Buying Breached Data: When Is It Ethical?
Payment Information From WeLeakInfo Shows Security Companies Were Customers
Security practitioners often tread a fine and not entirely well-defined legal line when conducting data breach research. This research can also pose ethical questions when commercial sources for stolen data fall into a gray area.
Illustrative of this problem is WeLeakInfo, a breached data search service that ran for several years until it was shut down by law enforcement officials in January 2020.
WeLeakInfo offered inexpensive subscriptions to browse and access raw data from some 10,000 breaches, collectively representing more than 12 billion records. Most were breaches for which data was already public, but some were exclusive to the site, raising questions as to how that data was acquired. But the service ended up in legal hot water, as did one of its predecessors, LeakedSource (see: LeakedSource Operator Busted by Canadian Police).
Law enforcement officials in Germany, the U.K., the U.S. and the Netherlands announced a takedown of WeLeakInfo in January 2020 and the arrests of two 22-year-old men, one in Northern Ireland and one in the Netherlands.
But law enforcement hasn't stopped there. In December, the U.K.'s National Crime Agency announced it had arrested 21 people who bought data from the site. The agency has also either visited or served cease-and-desist orders to 69 others whom the NCA is warning not to use data in furtherance of crime. The NCA says it's continuing to contact others.
21 people have been arrested in a nationwide cyber crime crackdown targeting customers of an online criminal marketplace that advertised stolen personal credentials.
— National Crime Agency (NCA) (@NCA_UK) December 25, 2020
Read more ➡️ https://t.co/9OTnQyXHlI pic.twitter.com/k3YxfnrrCo
While the bulk of purchases from the site appear to have been made by individuals, a recent leak of payment data from WeLeakInfo's Stripe account shows an interesting group of customers: security companies.
Why did WeLeakInfo become a source for security researchers, given that there are plenty of other threat intelligence vendors who are on solid legal ground? Some users say WeLeakInfo filled a gap in the threat intelligence market for low-cost, unfettered access to breached data. But such sites are clearly problematic on legal and ethical grounds.
Popular With Security Companies
About 141 companies offering information security services paid WeLeakInfo for breached data, according to an analysis by Trevor Giffen, who for several years has studied services offering access to breached data. Giffen is cyber threat intelligence lead with KPMG-Egyde in Toronto, but he did the research outside of his work with the firm.
Giffen says security firms' use of sites such as WeLeakInfo shows that there's demand in the threat intelligence industry for a lower-cost service that offers access to breached data but closely vets those requesting access. Otherwise, analysts may still turn to the gray market.
"Eventually, we need to have an affordable, competitive and legally assured method of providing security practitioners breached data search services for them to be able to protect organizations," Giffen says.
While security companies and consultancies likely represented a very small percentage of WeLeakInfo's revenue, some of the individual payment amounts were the highest that site received, the leaked payment data shows. The payments ranged from $2 to $1,000. The leaked payment data isn’t complete, however, because WeLeakInfo also accepted virtual currency and PayPal payments, and data on those purchases remains unreleased.
Many small- to medium-sized security consultancies were among WeLeakInfo's customers, but there are big names in the list, including IBM and Deloitte. Neither of those companies responded to my request for comment. The security firm customers are located in the U.K., Australia, the U.S., and throughout Europe and Asia.
Two Markets
WeLeakInfo primarily appealed to two markets: legitimate security researchers and pen testers trying to protect customers and a black hat crowd involved in malicious activities. U.K. authorities allege they have uncovered links between WeLeakInfo and the sale of malware and remote access tools.
Some security researchers and pen testers tell me that prior to the WeLeakInfo takedown, they believed the site was legitimate. Furthermore, they say the site performed well and collated and normalized breached data in convenient formats. Essentially, it was the path of least resistance for data that could be obtained elsewhere but with more intensive work.
William Coulter, a cybersecurity consultant with Alchemy Security Consulting in Adelaide, tells me he first heard of WeLeakInfo during a presentation by Kevin Mitnick at the Australian Cyber Conference in Melbourne two years ago.
The email address of Mitnick, one of the most well-known individuals to be prosecuted in the U.S. for computer-related intrusions, is in WeLeakInfo's Stripe data. Mitnick did not respond to a request for comment.
Coulter says he believed WeLeakInfo was in a legal gray area, but its search features allowed him to retrieve only the email addresses and password hashes belonging to his clients, from whom he had obtained permission to access the data. That avoided acquiring full data dumps, which he says he doesn't feel comfortable storing.
While the data helped his company during red team exercises to show its customers the risk of reusing passwords, using WeLeakInfo "still doesn't sit right with me," he says.
Alexei Doudkine, co-founder and offensive director of Volkis, a Sydney-based penetration testing and security consultancy, says the data in WeLeakInfo was a good starting point for penetration tests, red teaming and open-source intelligence exercises.
Doudkine says he didn't use the site much, but in retrospect he wouldn't have used it at all if he'd realized it was leaning more toward the criminal spectrum. But the data dumps he looked at on the site were already public anyway, and the site offered a shorter path to continue to do what he actually specializes in.
"I could - with days or weeks of research - gain access to these hacker forums but, again, that's not where I want to focus my time," Doudkine says. "It's not my specialty. My specialty is breaking into Windows networks."
WeLeakInfo was waving big red flags, which were noticed by many. The site advertised in places such as Hack Forums. It also allowed users to access any individual record from breaches, but it apparently did not vet its customers to help guard against misuse of the data.
WeLeakInfo was also involved in password "cracking." Data breaches often leak cryptographic representations of passwords called hashes because services typically don't store plain-text passwords. With enough computing power, it may be possible to figure out the plain-text passwords that those hashes correspond to by using brute-force guesswork.
In early 2019, WeLeakInfo published a blog post saying it was trying to crack hashes from the AdultFriendFinder.com breach and would eventually put plain-text passwords into its database. That makes the data even more useful to those who could misuse it.
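The two paragraphs above describe why leaked hashes are dangerous: with enough guessing, hashes turn back into passwords. The following added example (not code from the article or from any service it mentions; all users, passwords and the wordlist are constructed) shows, from a defender's side, what a dump of unsalted fast hashes gives away compared with per-user salted, slow key derivation: password reuse is visible directly in the unsalted hashes, and a single precomputed table serves every record, whereas salting forces separate work per record and a slow KDF makes each unit of that work expensive. Weak passwords are still weak in both cases; the storage design changes the cost, not the outcome for a password that is in the wordlist.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from any real breach.
CONSTRUCTED_WORDLIST = ["password", "letmein", "qwerty", "Summer2019!"]
CONSTRUCTED_USERS = [
    ("a@example.test", "password"),
    ("b@example.test", "letmein"),
    ("c@example.test", "password"),          # same password as a@: reuse
    ("d@example.test", "xK9#v!long-unique-passphrase"),
]


def unsalted_sha1(password: str) -> str:
    """How many older sites stored passwords: one fast, unsalted hash per user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_dump(users):
    """Simulated leak of an unsalted table: (email, sha1_hex)."""
    return [(email, unsalted_sha1(pw)) for email, pw in users]


def build_salted_dump(users, iterations=50_000):
    """Simulated leak of a salted PBKDF2 table: (email, salt, derived_key)."""
    dump = []
    for email, pw in users:
        salt = os.urandom(16)  # unique per user
        key = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
        dump.append((email, salt, key))
    return dump, iterations


def visible_reuse(hashes) -> int:
    """Number of records whose stored value duplicates another record's value.
    For unsalted hashes, identical passwords produce identical hashes, so reuse
    is readable from the dump without guessing anything."""
    return len(hashes) - len(set(hashes))


def exposure_unsalted(dump, wordlist):
    """One hash per wordlist entry is computed once and reused for every record.
    Returns (recovered email->password map, number of hash computations)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    recovered = {email: table[h] for email, h in dump if h in table}
    return recovered, len(wordlist)


def exposure_salted(dump, wordlist, iterations):
    """No shared table is possible: every record needs its own pass over the
    wordlist, and each trial costs `iterations` rounds of PBKDF2.
    Returns (recovered email->password map, number of KDF computations)."""
    recovered, work = {}, 0
    for email, salt, stored in dump:
        for w in wordlist:
            work += 1
            trial = hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt, iterations)
            if hmac.compare_digest(trial, stored):
                recovered[email] = w
                break
    return recovered, work


if __name__ == "__main__":
    unsalted = build_unsalted_dump(CONSTRUCTED_USERS)
    salted, iters = build_salted_dump(CONSTRUCTED_USERS)
    print("reuse visible in unsalted dump:", visible_reuse([h for _, h in unsalted]))
    print("reuse visible in salted dump:  ", visible_reuse([k for _, _, k in salted]))
    print("unsalted:", exposure_unsalted(unsalted, CONSTRUCTED_WORDLIST))
    print("salted:  ", exposure_salted(salted, CONSTRUCTED_WORDLIST, iters))
```

With four records and four words, the unsalted dump costs four hash computations in total and exposes the reuse between a@ and c@ before any guessing; the salted dump costs eight PBKDF2 derivations, each 50,000 rounds, and shows no reuse. Scaling the record count up is what turns that difference into a practical barrier, which is why a site that announces it is cracking a dump and publishing plaintext, as described above, removes the last protection those hashes offered.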
Legality of Buying Leaked Data
In February 2020, just a month after WeLeakInfo's operations were shut down, the U.S. Justice Department released a 15-page paper intended to help security researchers stay on the right side of the law while conducting threat intelligence research, and it addressed the legality of buying leaked or stolen data.
Generally, U.S. prosecutors are unlikely to take up a case unless purchased data is subsequently used to commit a crime, the DOJ said. That would appear to leave security researchers in the clear. But knowingly buying the data of another party without permission of the party poses legal risk, the DOJ noted.
"It is much more likely to raise questions about the purchaser’s motives and result in scrutiny from law enforcement and the legitimate data owner, particularly if a trade secret is involved," the DOJ wrote.
Zubair Khan, CEO of the security consultancy Tranchulas, says he believed that WeLeakInfo wasn’t legitimate, but his legal counsel said purchasing data was probably OK. Also, Tranchulas obtained the consent of its clients before purchasing their data from WeLeakInfo.
Ultimately, using data from WeLeakInfo was in the best interests of Tranchulas' customers, Khan says. "How can we be confident about the security of our customers if we don’t know what is in these massive randomly named database breaches which are being bought by black hats?" he asks.
Broader Ethical Consideration
Still, there's a broader ethical consideration: Why make payments to a highly questionable website that arguably contributes to the breach economy under the premise of protecting people? Some researchers steer away from such markets entirely.
Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned breach notification service and Pwned Passwords, doesn’t pay to obtain breached data.
Both of his services have a high degree of confidentiality and privacy built into them, allowing for notifications of breached email addresses and passwords. Also, the services decouple email addresses from compromised passwords, and users can't go fishing for data that is not theirs.
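The paragraph above says the services decouple credentials from identities and stop users from fishing for other people's data. One published way to get that property for a password-check service is a k-anonymity range query: the client hashes the password locally, sends only the first five hex characters of the SHA-1, receives every stored suffix in that bucket with a count, and does the match on its own machine, so the server never learns the password or its full hash. The example below is an added illustration of that design and is not code from Have I Been Pwned or Pwned Passwords; the corpus, counts and the padding entry sharing a bucket with "password" are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed corpus of (compromised password, times seen). Not real breach data.
CONSTRUCTED_CORPUS = [("password", 3), ("123456", 5), ("letmein", 2)]

PREFIX_RE = re.compile(r"^[0-9A-F]{5}$")


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as 40 uppercase hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus):
    """Server-side index keyed by the 5-char prefix; each bucket holds only
    35-char suffixes and counts. No plaintext or email is stored next to them."""
    index = defaultdict(dict)
    for pw, count in corpus:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


SERVER_INDEX = build_index(CONSTRUCTED_CORPUS)
# Constructed padding entry (hypothetical suffix, not a real hash) in the same
# bucket as sha1("password"), whose prefix is 5BAA6, so the bucket has 2 rows.
SERVER_INDEX["5BAA6"]["A" * 35] = 1


def server_range(prefix: str) -> list:
    """Server endpoint. Accepts exactly 5 uppercase hex chars and returns the
    bucket as 'SUFFIX:COUNT' lines. A full hash or an email is rejected, so a
    caller cannot ask 'is this exact credential in your data' and cannot
    enumerate anything finer than a prefix bucket."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("range query must be exactly 5 uppercase hex characters")
    bucket = SERVER_INDEX.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def client_check(password: str, range_query=server_range) -> int:
    """Client side. Hashes locally, sends only the prefix, matches the suffix
    locally. Returns how often the password appears in the corpus (0 = not seen)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_query(prefix):
        got_suffix, count = line.split(":")
        if got_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print("bucket 5BAA6 as the client sees it:", server_range("5BAA6"))
    print("'password' seen:", client_check("password"))
    print("unique passphrase seen:", client_check("constructed-unique-passphrase-42"))
```

The server can tell that some client asked about bucket 5BAA6, but every stored hash in that bucket is an equally likely reason for the query, and the response carries no identities at all, which is the decoupling the paragraph describes. A user who wants to go fishing gets the same bucket listing as everyone else and nothing that links a suffix to a person.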
Hunt says it's highly problematic for security companies to use services like WeLeakInfo.
"I can't for the life of me understand how security companies paying for that data on a legal basis is any different than the hacker buying the data," he says. "People justifying this practice are relying entirely on intent being the differentiating factor, but that doesn't do anything to de-incentivize the market for stolen data."
Lawyers have advised Alex Holden, CISO of Wisconsin-based Hold Security, that it is illegal to buy breached data. Holden says his company, which alerts companies to possible data breaches, has amassed a cache of 14.5 billion unique credentials without paying a cent.
Despite the guidance that it may be OK under some circumstances to buy data, Holden says the DOJ broadly advises not to empower cybercriminals - and he contends giving them money does just that. Also, European data protection laws appear to prohibit purchasing breach data, he says.
"If we start breaking these rules and buying everything we see, we are going to be creating a really powerful dark web economy," Holden says. "The bad guys are going to keep coming back with higher and higher prices."
Also, Holden says that "as long as people pay, these [leak] sites will keep popping up."
Giffen says it’s a call to action for the threat intelligence industry to fill the void. "The threat intelligence industry should be thinking about how to help well-vetted security practitioners stop having to rely on gray markets in order to protect organizations."