Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Privacy

LexisNexis and Other Major Data Brokers Hacked By ID Theft Service 99

gewalker writes "Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis." And they had access for months to most of them. From the article: The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called nbc.exe was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company’s internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis’s internal systems to the botnet controller on the public Internet." The companies compromised aggregated data for things like "credit decisions, business-to-business marketing and supply chain management. ... employment background, drug and health screening."
This discussion has been archived. No new comments can be posted.

LexisNexis and Other Major Data Brokers Hacked By ID Theft Service

Comments Filter:
  • by mlts ( 1038732 ) * on Wednesday September 25, 2013 @10:55AM (#44948323)

    No real excuse for this. This is exactly what network IDS/IPS programs/appliances are for.

    Any data center dealing with sensitive information should have an IDS/IPS installation which should have shut down nbc.exe's access out to the Internet, or at least raised a red flag in Splunk or whatever logging console application in use. Most data centers have a list of authorized IPs that internal sites communicate out to, and if some machine communicates to an IP repeatedly on a sensitive network, it would be investigated, or at the minimum, looked at. Multiple machines communicating encrypted data to site out on the Internet is something that IDS applications are designed to detect, and IPS offerings designed to cork until someone takes a look at it.

    Security isn't rocket science. It is using basic concepts to compartmentalize information and applications to check for known/unknown attacks, and buying/using the tools needed.

    • by Anonymous Coward on Wednesday September 25, 2013 @11:08AM (#44948479)

      This company and every one like it shouldn't even exist.

      They collect all this data about us without out our permission. They offer me no service.

      Just remember kiddies, things were quite fine without these services. But with the demise of local business, consolidation into massive organizations spread all over the World, these businesses were created for their use, convenience and to lower their costs. It gives then the edge on knowledge about us and how to market shit to us - and it's all shit - especially in financial services.

      I had a credit bureau problem. THEIR information was wrong and as a result, I failed the authentication. They gave me a 800 number to call and I got this woman with a heavy accent (Indian?) who asked me a bunch of personal questions.

      When I asked her what country she was in, she responded that she couldn't answer because of "Security reasons."

      So, MY security means nothing to TransUnion but where their off shored call center is does.

      Corporations are the only ones who have a right to privacy and security.

      • If they were subject to the level of liability that they *should* be subject to, they would have been gone long ago and replaced by those who know what they are doing.
      • by DarkOx ( 621550 ) on Wednesday September 25, 2013 @12:27PM (#44949391) Journal

        Right! This is the big problem. We need to be able to look at the laws that are allowing these guys to escape liability both on the accuracy side and the privacy side.

        Slapping "information may not be 100% accurate" in light type face on the bottom of a credit report should not protect them from being held responsible for libel. When they leak your PI and you have to change account numbers, etc, they should be held responsible for interference with your other contracts.

        If the courts really worked we could bankrupt them in a week; which is what they deserve.

        • Mod this one up.

          Remember that they were also found to be artificially inflating the ratings of mortgage derivatives, leading to the "crash" of 2008.

          I say just get rid of 'em. They work for the international bankers, not us.
      • You are absolutely right. On top of this , in order to access a game, use a convenience, buy a rug, check their email, answer their phone, people always agree to a contract (TOS) they never read which allows them the right to do this. It is a process like spam, xss, hacking, cracking, and many other things that come with a complex anonymous communication network between people that includes sociopaths. People who live in glass fiber shouldn't throw stone packets.
        It seems from a technical standpoint there
    • Re: (Score:3, Informative)

      Any IDS/IPS is only as good as its signatures. The problem with these devices is that attackers can use a flurry of heuristic tactics to completely bypass these systems as well as DLP. There is a difference had you mentioned SIEM which *may* have worked if there were vigilant analysts looking at logs repeatedly. In order to understand why IDS/IPS' fail, you need to understand attacks. At any point in time, when I perform pentests, I ALWAYS start off sending a barrage of data to generate junk. This is done f
      • by Anonymous Coward

        You let employees check gmail from production database hosts? If my IDS showed this, there likely would be one less person on the IT team.

        • by cyberpocalypse ( 2845685 ) on Wednesday September 25, 2013 @11:33AM (#44948793)
          You're missing the gist of it here. The reality on production server is, most are locked down from egress attacks. This does not stop, minimize, and or deter an attacker from hitting you up with a client side attack on a non-production machine, passing a hash, then to and from trusted sources until it gets out: Attacker --> client side --> workstation workstation --> attack --> production server production server workstation workstation --> via SSL --> attacker. This would fill a wiki page so I will stop there. There was a point to be made without me having to spell things out
    • by cyberpocalypse ( 2845685 ) on Wednesday September 25, 2013 @11:23AM (#44948663)
      I believe there is more going on to this than you would understand. For example, the Zeus/Qakbot strain always downloads a file. Most times it will be randomized. For arguments sake, lets say it was named nbc.exe. What Zeus/Qakbot did was communicate out via IE. Even though the nbc.exe was the application responsible for running the show, the communications portion was done via good ole GET and POST via HTTPS. At issue with detecting nbc.exe where Zeus/Qakbot was/is concerned, is the fact that the operators of the malware were/are changing the executable N amount of hours. So most AV systems wouldn't even detect it. So no... IPS/IDS here means nothing. Blacklisting *may* have worked to stop the communication, but even then a fast flux would have trumped that.
      • by Archangel Michael ( 180766 ) on Wednesday September 25, 2013 @11:33AM (#44948797) Journal

        A good IDS/IPS isn't signature based, it is activity based. It looks for, and flags suspicious activity. A sudden increase in random hosts connecting to a server via Outbound HTTP(S) traffic is suspicious. HTTP server getting a ton of hits on non-standard (ie used) ports is suspicious.

        In short, there is someone asleep at the wheel, and they need to step up and get trained on how to do their job right, or hire someone else. It isn't like any of this is new.

  • Why should the likes of Dun & Bradstreet or LexusNexus have any fun at all?

  • nbc.exe (Score:5, Funny)

    by Anonymous Coward on Wednesday September 25, 2013 @11:09AM (#44948489)

    Dot exe. I think I see the problem.

  • Good? (Score:5, Insightful)

    by AmiMoJo ( 196126 ) * <mojoNO@SPAMworld3.net> on Wednesday September 25, 2013 @11:10AM (#44948507) Homepage Journal

    This might be a good thing. Once we have a major "privacy apocalypse" and millions of people get screwed over something might be done about it. Otherwise there will just be endless "minor" breeches where a few hundred thousand people get ripped off and no-one really cares.

    • Re: (Score:2, Insightful)

      In a "privacy apocalypse" the "right people" will be bailed out with everybody else's wealth and the accompanying "nothing to see here, move along" warning.
      • The new word is "bailed in."

        The whole thing where they started taking people's private assets to manage the financial crisis in Cypress was just the test bed to see how well people would accept this. Since the whole story died down, they are now preparing to do that asset seizure in Canada and in several European countries as well. They would do it in the US too, but we have too many guns and the government doesn't yet have enough bullets.

    • If Snowden's revelations do not count as a privacy apocalypse, I don't know what does.
    • by houghi ( 78078 )

      and millions of people get screwed over something might be done about it

      Oh, you mean like how the banks are now regulated and nothing like what happened before can happen again?

    • by Anonymous Coward

      Something won't get done about it until a bunch of "The 1%" log in one day and find all their accounts drained to the point where they're now in "The 99%".

      "Egads, Buffy! We're impoverished!"
      "Broke? Screw that. I'm outta here Warren."

      • They'll immediately ask for welfare. We keep treating them as a society as principled people, but they are anything but.

    • Most people care more about Honey Boo Boo right now. A privacy apocalypse will happen without their notice.

  • by Anonymous Coward on Wednesday September 25, 2013 @11:13AM (#44948551)

    Lexis Nexis has a database of all united states citizens compete with full address history, SSN, DOB, associations such as relatives and neighbors, and you can cross reference and search the different relationships. They purchase the info from the government and then banks use them to verify information on credit applications by paying for the service and simply accessing a web interface via ssl over the public internet. I know this because I used to work for a large bank doing just that.

    • by Anonymous Coward

      OP here... forgot to mention it also lists info related to the address such as whether the resident is a probable renter or owner, how much the property is worth, how much neighboring property is worth, death certificate information if the person is deceased, and so on...literally everything there is to know about a person's life "on the grid." Everything is shown on a single screen and the info can be brought up by search of address, phone number, SSN, or broader google-like searches such as names, zip c

  • Opt-out? (Score:4, Interesting)

    by jerpyro ( 926071 ) on Wednesday September 25, 2013 @11:32AM (#44948787)

    So how do I opt-out? Where do I get away from companies releasing my information to third parties that track my identity or other things to allow other corporations to peruse at their leisure? Not only do you not get to tell companies where they can and can't store your personal information, you also can't dispute that information when someone uses it for the wrong reasons or enters things that you're not allowed to know about.

    For example, let's say LexisNexis had an entry that said I caused a major auto accident involving 15 cars, because an insurance clerk pressed the wrong button that said I was at fault rather than being involved in the accident? How do I correct that data? How do I dispute that entry? How do I even find out about that information?

    And how do I get them to delete my personal data rather than allowing their poor network security policies to expose my life to risk? Answer: I can't. I have no agreement with them to host my personal data. I'm not just upset about the breach, I'm upset about the lack of ownership and consequence of such regarding my own life.

  • by sl4shd0rk ( 755837 ) on Wednesday September 25, 2013 @11:34AM (#44948809)

    Seems like the only way to combat identity theft now is just "loose" your credit card every few months and get a new number. I don't see any other way to mitigate identity theft as long as places like Heartland Payment Systems and LexisNexis are going to just give away the keys to the kingdom through gross negligence, apathy or ignorance.

    • Losing your credit card and getting a new number won't solve the problem because the ID thieves can just open an account or take out a loan in your name since they have your name, social security number, date of birth and all the other information a bank uses to confirm that the person opening the account is you.
    • by Jason Levine ( 196982 ) on Wednesday September 25, 2013 @12:38PM (#44949549) Homepage

      Freeze your credit.

      I was the victim of identity theft. Someone got access to my name, address, SSN, and DOB and used it to open up a credit card account in my name. (Thank you, Capital One, for not caring that the Mother's Maiden name was wrong! And for stonewalling both me and the police every step of the way in the name of YOUR liability.)

      The credit agencies will recommend fraud alerts but these have two major flaws: 1) They are optional. Credit Card Company A *should* check for a fraud alert before issuing a credit card in your name, but doesn't *have* to. (You can bet that the ID thieves know which companies check and which don't.) 2) They expire after 90 days. Your information isn't going to magically disappear from the ID thieves after three months. It's out there for good now. So why should the check against ID theft expire?

      If you freeze your credit then nobody (you or anyone else) can open a new line of credit on the account. If you actually do want to open a new line of credit (or get a loan or have a background check performed), you thaw your credit report for a set period of time. The downsides are that you have to pay for each thaw and you can't sign up for credit on the spot. (We actually consider the latter to be a perk. "Would you like to save 10% by getting our store card?" "No thanks. Credit frozen thanks to ID theft.")

      Of course, the credit agencies HATE credit freezes because they make money by offering your credit file to anyone and everyone to send you offers for credit cards and the like. A frozen credit card file takes away that income opportunity.

      Come to think of it, that's another bonus to freezing your credit file.

      This site has some good information on Credit Freezes including links/phone numbers to freeze your credit file: http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/nFbL/ [clarkhoward.com]

  • This should have been easy to catch with their IPS. Why is their an encrypted data stream going from a server to a server outside the organization? Even without using an SSL decryption device to look at the contents of the stream, the mere fact that an encrypted stream of data was going to an unauthorized destination should have set off alarm bells by it's own right.

    I've seen any number of environments that simply blocked encrypted data sessions until they had been white-listed. It's something that ought to be in your change management system along with all of your other firewall rules. The fact that a major credit agency got owned by this tells me that they probably outsourced their security to India along with the rest of their staff.

  • by erroneus ( 253617 ) on Wednesday September 25, 2013 @11:35AM (#44948821) Homepage

    Let's stop calling it that. These numbers we call our identity is not our identity. The whole notion of doing things like this were an invention of mega-business interests who wanted to expand their business range without having to employ a whole bunch of people. You see, long ago, people were given credit by a process which involved references... actual people who could vouch for your reputation. But this is too much of a hassle and involves the use of people and people, of course, are very expensive. So much better to track a whole bunch of people with a computer system where they are tagged with a unique number -- say a social security number which we were promised would never ever ever be used for anything but social security account tracking. Several legal filings surrounded the controversy long ago but the serfs of the USA lost out and here we are.

    Stop feeding the machine. Stop being in debt. Stop relying on credit and build a savings instead. It's harder to get started if you're already accustomed to the debt financing game, but it's the difference between LIFO and FIFO where your money is concerned. Stop spending money you don't have. Of course, this message goes out to people who aren't reading this... everyone here has "good reasons" for using credit instead of cash.

    • by sl4shd0rk ( 755837 ) on Wednesday September 25, 2013 @11:54AM (#44949007)

      Stop feeding the machine. Stop being in debt. Stop relying on credit and build a savings instead.

      That's a great way to keep from getting digitally bum rolled, but society will never go back to 1970 now that so much business is done over the internet.

      Many people pay off their CC debt every month and the ones who have a problem are the same people who cannot balance a checkbook or go an entire payday without blowing the whole thing in on frivolous purchases. Self control and good money management skills do not come easy for everyone and the problem with credit for those people is simply an extension of an existing dysfunction.

    • by DarkOx ( 621550 )

      I don't know if you are being sarchasitic or not but there are good reasons to use credit instead of cash even for the typical individual not running a business.

      The first big one is you can dispute charges. Pay someone with a CC to do a job and they don't do it or don't do it in the fashion you'd agreed to have it done you can reverse the changes. You pay them in cash and they don't want to make good on it you are looking at either taking the loss or potentially lengthy court process.

      The next one is ofter

    • Yeeeeah, we're not all as rich as you. I got a very crappy paying part time head IT manager job (wooo $19.5K/yr USD with no benefits) 2 years ago because it was the only job I could get during the crap economy. My last car I got 5 or so years ago I paid $7300 cash for. Now that it's undriveable just yesterday I bought an 07 Vibe from a family member's dealership for a huuuuge discount but I still have to finance $5,000 out of the $8000 cost because I simply don't have the money. I've got no family, no g
    • by onyxruby ( 118189 ) <`ten.tsacmoc' `ta' `yburxyno'> on Wednesday September 25, 2013 @12:31PM (#44949453)

      This is a horrible idea, let's start with how credit worked in the old days. You got a house loan or car loan by paying 1/3 the cost up front. You also paid off your credit on terms that were much shorter than today's terms. I don't know about you, but outside the rich or someone that has been saving for many years that is simply no longer feasible in today's society. Simply put, only the rich could afford to get credit if we adopted the old standards.

      Your also forgetting other reasons that people went to numbers such as racism, religious based discrimination and so on. When you had everything done by having someone approve the loan by who they knew the result was that people that were in better favor with the banker were more likely to be approved. In many towns if you were a protestant or a catholic you simply couldn't get credit in that town, or you had to go your bank. If you weren't a member of either church in good standing than you certainly weren't getting a loan.

      Problems with this kind of behavior became so bad that it became known as redlining. Bankers would literally draw a line around certain neighborhoods on a map with a red line. If you lived in that neighborhood you either couldn't get credit or had to pay a lot more for it.

      Many lawsuits were filed and banks lost badly in days gone by over these practices and the modern credit system was in large part derived as a result of them. Nowadays the person approving your loan is someone you don't know, probably doesn't live in the same state as you and who tries to look at you abstractly - as a number - for the express purpose of ensuring that discrimination doesn't occur.

      All that being said, the idea that people should rely less on debt is one I agree with, but you have obviously never worked in credit.

      • by 0123456 ( 636235 )

        This is a horrible idea, let's start with how credit worked in the old days. You got a house loan or car loan by paying 1/3 the cost up front. You also paid off your credit on terms that were much shorter than today's terms. I don't know about you, but outside the rich or someone that has been saving for many years that is simply no longer feasible in today's society. Simply put, only the rich could afford to get credit if we adopted the old standards.

        And how is that bad?

        Just imagine how cheap houses would be if banks weren't giving million-dollar mortgages to anything with a pulse.

        Credit does not make you rich. It just allows people with less forethought to outbid you in restricted markets so you can no longer afford to buy the things you could otherwise have bought.

        • by ADRA ( 37398 )

          "Just imagine how cheap houses would be if banks weren't giving million-dollar mortgages to anything with a pulse."

          That's pretty much Canada at the moment.. and we now have a debt service ratio that was higher than the US during it's crash... *holding breath* But at least housing costs are at a record high! No correlation or anything...

    • I don't have debt (other than a very small mortgage). I always pay off my credit card bill every month and in 30 years have never paid a penny in interest. I have lots of savings - short term, long term and pension. I use credit cards for the convenience of not having to carry large amounts of cash (safer too). However, I also have a social insurance number (Canadian equivalent of SSN), a driver's license number, bank account numbers, health card numbers, insurance policy numbers, employee number, etc.

      • My complaint, just to be clear, is how, against protest and wisdom, society was quite literally handed over to bankers as indentured servants. Every time you hear deficit and all that. It's money "borrowed from the Fed" with taxpayer money as the collateral. And when people say "our grandchildren are in debt" they are exactly correct and deadly serious. It means in our lifetimes, we cannot be the collective collateral for the borrowing of the government. Our children cannot be the collective collateral

  • My guess: 'nbc' here is short for "NSA Botnet Communicator."

    Then again, it might never have been found if they'd been smart enough to name it "svhcost.exe" [sic] or "winupdate475YWHV63275278592,bat"

  • Is why does LexisNexis, which has been around since at least the 1970's, trust the use of Microsoft Windows to their server infrastructure. Sounds like they really dropped the ball here. Hopefully heads will roll on this one.

In seeking the unattainable, simplicity only gets in the way. -- Epigrams in Programming, ACM SIGPLAN Sept. 1982