A former founding member of the internationally notorious hacktivist groups Anonymous and LulzSec has found over 43,000 individual data leaks belonging to .lk domains in just 32 of a total of 2,500 breaches.
The leaks, covering a span of about six years, are spread out across political, financial, military and business interests, the researcher claims.
Speaking to Daily FT on the sidelines of the 5th annual Cyber Security Summit, hacktivist turned ethical hacker Darren Martyn, now serving as a Security Researcher at the UK-based Xiphos Research Lab, said that his team has yet to form a full picture of what could be out there.
“So far we’ve collected evidence of 2,500 data breaches. That’s unique ones. That’s 2,500 different organisations whose data have leaked publicly to the internet. We only analysed 32 of those breaches. We haven’t had the time to go through the others yet. We need to validate and verify,” he told Daily FT.
Martyn and his colleague Jake Davis, both of whom were in Colombo for the annual cyber security summit organised by this newspaper in collaboration with CIRCA Campus, had found passwords, emails and other personal information among the more than 43,000 leaks belonging to what Martyn called “important people.”
“The people affected probably have no idea their data has been made public by third parties,” he said.
According to Martyn, the leaked data had initially been made available for sale, but had eventually become available free of charge, leading him to believe that the hacks had been carried out with the intention of profiting.
Among the compromised organisations Martyn had found were at least one big-name commercial bank and an internet service provider (ISP).
However, he was quick to point out that some of the risks were not the victims’ fault.
“Those organisations had done nothing wrong. Maybe they just had a network appliance that was connected that had a vulnerability. We found that they had so many security issues but we can guarantee that every company has security issues,” he said.
The vulnerabilities found, according to Martyn, were to do with how the victims had implemented Secure Sockets Layer (SSL) encryption, as well as Heartbleed, FREAK and a few other well-known but easy-to-fix vulnerabilities. (Heartbleed is an information leakage vulnerability that allows an attacker to read memory from a server and so leak information such as usernames, passwords and encryption keys.)
“All you have to do is upgrade the version of SSL and problem solved,” he told Daily FT.
Asked if the organisations ought not to be more concerned, Martyn said it’s a lot to do with manpower, time and budget.
“They’re probably fixing more severe things, and that kind of got kicked down the pile a bit. I’d say that they’d probably fix it now,” he said.
He did, however, recommend more rigorous patch management and ensuring that everything was kept up to date. Martyn also suggested haveibeenpwned.com as a tool to check what information, if any, has been compromised. Basic security measures such as using a password manager are also recommended, he said.
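The haveibeenpwned.com check Martyn mentions can be automated on the defender's side without ever sending a user's password to a third party. The Pwned Passwords service exposes a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned list of hash suffixes locally. The following Python is an added example written for this article, not code from Martyn, Xiphos Research Lab or Daily FT; the breach corpus it queries is constructed in the block so that it runs offline, and the real endpoint URL (https://api.pwnedpasswords.com/range/) is included only as an optional substitute.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased as the Pwned Passwords service uses it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach dump (password -> number of times seen).
# These entries are invented for this offline example, not taken from any breach.
CONSTRUCTED_LEAKED: Dict[str, int] = {
    "password123": 1200,
    "letmein": 350,
    "Colombo2016!": 2,
}


def build_range_index(leaked: Dict[str, int]) -> Dict[str, str]:
    """Group leaked hashes by their first five hex characters and render each group
    in the 'SUFFIX:COUNT' line format that the real range endpoint returns."""
    groups: Dict[str, List[str]] = {}
    for password, count in leaked.items():
        digest = sha1_upper(password)
        groups.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in groups.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKED)


def local_range_lookup(prefix: str) -> str:
    """Offline replacement for the network call; returns the constructed range body."""
    return RANGE_INDEX.get(prefix, "")


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup: GET https://api.pwnedpasswords.com/range/<prefix>.
    Not called in this offline example; pass it as `lookup` to query real data."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix, headers={"User-Agent": "credential-audit-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are ignored."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            matches[suffix.upper()] = int(count)
    return matches


def pwned_count(password: str, lookup: Callable[[str], str] = local_range_lookup) -> int:
    """Return how many times the password appears in the breach data.
    Only the 5-character hash prefix leaves the client; the remaining 35 hex
    characters are compared locally, so the service never learns the password."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(lookup(prefix)).get(suffix, 0)


def audit_credentials(
    creds: Iterable[Tuple[str, str]], lookup: Callable[[str], str] = local_range_lookup
) -> List[Tuple[str, int]]:
    """Return (username, count) for every account whose password is known-leaked,
    so those accounts can be forced through a reset."""
    flagged: List[Tuple[str, int]] = []
    for user, password in creds:
        count = pwned_count(password, lookup)
        if count > 0:
            flagged.append((user, count))
    return flagged


if __name__ == "__main__":
    # Constructed sample accounts; in practice this runs at login or password change.
    sample = [
        ("alice@example.lk", "password123"),
        ("bob@example.lk", "correct horse battery staple"),
    ]
    for user, count in audit_credentials(sample):
        print(f"{user}: password seen {count} times in breach data; force a reset")
```

Running the audit at password-change time, and rejecting any password with a non-zero count, directly addresses the risk Martyn describes of leaked passwords that are still valid; swapping `local_range_lookup` for `hibp_range_lookup` checks against the live service while still disclosing only the hash prefix.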
“I assume everyone’s doing their best, but we always have to up the game a bit.”
Asked how damaging the leaks could potentially be, Martyn said: “If the criminals have the data already, if they were to start using that data, if those passwords were still valid quite a bit of damage could potentially be done. So it would be good to work on getting that fixed.”
“You’ll find data on anyone if you look hard enough. That’s the terrifying thing. It’s all available. You just have to find it,” he added.