Category Archives: Cybercrime

Paige Thompson, “Erratic” Capital One Hacker, Pleads Not Guilty to Charges of Computer Fraud

In July of this year, an investigation began into a massive data breach at Capital One. On September 5, the defendant pleaded not guilty, so I thought this would be a good time to discuss what happened, because this is one of the best hacking stories I’ve heard since I became interested in computer security.

The Hacker

Paige Thompson was a 33-year-old software engineer living in Seattle. She frequently posted on Twitter about her fascinating life, tweeting hacking tips and lamenting her dating life and the death of her cat, Millie.

Outside of her life as a software engineer, Thompson had a shady side, running a hacking meetup group called ‘Seattle Warez Kiddies’. This group had its own Slack channel, where she frequently posted under the handle ‘erratic’.

The Crime

Paige was accused of compromising the personal data of over 100 million customers, including 140,000 Social Security Numbers and 80,000 bank account numbers. She then posted this data to GitHub, where a whistleblower eventually spotted it and reported it to Capital One.

The Exploit

Thompson, who previously worked at AWS, had a deep understanding of cloud architecture and security. She used this knowledge to create a tool to scan a certain cloud provider’s customers for misconfigurations, which she then used to gain unauthorized access to their data.

The Investigation

The investigation began after Capital One received a tip from an unknown email address reporting that some of their data may have been leaked on GitHub.

Screenshot of the initial responsible disclosure email. Taken from indictment papers.

Unfortunately, despite being an expert in cloud security, Thompson did not practice especially good operational security and used her full name as the GitHub username on the leak. From there, investigators were able to find her meetup group and its associated Slack channel, where she made the mistake of bragging about her exploits, claiming she had “basically strapped [her]self with a bomb vest,” and detailing the methods she used to stay anonymous.

Screenshot of Slack chat between Thompson (<erratic>) and another member of the meetup group. Taken from indictment papers.

Thompson was indicted on August 28 for violation of Title 18, United States Code, Section 1030(a)(2). She pleaded not guilty on September 5 and has a jury trial scheduled for November 4.

Further Reading

Written by Daniel Monteagudo on September 9, 2019

HSBC Data Breach

Today, HSBC Bank disclosed that they had a data breach between October 4th and October 14th. The number of people affected by this breach is undisclosed, but only Americans have had their data compromised. The kinds of information leaked may include: full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

To rectify this, HSBC has said that they are going to enhance their authentication processes for online banking and will offer affected customers a year-long subscription to a “credit monitoring and suspicious activity alerting product”. These gifts and claims sort of fall flat, as the bank does not have a good history with its security. According to Wired, they weren’t using “up to date encryption standards for online banking”, and according to a Swansea University researcher, they were ranked in the bottom five of banks based on “the technical measures used by their respective websites” as of this writing.

The way the breach occurred hasn’t been stated yet, but Ilia Kolochenko, the CEO and founder of High-Tech Bridge, has said that “as it would appear that only US customers have been affected, that could point to the breach occurring by way of an authorized third party or careless employee”.

This breach definitely follows from the weaknesses that Wired and the Swansea University researcher reported: potential hackers could have seen this information and decided to attack HSBC next, since it was reported to have lower levels of security than other targets.

– Jacob Peverly

Sources:

Burgerville’s data breach

At some point in 2017 or 2018, the restaurant chain Burgerville experienced a security breach. Burgerville only learned of the issue when the FBI notified them on August 22 of this year. At first, it was seen as a “brief intrusion that no longer existed”. However, by September 19 (almost a whole month later), the company realized that the breach was still active and was targeting customers’ financial information. Burgerville does not specify what kind of malware it was or where it was detected, though the source article adds that it could be at a point-of-sale system, where people physically swipe, scan or insert their cards.

Data that was stolen includes credit/debit card information: names, card numbers, expiration dates, and CVV security numbers. Burgerville also does not know how many people could have been affected by this, though they warn everyone who used cards from September 2017 through September 2018 to watch their accounts for fraudulent purchases. Anyone who used a card to purchase anything at any one of their locations during the last year may have had their card information compromised.

“This was a sophisticated attack in which the hackers effectively concealed all digital traces of where they have been,” states Burgerville. Although no direct evidence was given, the data breach is attributed to Fin7, also known as the Carbanak group, an Eastern European hacking network that has successfully carried out cyberattacks on over 100 US companies.

In August, three Ukrainian members of Fin7 were arrested in Europe, where Fin7 is believed to operate. Despite the arrests, Fin7 is still actively deploying malware on corporate networks. According to the US Department of Justice, this is not the first time Fin7 has targeted a US restaurant chain. Other victims include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

Although the chain made the initial mistake of underestimating the breach, they pulled in an external cybersecurity company to stop the breach, remove malware, and take preventative measures. “The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company’s network,” Burgerville said in a written statement. Burgerville completed the operation to seal the breach on September 30.

Source articles: 

https://www.zdnet.com/article/burgerville-customer-credit-card-info-stolen-in-data-breach-laid-at-fin7s-feet/

https://www.oregonlive.com/business/index.ssf/2018/10/burgerville_reports_major_cred.html


Michael Abdalov

Fired Chicago Schools Employee Causes Data Breach

Recently, a temporary worker at Chicago Public Schools was fired from her job and is alleged to have stolen a personal database in retaliation. The database contained the information of approximately 70,000 people. The stolen information included names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family Services.

She allegedly copied the database and then proceeded to delete it from the Chicago Public Schools’ system. Those affected by this breach included employees, volunteers and others affiliated with Chicago Public Schools. Luckily, the breach was discovered before any information was used or spread in any way by the former employee. The individual is now being charged with one felony count of aggravated computer tampering/disrupting service and four counts of identity theft.

This incident illustrates an essential principle of computer security: no matter how many security measures guard a system, somebody on the inside, like a disgruntled employee, can still cause a breach. The lesson is to keep a close eye on employees, especially those who show red flags, and to be careful about which data and databases each employee is authorized to view, use and modify.

Written by: Craig Gebo

Source: https://www.securitymagazine.com/articles/89553-fired-chicago-schools-employee-causes-data-breach

Healthcare.gov data breach: 75k affected


Last week (as of writing) the Centers for Medicare & Medicaid Services announced a large data breach affecting Healthcare.gov’s Federally Facilitated Exchanges. The specific part of the exchanges that was breached is meant to provide customers with access to healthcare agents and brokers who assist with their applications for coverage.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”

The breach seems to be the result of a compromised agent/broker account, which CMS has since deactivated. The scope as reported by CMS is believed to be around 75,000 users, but the Office of the Inspector General has reported that no banking, federal tax, or personal health records were lost in the breach. CMS reported the breach to the FBI and is currently cooperating with federal investigators regarding this event.

The strange activity began on October 13th, and CMS identified it as a breach and reported it on October 16th. The offending accounts were disabled, and as an extra precaution CMS disabled the part of the FFE that allowed agent/broker interaction with customers. As that tool is only one of multiple options for enrollment, Healthcare.gov remains open and operational while CMS works to fix the issues that led to the breach.


-Henry Ballentine