[podcast] On Identity and the Capital One Data Breach
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
On this episode, Strategists Jim and Jeff talk about the recent news regarding the Capital One data breach and what might have been the motivations behind the incident. They also reference this video when talking about man in the middle attacks against two-factor authentication.LISTEN HERE
We hope you enjoy this episode and please subscribe to the podcast for updates on new episodes!
LISTEN HERE or read the full transcript below (*).
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #5 Full Transcript:
Identity At The Center #5: What Just Left Your Wallet?
Jeff: welcome to episode number five, five in a row, Jim. We've got a streak going.
Jim: I think so. I mean, we're publishing weekly, people can count on our uploads and have some content to listen to on their drive home.
Jeff: I know people probably set their alarms and, probably they might even ask for the day off, which we typically publish on Fridays. So we're recording a Thursday. So try to get out by Friday, but what better way to go into weekend than, with a little IAM talk.
Jim: Absolutely. I mean, it makes people's weekend, Jeff. I'm sure of it.
Jeff: I know. I'm sure it does. So we've got some timely conversation for this week. If you want to talk about the Capital One breach, right?
Jim: Absolutely. I think that's a headliner in our industry.
Jeff: So what do we know so far? Where? and what about Capital One?
Jim: There I think there are a few interesting angles, so maybe a couple of statistics to start.
So you capture these. I went to various Web sites because I feel like when you get a story like this, you have to go and get information from different sources of cross correlated and all that stuff.
But I've got that a hundred and six million individuals had their data compromised. The Capital One credit card breach, a smaller number, one hundred and forty thousand customers had their Social Security numbers swiped. And I thought I saw one. I actually I think it was the original release by Capital One that a million Canadian social insurance numbers were breached as well.
So, what I thought would be interesting. First off, there's a big gap between the one hundred six million and the number of Social Security numbers of social short numbers that were swiped. And suddenly a large part of the data that was using the term data bond is accurate, it probably is, and there's a file or a set of files that were or captured by this hacker.
And a lot of the data was encrypted and a lot of it was like bank account numbers and things other than Social Security numbers, but a lot of it was credit card applications as well.
So couple of things that I read that I think like, number one, am I affected? And I'm sure everybody out there do you know whether you're a capital One customer or not, is probably wondering if they were affected. Because its credit card applications, I don't think you necessarily have to be a capital one customer to have been affected. And I also think that if you are a Capital One customer, you're probably really worried about it. I know personally I have a Capital One credit card. And so I obviously was worried about it. Couple other things I thought were interesting were, the time that the breach occurred and that we're just finding out about it now and that's three months so probably can be explained away. I wasn't able to find a lot of information explaining that time frame from the time of the hack to the time that we're finding out about it. But we did find out about it also after the alleged hacker was arrested. And so that's probably part of it. Like let's not announce that is the big deal, because you don't want a hacker to, tried to flee the country or something. I thought it was interesting information around who it was, who was the hacker? And just the tidbits of information that we're able to get about that person, how they perform a hack, how they put the information out there, which led to figuring out who it was and maybe just, kind of what their motivations were and things like that. And then the whole tie in back to Amazon Web Services, because there was an initial release, said something about a firewall being breach. There have been some releases and some information put out by Amazon themselves that said, well, we'll get into all that. So I laid out a bunch of things that were interesting about it to me. What about you?
Jeff: I think there were some bank account numbers that were part of that too write something somewhere between seventy seven and eighty thousand. And if you look at the total number of records, one hundred million US six million in Canada. And people are going to look at and say, oh, one hundred million people were affected.
Well I think most end at the Canadian equivalent. The big numbers are probably the ones there had the most impact. It's a percentage of that hundred and six million combined. So that people are going to get two ways with it. At least, the vast majority people are secure, but you still think about it. A hundred and forty thousand ends are out there in other eighty thousand bank account numbers, etc... So it certainly is quite the breach. it's interesting how it started. As I guess, just a random e-mail to Capital One email address, some sort of kind of tip line basically that their data was on GitHub. And it sounds like Capital One moved relatively quickly to try to get to the bottom of things. And the way few months here, I think was back in March. So three, four months of delay and getting notification that there I'm sure they had to tie back to investigations and so forth. But, I went through a Web application firewall, which was miss-configured. And apparently this individual had some sort of Amazon Web Services background.
Jim: Or choose a former employee of Amazon.
Jeff: I don't know how that person got, you know, compromised the account that was associate that because it really wasn't an A.W.S issue, it sounds like more was an application issue that just happened to be hosted in A.W.S, the individual basically compromised the account associated with Web application firewall and that started to run commands and enumerating and make data that sort of things. Good on Capital One is that actually had good logging and they were able to actually determine what commands were run and trace the anatomy of the attack and figure things out. It was pretty interesting is, this individual didn't really seem to be trying to cover their tracks. They were able to tie the log in IP address that the person used and get hub where the file was stored under their name. So the IP address where the S3 access was coming from and they were both using the same VPN. Which people kind of associate VPN maybe with security, but that's not 100 percent true, especially important. One thing to consider in this part two is that a lot of VPNs was claim that they don't work with the government and they don't keep logs etc... But it's clear that the VPN that was being used here was clearly not doing that, whether they advertise it or not, something to think about, too.
Jim: So many angles to this. And I think one thing we should point out. Obviously, this news is out there, but it's this is the alleged perpetrator. This is a United States and people are afforded their due process. So we forget to say alleged in any context going forward? That's what we mean. But I mean, at least from the news tidbits that have been put out there. One of the things that I remember reading is that, Capital One does not believe that the data was sold and that the perpetrator did not use the bank accounts. It did not access into the bank account. So you almost wonder to yourself for three months since those data was breached, the data wasn't sold. The accounts weren't accessed. So it was our financial motive? Or was there something else? Heck, we don't know everything about this person yet. But, there were a few things that I saw. One was a screenshot of some kind of messaging application where a Radic, which was the hackers handle said something like, I've got a bomb strapped to my chest. I've got these Capital One docs and it kind of just. It was a very light hackery, to set the upper case, Lower case, the word no word. DOCSIS stole audio X and I thought that was kind of like class or hacker movie kind of stuff. But I kind of wondered, was all this done for kind of ego hacking? So was there really not a financial motive which doesn't really make it any less of a crime, because as far as capital one concerned that it's going to cost them a fortune to move a fortune, I could put them out of business or anything. But it's going to cost a lot of money to deal with this. Plus, they had to probably run around. Some people are probably working 24 by 7 in terms of dealing with media requests and trying to put a lid on this a little bit, so, just a couple of interesting things when it came to that.
My guess, Jeff, and again, we don't have the full anatomy of the hack and like, how did this person gets into this web application firewall? But my guess is a miss-configured firewall, in other words, the IP address was open or somehow they were able to get beyond the exterior firewalls. And then they either used a password that was easily guessed, a password that was dumped or purchased on the on the dark web or maybe a default password. It could be any of those things. I don't know if we'll ever get that information, but my guess is that day and like brute force or perpetrated brute force, this application firewall, they had a password that they were able to use to walk right through.
Jeff: Yes, I mean, the person obviously has experience at A.W.S and you just have an apparently was rather knowledgeable in this area, but it doesn't sound like this was necessarily a difficult thing in the grand scheme of things to pull off. The motive really is interesting because if it isn't financial, it gets back to ego hacking or something along those lines. But it just it's this is the kind of breach where the number of records, the type of data and the motive and the lack of really trying to cover tracks just don't line up. That's what I think the weirdest thing about this entire kind of story is it's almost like the individual wanted to get caught. And it just it doesn't make sense from that perspective. it doesn't fit the profile of a normal breach.
Behavior might look like if they were talented enough to get in, do all this work, and then they just use the same VPN and real track IP addresses very easily that way. It just doesn't. Something doesn't smell right in that regards, no, not typically a conspiracy theorist at all. But something is not lining up there. I wonder if there's more that we just don't know about yet or ever will.
Jim: There's definitely more that we don't know about whether we ever will or not.
I'm not sure maybe that information will come out in a couple of years. You’re gonna be at the Black Hat conference next week. We're hoping to do a podcast from there. I'm sure this will be talked about.
Jeff: Yes, I'm sure it will be.
I'm sure vendors are already starting to position their marketing around, how they would help in that scenario. So, there’s something with helping protect A.W.S credentials or manage them more effectively because it's I think Amazon made a statement that it really wasn't tied to A.W.S and the A.W.S worked as expected. So I so wanted it back over to Capital One.
Jim: I can read the quote that I found of Amazon Web Services, the companies cloud product, in other words, capital ones. Cloud was not compromised in any way and functioned as designed; a company spokesperson told the Associated Press. The perpetrator gained access through a miss-configuration of the web application and not the underlying cloud based infrastructure as Capital One explained clearly in its disclosure. This type of vulnerability is not specific to the cloud.
Bring it back one if I could, because I thought was interesting was the arrested individual. Her name was Paige Thompson. A little bit about her background. So let me go over a few of my notes. So, Thirty three year old former Amazon employee lives in Seattle, goes by the alias Radic, boasted about the hack of social media and appears to have gained some information from several other companies, government entities and educational institutions. According to the court documents, her resume lists eight different employers over a 12 year period, including positions with Amazon and division of Lowe’s the hardware store. One of the things that I thought was interesting was the types of employer she's had over the 12 year period. I did read somewhere that one of the positions was as more or less an ethical hacker.
And I have a quote from Nasraty, CEO of Columbus SOF, which acquired Seattle Software Solutions, which I guess where she worked from. A previous owner said Thompson was a very talented white hat ethical hacker who excelled at testing clients security systems for flaws. She was involved in the hacker community from what I knew of her. I don't see how she would have done anything illegal.
I think that's really interesting. It's like she made a career as a white hat hacker. So she obviously knew how most exploits took place and she was practiced in it. So what would flip the switch to go ahead and break the law? And then you pair that up with the fact that in three months at least, what they're saying now is that it doesn't appear that she access any of the accounts or sold any of the data, maybe she was doing this for more or less kicks. Just to say I was able to do it. And then fame and get props on social media from the rest of the hacker community, seeing things like a plausible explanation. I think what people have to understand that, if they're listening to this and they're kind of hackers and they like doing things like this for sport, that they realize that the victim of somebody like this is not only Capital One, which, they have they of state for a dollars and cents standpoint. But all those people who had their accounts compromised are now going to have to go through and like make sure that they have a credit watch put on their account. It's just going to inconvenience them. And so, that a lot of people are affected by this sort of in a negative ways. It's not a joke.
Jeff: This is just a weird. Not clear what that motive was in the background and the whole lack of it, if I was a conspiracy theorist, this would be the opening of the movie where the person is doing this hack and there's some sort of spy thing, espionage saying happening behind the scenes. And, they've got the wrong person or something along those lines. It just something doesn't smell right to me.
Jim: It's fun if you want Jack or movie and you watch like I'm pouring through millions of lines of code. And I have the feeling that most hackers don't operate like that because the more when I was like more hands on into this side of the world, it's a lot of like IP scanning and running scripts to try well-known passwords that people often use and stuff like that. It's like trying to find the least common denominator vulnerabilities, obviously, if you have a specific target and the way that I mean, there's different kinds of hackers and I don't know what kind of hacker we're talking about here, but, there's also a state sponsored cyber attackers. Those guys are operating a pretty high level, I'm sure. But there's so many people out there who are like want to be hackers who are the nickname are script kiddies. Many people would just go out and download a bunch of application and kind of figure out the anatomy of a hack. But they're looking for low-hanging fruit. So, I don't know if this was more or less low-hanging fruit or, an inside job or something. We don't know that information at this moment.
Jeff: Or basically just speculating really beyond what we have.
Jim: We're speculating. My guess is that, well, I have a feeling that it could have been Capital One or it could have been probably a number of other companies that had their stuff hosted to Amazon.
It just seemed like more or less that was kind of a total coincidence that she worked for Amazon Web Services. And then the system she hacked was hosting the Amazon Web services like you. I think like you mentioned, she had to have some kind of inside knowledge that she knew what to look for, at least to get part of the hack done. And then with her background as kind of an ethical hacker, you and I know this, so, from when you go into production with web applications, you're going to hire somebody like White Hat security to come and scan your application and look for vulnerabilities. And they can do that from outside the firewall. You can let them inside the firewall. Usually it's a good idea to do a combination of both. And they're going to scan your application, look for all these different vulnerabilities. And some of them are like, if you didn't configure application very securely, it's going to come back to say, hey, this service is running with a default credentials. And having worked in the financial services industry, I'm sure that Capital One runs those kinds of scans. So it's probably not likely that it was a default password, but there's a good chance it was easily guess password or that the attacker got the password through some other means.
Jeff: Some sort of checkbox somewhere that you kind of have to know what you're looking for. Maybe, it's not readily apparent that allows, some sort of account to come in and do whatever. But, I think there was definitely some leveraging of inside knowledge that might be attributed to this.
Jim: One other thing I wanted to talk about with this is that kind of how to find out if your information was stolen. The thing that I found out, or at least as of this morning, what was published on the news articles that I read is that Capital One currently doesn't have a website where you can go and, you know, just self-check to see if you're part of the breach, but that they're planning to reach out to all the customers directly who were affected. My guess is that if they haven't reached out to you yet, you probably were not affected since being that this happened or this was at least a few days ago. I don't know that for sure, though, but that's what I found out, is that they're going to contact you directly. If anybody out there was contacted directly, and you can send us a message, let us know what it was, what it was like, how you were contacted, what they informed you of and all of that. That would be pretty cool and be something that we could report back on. And what else did I find out?
Jeff: This is an area where companies typically struggle to is the notification process of a breach. Making sure the right people are notified in a timely manner. It seems like it's never really quite good enough from a business standpoint. So be interesting to see how this kind of unfolds in real time for the affected users.
Jim: And one other thing that I saw, which I thought we should repeat is just that. Be on guard for emails or phone calls from scammers posing as Capital One or government representatives asking for credit card or account operation or your Social Security number. It's when somebody when something like just happens and someone calls, it just might be so surprised. Make sure you go through a verification process of some sort. Or you call them back before you get engaged and provide too much information.
Jeff: Phishing is going to be on the rise, definitely. It already is.
It's kind of, it’s more of a shock approach to hacking, but stuff like this doesn't help.
And, I would expect that there'll be a large number of Capital One phishing emails. Click here to find out if you were affected and that takes you to the wrong site. Enter your credentials and all of a sudden you're in real trouble. So be on the lookout for that. You always look and see what the true you are always behind once you're clicking.
Just be safe out there when it comes to that kind of thing and be aware of it that it could be that what it appears to be especially an email.
You know, how folks get that information is going to be more difficult for them to track sometimes. Unfortunately sometimes like the older community, they may not be as aware of it. They're kind of clicking on stuff and fortunate. That's how scammers operate. They just feast on these types of opportunities. Even if we get one out of one hundred or a thousand, it's still worth it for them and they'll keep doing it.
Jim: That's right. And as you mentioned, the URL is so cute. Sometimes I end up clicking links in emails, which I know better than to do that. But, if you look at the URL, if it's something you're not expecting, it looks like a mess or whatever. Just don't go there. I saw it in recent video. I think you said it to me, Jeff, a recent video on YouTube. And I think it was from the Black Hat conference last year. Are these the eyes of the phishing site in front of Google Mail in front of G-mail? And it went as far as to come back to you, as, asking you for what it were doing shows it was take your username and password. It would take that information, then pass it on to Google, authenticate you. And if it was asking for a second factor, come back to you and ask the second factor. That Google would text to you. So then it would capture on the way back when you're typing it then and then it would provide it to Google and then it would be able to send you to your mail application. But in the meantime, they captured your log in and your site second factor.
Jeff: So that session, they could do that right away and do something with it. I got man in the middle attack in that regards, but was definitely more of a live session because depending on how the web application using, if they had a long session, time-outs could give them free reign for fifteen minutes, 20 minutes, six hours, whatever gets whatever they've got configured for 30 days, generic, and once they've got your account they can go and turn off factor or switch the phone number to a different phone number. So they're getting the two factors they can walk into or they want.
So, it's just something to be aware of that. This is the age we live in. there's bad actors out there.
Jim: do you remember the video that I'm talking about?
Jeff: I vaguely remember it. I'm sure I could dig it up somewhere, probably somewhere in one of our Slack chats. So but I vaguely remember it,it was a while back.
Jim: I think, only because if we could put it in the show minutes or something, I'll look forward to. If we could find it, we'll be in the show.
Jeff: If we can search through our search, it's like history. And if we feel like it, we'll put it in there. But, we're trying to dig it up and put it there, all right. I think that's pretty good recap of where our capital one breach to see how this unfolds over the next days, weeks, months as more maybe comes to light on this. But good to kind of talk about it here in real time and see what's going on.
Jim: Yes. Since we're recording and publishing every week. We can always carve out a couple minutes of a juicy update.
Jeff: Yes, that works out well. I hope you guys enjoy. Listen to this.
Feel free to post amazing reviews and like, Star and Up-vote and whoever else share it with your friends. Always looking to have full to be part of the conversation. So if you've got something you want to let us know about, there'll be a link to that in the show notes as well. You can leave us a message. Whether it's a comment, a question or a topic, you'd like Jim and I to address for the future. So don't hesitate to reach out and we'll leave it there for now, Jim.
And we'll talk to you later.