[HN Gopher] No, I Did Not Hack Your MS Exchange Server
___________________________________________________________________
No, I Did Not Hack Your MS Exchange Server
Author : todsacerdoti
Score : 111 points
Date : 2021-03-28 17:42 UTC (5 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| mywacaday wrote:
| That's exactly what someone who did hack my server would say.
| brian_herman wrote:
| https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchang...
|
| https://kemptechnologies.com/blog/top-15-tips-to-increase-ex...
| fotta wrote:
| > What was the subdomain I X'd out of his message? Just my Social
| Security number. I'd been doxed via DNS.
|
| That would freak me the fuck out wow.
| wyxuan wrote:
| Iirc some ppl used it to extract his credit report from
| Experian - we need better govt identification than just a few
| numbers
| Natsu wrote:
| I'm surprised that governments aren't using some kind of 2FA
| tokens for peoples' identities, while credit cards are.
| djxfade wrote:
| I don't know about most of Europe, but in Norway, we use a
| 2FA system called BankID. You authenticate either with
| your phone using a custom SIM app, or an app, or an OTP
| device. This system is used for everything from banking, to
| checking taxes, medical records, or signing documents.
| uniqueid wrote:
| Pretty sure every American's SSN has been public since 2017
| anyways. Thanks Equifax!
| paranorman wrote:
| Yeah that's pretty brutal.
| vdfs wrote:
| Probably not the worst thing he saw, not too familiar with
| him but I think he gets attacked a lot
| fotta wrote:
| Yeah the bottom of the article has a list of times his
| likeness has been used in an attack. Yikes, the downsides
| of being a public figure.
| BrandoElFollito wrote:
| It always amazes me that in the US there is such a weak
| identification system, relying on a single number.
|
| Then it is apparently up to the owner of said number to worry
| if it leaked.
| WarOnPrivacy wrote:
| > It always amazes me that in the US there is such a weak
| identification system, relying on a single number.
|
| Offer Govs/LEO/Biz an alternative that will allow them
| stronger & less visible influence over the public and it will
| be adopted yesterday.
| anitil wrote:
| The story of how this happened is quite interesting. CGP Grey
| did a video about how it evolved [0]. I'm not American so I
| can't judge how likely it is to ever change because it seems
| to be politically radioactive to propose a government
| mandated ID.
|
| We had a similar issue in Australia, but our workaround is
| that your drivers license (or ID card from the equivalent of
| the DMV) typically acts as your ID.
|
| [0] https://www.youtube.com/watch?v=Erp8IAUouus
| aidenn0 wrote:
| My first driver's license number was my SSN
| quercusa wrote:
| US Social Security cards used to say "NOT FOR IDENTIFICATION"
| but I guess it's just too hard to pass up a good primary key.
| marcosdumay wrote:
| Hum... When normal people say "identification" they almost
| always mean what we understand by "authentication" [1]. The
| main intended use of a social security number is as a key;
| that's the intended use 99.(some more 9s)% of the times a
| government gives a number to somebody.
|
| [1] - And when they say "authentication", they almost always
| mean what we understand by "non-repudiation".
| dhosek wrote:
| When I was first enrolled at University of Illinois of
| Chicago in 1985, your SSN was your student ID. You could
| log in to the mainframe using your SSN in the username
| field (although thankfully, the actual user ID was a
| sequentially assigned five-digit number and not the SSN. I
| was U10754). I think around 1986 or 1987, universities were
| instructed to stop using SSNs as student ID numbers.
| Spooky23 wrote:
| Lol. My SUNY school addressed this by suppressing the
| first three numbers.
|
| Considering that about 30% of the student body seemed to
| be from Islip, it was pretty trivial to guess the first
| three.
| macintux wrote:
| In the early 90s I had a professor who passed around a
| sheet of paper for us the first day of class to write
| down our names and our SSN.
|
| I had to point out to him after class that was a rather
| boneheaded idea (I'm sure I was a bit more polite than
| that).
| toast0 wrote:
| > I think around 1986 or 1987, universities were
| instructed to stop using SSNs as student ID numbers.
|
| And around 2005 they actually mostly stopped.
| bonzini wrote:
| The problem is that it's a username that is used as a
| password. In Europe you'd use some kind of tax identification
| number _plus_ a physical copy of an ID card or driving
| license.
|
| My identification number is algorithmically derived from
| place and date of birth, first and last name and gender.
| Anybody who knows my address and has heard someone greeting
| me happy birthday can guess mine with two-three trials
| corresponding to the closest hospitals. But that doesn't
| worry me, because I don't fear identity theft, it just
| doesn't exist in Italy.
|
| Instead, as a result of America's allergy to ID, they are
| essentially the only country where identity theft is a thing.
| path411 wrote:
| 5 out of the 9 numbers for an American social security
| number is also derived from location and date of birth.
| mdturnerphys wrote:
| This was finally done away with in 2011. I only found out
| because I was surprised that our second child's SSN
| (issued in 2012) had a different prefix than that of our
| first child (2009).
| toyg wrote:
| _> identity theft [...] just doesn't exist in Italy_
|
| Big lol. The country used to be famous for frauds and
| scams! _Of course_ identity fraud exists, but precisely
| _because_ everyone expects it, the majority of systems errs
| on the side of caution and requires validation from
| multiple sources. The result is that fraud processes become
| so much harder to pull off that fewer and fewer bad guys
| attempt it, but on the other hand every validation step
| becomes a bureaucratic nightmare ("did you include
| certificate X from office A, Y from office B, and Z from
| office C, as well as your ID card, health card, tax card,
| and recent pictures? No? Sorry, no cookie for you.")
|
| This is also why the country has a pretty secure and
| advanced way to carry out official acts electronically
| (PEC) - because otherwise fraud would be even more rampant.
|
| I do agree that the "anglo" hate for ID documents ("such
| Napoleonic constructs, so barbaric!") leaves the door open
| to scammers, but it's not like they don't exist in Italy
| too.
| bonzini wrote:
| I see, the good old racist card. But no, you're wrong. I
| have opened bank accounts in three EU countries and the
| procedure was the same everywhere. No ID, no bank
| account.
|
| I still have to see a headline like "identity theft
| ruined my life" in any other language than English. Every
| single time "furto di identità" makes the news in Italy,
| it's just about someone impersonating a famous person on
| social media to scam the followers, which is a completely
| different thing than in the US.
|
| So yeah of course scams and credit card skimmers exist in
| Italy (though the US's disdain for chip and PIN would be
| another interesting topic). Dishonest telemarketers
| convince gullible people to switch into more expensive
| utilities contracts. But identity theft in the US is not
| in any way comparable to "scamming".
|
| And yeah, PEC ("registered email") is pretty cool. :)
| mesofile wrote:
| When I visit Italy I'm often impressed by the physical
| lock & key systems in use even in pretty humble
| domiciles. Those keys look incredibly complex compared to
| anything I normally see in the US short of, say, a
| Mul-T-Lock.
| liversage wrote:
| I live in Denmark so also Europe. Our social security
| number (which can be guessed with enough information and a
| few tries) has been incorrectly used as a password instead
| of a key just like you describe. You make a call, provide
| this number and the clerk on the phone believes that you
| are who you claim to be.
|
| Nowadays things are better because computers are used
| everywhere. We have a national ID system using 2FA which is
| pretty safe. Unfortunately, identity theft is still a
| thing.
|
| Recently someone installed keyloggers on public computers.
| The second factor in the 2FA is a cardboard card with a
| list of one time password codes. You use a code on each
| sign in.
|
| The criminals were able to determine when there were only a
| few codes left on the card. You then get a new cardboard
| card sent to your home address. They would stalk their
| victim's mail box and steal the new card as soon as it
| arrived.
|
| With user name (your social security number) and password
| from the key logger together with the 2FA codes they were
| able to perform identity theft.
|
| It's not easy to guard against attacks like this.
| bonzini wrote:
| Absolutely, but it's more effort than knowing an SSN and
| being immediately able to get a loan in the name of that
| person. That would be ridiculous in Europe.
| imglorp wrote:
| And possession of the original paper SSN card is sometimes
| required as a form of identity. Not the hardest thing to
| print.
| bryanrasmussen wrote:
| Basically the same in Denmark, I believe many other European
| nations have a similar situation.
| itsthecourier wrote:
| They really trolled Krebs this time
| tommica wrote:
| I think our company also got affected by this, and we are a very
| small one
___________________________________________________________________
(page generated 2021-03-28 23:00 UTC)