australia was the launch of the first Notifiable Data Breach Scheme in 2018, which he said contained “weak disclosure laws, but it’s something.” The weaknesses include a month to notify the regulator, and the fact that unless you are an organization with AUS$3 million of revenue or more, you’re not subject to the scheme. “That means that more than 90% of Aussie businesses are excluded,” he said.

The third weakness is a self-assessment process to establish whether or not the breach is likely to cause serious harm to individuals; if it is not, you don’t have to disclose.

Hunt said: “These three things just make it feel super watered down and they really weigh the onus on the individual rather than the organization, so the government’s sort of saying ‘we don’t want to make it too hard on businesses’.

“The impact that it is having, and what I’ve heard from a number of different CISOs I’ve spoken to, is they said ‘it might be watered down, but now that there is legislation, we get to go and talk to the board, and tell them that there is legislation that they have to follow, and before we didn’t have that, so it’s giving them leverage that didn’t exist before the scheme’.”

Hunt believed that, as time passes, the scheme can be better aligned with other parts of the world, but for the interim, “it’s better than what we had before.”
