[sf-lug] HaveIBeenPwned.com (was: Safer Browsing)

Rick Moen rick at linuxmafia.com
Mon Mar 11 19:28:23 PDT 2019


Quoting Akkana Peck (akkana at shallowsky.com):

> Thanks for that. I always wonder about these big data breaches that
> "may include" a long list of personal information and it's not clear
> why the breached company would have that data in the first place.

There's actually one other useful thing HaveIBeenPwned.com can show
you:  'pastes' found on Pastebin.com that have been searched and found
to include your e-mail address.  I meant to mention that yesterday, and
so will cover it (much further down) below.

> I don't knowingly have a "gravatar", but I do have a GitHub account.
> I went to "Your profile" and clicked Edit, but I don't see anything
> about a gravatar (the comment in that article mentions a "Gravatar
> email" field which I don't see). And the article itself says:
> 
>   | By viewing the page source, I could see that in the process, 
>   | Github automatically created a Gravatar ID that included the
>   | following identifier: https://secure.gravatar.com/avatar/...
> 
> He doesn't mention *what* page's source he was viewing, but if I
> view page source for my profile page on GitHub and search for
> gravatar, I don't find any matches.
> 
> The article is dated 2013, so this may be long obsolete. Best I can
> find from a web search is that GitHub stopped using gravatars around
> 2014.

Well, thanks for that.  I really did not know, and lack any
GitHub presence, so have no direct experience.

A 'gravatar' is a small icon (you supply) with your face or other personal
signifier, which, if you upload one to the commercial site in question,
can then appear automagically next to your postings on a large number of
social media sites such as WordPress instances.  For example, about 2/3
of the reader comments currently on
http://file770.com/pixel-scroll-3-10-19-dont-go-chasing-waterscrolls-please-stick-to-the-pixels-and-the-clicks-you-know/
(a representative posting to Mike Glyer's file770.com news & commentary
site) have gravatars next to the postings as an individual point of
style for the individual poster.  I'm a commenter on that site, but my
postings all show the grey head-pic outline you see for the other 1/3 of
the comments, meaning I lack a gravatar.


> Of course your larger point still holds: the more accounts you make
> on various websites, the more likely it is that they're sharing your
> information with various other companies behind your back, and
> the more likely it is that some of your shared info will leak.

Moreover, gravatars are a particularly egregious example, in that you
are _explicitly signing up_ to let the firm hosting all gravatars know
whenever you post to a gravatar-supporting site anywhere on the
Internet.

I'm always glad to upload to a Web forum where I'm a regular some
whimsical picture file representing me, that they then host and
auto-supply with my logged-in postings, but the entire setup of
gravatars instead requires centralised data and automated
traffic-following across potentially many sites.

> This is something you quoted from the advisory, not something you're
> personally pushing as gospel; later on you make it clear that you
> don't think it necessarily solves the problem. I want to elaborate on
> that.

Good idea, thanks!

> 2FA sounds like a great idea in principle. But in most cases, I'm not
> convinced it adds any real security. Most companies (even banks) that
> use 2FA seem to use it as an optional step: if you lose your phone or
> your hardware dongle, no problem, we'll give you another way to log in
> even without bothering to do much verification. And in the case of
> phone-based 2FA, seems like I keep seeing stories of people who get
> their phone number hijacked by people who then use it for 2FA to break
> into an account.

Yes!  If I hadn't been too tired, I would have found a couple of
stunning stories about that from Krebs on Security.  Here's one:
https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/comment-page-1/

> Apparently this is pretty easy to do. I'd trust a dedicated hardware
> dongle a lot more than phone-based 2FA, but not many places offer one
> and almost none let you set things up so it's required.

FWIW, I'm in total agreement with your assessment.  Again, thanks for
bringing that up.


Back to the 'pastes'.  Occasionally some carefully anonymous person will
load onto http://pastebin.com/ a text file of CSV (comma-separated
value) or similar data, one record per line, that includes e-mail
addresses and other fields that might be security-sensitive or might
not.  Usually after some period of time (a week, a month...), the
'paste' will get removed (taken down) by someone.

HaveIBeenPwned.com advises people when their e-mail addresses have been
observed in such 'pastes'.  Currently, it shows links to two such 'pastes'
containing my e-mail address.  One of them, if you visit the
http://pastebin.com/ page, now shows as 'hast been removed' or words to
that effect.  The other is https://pastebin.com/wjdk8feS.

This is a 93kB 'paste' in CSV format, where the first line is header
information and each subsequent line is a row of data.  Header line is:

"Message","Date","From","Subj","Rank","Type","Priority"

The subsequent lines with my e-mail address are as follows:

"../../03-Classification/code/data/easy_ham/00274.ecbd86ce57edcb6a419a92479216e43c",2002-10-08 15:43:12,"rick at linuxmafia.com","Re: [ILUG] Interesting article on free software licences",5.86866404165859,"TESTING",0
"../../03-Classification/code/data/easy_ham/00272.c319ce83bd9b379fda60a7991da1b9d5",2002-10-08 12:06:33,"rick at linuxmafia.com","Re: [ILUG] Modem question",5.49629930080965,"TESTING",0
"../../03-Classification/code/data/easy_ham/00150.a4c5a8aaccd6b54f1000e9fa02f53114",2002-10-08 03:09:59,"rick at linuxmafia.com","Re: [ILUG] packaging risks and the reputation of linux distributions",5.69591770709854,"TESTING",0


My best guess about the nature of this 'paste' is based on the term
'easy_ham' in the first-column filename-spec:  Someone had been training
a Bayesian antispam classifier to better distinguish between spam and
'ham' (non-spam), and among the 'ham' examples were three postings I
made in October 2002 to the (publicly archived) Irish Linux User Group
mailing list.  Oh-kayyy then.  Not exactly sinister.

My recollection is that every single one of the past 'pastes' I've been
pointed to were no more sinister.  ISTR that most of them also included
my name, and I believe one of them purported to include a password for 
something, but it wasn't a password I'd ever used, and (I'm pretty sure)
was for a site where I'd never had a login.
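As an added illustration (not code from either post), the following Python parses a 'paste' with the same header layout shown above and reports which rows and columns mention a given address, plus any other addresses that appear in those same rows, since that is the first thing to check when HaveIBeenPwned points you at a paste. The sample paste, addresses, scores and path fragments below are constructed, not the real paste; the only thing taken from the post is the header line. It also accepts the "user at example.org" form that mailing-list archives use to obfuscate addresses, so you can paste an address straight from an archive page.

```python
import csv
import io
import re

# Constructed sample paste in the layout described in the post:
# a quoted CSV header line, then one record per line.  All values are made up.
SAMPLE_PASTE = '''"Message","Date","From","Subj","Rank","Type","Priority"
"../../03-Classification/code/data/easy_ham/00001.deadbeef",2002-10-08 15:43:12,"someone@example.org","Re: [LIST] Interesting article",5.86,"TESTING",0
"../../03-Classification/code/data/spam/00002.cafebabe",2002-10-09 01:02:03,"other@example.net","Make money fast",9.12,"TESTING",1
"../../03-Classification/code/data/easy_ham/00003.feedface",2002-10-10 12:00:00,"Someone@Example.org","Re: forward from other@example.net",5.49,"TESTING",0
'''

# Loose e-mail pattern: local part, '@', at least one dotted domain label.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalise_address(text):
    """Map archive-style obfuscation ('rick at example.org') back to
    'rick@example.org' and lower-case it so comparisons ignore case."""
    return re.sub(r"\s+at\s+", "@", text.strip()).lower()


def parse_paste(text):
    """Parse a header-plus-records CSV paste into dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def rows_mentioning(text, address):
    """Return (row_number, column_name, row) for every field containing the address.

    Row numbers start at 1 for the first data row (the header is row 0)."""
    wanted = normalise_address(address)
    hits = []
    for number, row in enumerate(parse_paste(text), start=1):
        for column, value in row.items():
            if value is None:          # short row: DictReader fills missing cells with None
                continue
            if wanted in normalise_address(value):
                hits.append((number, column, row))
    return hits


def summarise(text, address):
    """Condense the hits into what a person checking their own exposure wants:
    how many rows, which columns, and what other addresses sit in those rows."""
    wanted = normalise_address(address)
    hits = rows_mentioning(text, address)
    header = parse_paste(text)[0].keys() if parse_paste(text) else []
    others = set()
    for _, _, row in hits:
        for value in row.values():
            if value is None:
                continue
            for found in ADDR_RE.findall(normalise_address(value)):
                if found != wanted:
                    others.add(found)
    return {
        "header": list(header),
        "matches": len(hits),
        "columns": sorted({column for _, column, _ in hits}),
        "other_addresses": sorted(others),
    }


if __name__ == "__main__":
    for number, column, row in rows_mentioning(SAMPLE_PASTE, "someone at example.org"):
        print(f"row {number}, column {column}: {row['Subj']}")
    print(summarise(SAMPLE_PASTE, "someone at example.org"))
```

Running it against the constructed sample reports two rows (the second match only because the comparison is case-insensitive), both in the From column, and one other address that appears in a matching row's subject line.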
