- Jul 22, 2014
- 2,525
A team of three researchers from the University of California, San Diego (UCSD) has created a tool that can detect when user-registration-based websites suffer a data breach.
The tool, named Tripwire, works on a simple concept. Researchers say that Tripwire registers one or more accounts on websites by using a unique email address that they do not use for anything else.
Each email account and the website profile used the same password. Tripwire would check at regular intervals if someone used this password to access the email account, which would indicate the website suffered a breach and an attacker used the stolen account data to log into the associated email account.
Tripwire finds 19 data breaches during test run
In a live test, researchers said they registered accounts at over 2,300 sites. At the end of the study's period, scientists said that attackers accessed email accounts for 19 of these sites, including one with a userbase of over 45 million.
..
...
"I was somewhat surprised no one acted on our results," Snoeren added, saying his team won't disclose the websites' names. "The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose."
...
...
The tool, named Tripwire, works on a simple concept. Researchers say that Tripwire registers one or more accounts on websites by using a unique email address that they do not use for anything else.
Each email account and the website profile used the same password. Tripwire would check at regular intervals if someone used this password to access the email account, which would indicate the website suffered a breach and an attacker used the stolen account data to log into the associated email account.
Tripwire finds 19 data breaches during test run
In a live test, researchers said they registered accounts at over 2,300 sites. At the end of the study's period, scientists said that attackers accessed email accounts for 19 of these sites, including one with a userbase of over 45 million.
..
...
"I was somewhat surprised no one acted on our results," Snoeren added, saying his team won't disclose the websites' names. "The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose."
...
...
