
Mornings With Mark
no. // 0 0 0 4

773M Credentials

Full machine generated transcript follows

Morning, everybody. How you doing today? In this episode of the show, I want to talk to you about the latest blog post from premier security researcher Troy Hunt for the time. He is the creator and maintainer of the website Have I Been Pwned, which is a credentials aggregator to put almost service to the community that Troy runs. So see what he does.

He collects data breaches. He sanitizes them, organizes them, and puts them into this massive database that's accessible from his website, haveibeenpwned.com, and that allows you to go in and check to see if your credentials have been breached as part of various hacks. So the latest post that Troy has up is about 773 million users' credentials.

Now, this is also a sheet 8 773 million user credentials. There is some duplication in that data set. It has popped up on Techmeme. It's getting a bit of traction, and Troy has a normal blog post up about it. I'll link to that in the description below so that you can read about that and his details on processing the data set and how it came about.

But the thing here is that this is an aggregate data set, as opposed to other data sets in the past where it's like: there is a breach from company A and here is the resulting data. This is a collection of multiple data breaches over an unknown period of time. Now, some people are guavas a ton of user credentials.

This must have been a massive breach. That's incorrect. This is a collection, like I said, of other data breaches. I mean, it's not uncommon to see these sorts of packages of data. Another Wired article referred to it as the Voltron of data breaches, where separate things combine to build one massive thing.

I mean, that's not a bad way to look at it. I would look at it more as a giant fishing net, where, you know, that's apropos, a little foreshadowing. But what happens is, in the digital underground, cybercriminals will try to collect as many sets of credentials as possible because of the low cost of attacking.

That's really what I want to talk about today: when I talk to security professionals, when I talk to you, the average user, when I talk to the media about cybersecurity, in both security breaches and the economics of cybercrime, one of the absolutely critical points is to understand that it is such a low cost to commit cybercrime. Especially once an attack or a scheme has been designed once, to execute it multiple times essentially costs almost nothing additional for the attacker. It's fun to pretend. Pretend, remember I said pretend, pretend we're bank robbers: we rob a bank and get away with some cash. We're quite proud of ourselves.

But if we try to do it again, if we knock off a second bank, the risk is increasing significantly. The reason being, when we hit the first bank we left evidence. There were witnesses, there is video camera evidence that the police have investigated. They've gathered up all of this information about how we conducted this crime, and if we go to commit another crime, the likelihood of us getting caught significantly increases. The effort for us is the same as the first: we need to case the joint again, we need to plan it all out.

We need to put a huge amount of effort into this second crime, just as much effort as into the first crime. However, our risk is increased. Our return is actually disproportionate to the first one, right? So the risk is now higher for the same return, or potentially the same return. Cybercrime doesn't work that way. If we're now going to commit a cybercrime, we figure out, design an attack or scheme to exfiltrate data, we figure out what we want to do, and we point our tools at one target. Well, if we point our tools at a second target, we're not increasing any risk, because of the lack of data sharing, because of the fact that we can hit targets in different countries. There's a whole bunch of things that combine together to say that, you know, increasing risk by going to the second one, but for us the effort is actually less because we simply just repoint the tools.

We don't need to re-case the joint. We don't need to do a lot of the same work. We've done it once; we can take advantage of scale. Eventually this will catch up with us, as the cybersecurity community will help build defenses and help people be aware of the crime, but the economics are fundamentally different, and that's why we see breaches or data collections from breaches.

Like the one that Troy has put into Have I Been Pwned and is sharing with the community now. It's because I can take that as a cybercriminal, in big quotes. I'm not a cybercriminal, obviously. I have a timer, I can take all those 773 million credentials and put them into my tools to try to use them in breaches in the future, because it doesn't cost me anything extra and it could increase my return.

That's why we see these sorts of data aggregates. This one is abnormally large, for sure, but that's why you'll see this coming together. It's not the first, it's not the last, but I just wanted to share that out with you guys. A little close-out for this episode: I want to give another shout-out to Troy. Like, the work he's doing with Have I Been Pwned is absolutely phenomenal.

Troy is also a well-renowned public speaker. He speaks around the world. He is based in Australia, but he does go through Europe a lot and they give Lovenox. He is also an active author on Pluralsight, so go check out his courses there, because I know that helps out Troy, or make a direct donation to Have I Been Pwned. The work he's doing truly does lift up the rest of us, and his tools and Have I Been Pwned have been integrated into a whole bunch of password managers, which is phenomenal, and which is what you should be using.

We've covered that ad nauseam in some of the older episodes where we talked about password safety, down below. But again, a shout-out to Troy; he's doing phenomenal work, and I as a security professional appreciate his work. I think you, whether you know him or not, indirectly appreciate it, by all means.

Please give him a shout-out. We need people like him to help us raise the bar, and his latest explanation of this mega breach, or this mega data collection, is just another example of the work that he's doing. So, to Troy: thanks a lot. We really appreciate it.

What do you guys think? Let me know, as always. Hit me up online at @marknca, and those even the blocks in the comments down below, and for podcast listeners and everybody else, as always by email, me@markn.ca. Hope you are set up for a fantastic day, and I'll see you on the next show.
