Hacked text overlaid on top of a world map

A team of three researchers from the University of California, San Diego (UCSD) has created a tool that can detect when user-registration-based websites suffer a data breach.

The tool, named Tripwire, works on a simple concept. Researchers say that Tripwire registers one or more accounts on websites by using a unique email address that they do not use for anything else.

Each email account and the website profile used the same password. Tripwire would check at regular intervals if someone used this password to access the email account, which would indicate the website suffered a breach and an attacker used the stolen account data to log into the associated email account.

Tripwire finds 19 data breaches during test run

In a live test, researchers said they registered accounts at over 2,300 sites. At the end of the study's period, scientists said that attackers accessed email accounts for 19 of these sites, including one with a userbase of over 45 million.

UCSD researchers reached out to each website, but to their astonishment, none notified users of the breach.

"I was heartened that the big sites we interacted with took us seriously," said Alex C. Snoeren, professor of computer science at the Jacobs School of Engineering at the University of California San Diego, and one of Tripwire's four authors together with Joe DeBlasio, Stefan Savage, and Geoffrey M. Voelker.

"I was somewhat surprised no one acted on our results," Snoeren added, saying his team won't disclose the websites' names. "The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose."

Tripwire can expose sites storing passwords in cleartext

But the research didn't end here. The simple concept behind Tripwire also exposes when websites store passwords in plaintext, researchers said.

For example, researchers say someone could use Tripwire to record multiple honeytrap accounts on the same websites, some with a simple password, and others with very complex and lengthy passphrases.

If an attacker accesses both, this means the website stores password information in plaintext, or another easy-to-break password hashing system like MD5.

If only accounts with the simple passwords are accessed, this means the website stores passwords in a secure manner, and an attacker might have used a basic brute-force dictionary attack to guess some user passwords.

Tripwire open-sourced on GitHub

In addition, researchers said they also carried out extra tests to determine if the breach took place at the actual website or the email provider that hosted the email address.

They said they created more than 100,000 email accounts to serve as control accounts. If an attacker accessed only the email addresses associated with online profiles, but not any of the other 100,000 test accounts, then this meant the breach took place at the third-party website, and not the email provider.

UCSC researchers published the source code for the Tripwire tool on GitHub, and they hope that companies would deploy it internally as an additional breach detection system.

The research team also presented their work on Tripwire at the ACM Internet Measurement Conference in London, this November. Their work on Tripwire is documented in a research paper titled "Tripwire: Inferring Internet Site Compromise."

Related Articles:

Timehop Security Breach Affects the Company’s Entire 21 Million Userbase

Macy’s Locks Small Number of Accounts Following Suspicious Logins, Fraud Reports

Ticketmaster Announces Data Breach Affecting 5% of All Users

Hundreds of Hotels Affected by Data Breach at Hotel Booking Software Provider

Malware Infection at HR Company Triggers Flurry of Data Breach Notifications