Patterico's Pontifications

7/30/2019

Hackers

Filed under: Crime — DRJ @ 7:00 am



[Headlines from DRJ]

Let’s talk about hacking and hackers … like the news that Capital One target of massive data breach:

A security breach at Capital One Financial, one of the nation’s largest issuers of credit cards, compromised the personal information of about 106 million people, and in some cases the hacker obtained Social Security and bank account numbers.

It is among the largest security breaches of a major U.S. financial institution on record.

Authorities have already made an arrest of a transgender ex-Amazon employee, 33, in Seattle who had boasted about the hack online:

Thompson allegedly pulled it off between March and July of this year by breaking into the bank’s servers through a misconfiguration in its firewall.

The data was being stored on Amazon’s Web Services cloud but Amazon insists it is not to blame for the hack and that she exploited Capital One’s systems to access it. Capital One admits that it was a fault in its infrastructure, and not Amazon’s, which led to the breach.

After allegedly stealing the data, Thompson left authorities a trail of breadcrumbs, posting online about the hack so much that other hackers warned her she was facing jail.

Her online postings about the hack were reported to Capital One on July 17 in an email from a white hat hacker who had seen the information on a website called GitHub alerted the bank to it in an email.

There are also warnings about a different kind of hacking:

The Department of Homeland Security plans to issue a security alert Tuesday for small planes, warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft.

An alert from the DHS critical infrastructure computer emergency response team recommends that plane owners ensure they restrict unauthorized physical access to their aircraft until the industry develops safeguards to address the issue, which was discovered by a Boston-based cybersecurity company and reported to the federal government.

Most airports have security in place to restrict unauthorized access and there is no evidence that anyone has exploited the vulnerability. But a DHS official told The Associated Press that the agency independently confirmed the security flaw with outside partners and a national research laboratory, and decided it was necessary to issue the warning.

A hacker would need to have access to the plane, which seems harder (but not impossible) given post-9/11 security measures.

Let’s end with a Georgia Tech study about hacking our cars:

In the year 2026, at rush hour, your self-driving car abruptly shuts down right where it blocks traffic. You climb out to see gridlock down every street in view, then a news alert on your watch tells you that hackers have paralyzed all Manhattan traffic by randomly stranding internet-connected cars.

Flashback to July 2019, the dawn of autonomous vehicles and other connected cars, and physicists at the Georgia Institute of Technology and Multiscale Systems, Inc. have applied physics in a new study to simulate what it would take for future hackers to wreak exactly this widespread havoc by randomly stranding these cars. The researchers want to expand the current discussion on automotive cybersecurity, which mainly focuses on hacks that could crash one car or run over one pedestrian, to include potential mass mayhem.

They warn that even with increasingly tighter cyber defenses, the amount of data breached has soared in the past four years, but objects becoming hackable can convert the rising cyber threat into a potential physical menace.

“Unlike most of the data breaches we hear about, hacked cars have physical consequences,” said Peter Yunker, who co-led the study and is an assistant professor in Georgia Tech’s School of Physics.

It may not be that hard for state, terroristic, or mischievous actors to commandeer parts of the internet of things, including cars.

“With cars, one of the worrying things is that currently there is effectively one central computing system, and a lot runs through it. You don’t necessarily have separate systems to run your car and run your satellite radio. If you can get into one, you may be able to get into the other,” said Jesse Silverberg of Multiscale Systems, Inc., who co-led the study with Yunker.

Why do hackers hack? Money/criminal gain, to leak information or disrupt services, attention/fun, ideology or to make a political or personal point. In other words, hackers are going to hack. We live in wonderful times but we need to stay smart.

— DRJ

21 Responses to “Hackers”

  1. Staying smart means not using “cloud computing” for anything you want or need to keep private.

    Gryph (08c844)

  2. transgender

    So it isn’t really a female.

    I had wondered about that anomaly.

    The New York Times doesn’t mention that fact. Just the name Paige Thompson, and te age, 33. ,

    Because, of course, this person’s new identity is supposed to be accepted fully, with no disntinctions

    Sammy Finkelman (7cd5f4)

  3. Is there any platform secure,

    Narciso (72d34b)

  4. If my expectations of self-driving cars are even close, hacking will be superfluous. Based on my long experience of computers I look forward to the day when a software bug causes thousands of copies of the same car to accelerate/turn left/die for no readily apparent reason, in the middle of rush hour traffic.

    Hilarity ensues.

    C. S. P. Schofield (9eb8bc)

  5. A bug or virus instead of an intentional hack? That makes sense and the consequences would be even more unpredictable.

    DRJ (15874d)

  6. 3. No Narciso, there is no system that is completely secure. That is why it is foolish to trust someone else to keep your sensitive data on their computer. IMO, there is no substitute for paper and graphite.

    Gryph (08c844)

  7. Yes but they arent even trying basic countermeasures

    Narciso (72d34b)

  8. 7. There’s no way to know if they are or not. If someone is bound and determined to get into a system, given enough time and effort they will. Keep in mind, most hacking isn’t a technical endeavor. Google “social engineering hackers” and you’ll see what I mean.

    Gryph (08c844)

  9. Here’s an excellent piece on the Hacker Crackdown of 1992 written by Bruce Stirling. Don’t worry folks. The link leads to a legitimate sharing site and the whole work is available online for free. It’s also available in paperback from Amazon if you feel like supporting the author.

    Gryph (08c844)

  10. Identity theft sucks. 60% of Americans have their identities and personal information exposed by the experian data breach. Most of our information is out there. It’s just that it hasn’t been used by a criminal yet… if you are lucky.

    NJRob (4d595c)

  11. Equifax, so far, fireeye, saw the hack in progress, and did nothing to stop it, three guesses who the intruders were?

    narciso (d1f714)

  12. A big part of the problem is that the cost of the data breach isn’t really carried by the company that holds that data. If it were I think they’d come up with ways to make this less likely. I think a great way to encourage that would be put a clear fine for companies that didn’t protect my data.

    I was subject to identity theft last year. Wasn’t that bad. Probably took about 4-5 hours to sort out. I know there are people who have had it worse. So, let’s keep the math simple.

    -Median HHI for the US is 60,000$
    that works out to about 30$ / hour. Since I have to do this on top of my normal job I’d like time and a half (45$/Hour) Let’s round up to 50$ / Hour. Call it 250$ for anyone who had their information stolen.

    So let’s call it a fine of 25 billion USD.

    I’ll bet that we’d quickly see 2 things.

    -an increase in costs of online transactions as these costs were factored in.
    -a decrease in information breaches as companies worked to make my data more secure on their servers.

    Time123 (36651d)

  13. Equifax, correct. My apologies.

    NJRob (71c153)

  14. Time,

    I was subject to it this year. Took a week to sort out. Still monitoring and locked reports. Wasn’t fun. At least I caught it as it was happening and protected myself. Can’t imagine what happens after you’ve been destroyed and have to pick up the pieces.

    NJRob (71c153)

  15. I’ll bet that we’d quickly see 2 things.

    -an increase in costs of online transactions as these costs were factored in.
    -a decrease in information breaches as companies worked to make my data more secure on their servers.

    Time123 (36651d) — 7/30/2019 @ 11:45 am

    Would we see the companies work to make things more secure if the costs had already been factored in and passed on?

    DRJ (15874d)

  16. This is the info Capital One says the hack obtained

    The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

    Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

    Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
    Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
    No bank account numbers or Social Security numbers were compromised, other than:

    About 140,000 Social Security numbers of our credit card customers
    About 80,000 linked bank account numbers of our secured credit card customers
    For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

    https://www.capitalone.com/facts2019/

    kishnevi (496414)

  17. 16. No bank accounts or social security numbers were compromised…except those that were. SMDH

    Gryph (08c844)

  18. About ten years ago I took a weekend off, drove up to Austin and checked into the Driskill Hotel. Stay for two nights, eat some great food, check out my old haunts, party on Sixth Street, a typical leisurely get away.

    Then a month later I stopped by the corner convenience store for $20 of gas. But when I tried to charge it to my debit/credit card, it was declined. That was odd, because there was or should have been over $25,000 in my account. Luckily I had some cash, so I went in a paid the clerk, then drove to the bank to ask what was wrong with my card. Had it expired?

    The account was completely empty, with a negative balance of $300, and a $1000 hold on all charges. What?! I asked to see the bank’s record of the last month, and there were all these charges made in Arizona. Arizona??!! I’ve only been to Arizona once in my entire life, and that was for a one hour layover on a flight to California.

    It took two weeks to get that mess cleared up, and I was able to recover almost all of my money. What happened?

    I was not the victim of identity theft. This was a far more sophisticated crime than that. The hacker(s) didn’t hack into the bank. What these criminals did was hack into the booking service used by the Driskill Hotel, and hundreds of other hotels around the country. So they got names and card numbers of literally thousands of unwitting customers, everyone who checked into any hotel that used the booking service, then they printed fake credit cards and sold them on the street.

    It’s the perfect crime. The only people who can be charged with anything are those caught using fake credit cards, and they’re just going to throw the cards away once a charge is declined because the account has been drained, so they won’t be caught. The real criminals, the ones who hacked the booking service and forged the credit cards, are invisible. Thousands of victims, millions of dollars stolen, how many and how much is impossible to calculate.

    That’s cybercrime, and it’s big money. Whoever pulled this off, and it had to be organized crime, the Mob, was smart and well-financed. They left no clues behind. They made a huge score and disappeared, rich.

    That was over a decade ago. Imagine what they can do now.

    Gawain's Ghost (b25cd1)

  19. Exactly Gawain’s Ghost.

    It’s Russian Roulette. Just hope we keep getting an empty chamber.

    If you do research the number of website breaches out there, it’s frightening. Never use the same password (or even username) if you can help it. Never store them on devices. And just hope when the site that they are a part of is hacked, that the company you use has your back.

    NJRob (4d595c)

  20. So ‘what’s in your wallet’ is in somebody else’s now?!?!

    DCSCA (797bc0)

  21. Currently, the most common way thieves get our credit and debit card numbers is by installing skimmers at gas pumps. There are suggestions at the link regarding how to avoid that.

    As for repairing credit after a theft, I suggest a credit freeze instead of credit monitoring:

    Chi Chi Wu, staff attorney at National Consumer Law Center, said in a statement Tuesday that the most effective measure consumers can take to prevent someone from stealing their identity and opening new accounts is to freeze their credit reports except when they want to apply for credit.

    A credit freeze is more effective than credit monitoring, Wu said. A credit monitoring service reviews credit reports and flags signs of fraudulent activity.

    “Credit monitoring is like shutting the door after the horse has left the barn, whereas a credit freeze is a preventative measure,” Wu said.

    Throughout the United States, consumers can freeze their credit reports free of charge by contacting each of the three credit reporting firms — Experian, Equifax and TransUnion — online or via mail.

    Identity thieves have a harder time taking out credit in the name of a person whose credit is frozen because the freeze prevents the person’s credit file from being shared with potential creditors, and creditors want to see the file before approving a new account. According to California Atty. Gen. Xavier Becerra’s website, even someone who has your name and Social Security number would probably not be able to take out credit in your name if you have a freeze in place.

    DRJ (15874d)


Powered by WordPress.

Page loaded in: 0.0858 secs.