Sensitive data that has been compromised through hacking, or exposed through human and technology errors, often ends up posted anonymously on public forums like Pastebin and similar venues.
Often it is only because an alert security practitioner or other “nice guy” notices and reports such data dumps that the compromised organization learns of the breach at all. The entity then usually scrambles to assess the level of compromise and begins the laborious task of notifying those who may have been affected, particularly if the breached data includes information about consumers, clients, or business partners.
The good news is that sites like Pastebin are fairly quick to take action and delete the offending post. While this helps to some degree in protecting those exposed from being victimized, the Internet is not so easily scrubbed of such data, which is often cached or otherwise preserved elsewhere.
Complicating matters, there are more than a few “dump services” that seek to alert anyone and everyone to the posting of sensitive data by malicious actors. Depending on your point of view, these automated web-scraping bots may be seen as helpful in disseminating the information, or as doing more harm than good by propagating data that should not be broadcast widely.
A friend of mine, security researcher/instructor/consultant J. Oquendo of EFENS!VE Security Strategies, takes the latter position, and has taken it upon himself to create his own automated system that similarly scours the web for data dump sites, but then takes the further step of notifying the affected parties if the leaked data happens to include email contact information.
“So I was bored (ADD/ADHD) and annoyed by these dump accounts (primarily twitter.com/dumpmon),” Oquendo told me in an email. “So I decided to write a program that looks for data dumps, parses out the email addresses of those affected, then generates a template message: Hey… Your data has been leaked, this is the site that was associated with the leak, and this is the site posting the leak – I call it CounterDump.”
According to an explanation posted by E-FENS!VE regarding CounterDump, the service “aims to notify affected users of data breaches that contain information relevant to them. This can include usernames, e-mails, passwords, social security numbers, credit cards. We offer this service as a form of Internet Public Service. There is no charge, there are no strings, there is nothing to sign up for, there is no spam, no sales. Nothing other than the desire to create a form of watchdog service for netizens who may be unknowingly affected by a data breach.”
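As an added illustration of the flow Oquendo describes (find a dump, pull out the addresses, generate a template notice), here is a small Python sketch. It is not CounterDump's code, and the dump text, site name and paste URL in it are constructed for the example. Two design choices are baked in that a practitioner would want: the notice never echoes the leaked credential, so it cannot re-leak it or read like a phishing lure, and it states plainly that the notifier is a third party and not the breached site.

```python
import re

# Constructed sample dump for illustration only; none of these accounts are real.
SAMPLE_DUMP = """\
dumped from example-shop.invalid, have fun
alice@example.com:Passw0rd!
bob@mail.example.org:hunter2
ALICE@example.com:Passw0rd!
admin@example-shop.invalid:letmein
noreply@example.com:abc123
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Mailboxes that no person reads; a notice sent there helps nobody.
SKIP_LOCAL_PARTS = {"noreply", "no-reply", "donotreply", "mailer-daemon"}


def extract_emails(text):
    """Return the unique, lower-cased addresses in a dump, in first-seen order,
    skipping obvious unattended mailboxes."""
    found = []
    for addr in EMAIL_RE.findall(text):
        addr = addr.lower()
        if addr.split("@", 1)[0] in SKIP_LOCAL_PARTS or addr in found:
            continue
        found.append(addr)
    return found


NOTICE_TEMPLATE = """\
To: {recipient}
Subject: Your address {recipient} appears in a public data dump

This is an automated notice from {notifier}, an independent watchdog service.
{notifier} is NOT {leaked_site} and had no part in the breach.

Your address was found in a data dump attributed to: {leaked_site}
The dump is currently posted at: {dump_url}

If the dump pairs your address with a password, we do not repeat it here.
Change your password on {leaked_site} and anywhere else you reused it,
and enable two-factor authentication where you can.

No reply is needed; this is a one-time notice.
"""


def build_notice(recipient, leaked_site, dump_url, notifier="CounterDump"):
    """Render the per-recipient message. Only the address, the attributed site
    and the dump location go in; the leaked credential itself is deliberately
    never passed to the template."""
    return NOTICE_TEMPLATE.format(recipient=recipient, leaked_site=leaked_site,
                                  dump_url=dump_url, notifier=notifier)


def notify_all(dump_text, leaked_site, dump_url):
    """Map every notifiable address in the dump to its rendered notice."""
    return {addr: build_notice(addr, leaked_site, dump_url)
            for addr in extract_emails(dump_text)}


if __name__ == "__main__":
    # The site attribution and paste URL are hypothetical inputs; a real
    # scraper would take them from the dump post itself.
    notices = notify_all(SAMPLE_DUMP, "example-shop.invalid",
                         "https://paste.example/abc123")
    for body in notices.values():
        print(body)
```

The site the leak is attributed to is taken as an input rather than guessed from the dump text, since that attribution is the part a scraper gets wrong most easily, and a wrong name in the notice is exactly what produces the kind of reply Oquendo describes below.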
Oquendo went on to explain that creating and deploying the service has brought more than a few headaches for him and his company.
“Trying to do something nice, I set myself up as a target for those doing the hacking, as they will likely find out about CounterDump, and breach victims/companies will likely think I had something to do with the compromise, and so on,” Oquendo said.
“I also spoke with lawyers at Stanford University and law enforcement officials to make sure I was not breaking any laws by accessing the data and notifying the victims. I was told to spell it all out clearly, so hopefully that page on our company website is worded correctly,” Oquendo continued.
Now that the service has been up and running for a short time, I asked Oquendo if he had received any feedback on the notifications.
“Well, we notified one company about their data being breached, and I guess someone didn’t completely read the message we had sent them,” Oquendo said.
“They replied with something like: Thanks a lot you [redacted nastiness], you didn’t secure your site and now my credit card information is owned! To which I responded: Uh, you really need to read your email better.”
So much for trying to be the ‘nice guy’…