Interesting to see @haveibeenpwned / @troyhunt having decided to start offering "Threat Intelligence".
While I understand the thinking, the quote from the article
> But even when you get the full dump of the data from the shadiest providers*, it's just been a waste of time.
Sure, there is some value in informing people about problems. But it's important to provide actionable information.
A better approach might be to provide this information to the breached sites to allow them to 1. validate the information. 2. inform the users. 3. force changes.
That approach has its own problems**, but seems like it more effectively attacks the core of the problem instead of the symptom.
And if that is not possible, then maybe something proactive like identity-protection services which you pay to take actions on your behalf of any data.
Maybe this isn't something Troy wants to do, which is fine. But I felt like I needed to write down my thoughts on why I don't think it's the right approach.
Footnotes:
=> More toots from gnyman@infosec.exchange
@gnyman @haveibeenpwned the problem is that there are no “breached sites” in stealer logs, only breached individuals
=> More toots from troyhunt@infosec.exchange
@troyhunt yeah, but the site usually has some kind of incentive to ensure their users aren't hacked? Hacked accounts are rarely used for something good, instead they are used for spam or other malicious activity which the site probably does not want.
So if you send them a list of usernames and passwords for that site, they can check if it's valid. If it is, they can prevent the user (and criminal) from logging in with that compromised password. They can then inform the user and force them to set a new password.
One problem with this is of course that if the individual is still compromised, there is little benefit and the site might not be interested or able to help them clean up the malware.
Then again, a similar approach is sometimes used by ISPs who will disconnect the customer and check that they are clean before allowing them back online, so maybe it's not as unrealistic as I think that the websites might try to lock people out until they are "clean".
=> More toots from gnyman@infosec.exchange