How Your Data Gets Stolen: a Conversation with a Data Thief
I blogged about how easy it was for one hacker to steal data. He contacted me… with some stolen data.
A couple weeks back, I wrote on these pages about the recent doings of the hacker known as Kapustkiy (@kapustkiy). He had lately been making the rounds of diplomatic missions and hacking into publicly facing servers, stealing data on hundreds of Indians studying abroad, as well as other sensitive information.
The point of my article was that hacking and data theft aren’t the stuff of Hollywood thrillers. These are no online Oceans 11 – requiring a team of ninjas (each with a job to do) and months of intricate planning and preparation. Mostly, they’re a matter of reaching up to pick ripe and low hanging fruit. Asked by the online publication Security Affairs what was the most difficult part of his hacks, Kapustkiy answered honestly: “nothing.”
Well, apparently, Kapustkiy liked that blog post, because he (she?) reached out to me last week to say so. During a Twitter exchange, the hacker also offered me proof of yet another hack carried out in recent days: against Argentina’s Ministry of Industry (Ministerio de Producción). The hacker provided me with screenshots of an administrative interface to the Ministry’s web server, as well as other proof that he could access sensitive data on ministry employees and others, which was stored on the server. He has estimated that around 18,000 accounts were exposed in the incident. He told me that he has no plans to leak the information to the public.
Of course, I wasn’t the only reporter he was speaking to. The same news was written up here and here. I contacted the Ministry by email to confirm the breach and ask for comment, but never heard back. Kapustkiy also claims to have contacted his victim with no result.
How did this happen? In my previous post, I noted that Kapustkiy was a big fan of SQL injection attacks, one of the most common methods of online compromise. In SQL injection attacks, an attacker uses SQL (structured query language) to manipulate the database server that runs many web applications into coughing up sensitive data or providing administrative access to an unauthorized user. Preventing these flaws is relatively straightforward and groups like OWASP have been warning about them for years. But they’re still endemic online.
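To make the point in the paragraph above concrete, here is an added example (not code from the original post or from any of the systems it describes) showing the defect in miniature and its fix. It uses an in-memory SQLite database with a constructed `users` table; the login function that builds its query by string formatting can be made to return a row for a password it was never given, while the parameterized version sends the same input to the database as data rather than as SQL. The table, credentials and function names are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table for the demonstration.

    A real deployment stores a salted password hash, never the password
    itself; plaintext is used here only to keep the injection visible.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('ana', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: user input is pasted straight into the SQL text.

    Anything the caller types becomes part of the statement, so a quote
    character in the password field rewrites the WHERE clause.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """The fix: placeholders bind the input as values, not as SQL syntax.

    The database compiles the statement first and only then receives the
    two strings, so no input can change the shape of the query.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # The textbook review input for checking a login form: a quote that
    # closes the string literal followed by an always-true condition.
    probe = "' OR '1'='1"
    print("vulnerable, real password :", login_vulnerable(conn, "ana", "correct-horse-battery"))
    print("vulnerable, probe input   :", login_vulnerable(conn, "ana", probe))
    print("parameterized, probe input:", login_parameterized(conn, "ana", probe))
```

The same contrast applies to any driver that supports parameter binding; the usual review check is to search the code base for SQL built with string formatting or concatenation and replace each instance with a placeholder query.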
For the Ministry of Industry, however, it turns out that no SQL injection attack was needed. Instead, the attacker needed only to guess the user name and password of a Ministry employee – no hard task, given that both were the target’s first name. Eight letters, total.
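The failure above is one that a registration or audit check catches in a few lines. The following is an added example (not code from the original post or from the Ministry), a password policy check that rejects exactly the case described: a password that is the user name, too short, or on a list of common choices. The account list and the common-password set are constructed for the example; a real check would also consult a much larger breached-password list.

```python
# Constructed, deliberately short list; a real deployment would check a
# large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_problems(username, password, min_length=12):
    """Return a list of policy violations for a proposed password.

    Codes: too_short, equals_username, contains_username, common_password.
    An empty list means the password passes every check.
    """
    problems = []
    u, p = username.lower(), password.lower()
    if len(password) < min_length:
        problems.append("too_short")
    if p == u:
        problems.append("equals_username")
    elif u and u in p:
        problems.append("contains_username")
    if p in COMMON_PASSWORDS:
        problems.append("common_password")
    return problems


def audit_accounts(accounts):
    """Map each failing account to its problems, given (username, password) pairs.

    This is the shape of a one-off audit run against a credential export;
    accounts with no problems are omitted from the result.
    """
    report = {}
    for username, password in accounts:
        problems = password_problems(username, password)
        if problems:
            report[username] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts, including one of the kind the post
    # describes: user name and password both the person's first name.
    sample = [
        ("santiago", "santiago"),
        ("ana", "correct horse battery staple"),
        ("lucia", "lucia-2016-ok"),
        ("martin", "welcome"),
    ]
    for user, issues in audit_accounts(sample).items():
        print(f"{user}: {', '.join(issues)}")
```

The check is intentionally conservative: a password that merely contains the user name is flagged as well, since that is the next guess after the user name itself.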
As a reward for clearing that low bar, Kapustkiy gained access to a critical IT asset of one of the most important government ministries in Argentina, which is involved in trade policy and negotiations, import and export rules, negotiations with other governments and multinational corporations and promotion of trade.
In this case, the hacker behind the keyboard has altruistic motives (if he or she is to be believed, that is). Kapustkiy assured me in a Twitter exchange that he has no plans to release the stolen information to the public. His previous actions also appear aimed at getting his victims (and others like them) to improve their security hygiene rather than profit.
“I only want to let the world know that it could happened (sp),” he wrote.
Indeed. The problem for Argentina and other government agencies is that for every altruistic hacker – self-professed or otherwise – there are 10 or more criminal or state-sponsored actors. It is safe to assume that if Kapustkiy found the server with the weak authentication controls, someone working for governments like Russia, China, the U.S. and others found it first and have familiarized themselves with the Ministry’s affairs, thinking, employees and so on.
On a small scale, this might not seem to matter much. Much of what goes on at the Ministry of Industry is likely bureaucratic and dull. However, step back and consider how that information might be used or abused to tilt diplomacy or markets in a desired direction or in favor of certain firms, or how disinformation might be used to destabilize or embarrass an unfriendly government, and the importance of that silly, insecure user account becomes much, much larger.
The problem for governments and others, then, isn’t small-scale incidents like this one, in which data on a few hundred or a few thousand individuals is leaked. It is the destabilizing effect of the hacking on agencies big and small over time – the way in which it tips the balance of power in the direction of chaotic actors and away from organizations and institutions (like the Ministry) that are formal and – at least in some way – accountable.
That was the gist of a warning that Alex Younger – aka “C”, the head of Britain’s MI6 – gave in a speech this week in London. Speaking on Thursday morning, he warned that “the connectivity that is at the heart of globalisation (sp) can be exploited by states with hostile intent to further their aims deniably. They do this through means as varied as cyber attacks, propaganda or subversion of democratic process,” Younger said. “The risks at stake are profound and represent a fundamental threat to our sovereignty; they should be a concern to all those who share democratic values.”
It’s strange to think that such weighty issues as those “C” is discussing might boil down to mundane matters like choices about passwords and web interfaces – but they do. That’s what Kapustkiy is trying to tell you. You should listen.