Think about your most prized possession. Imagine it in your mind’s eye. Maybe it’s a family heirloom, or something a close friend gave you, or something you worked hard to afford. Now imagine it gets stolen.
Now suppose I’m your next-door neighbor, and I want to know if I’m in danger of being robbed, too. Should I go to all the local pawn shops and back alleys, buy up all the stolen property (including your prized possession) and take it home and look at it to see who it belongs to? Should I pay the people who robbed you to find out if they are going to rob me as well?
What if I’m Facebook, and you’re one of the countless consumer web services that have been breached in recent years? This is the news that CNET broke recently — that Facebook is buying up stolen credentials off the dark web to ensure that none of them could be reused to attack them — and it raises an outstanding issue that has circulated in industry and legal circles for a while. Namely, should companies buy stolen data from third parties to combat credential reuse attacks against themselves?
Information security is the land of tortured analogies, and I’m certainly torturing the stolen property analogy. For starters, goods in the physical world are unique — my stolen candlesticks can exist only once, whereas a set of stolen credentials can be copied and resold repeatedly at no cost to the thief. But from a legal and ethical perspective, the analogy provides a good starting point to talk about the rampant, and quiet, practice of legitimate companies buying stolen data off the dark web.
But before we dive into the sticky issues with the practice, let’s first talk about the motivation. As Alex Stamos, Facebook’s chief security officer, correctly identifies, credential reuse attacks are among the most pernicious and dangerous threats facing consumers on the internet.