CFN Original: Q&A with cyber security genius Troy Hunt


It’s another CFN original to ease you into your weekend. We sat down with Troy Hunt, the creator of Have I Been Pwned?, a website dedicated to letting you know whether or not your email and social media accounts have been breached. It’s a great website that provides a free source to help combat the seemingly endless number of data hacks that have been popping up in the news lately.

We had the opportunity to discuss everything with Troy Hunt, from the 2013 Adobe hack to why password managers are the most underrated security tool that not enough people are using. But we also got to talking about the nature of undisclosed breaches, whether it’s actually possible to stay safe online in 2017 and the most important question: did he see any of this coming?


Q: You write about how the Adobe breach in 2013 was what prompted you to create Have I Been Pwned? But what specifically about that breach kicked off this idea?

The timing worked for me because I was doing analysis of other data breaches when it happened, looking at patterns of password reuse and the like. The thing that really struck me was the prevalence of people who were impacted across multiple platforms in regard to other data breaches. And I had this thought: “I wonder if they know. I wonder if they know that they’ve been impacted multiple times.” So that really gave me the motivation to start HIBP.

I ran some numbers recently for a company involved with this sort of thing and I found that the average customer they had info on appeared 1.7 times in a data breach. That was the average. I just ran through some data about an hour ago and there was a 75 per cent hit rate for accounts that were already in the system in terms of a data breach.

Q: So then how long did it take you to get the website in the shape that you wanted it to be in?

To be honest, not that long. I mean it’s a pretty basic setup, I’ve added a lot of bits and pieces afterwards but not long to get it going. I think I was on a flight to Manila when I started and then finished it up in my hotel room.

Q: One of the most interesting parts of the site is the FAQs that you include. Specifically, one question regarding the number of data breaches that go unreported and undetected. Off the top of your head, how many do you think have happened that we aren’t aware of?

Just untold numbers. For example, the data that I uploaded about an hour ago was for a company called Victory Phones, and to be honest I can’t even remember who sent me the data, but it was 213 gigabytes of information. Certainly the company knew about the breach because it’s open data, but no one involved in the actual breach is aware because they haven’t disclosed that there’s been a breach at all. So this kind of stuff happens all the time.

Q: So then, with all of these breaches and hacks happening of late, do you think it’s possible to remain safe online? Or are we all just exposed no matter what?

See, I think there are two camps that always come with this question and both are strange. As with a lot of things in life, we feel the need to examine things in absolutes. So either you’re absolutely safe or you’re absolutely at risk all the time. But the truth is, cyber security and staying safe online is coloured in various shades of grey. It’s not a matter of asking “are you safe?” but of minimizing the amount of risk you face of being part of a breach or scams online.

The second part of the answer, then, is minimizing the impact of the problem when you do face a security crisis online. Because it’s my belief that if you take the proper steps to protect yourself, yes, you still might be at a slight risk of a breach, but you can squash it much more easily with certain safeguards in place. So I don’t really believe in this one-or-the-other type of scenario.

Q: So then in terms of staying safe, what is it we don’t know about that you wish people understood? In terms of risks we aren’t aware of or things that we could be doing to protect ourselves online?

I think more than anything it’s an understanding of password managers. Because this just solves so many of our problems. And either people don’t know about them at all or people don’t understand how to properly use them and have these misconceptions about them.

It’s kind of like, the impact if it gets breached is really high, but the likelihood of a password manager getting hacked, one that’s used in the way the designer intended it to be used, is really quite low.

Q: What do you say then to people who bring up the LastPass hack that happened a little while ago?

So I wrote a blog post called Password Managers Don’t Have to be Perfect. This was after one of the LastPass hacks, and the point I was making was that it’s taken really super sophisticated people to find these vulnerabilities, which is a good thing. But then when they do find them the headlines look terrible, for all the wrong reasons, and don’t actually explain what’s going on.

The reality is we just haven’t seen a major vulnerability that exposes people’s personal keychains. The premise of the post is that we don’t have to get this absolutely perfect; it just needs to be better than the alternative. And what’s the alternative? Have 9 passwords written down? Or, God forbid, one password for everything. So I think when used correctly password managers are a wonderful thing that we all need to be using.

Q: Did you ever think, 15 years ago, that it would ever get this complicated in terms of our personal security? What did you think was going to be the biggest issue we would have to deal with once we introduced technology into our lives in such a seamless way?

It’s just fundamentally changed the way we think about things. There have been a lot of little steps along the way that have caused us to think about these changes, but yeah, if you go back 10 years, we didn’t have millions of apps all collecting data from all over the place. Over that same period we’ve seen cloud technology take over and cause people to unnecessarily lose their minds.

In real terms, we have more access to more computing power and storage than we ever have before, and anyone can do it. It is easier than ever to screw this stuff up, so I didn’t really see that coming. We see all of these things coming along, which in a way has done a lot of awesome things for society, but they also give us new ways to screw it up.

You can check out Troy Hunt at his blog, where he writes frequently about cyber security and staying safe online.