Capital One Data Breach, Equifax Settlement Payouts, Nextdoor App Scams


This is your Shared Security Weekly Blaze for August 5th 2019 with your host, Tom Eston. In this week’s episode: everything you need to know about the Capital One data breach, changes in the payouts from the Equifax settlement, and Nextdoor app scams.

If you happen to be in the cybersecurity industry, this week is what we call “security summer camp,” where thousands of cybersecurity professionals, enthusiasts, and even black hat hackers all meet in Las Vegas to attend BSides, Black Hat, and the infamous hacker conference, DEF CON. These conferences are probably the most dangerous place on the planet because your laptop or smartphone could easily be compromised, since everyone is hacking everyone else, either intentionally or even unintentionally as part of quote unquote “research.” I know that I’ll be using a faraday bag for all my devices while I’m at the conferences this week. That way I know my devices are completely secure and off the grid. If you’re heading to Vegas this week, make sure you protect your devices with Silent Pocket’s great product line of faraday bags. In fact, stop by the Silent Pocket booth at DEF CON this weekend and check out their products for yourself while you’re at the conference. Don’t forget you can also visit slientpocket.com and receive 15% off your order using discount code “sharedsecurity”. Stay safe this week and be sure to mind the grid!

Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

The big news last week was the massive Capital One data breach affecting more than 100 million customers in the US and 6 million in Canada. This is actually the third largest data breach in history, with Equifax being number one, followed by the Heartland Payment Systems data breach which took place in 2009. The 30 gigabytes of personal information exposed in this breach included names, addresses, phone numbers, email addresses, dates of birth, and self-reported income, as well as 140,000 Social Security numbers and 80,000 bank account numbers. All of this data appears to be from credit card applications dating back to 2005. In the announcement posted by Capital One, the breach was discovered on July 19th and the person responsible, Paige Thompson, a former Amazon employee, was arrested by the FBI. Perhaps the most interesting aspect of the breach is how the perpetrator was caught. Paige had posted details about the data she had stolen on her GitHub page and boasted about it on her Twitter account. Someone had seen this information posted in the GitHub account and sent an email to Capital One’s security vulnerability disclosure email address alerting them of the issue. So how did this data get compromised in the first place? Well, she was able to download this data from an Amazon S3 bucket through a misconfigured web application firewall (which is also known as a WAF). Now this isn’t the typical Amazon S3 vulnerability we commonly hear about, where the data was left wide open for anyone to access, and there is much debate in the security community about how the breach actually occurred. It’s largely suspected that one of the user roles that was assigned to the WAF may have been exposed through a Server Side Request Forgery (or SSRF), which is a vulnerability that affects public cloud environments like Amazon.

What’s even more fascinating is how s
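The suspected path described in the episode, an SSRF that lets an attacker make a server fetch a URL of their choosing and thereby reach the cloud instance metadata service that hands out a role's temporary credentials, is worth seeing as code. The block below is an added example written for this page; it is not code from the podcast, from Capital One, or from AWS, and it does not reproduce the breach. It is the guard a "fetch this URL for me" feature (a WAF health check, a webhook tester, an image proxy) should apply before making a server-side request. The hostnames, the fake resolver, and the sample URLs are constructed for the demonstration. The only real identifiers are the well-known metadata addresses 169.254.169.254 and fd00:ec2::254.

```python
"""SSRF guard for server-side URL fetches (added example, not from the podcast).

Blocks requests to the instance metadata service and other non-public
addresses, including the alternate IP spellings that naive string filters miss.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def _int_part(p):
    """Parse one dotted-address component the way libc inet_aton does."""
    if p[:2].lower() == "0x":
        return int(p[2:], 16)          # hex component, e.g. 0xa9
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)               # leading zero means octal, e.g. 0251
    return int(p, 10)


def parse_ip_literal(host):
    """Return an ip_address if host is an IP literal in any form, else None.

    ipaddress only accepts canonical text; attackers also use a bare decimal
    (2852039166), octal parts (0251.0376.0251.0376) and short forms
    (169.254.43518), which inet_aton all map to 169.254.169.254.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        parts = host.split(".")
        if not 1 <= len(parts) <= 4:
            return None
        try:
            nums = [_int_part(p) for p in parts]
        except ValueError:
            return None                # not numeric: treat as a hostname
        value = 0
        for n in nums[:-1]:
            if not 0 <= n <= 255:
                return None
            value = (value << 8) | n
        width = 4 - (len(nums) - 1)    # bytes the last component fills
        if not 0 <= nums[-1] < (1 << (8 * width)):
            return None
        ip = ipaddress.IPv4Address((value << (8 * width)) | nums[-1])
    # ::ffff:169.254.169.254 is the same target in an IPv6 wrapper
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def is_public_address(ip):
    """True only for globally routable unicast addresses (metadata, loopback,
    RFC1918 and link-local ranges all fail this test)."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host):
    """Real DNS lookup; swapped out in the demo so it runs offline."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    IP literals are checked directly; hostnames are resolved and every
    returned address is checked, so a name pointing at 169.254.169.254 is
    rejected just like the raw address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                   # no file://, gopher://, etc.
    literal = parse_ip_literal(parts.hostname)
    if literal is not None:
        return is_public_address(literal)
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False
    parsed = [parse_ip_literal(a) for a in addrs]
    return bool(parsed) and all(ip is not None and is_public_address(ip)
                                for ip in parsed)


# Constructed stand-in for DNS (hypothetical names, no network needed).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "meta.attacker.example": ["169.254.169.254"],              # rebinding-style name
    "mixed.attacker.example": ["93.184.216.34", "169.254.169.254"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


# Constructed sample inputs: what an attacker might feed the fetch parameter.
SAMPLE_URLS = [
    "https://example.com/report.csv",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://2852039166/latest/meta-data/",                      # decimal form
    "http://0251.0376.0251.0376/latest/meta-data/",             # octal form
    "http://[fd00:ec2::254]/latest/meta-data/",                 # IPv6 metadata address
    "http://user@example.com@169.254.169.254/",                 # userinfo confusion
    "http://127.0.0.1:8080/admin",
    "file:///etc/passwd",
    "http://meta.attacker.example/latest/meta-data/",
    "http://mixed.attacker.example/",
]


def check_samples(resolver=fake_resolver):
    """Map each sample URL to the guard's verdict."""
    return {u: is_safe_target(u, resolver) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, ok in check_samples().items():
        print("ALLOW" if ok else "BLOCK", url)
```

Two caveats a practitioner would want. First, the resolved-address check must be enforced at connection time as well (connect to the vetted IP, or re-check after each redirect hop with redirects disabled), otherwise a DNS answer that changes between the check and the fetch, or a 302 to the metadata address, walks around the guard. Second, this is an application-side control; on the platform side, the instance should also be configured so that the metadata service cannot be reached by a plain GET, which is exactly the request shape an SSRF produces.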


Published on 6 years, 4 months ago