Abstract
The amount of identity data leaks in recent times is drastically increasing. Not only smaller web services, but also established technology companies are affected. However, it is not commonly known, that incidents covered by media are just the tip of the iceberg. Accordingly, more detailed investigation of not just publicly accessible parts of the web but also deep web is imperative to gain greater insight into the large number of data leaks. This paper presents methods and experiences of our deep web analysis. We give insight in commonly used platforms for data exposure, formats of identity related data leaks, and the methods of our analysis. On one hand a lack of security implementations among Internet service providers exists and on the other hand users still tend to generate and reuse weak passwords. By publishing our results we aim to increase awareness on both sides and the establishment of counter measures.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
DataLossDB - http://datalossdb.org/.
- 2.
BSI Security Check - https://www.sicherheitstest.bsi.de/.
- 3.
Survela - https://survela.com/.
- 4.
BreachAlarm - https://breachalarm.com/.
- 5.
PwnedList - https://pwnedlist.com/.
- 6.
HPI Identity Leak Checker - https://sec.hpi.de/leak-checker.
- 7.
PasteBin - http://pastebin.com.
- 8.
AnonFiles - https://anonfiles.com.
- 9.
LeakedIn - http://www.leakedin.com/.
- 10.
PHPass - http://www.openwall.com/phpass/.
- 11.
hashcat - http://hashcat.net/hashcat/.
- 12.
John the Ripper - http://www.openwall.com/john/.
- 13.
bcrypt library - http://bcrypt.sourceforge.net/.
References
Important Customer Security Announcement. http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
Symantec Corporation. Internet Security Threat Report (2014)
Data Breach QuickView: An Executive’s Guide to 2013 Data Breach Trends. Presentation, Risk Based Security, February 2014
Parno, B., McCune, J.M. et al.: CLAMP: practical prevention of large-scale data leaks. In: 2013 IEEE Symposium on Security and Privacy 0, pp. 154–169 (2009). doi:http://doi.ieeecomputersociety.org/10.1109/SP.2009.21. ISSN: 1081–6011
Mirante, D., Cappos, J.: Understanding Password Database Compromises. Technical report TR-CSE-2013-02, Department of Computer Science and Engineering Polytechnic Institute of NYU (2013)
Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. In: Commun. ACM 47(4), 75–78, April 2004. doi:10.1145/975817.975820, url:http://doi.acm.org/10.1145/975817.975820, issn: 0001–0782
Castelluccia, C., Chaabane, A., et al.: When privacy meets security: leveraging personal information for password cracking. In: ArXiv e-prints, April 2013
High-Tech Bridge. 300,000 Compromised Accounts Available on Pastebin: Just the Tip of Cybercrime Iceberg. Web site, February 2014. https://www.htbridge.com/news/300_000_compromised_accounts_available_on_pastebin.html. Accessed on January 07 2014
Krebs, B.: Adobe Breach Impacted At Least 38 Million Users. Web Site, October 2013. http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/. Accessed on January 07 2014
Holz, T., Engelberth, M., Freiling, F.: Learning more about the underground economy: a case-study of keyloggers and dropzones. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 1–18. Springer, Heidelberg (2009)
Krebs, B.: Adobe To Announce Source Code, Customer Data Breach. Web Site, October 2013. http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/. Accessed on January 07 2014
Nadji, Y., Antonakakis, M. et al.: Beheading hydras: performing effective botnet takedowns. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 121–132. ACM, New York (2013)
Stone-Gross, B., Cova, M. et al.: Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of the 16th ACM Conference on Computer and Communications Security. CCS 2009, pp. 635–647. ACM, New York (2009)
Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of the 13th USENIX Security Symposium, August 2004
The Tor Project. Tor: Hidden Service Protocol. Web Site. https://www.torproject.org/docs/hidden-services.html.en. Accessed on January 07 2014
Bonneau, J., Xu, R.: Character encoding issues for web passwords. In: Web 2.0 Security & Privacy 2012 (W2SP) (2012)
Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
Hillerup, J.C.: Cryptanalysis and its Applications to Password Hashing. MA thesis. KTH Information and Communication Technology (2013)
Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (2005)
Teat, C., Peltsverger, S.: The security of cryptographic hashes. In: Proceedings of the 49th Annual Southeast Regional Conference, March 2011
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Jaeger, D., Graupner, H., Sapegin, A., Cheng, F., Meinel, C. (2015). Gathering and Analyzing Identity Leaks for Security Awareness. In: Mjølsnes, S. (eds) Technology and Practice of Passwords. PASSWORDS 2014. Lecture Notes in Computer Science(), vol 9393. Springer, Cham. https://doi.org/10.1007/978-3-319-24192-0_7
Download citation
DOI: https://doi.org/10.1007/978-3-319-24192-0_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24191-3
Online ISBN: 978-3-319-24192-0
eBook Packages: Computer ScienceComputer Science (R0)