Skip to content

Monthly Archives: July 2019

Capital One – Hacker swipes personal info on 106 million US, Canadian credit card applicants

Maybe if Capital One stopped practicing age discrimination and hired more experience IT workers (problem at numerous companies btw), it could have avoided the breach. In my opinion, this breach should result in crippling fines and C-suite execs being held criminally liable. Of course that will never happen in the U.S.
Quote

A hacker raided Capital One’s cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada.

The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we’re told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.

The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.

Seattle software engineer Paige A. Thompson, aka “erratic,” aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and was collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.

According to the Feds in their court paperwork [PDF], Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services’ S3 buckets, and downloaded their contents.

The financial giant said the intruder exploited a “configuration vulnerability,” while the Feds said a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. US prosecutors said the thief slipped past a “misconfigured web application firewall.”

Either way, someone using VPN service IPredator and the anonymizing Tor network illegally accessed the bank’s in-the-cloud systems, and downloaded citizens’ private data. This “misconfiguration” has since been fixed.

Thompson was, for what it’s worth, an engineer at Amazon Web Services, specifically on its cloud storage systems, between 2015 and 2016, and worked on various software projects in her spare time as well as running her own server-hosting outfit…

What You Should Know About the Equifax Data Breach Settlement

Brian Krebs has a good summary

Excerpt

Q: What happened?

A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.

Q: What about the rest of the money in the settlement?

A: An as-yet undisclosed amount will go to pay lawyers fees for the plaintiffs.

Q: $650 million seems like a lot. Is that some kind of record?

A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.

Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?

A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.

Q: Okay. What can I do?

A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.

Q: Uh, that doesn’t look like Equifax’s site…

A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.

Q: What can I get out of this?

A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:

–Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. The settlement also envisions up to six more years of single bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.

–Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.

–Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.

Q: Does this cover my kids/dependents, too?

A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.

Q: How do I take advantage of any of these?

A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.

Update: The eligibility site is now active, at this link.

The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.

KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.

He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so).

Well the real issue is that company is allowed to continue operations. It should have been wound down and the C-suite execs held liable, perhaps criminally liable.

….and as Brian’s and my Senator, Sen. Mark Warner (D-Va.) said

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Until real teeth are in breach laws which hold c-suite executives criminal liable and such breach threatens the survival of the company, nothing will change. Even the EU general data protection regulation does not go far enough (but much further than the laughable U.S. regs.)

US Guard Warns Again about Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels

For the second time this year the US Coast Guard has issued a warning about the cybersecurity practices aboard commercial sea vessels. Full US Guard Alert Here

To us in Cyber Security, the recommendations are fairly standard. But for the Maritime industry, it seems new.

In order to improve the resilience of vessels and facilities, and to protect the safety of the waterways in
which they operate, the U.S. Coast Guard strongly recommends that vessel and facility owners,
operators and other responsible parties take the following basic measures to improve their
cybersecurity:

  • Segment Networks. “Flat” networks allow an adversary to easily maneuver to any system
    connected to that network. Segment your networks into “subnetworks” to make it harder for an
    adversary to gain access to essential systems and equipment.
  • Per-user Profiles & Passwords. Eliminate the use of generic log-in credentials for multiple
    personnel. Create network profiles for each employee. Require employees to enter a password
    and/or insert an ID card to log on to onboard equipment. Limit access/privileges to only those
    levels necessary to allow each user to do his or her job. Administrator accounts should be used
    sparingly and only when necessary.
  • Be Wary of External Media. This incident revealed that it is common practice for cargo data to
    be transferred at the pier, via USB drive. Those USB drives were routinely plugged directly into
    the ship’s computers without prior scanning for malware. It is critical that any external media is
    scanned for malware on a standalone system before being plugged into any shipboard network.
    Never run executable media from an untrusted source.
  • Install Basic Antivirus Software. Basic cyber hygiene can stop incidents before they impact
    operations. Install and routinely update basic antivirus software.
  • Don’t Forget to Patch. Patching is no small task, but it is the core of cyber hygiene.
    Vulnerabilities impacting operating systems and applications are constantly changing – patching
    is critical to effective cybersecurity.

Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational
imperative in the 21st century maritime environment. The Coast Guard therefore strongly encourages
l vessel and facility owners and operators to conduct cybersecurity assessments to better understand
he extent of their cyber vulnerabilities.

We recommend using a full UTM Firewall on all commercial vessels that have internet connectivity. In addition, individual connected endpoint devices, need to have active anti-malware software installed and running. L4 Networks can help! Contact Us Please.