This is your Shared Security Weekly Blaze for August 5th 2019 with your host, Tom Eston. In this week’s episode: everything you need to know about the Capital One data breach, changes in the payouts from the Equifax settlement, and Nextdoor app scams.
If you happen to be in the cybersecurity industry, this week is what we call “security summer camp,” when thousands of cybersecurity professionals, enthusiasts, and even black hat hackers all meet in Las Vegas to attend BSides, Black Hat, and the infamous hacker conference, DEF CON. These conferences are probably the most dangerous place on the planet for your laptop or smartphone, because everyone is hacking everyone else, either intentionally or unintentionally, as part of quote unquote “research.” I know that I’ll be using a faraday bag for all my devices while I’m at the conferences this week. That way I know my devices are completely secure and off the grid. If you’re heading to Vegas this week, make sure you protect your devices with Silent Pocket’s great product line of faraday bags. In fact, stop by the Silent Pocket booth at DEF CON this weekend and check out their products for yourself while you’re at the conference. Don’t forget you can also visit silentpocket.com and receive 15% off your order using discount code “sharedsecurity”. Stay safe this week and be sure to mind the grid!
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use.”
The big news last week was the massive Capital One data breach affecting more than 100 million customers in the US and 6 million in Canada. That makes it one of the largest financial data breaches on record, with Equifax being number one, followed by the Heartland Payment Systems breach of 2009. The 30 gigabytes of personal information exposed in this breach included names, addresses, phone numbers, email addresses, dates of birth, and self-reported income, as well as about 140,000 Social Security numbers and 80,000 linked bank account numbers. All of this data appears to be from credit card applications dating back to 2005. According to the announcement posted by Capital One, the breach was discovered on July 19th, and the person responsible, Paige Thompson, a former Amazon employee, was arrested by the FBI. Perhaps the most interesting aspect of the breach is how the perpetrator was caught. Paige had posted details about the data she had stolen on her GitHub page and boasted about it on her Twitter account. Someone saw the information posted in the GitHub account and sent an email to Capital One’s responsible disclosure address alerting them to the issue. So how did this data get compromised in the first place? She was able to download it from an Amazon S3 bucket by way of a misconfigured web application firewall (or WAF). Note that this isn’t the typical Amazon S3 exposure we commonly hear about, where a bucket is left wide open for anyone to read, and there is still debate in the security community about exactly how the breach occurred. The leading theory is that a role assigned to the WAF was exposed through Server Side Request Forgery (SSRF). SSRF is a web application vulnerability in which an attacker gets the server to make requests on their behalf, and it is especially dangerous in public cloud environments like Amazon’s because the server can reach the instance metadata service on a link-local address, which hands out temporary credentials for whatever IAM role is attached to that instance. With those credentials, an attacker can call the AWS APIs with the role’s permissions, including listing and copying S3 buckets.
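The SSRF mechanism described above is easiest to see in code. What follows is an added example, not code from this podcast, from Capital One, or from AWS: a minimal URL-proxying function of the kind a web application (or a WAF front end) might expose, shown in its unsafe form beside a hardened version that refuses to proxy to link-local, private, loopback, or non-HTTP destinations. The address 169.254.169.254 is the real AWS instance metadata endpoint; the function names, the stub DNS table, and the sample URLs are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# AWS instance metadata service (IMDS). A server-side request to this
# link-local address returns the temporary credentials of the IAM role
# attached to the instance, which is why SSRF is so dangerous in the cloud.
AWS_METADATA_HOST = "169.254.169.254"

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to the set of IP address strings it points to (uses real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS table so the example runs offline. 93.184.216.34 is a
# public address; "evil.example" mixes a public record with the IMDS address
# to show why every resolved address must pass, not just the first one.
CONSTRUCTED_DNS = {
    "example.com": {"93.184.216.34"},
    "evil.example": {"93.184.216.34", AWS_METADATA_HOST},
}


def constructed_resolver(host):
    """Offline stand-in for default_resolver; unknown names resolve to nothing."""
    return CONSTRUCTED_DNS.get(host, set())


def vulnerable_fetch_target(url):
    """Unsafe: trusts the user-supplied URL and hands it straight to the fetcher.

    A proxy built on this will happily request
    http://169.254.169.254/latest/meta-data/iam/security-credentials/
    and return the role's temporary keys to the attacker.
    """
    return url


def is_safe_url(url, resolver=default_resolver):
    """Return True only if url points at a public, routable HTTP(S) host.

    Every address the host resolves to must be public, and a resolution
    failure or an unparseable address is treated as unsafe (fail closed).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        # IP literal (IPv4 or bracketed IPv6): no DNS lookup needed.
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, OSError):
            return False
    if not addresses:
        return False
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        if (ip.is_link_local or ip.is_private or ip.is_loopback
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False
    return True


def hardened_fetch_target(url, resolver=default_resolver):
    """Hardened: refuse to proxy anything that is not a public HTTP(S) destination."""
    if not is_safe_url(url, resolver):
        raise ValueError("refusing to proxy to non-public destination: %s" % url)
    return url


def demo():
    """Run the check over constructed sample URLs; returns {url: is_safe}."""
    samples = [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[fd00::1]/",
        "http://127.0.0.1:8080/admin",
        "file:///etc/passwd",
        "http://evil.example/",
        "http://unknown.example/",
        "http://example.com/",
    ]
    return {u: is_safe_url(u, constructed_resolver) for u in samples}


if __name__ == "__main__":
    for url, safe in demo().items():
        print("%-70s %s" % (url, "allowed" if safe else "BLOCKED"))
```

One caveat a practitioner should keep in mind: the check resolves the name once, and the HTTP client resolves it again when it connects, so a DNS rebinding attack can pass the check and then point the second lookup at 169.254.169.254. The fix is to connect to the exact address that was validated (pin it in the client) rather than re-resolving the hostname, and to keep the IAM role attached to the instance limited to the buckets and actions it actually needs, so stolen metadata credentials are worth as little as possible.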
What’s even more fascinating is how she tried to steal this data without getting caught. The official complaint filed by the FBI states that she attempted to cover her tracks by using a VPN as well as Tor (which is also used to hide your IP address) when she was downloading Capital One data from Amazon S3. However, that didn’t matter much when she discussed how she could steal data from Amazon S3 buckets on Twitter and in a Slack chat room, and stored the data in a public GitHub repository with her real name tied to it. It’s almost like she wanted to get caught! Quite a lesson in how criminals make mistakes and how those mistakes can put someone in prison for a very long time. In this case, the accused could face up to five years in prison and a $250,000 fine.
Now we don’t know if this data was accessed by anyone else, and Capital One has stated that they don’t think it has been. But I think some positives here are that Capital One did have a way for people to report security vulnerabilities and that the incident response from Capital One seemed to have been handled very quickly. It’s also the first data breach I’ve heard of where an arrest was made within days of the breach being detected. The negatives? Well, for starters, be on the lookout for phishing emails capitalizing (no pun intended) on this data breach, asking you to verify your personal data or pay for credit monitoring services; these attempt to steal more of your data and your credit card number. Also, be wary of spam from identity theft protection or monitoring services. Many of these services are a waste of money, and you’re better off freezing your credit on your own and monitoring your credit card statements, bank accounts, and other financials on a monthly basis. Plus, it’s one less company that you have to give your private data to just so they can monitor your credit. We’ve talked about how to freeze your credit and do all of this on your own in episode 16 of this podcast, and we’ve linked to a great guide put together by Brian Krebs. Check out our show notes for links to these resources.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically.
There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next.
That’s where NETSCOUT comes in.
Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud.
With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www.netscout.com.
Speaking of data breaches, last week remember how I talked about how you should go and claim your $125 if you happen to have been a victim of the Equifax breach? Well, the FTC announced this past week that too many people have filed claims and that the actual payout will be significantly less than the stated $125. The FTC said in an updated FAQ posted on the official settlement website, quote, “The public response to the settlement has been overwhelming. Millions of people have visited this site in just the first week. Because the total amount available for these alternative payments is $31 million, each person who takes the money option is going to get a very small amount. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.” End quote. The FTC goes on to say that the free credit monitoring is a better value, with a market value of hundreds of dollars per year. I think that statement about value is debatable, and what about the people who have already paid for credit monitoring? Why would they get another service on top of the one they already have? What this means is that most of us will get nothing out of this settlement unless you did happen to get your identity stolen and can prove it in your claim. In that case there is still money for real victims of the breach, up to $20,000 per claim. Oh, and don’t bother getting a credit monitoring service by giving Equifax even more of your data. You’re better off freezing your credit on your own.
Nextdoor, the popular app that your neighbors use to discuss everything from lost cats to loud cars going down your street and, of course, the one neighbor who hasn’t cut their lawn in two weeks, is also being used by criminals for identity theft and other scams. BuzzFeed News reported last week that more and more of these types of scams are happening because people have a higher level of trust in the app, since it only lets your neighbors register. This has led to people blindly trusting recommendations by neighbors for contractors and other services that end up being scams. In fact, a 2018 study by the Better Business Bureau showed that people between the ages of 35 and 54 were the most susceptible to home improvement scams. The sad part is that the elderly are also common targets because, according to the FBI, they often have a nest egg and excellent credit. And just because Nextdoor tries on its own to verify your neighbors when they register (which, by the way, seems like a privacy nightmare waiting to happen), don’t think for a second that criminals won’t pretend to be one of your neighbors in order to post fake recommendations and other scams. Also, Nextdoor shares your full name and address with other neighbors by default, so unless you change the default settings this gives criminals even more information about you and where you live. And this problem is not limited to Nextdoor. The same thing can happen in those private Facebook groups for neighborhoods and cities that everyone is using.
Now I’m not saying that you shouldn’t use apps like Nextdoor, but before you hire a contractor for anything you should be doing your own research beyond a good recommendation from your neighbor. That means checking the Better Business Bureau and Angie’s List, and simply Googling the contractor to see what type of reviews have been left, before you move forward with hiring someone. A little extra due diligence and research can go a long way toward preventing you from becoming a victim of these increasingly popular scams.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.