Capital One Data Theft Impacts 106M People — Krebs on Security

Posted: 30 Jul 2019 01:04 PM PDT

Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.

Paige "erratic" Thompson, in an undated photo posted to her Slack channel.

On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.

That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.

"Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised," Capital One said in a statement posted to its site.

"The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019," the statement continues. "This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income."

The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform GitHub. That GitHub account belonged to a user named "Netcrave," and included the resume and name of one Paige A. Thompson.

The tip that alerted Capital One to its data breach.

The complaint doesn't explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused's resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson's most recent employer was Amazon Inc.

Further investigation revealed that Thompson used the nickname "erratic" on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances.

The Twitter user "erratic" posting about tools and processes used to access various Amazon cloud instances.

According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named "Netcrave Communications."

KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.

That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:

According to Erratic's posts on Slack, the two items in the list above beginning with "ISRM-WAF" belong to Capital One.

Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.

None of Erratic's postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.

Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data breaches.

"The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats," Watson said. "She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches."

"The good news, however, is that Capital One Incident Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with," he continued.

In Capital One's statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.

"Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual," Fairbank said. "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.

Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.

A copy of the complaint against Thompson is available here.

Update, 3:38 p.m. ET: I've reached out to several companies that appear to be listed in the last screenshot above. Infoblox [an advertiser on this site] responded with the following statement:

"Infoblox is aware of the pending investigation of the Capital One hacking attack, and that Infoblox is among the companies referenced in the suspected hacker's alleged online communications. Infoblox is continuing to investigate the matter, but at this time there is no indication that Infoblox was in any way involved with the reported Capital One breach. Additionally, there is no indication of an intrusion or data breach involving Infoblox causing any customer data to be exposed."


5 Ways to Protect Yourself from Cybercrime - Government Technology

Posted: 30 Jul 2019 11:42 AM PDT

High-profile data breaches at companies like British Airways and Marriott get a lot of media coverage, but cybercriminals are increasingly going after community groups, schools, small businesses and municipal governments.

Just in the Midwest, hospitals, libraries, voter registration systems and police departments have fallen victim to one type of digital hijacking or another. Cybercrime is not just a concern for corporate technology departments. Schools, scout troops, Rotary clubs and religious organizations need to know what to look for and how to handle it.

As the academic director of a new cybersecurity clinic at Indiana University, I'll be helping to lead students and faculty members in teaching local, county and state government agencies, not-for-profit organizations and small businesses how to improve their cyberhygiene. They'll learn how to better manage digital systems, protect their intellectual property and improve consumer privacy.

Everyone should know the basics for how to protect themselves and the groups or organizations they're part of. Here is a brief look at some of the cybersecurity best practices we'll be teaching members of our communities to keep in mind as they go online for work, play or volunteering.

1. Keep everything up to date

Many breaches, including the 2017 one at the Equifax credit bureau that exposed the personal and financial information of roughly 147 million people, boil down to someone leaving out-of-date software running: Equifax had not applied an available patch for a known vulnerability in the Apache Struts web framework it used. Most major software vendors issue regular updates to fix newly discovered vulnerabilities.

Keep your software and operating systems updated. To make it easy, turn on automatic updates when possible. Also, be sure to install software to scan your system for viruses and malware, to catch anything that might get through. Some of that protection is free, like Avast, which Consumer Reports rates highly.

2. Use strong, unique passwords

Remembering passwords, especially complicated ones, isn't fun, which is why so much work is going into finding better alternatives. For the time being, though, it's important to use unique passwords that are different for each site, and not easy-to-hack things like "123456" or "password."

Choose ones that are at least 14 characters long. Consider starting with a favorite sentence, and then just using the first letter of each word. Add numbers, punctuation or symbols for complexity if you want, but length is more important. Make sure to change any default passwords set in a factory, like those that come with your Wi-Fi router or home security devices.

A password manager program can help you create and remember complex, secure passwords.

3. Enable multi-factor authentication

In many situations, websites are requiring users not only to provide a strong password but also to type in a separate code from an app, text message or email message when logging in. It is an extra step, and it's not perfect, but multi-factor authentication makes it much harder for a hacker to break into your accounts.

Whenever you have the option, enable multi-factor authentication, particularly for crucial log-ins like bank and credit card accounts. Prefer an authenticator app or a hardware security key (a small USB or NFC device that connects to your computer or smartphone) over codes sent by text message, which can be intercepted or redirected; a hardware key is the most phishing-resistant option.

Have hackers driven us back to the age of the physical key? Bautsch/Wikimedia Commons

4. Encrypt and back up your most important data

If you can, encrypt the data that's stored on your smartphone and computer. If a hacker copies your files, all they will get is gibberish, rather than, for instance, your address book and financial records. This often involves installing software or changing system settings. Some manufacturers enable it by default without users even knowing, which helps improve everyone's security.

For data that's crucial, like medical information, or irreplaceable, like family photos, it's important to keep copies. These backups should ideally be duplicated as well, with one stored locally on an external hard drive only periodically connected to your primary computer, and one remote, such as in a cloud storage system.

5. Be careful using public Wi-Fi

When using public Wi-Fi, anyone nearby who is connected to the same network can see which sites your computer is talking to and can read any traffic that is not itself encrypted (most websites now use HTTPS, which protects the content but not the destination). You can use the free Tor Browser, built on onion routing originally developed at the U.S. Naval Research Laboratory, to encrypt your traffic between your device and the Tor network and hide which sites you visit from anyone on the local network. Traffic leaving the Tor exit node is still only as protected as the website's own HTTPS.

You can also use a virtual private network (VPN) to encrypt all your internet traffic, not just what goes through your browser – like Spotify music or video in the Netflix app – so that hackers, or even casual users, on the same network cannot spy on you. A VPN moves that trust to the VPN provider, which can see everything you send through it, so choose one carefully. There is a wide range of free and paid VPN options.

In short: Be cautious, proactive and informed

Of course, there is much more a person or organization can do to protect private data. Search engines like DuckDuckGo don't track users or their searches. Firewall software built into both Windows and Mac OS – or downloaded separately – blocks unsolicited incoming connections, which stops many worms and remote attacks from reaching your systems in the first place.

To protect yourself against data breaches at places where your information is stored, you should consider freezing your credit, which blocks anyone from applying for credit in your name without your personal permission. It's free. If you have already received a notification that your data has been stolen, consider putting a free "fraud alert" on your credit reports.

There are plenty of other places to learn more about cybersecurity, too, including some very good podcasts.

No person, organization or computer can ever be 100% secure. Someone with the patience, money and skill can break into even the most protected systems. But by taking these steps, you can make it less likely that you'll be a victim, and in the process help raise the overall level of cyberhygiene in your communities, making everyone safer both online and off.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Encryption for Android (Guide) | 3 ways to Secure your Android phone - https://proprivacy.com/

Posted: 02 May 2019 12:00 AM PDT

Encryption in its most basic form is the process of changing information into illegible code to prevent people from accessing your data.

As of Android 7.0 Nougat, released in 2016, almost all new Android phones come encrypted out of the box. However, this encryption is not without problems. In this article, we show you several ways of adding to the encryption your Android phone already has.

3 ways to encrypt your Android phone

  1. Use Third-party file Android encryption apps

    If you store highly sensitive data on your phone, you shouldn't rely solely on Android's built-in encryption, which protects data only while the device is powered off and locked. What you can do, though, is secure individual files using third-party apps that encrypt them under a separate password.

    EDS/ EDS Lite is an open source app that allows you to store files in a secure VeraCrypt (or LUKS, EncFS, or CyberSafe) container on your phone. Cryptomator will encrypt data locally as well as securely syncing it to the cloud.
    High-end Samsung users also have the built-in Secure Folder feature, which allows you to store files and apps in a specially encrypted folder protected by the Samsung Knox security platform. Similar features are available on Huawei, OnePlus, Oppo, Vivo, and Xiaomi phones.
    Note that numerous third-party app locker apps exist, but as far as we are aware these do not actually encrypt data stored by the locked app.

  2. Enable Lockdown mode

    Android 9.0 Pie introduced a feature aimed at stopping someone from forcing you to unlock your phone with your finger or face.

    Once enabled, "Lockdown mode" adds an "Enter Lockdown" option to the menu shown when you long-press the power button. Selecting it disables biometric unlock (fingerprint or face), disables Smart Lock (which can keep the phone unlocked when it is connected to a trusted Wi-Fi network or Bluetooth device, for example) and hides notifications from the lock screen, so that only your PIN, pattern or password will unlock the phone.

    To enable Lockdown mode in Android 9.0 Pie:

    1. go to Settings
    2. open Security & location, then Lock screen preferences
    3. turn on Show lockdown option

    On Samsung phones the same switch is under Settings, Lock screen, Secure lock settings, Show Lockdown option.

  3. Encrypting SD Cards on Android

    Many phone manufacturers have dropped external SD card storage from their flagship models. A notable exception is Samsung, although others also exist. If your phone supports expandable storage, it should be possible to encrypt it.

    On a Samsung S9+, this is done by going to Settings, selecting Biometrics & security and choosing Encrypt SD card, but the path may vary by device. 

    SD card encryption is completely transparent in use, as long as you access encrypted files from the phone you encrypted them on.

    The files cannot be accessed in any other way, though: the card's key is held by that phone. If you lose or break the phone used to encrypt the SD card, or factory-reset it without decrypting the card first, you will not be able to recover data stored on it, so back up anything important before encrypting.  

Current Android Encryption

Before Android 7.0, data at rest was protected using dm-crypt full disk encryption (FDE); Android 7.0 introduced file-based encryption (FBE) as an alternative, and newer devices use it.

dm-crypt is the open source transparent disk encryption subsystem in the Linux kernel and is widely used for desktop encryption. It works well on desktop computers, which are regularly shut down, but less well on Android, because FDE unwraps a single volume key at boot and keeps it in RAM until the device is powered off, and users rarely power their phones down.

Android required a strong lock screen (password, PIN, pattern or fingerprint) to mitigate this, but a lock screen guarding a running device can never be as strong as the encryption itself. On FDE devices the volume was encrypted with 128-bit AES-CBC using essiv:sha256 (a per-sector IV derived by encrypting the sector number under a SHA-256 hash of the volume key), and that encryption only protects the data while the device is off.

If an adversary could bypass the lock screen, which is not an impossible task, the key would already be sitting in memory for them to grab.
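To make concrete what "128-bit AES-CBC with essiv:sha256" means, here is an added Go example written for this page; it is not code from Android, dm-crypt or the article. It reproduces dm-crypt's sector encryption: the volume key is hashed with SHA-256, the digest keys a second AES instance that encrypts the little-endian sector number to produce that sector's IV, and the sector is then encrypted with AES-CBC under the volume key. The 16-byte key and the 512-byte sector contents are constructed for illustration; a real volume key is random and, on Android, wrapped by the lock-screen credential. The example shows that identical data in two sectors encrypts to different ciphertext, that decrypting with the wrong sector number garbles only the first CBC block, and, implicitly, that none of this helps once an attacker holds the key that is in RAM on a running phone.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SectorSize is the unit dm-crypt encrypts independently.
const SectorSize = 512

// essivIV derives the IV for one sector the way dm-crypt's essiv:sha256 does:
// the volume key is hashed with SHA-256, the 32-byte digest becomes the key of
// a second AES instance (so the IV generator runs AES-256 even when the data
// key is 128 bits), and that instance encrypts the little-endian sector number
// zero-padded to one block. Without the key, an attacker cannot predict IVs.
func essivIV(volumeKey []byte, sector uint64) ([]byte, error) {
	salt := sha256.Sum256(volumeKey)
	ivCipher, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	plain := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(plain, sector)
	iv := make([]byte, aes.BlockSize)
	ivCipher.Encrypt(iv, plain)
	return iv, nil
}

// EncryptSector encrypts exactly one sector with AES-CBC under volumeKey
// (16 bytes for the 128-bit configuration the article describes).
func EncryptSector(volumeKey []byte, sector uint64, plaintext []byte) ([]byte, error) {
	if len(plaintext) != SectorSize {
		return nil, errors.New("plaintext must be exactly one sector")
	}
	block, err := aes.NewCipher(volumeKey)
	if err != nil {
		return nil, err
	}
	iv, err := essivIV(volumeKey, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, SectorSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// DecryptSector reverses EncryptSector for the same sector number and key.
func DecryptSector(volumeKey []byte, sector uint64, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) != SectorSize {
		return nil, errors.New("ciphertext must be exactly one sector")
	}
	block, err := aes.NewCipher(volumeKey)
	if err != nil {
		return nil, err
	}
	iv, err := essivIV(volumeKey, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, SectorSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out, nil
}

func main() {
	// Constructed 128-bit key and sector contents for the demonstration only.
	key := []byte("0123456789abcdef")
	sector := bytes.Repeat([]byte("A"), SectorSize)

	c0, _ := EncryptSector(key, 0, sector)
	c1, _ := EncryptSector(key, 1, sector)
	fmt.Printf("identical data in sectors 0 and 1 differs on disk: %v\n", !bytes.Equal(c0, c1))

	p0, _ := DecryptSector(key, 0, c0)
	fmt.Printf("round trip restores the sector: %v\n", bytes.Equal(p0, sector))

	// CBC only feeds the IV into the first block, so a wrong sector number
	// garbles 16 bytes and leaves the remaining 496 intact.
	wrong, _ := DecryptSector(key, 1, c0)
	fmt.Printf("wrong sector number garbles first block only: %v\n",
		!bytes.Equal(wrong[:16], sector[:16]) && bytes.Equal(wrong[16:], sector[16:]))
}
```

The ESSIV step is what stops an attacker who can write to the disk from recognising chosen plaintext patterns across sectors; it does nothing against an attacker who has obtained the volume key itself, which is the scenario the article is warning about.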

Final thoughts

These days, high and mid-range Android phones all come encrypted straight out-of-the-box, and this should also soon be true of low-end Android phones. 

This is undoubtedly a step forward for the security of most phone users' personal data, but if you store sensitive files on your phone, then you should further encrypt them using something like EDS. 

Hacker Arrested In Capital One Breach Affecting 100M+ - pymnts.com

Posted: 30 Jul 2019 04:01 AM PDT

A former Amazon systems engineer is said to be the woman behind a breach that exposed the data of over 100 million Capital One customers and applicants.

Software engineer Paige Thompson, 33, allegedly boasted about the hack and left crumbs for investigators to follow, The New York Times reported. Thompson formerly worked for Amazon Web Services, which hosted the Capital One database that was breached.

Seattle-based Thompson was charged with one count of computer fraud and abuse following her arrest on Monday (July 29).

"I've basically strapped myself with a bomb vest," Ms. Thompson wrote in a Slack post, according to prosecutors, "dropping capital ones dox and admitting it," the NYT said.

The F.B.I. noticed her activity on a Meetup group she organizes called Seattle Warez Kiddies, which is for people into "hacking, cracking." This led to a GitHub post and to the incriminating Slack message and tweet. Online, she used the name "erratic."

Court documents filed with Seattle's District Court state that Thompson appeared to brag about the information she had accessed related to Capital One. The documents said Thompson accessed the data through a "misconfiguration" of a firewall on a web application.

Capital One revealed the massive data breach in a news release on July 29, 2019. The bank says it does not appear that the hacker had used the stolen information for fraudulent purposes, but investigators will continue to look into it.

The company said it discovered July 19 that there was unauthorized access and fixed the configuration vulnerability, then immediately notified federal law enforcement.

The breach impacts about 100 million individuals in the United States and around 6 million in Canada. Capital One stressed that credit card account numbers and login credentials were not compromised, while more than 99 percent of Social Security numbers were not impacted.

"Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants' names, addresses, dates of birth and information regarding their credit history has not been tokenized," the FBI complaint said, and the bank told the bureau that the data includes "likely tens of millions of applications and approximately 77,000 bank account numbers."

The hack is expected to cost the company between $100 million and $150 million in the near term.
