A team of three researchers from the University of California, San Diego (UCSD) has created a tool that can detect when user-registration-based websites suffer a data breach.
The tool, named Tripwire, works on a simple concept. Researchers say that Tripwire registers one or more accounts on websites by using a unique email address that they do not use for anything else.
Each email account and the website profile used the same password. Tripwire would check at regular intervals if someone used this password to access the email account, which would indicate the website suffered a breach and an attacker used the stolen account data to log into the associated email account.
In a live test, researchers said they registered accounts at over 2,300 sites. At the end of the study's period, scientists said that attackers accessed email accounts for 19 of these sites, including one with a userbase of over 45 million.
UCSD researchers reached out to each website, but to their astonishment, none notified users of the breach.
"I was heartened that the big sites we interacted with took us seriously," said Alex C. Snoeren, professor of computer science at the Jacobs School of Engineering at the University of California San Diego, and one of Tripwire's four authors together with Joe DeBlasio, Stefan Savage, and Geoffrey M. Voelker.
"I was somewhat surprised no one acted on our results," Snoeren added, saying his team won't disclose the websites' names. "The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose."
But the research didn't end here. The simple concept behind Tripwire also exposes when websites store passwords in plaintext, researchers said.
For example, researchers say someone could use Tripwire to record multiple honeytrap accounts on the same websites, some with a simple password, and others with very complex and lengthy passphrases.
If an attacker accesses both, this means the website stores password information in plaintext, or another easy-to-break password hashing system like MD5.
If only accounts with the simple passwords are accessed, this means the website stores passwords in a secure manner, and an attacker might have used a basic brute-force dictionary attack to guess some user passwords.
In addition, researchers said they also carried out extra tests to determine if the breach took place at the actual website or the email provider that hosted the email address.
They said they created more than 100,000 email accounts to serve as control accounts. If an attacker accessed only the email addresses associated with online profiles, but not any of the other 100,000 test accounts, then this meant the breach took place at the third-party website, and not the email provider.
UCSC researchers published the source code for the Tripwire tool on GitHub, and they hope that companies would deploy it internally as an additional breach detection system.
The research team also presented their work on Tripwire at the ACM Internet Measurement Conference in London, this November. Their work on Tripwire is documented in a research paper titled "Tripwire: Inferring Internet Site Compromise."