Slashdot Mirror

← Back to Stories (view on slashdot.org)

LexisNexis and Other Major Data Brokers Hacked By ID Theft Service

Posted by Unknown on from the someone-forgot-to-install-rkhunter dept.

gewalker writes "Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis." And they had access for months to most of them. From the article: The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called nbc.exe was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company’s internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis’s internal systems to the botnet controller on the public Internet." The companies compromised aggregated data for things like "credit decisions, business-to-business marketing and supply chain management. ... employment background, drug and health screening."

8 of 99 comments (clear)

  1. This is what IDS/IPS appliances are for... by mlts · · Score: 5, Insightful

    No real excuse for this. This is exactly what network IDS/IPS programs/appliances are for.

    Any data center dealing with sensitive information should have an IDS/IPS installation which should have shut down nbc.exe's access out to the Internet, or at least raised a red flag in Splunk or whatever logging console application in use. Most data centers have a list of authorized IPs that internal sites communicate out to, and if some machine communicates to an IP repeatedly on a sensitive network, it would be investigated, or at the minimum, looked at. Multiple machines communicating encrypted data to site out on the Internet is something that IDS applications are designed to detect, and IPS offerings designed to cork until someone takes a look at it.

    Security isn't rocket science. It is using basic concepts to compartmentalize information and applications to check for known/unknown attacks, and buying/using the tools needed.

    1. Re:This is what IDS/IPS appliances are for... by Archangel+Michael · · Score: 3, Insightful

      A good IDS/IPS isn't signature based, it is activity based. It looks for, and flags suspicious activity. A sudden increase in random hosts connecting to a server via Outbound HTTP(S) traffic is suspicious. HTTP server getting a ton of hits on non-standard (ie used) ports is suspicious.

      In short, there is someone asleep at the wheel, and they need to step up and get trained on how to do their job right, or hire someone else. It isn't like any of this is new.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:This is what IDS/IPS appliances are for... by DarkOx · · Score: 5, Insightful

      Right! This is the big problem. We need to be able to look at the laws that are allowing these guys to escape liability both on the accuracy side and the privacy side.

      Slapping "information may not be 100% accurate" in light type face on the bottom of a credit report should not protect them from being held responsible for libel. When they leak your PI and you have to change account numbers, etc, they should be held responsible for interference with your other contracts.

      If the courts really worked we could bankrupt them in a week; which is what they deserve.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. Good? by AmiMoJo · · Score: 5, Insightful

    This might be a good thing. Once we have a major "privacy apocalypse" and millions of people get screwed over something might be done about it. Otherwise there will just be endless "minor" breeches where a few hundred thousand people get ripped off and no-one really cares.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Good? by Austrian+Anarchy · · Score: 2, Insightful

      In a "privacy apocalypse" the "right people" will be bailed out with everybody else's wealth and the accompanying "nothing to see here, move along" warning.

      --
      Time Bomber the Book coming soon.
  3. Identity cannot be stolen by erroneus · · Score: 4, Insightful

    Let's stop calling it that. These numbers we call our identity is not our identity. The whole notion of doing things like this were an invention of mega-business interests who wanted to expand their business range without having to employ a whole bunch of people. You see, long ago, people were given credit by a process which involved references... actual people who could vouch for your reputation. But this is too much of a hassle and involves the use of people and people, of course, are very expensive. So much better to track a whole bunch of people with a computer system where they are tagged with a unique number -- say a social security number which we were promised would never ever ever be used for anything but social security account tracking. Several legal filings surrounded the controversy long ago but the serfs of the USA lost out and here we are.

    Stop feeding the machine. Stop being in debt. Stop relying on credit and build a savings instead. It's harder to get started if you're already accustomed to the debt financing game, but it's the difference between LIFO and FIFO where your money is concerned. Stop spending money you don't have. Of course, this message goes out to people who aren't reading this... everyone here has "good reasons" for using credit instead of cash.

    1. Re:Identity cannot be stolen by sl4shd0rk · · Score: 3, Insightful

      Stop feeding the machine. Stop being in debt. Stop relying on credit and build a savings instead.

      That's a great way to keep from getting digitally bum rolled, but society will never go back to 1970 now that so much business is done over the internet.

      Many people pay off their CC debt every month and the ones who have a problem are the same people who cannot balance a checkbook or go an entire payday without blowing the whole thing in on frivolous purchases. Self control and good money management skills do not come easy for everyone and the problem with credit for those people is simply an extension of an existing dysfunction.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    2. Re:Identity cannot be stolen by onyxruby · · Score: 3, Insightful

      This is a horrible idea, let's start with how credit worked in the old days. You got a house loan or car loan by paying 1/3 the cost up front. You also paid off your credit on terms that were much shorter than today's terms. I don't know about you, but outside the rich or someone that has been saving for many years that is simply no longer feasible in today's society. Simply put, only the rich could afford to get credit if we adopted the old standards.

      Your also forgetting other reasons that people went to numbers such as racism, religious based discrimination and so on. When you had everything done by having someone approve the loan by who they knew the result was that people that were in better favor with the banker were more likely to be approved. In many towns if you were a protestant or a catholic you simply couldn't get credit in that town, or you had to go your bank. If you weren't a member of either church in good standing than you certainly weren't getting a loan.

      Problems with this kind of behavior became so bad that it became known as redlining. Bankers would literally draw a line around certain neighborhoods on a map with a red line. If you lived in that neighborhood you either couldn't get credit or had to pay a lot more for it.

      Many lawsuits were filed and banks lost badly in days gone by over these practices and the modern credit system was in large part derived as a result of them. Nowadays the person approving your loan is someone you don't know, probably doesn't live in the same state as you and who tries to look at you abstractly - as a number - for the express purpose of ensuring that discrimination doesn't occur.

      All that being said, the idea that people should rely less on debt is one I agree with, but you have obviously never worked in credit.