How long does it take to get owned?
The goal of this project is to gain a better understanding of how cyber criminals make use of stolen credentials from data breaches. In particular, I want to see how long it takes for unauthorised access to be reported after a data breach is published, and whether this unauthorised access spreads to connected accounts through password re-use and/or a single point of trust.
In order to achieve this goal, I have set the following main objectives:
- Understand the concept and make-up of a digital identity.
- Develop a system to create fake digital identities (“honey identities”).
- Develop a framework to monitor access and usage of these honey identities.
- Generate several different honey identities, publish some of their credentials online, and monitor access and usage over a period of time.
In other words, I will be creating a number of fake identities and registering for a number of popular web services with these accounts. I will then leak the username/password for one of the services via pastebin (or similar) and see how long it takes before a) the service is accessed and b) another service within that identity is accessed. I will be trying to automate as much of the process as possible along with developing my own methods for monitoring access/usage.
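The two measurements described above (time from publication to first access of the leaked service, and time until a different service in the same identity is accessed) can be computed from the monitoring notifications as follows. This is an added example, not the project's own code; the log format, identity labels, service names and timestamps are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumption): identity -> (leaked service, publication time).
LEAKS = {
    "identity-01": ("webmail", "2024-03-01T12:00:00"),
    "identity-03": ("forum", "2024-03-02T00:00:00"),
}
# Constructed access notifications (assumption): "<timestamp> <identity> <service>".
EVENTS = """\
2024-02-28T09:15:00 identity-01 webmail
2024-03-01T18:42:10 identity-01 webmail
2024-03-02T07:05:33 identity-01 webmail
2024-03-03T21:30:00 identity-01 social
2024-03-04T02:11:45 identity-02 webmail
"""

def parse_events(text):
    """Return a time-sorted list of (timestamp, identity, service) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, identity, service = line.split()
            rows.append((datetime.fromisoformat(ts), identity, service))
    return sorted(rows)

def exposure_metrics(leaks, events):
    """Per leaked identity: delay from publication to (a) first access of the
    leaked service and (b) first access of any other service in that identity.
    A value of None means the access has not been observed."""
    result = {}
    for identity, (leaked_service, published) in leaks.items():
        t0 = datetime.fromisoformat(published)
        access = spread = None
        for ts, ident, service in events:
            if ident != identity or ts < t0:
                continue  # different identity, or pre-leak setup activity
            if service == leaked_service and access is None:
                access = ts - t0
            elif service != leaked_service and spread is None:
                spread = ts - t0
        result[identity] = {"time_to_access": access, "time_to_spread": spread}
    return result

if __name__ == "__main__":
    for ident, m in exposure_metrics(LEAKS, parse_events(EVENTS)).items():
        print(ident, m["time_to_access"], m["time_to_spread"])
```

Logins recorded before the publication time, such as the account registration itself, are excluded so they do not count as post-leak access.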
Can you help?
In order to make the honey identities desirable, I’d ideally register accounts on the most popular web services, especially those that have a known/high value on the “dark web”. Unfortunately, the number of services that I can actually use is limited by various ethical (e.g. against Ts&Cs), practical (e.g. requires billing information) or technical (e.g. no way to monitor) constraints.
For this reason, I’m looking for a bit of help. If you happen to work for a popular website and have the ability to create honeypot accounts then please contact me. I wouldn’t require anything in-depth – just a simple notification if the correct credentials are used would be amazing. I’d also be more than happy to share the results of my project with you/your company.
- What Happens After You Are Pwnd: Understanding the Use of Leaked Webmail Credentials in the Wild
- Tripwire: inferring internet site compromise
This project is part of my MSc in Information Security at Royal Holloway, University of London. For more information on the MSc project criteria, please view the ISG website.
My project supervisor is Dr Jorge Blasco Alis.