Capital One, what's missing from your wallet? I always got a kick out of their ad campaign; I thought it was rather clever. But the fact is they have now lost data, and we'll take a look at the Capital One press release if you haven't heard the news. Capital One has lost 140,000 Social Security numbers and 80,000 linked bank account numbers. Now, I bring this up because the news spin sometimes says, well, they only lost 1% of the total number of names dumped in the database, et cetera, et cetera. These are fun marketing spins put on by the media to try to downplay the attack, but they did lose data. Now I'm going to read through some of the court filings to show how they were able to track down the person who did this, which I think is kind of interesting: they left a pretty strong evidence trail. And I also want to talk about how hard security is sometimes, and a little bit about Capital One here. Now, we don't have the exact details, and a few places are kind of vague, but this is typical for a lot of news because there's a lot of technical detail in here. So we're going to run through and talk about the document itself, because it does have at least some detail of how they were able to obtain the arrest warrant. First we'll start with the Department of Justice press release: "Seattle tech worker arrested for data theft involving large financial services companies." This is the general blurb they have as a press release. And then you can go and actually grab the document where all of this data is, so we can walk through the actual process and figure out what happened. So they're going to be charged under the Computer Fraud and Abuse Act, real briefly here.
So between on or about March 12th, 2019 and on or about July 17th, 2019, in Seattle within the Western District of Washington and elsewhere, Paige Thompson intentionally accessed a computer without authorization, to wit, a computer containing information belonging to Capital One Financial, and thereby obtained information contained in a financial record of a financial institution or a card issuer. So this is the crime they're being accused of. I just figured I'd be clear on what's going on there. I'm not going to go through all the people involved and the summary of the investigation; we'll run through some of this, but it's not that interesting. It's a lot of words you may or may not know. They define what an IP address is. They define what was used, like The Onion Router, or Tor, and a virtual private network; they were using a VPN to hide things. They were using GitHub, IPredator, Meetup, Slack and Twitter. So a lot of these are other companies that participated and helped the FBI in the investigation to gather information. Then the intrusion and exfiltration. They describe what Capital One is, a financial services company, and they have a whole responsible disclosure section, because the data had been posted on GitHub. So this is actually really interesting: "Hello there, there appears to be some leaked S3 data of yours in someone's GitHub," and they have it on there. So this was sent to the responsible disclosure address at CapitalOne.com, and said, you know, let me know if you need help tracking them down. So this is where it all starts. You find out that your data has been exfiltrated, which is never the email anyone wants to receive, whatever the responsible disclosure address is. The individual's email said that there appeared to be leaked data belonging to Capital One on GitHub, and provided the address of the GitHub page and a file containing the leaked data. The address provided for this file was redacted.
The substituted characters are sometimes fewer, often more than five characters. One of the terms in this address was what I know from the Department of Licensing records to be Paige A. Thompson's full first, middle and last name. After receiving the GitHub file, which is timestamped April 21st, 2018, Capital One determined the April 21st file contained the IP address for a specific server. A firewall misconfiguration permitted commands to be executed by that server, which enabled access to folders or buckets of data in Capital One's storage space at the cloud computing company. Now, people, I've already seen the flame wars going on: this is why you never put anything in the cloud, this is the problem. Data, if you have it accessible in some way, cloud or local, you have to have customers accessing their data, so there are tools involved that need to be able to access that. Those tools can have vulnerabilities or be misconfigured. Either one of those problems applies whether I host it in my office or I host it in the cloud. So misconfiguration sounds like it was the problem here, but this is something I've always pointed out: security's very hard. You have to configure everything properly, and it only takes one little edge for someone to find their way in. So let's go a little further and talk about the little details of that. Now, this is where I know Capital One at least had some good internal logging that they were using, because they were able to walk through and understand what user role was compromised, and WAF, I'm assuming, would stand for web application firewall in this case. So it sounds like it was a web application firewall that allowed them to get in there. Now, they walked through each one of the things they did. They list the list-bucket command. Like I said, this takes good internal logging to even have this, because some companies don't have these things.
They just assume no one's gonna get in, and when they do get in, they don't know, because they have no way of logging everything that happens, so they can't answer very concisely the question of what they did when they got in. Capital One at least seems to have that. So they're examining what the attacker did. They've seen them listing the buckets, or we may call that enumerating things, with the list-bucket command. They wanna see what all the buckets are that they have available based on the permissions of this role. And that's what led them to understanding, yes, this person did access all of this, and which Tor exit nodes they were commonly using when they accessed this. So it was a combination of Tor exit nodes and them using the IPredator VPN, which will keep giving you this IP address. Now, because they had the person's GitHub name already, they had some information. So then, by working with GitHub, they were able to determine that this same IP address that was accessing Capital One was the one used with that person's login credentials on GitHub. So now you have that correlation data, where you can assemble those two pieces of information to build this case against them. And then, going further down through the document, they talk about this IP being used to copy the data, actually tracing the data. So once again, all this logging is going on. And it's kind of interesting to me, because it feels like they should have blocked VPNs and blocked Tor, because generally speaking, unless you have some unique users, or maybe it's a user convenience thing, I'm really not sure why they would allow this. And what I mean by that is, on our firewall we block a lot of things, just so people can't access any of our remote access tools that are publicly available on our website; we block a lot of things.
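As an added example, not part of the video or the court filing, here is the kind of log review the paragraphs above describe: given CloudTrail-style S3 records, it reconstructs which role made which calls against which buckets, and flags calls that arrived from a Tor exit node or a VPN provider's address range, which is the correlation the investigators are described as doing. The records, account id, role names, bucket names, Tor exit list and VPN range are all constructed placeholders (RFC 5737 documentation addresses), and the field names only follow CloudTrail's conventions; none of it is Capital One's actual data.

```python
import ipaddress
from collections import Counter

# Constructed CloudTrail-style S3 records. Field names follow CloudTrail's
# eventName / sourceIPAddress / userIdentity / requestParameters conventions;
# every value (account id, role names, bucket names, IPs, times) is made up.
WAF_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WAF-Role/i-0constructed"
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-22T03:14:05Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE_ARN},
     "requestParameters": None},
    {"eventTime": "2019-03-22T03:15:41Z", "eventName": "ListObjects",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE_ARN},
     "requestParameters": {"bucketName": "cust-data-bucket-constructed"}},
    {"eventTime": "2019-03-22T03:16:02Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE_ARN},
     "requestParameters": {"bucketName": "cust-data-bucket-constructed",
                           "key": "exports/ssn-export.csv"}},
    {"eventTime": "2019-03-22T04:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.5.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/BackupRole/backup-host"},
     "requestParameters": None},
    {"eventTime": "2019-03-22T04:05:13Z", "eventName": "PutObject",
     "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "app-uploader"},
     "requestParameters": {"bucketName": "app-assets-constructed", "key": "logo.png"}},
]

# Constructed anonymizer data: placeholder Tor exit addresses and one VPN
# provider range. In a real deployment these come from a published Tor exit
# list and an ASN / threat-intel feed, refreshed on a schedule.
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.23"}
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def classify_source(ip):
    """Label a source address as 'tor', 'vpn' or 'other'."""
    if ip in TOR_EXIT_NODES:
        return "tor"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in VPN_RANGES):
        return "vpn"
    return "other"


def principal_name(event):
    """Return the role name (for assumed roles) or user name behind an event."""
    ident = event["userIdentity"]
    if ident["type"] == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        return ident["arn"].split("assumed-role/")[1].split("/")[0]
    return ident.get("userName", "unknown")


def bucket_of(event):
    """Bucket named in the request, or None for account-wide calls like ListBuckets."""
    params = event.get("requestParameters") or {}
    return params.get("bucketName")


def summarize_by_principal(events):
    """Answer 'what did each identity touch, and from where?' per role/user."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(principal_name(ev),
                                   {"ips": set(), "buckets": set(), "actions": Counter()})
        entry["ips"].add(ev["sourceIPAddress"])
        entry["actions"][ev["eventName"]] += 1
        if bucket_of(ev):
            entry["buckets"].add(bucket_of(ev))
    # Sorted lists so the report is stable and easy to diff between runs.
    return {name: {"ips": sorted(e["ips"]), "buckets": sorted(e["buckets"]),
                   "actions": dict(e["actions"])}
            for name, e in summary.items()}


def flag_anonymized_access(events):
    """S3 calls made through a Tor exit or a VPN range, oldest first."""
    flagged = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        kind = classify_source(ev["sourceIPAddress"])
        if kind == "other":
            continue
        flagged.append({"time": ev["eventTime"], "principal": principal_name(ev),
                        "ip": ev["sourceIPAddress"], "source": kind,
                        "action": ev["eventName"], "bucket": bucket_of(ev)})
    return flagged


if __name__ == "__main__":
    for hit in flag_anonymized_access(SAMPLE_EVENTS):
        print("ANONYMIZED SOURCE:", hit)
    for name, info in summarize_by_principal(SAMPLE_EVENTS).items():
        print(name, info)
```

Run as a script it prints the flagged calls and then a per-identity summary, which is the "what did they do once they got in" answer that only exists if the API calls were logged in the first place. Whether Tor and VPN ranges should be blocked at the perimeter is the trade-off raised above; even where they stay allowed, the same lists can drive an alert on bucket enumeration from anonymized sources.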
And it's a cat and mouse game blocking them, but it does help cut back on the noise, and you probably don't frequently have your general end-user customers accessing things through Tor. But maybe they do; maybe they left that open on the system that was penetrated here. So then they get to the evidence of the involvement. As noted above, the GitHub address where the April 21st file was posted includes the full name. Matter of fact, not only the name: a resume and all kinds of information were on there, on the GitLab page and some of the GitHub stuff. So they have a lot of stuff on there, and this person was putting their entire resume on there. So once you have some of this correlation data going (this is the IP address they log in from, they have the data in their GitHub that's from Capital One, and they use those same IP addresses to log in), they're making a really strong case for this arrest. Now, this is another piece, because they were also using the alias Erratic, and they were using it in a Slack channel as well, and they have information from the Slack channel where they were also talking about it. We're gonna jump to that. So there's a discussion, and this is publicly available, well, it was; I believe a lot has been taken down now, but they were able to go through a lot of these public channels, and they have Erratic, the same user, basically bragging: "I'm like IPredator, then to Tor, then S3," and all this. "I wanna get it off my server, that's why I'm archiving all of it. It's all encrypted. I just don't want it around though. I gotta find somewhere to store it," and they kind of go on and talk about places that could potentially store it. And according to a screenshot Capital One provided, which I have reviewed, on June 27th the user, Paige, posted, "I've got a leak-proof IPredator router set up if anyone needs," as well as a GitHub link, the Paige Thompson link.
I was not able to locate the post myself, although that may be because it's been deleted. So there's kind of some bragging going on here, like, hey, I got all this stuff, as if they wouldn't get caught. I'm happy they got caught, but it's also sometimes how people get caught. So thank you, actually, to a person who's doing illegal things, for bragging. Back to this: "I basically shot myself, and I'm dropping Capital One docs and admitting it. I want to shoot with these buckets, I think, first. There's SSN, full name, DOB," so they have date of birth in there, and this is where they're just kind of going, hey, I want to do it. And they're using their profile picture. So I kind of think they wanted to get caught; it's less clear and all that. This person seems perhaps to be a bit self-destructive. And then the raid on the residence of Paige Thompson: basically, they found a bunch of computer stuff and things containing the Capital One cloud data and the obviously associated aliases and usernames. So it's an interesting breakdown. We're going to have to see just how bad it was and where this comes down to, at least in my opinion, and sometimes in the opinion of the courts, when it comes to Capital One's fault for this. In the Equifax debrief, we understand Equifax was being very sloppy with security, had not updated things, et cetera, et cetera. There are a few good deep dives you can find on the Equifax debrief to see what they had done, and we definitely saw Equifax being negligent. We're going to have to wait and find out if they were told about this problem, if this is a problem they knew about from a security audit and should have fixed. Well, obviously they should have fixed it, but did they know about it? How bad was the misconfiguration? You know, what are some of the details involved in that? I'm actually going to be very interested to find out in the debrief. But at least on the internal side, they have a lot of knowledge.
They were clearly logging the transactions, so they were able to do some data digging once they found out that someone had put this data out there. So that's a good side for Capital One. They do have an internal team with some management on there, because some companies, you know... obviously it's terrible when you find out from an email that, hey, someone's got your stuff out on the internet, but then being able to reverse that and go figure out some of the details behind it, that's at least some good security practice going on inside. But it's kind of a wait and see, where we'll see what the fines are for this. And it's a reminder, as we see fines, and Equifax was recently fined hugely for their negligence, that this is great. As we see this, the only way we're really gonna see change is not by slapping them on the wrist, but when you slap them with fines, some type of restitution to be paid. Fines are probably the wrong term, the way I think about it. I would actually think restitution to those affected, which are the people whose credit card or any of these numbers were lost, Social Security numbers, any of your personal information that was lost: you should be compensated for it, and making these companies compensate users for it, that's where they're gonna start to see change. They're gonna think very long and hard about how they audit, how they put security together, because once there's a financial incentive to do so, it's not one of those balances. And unfortunately some of these companies play this balance, going, well, the potential fines, because we have good lawyers, or restitution we may have to pay, is lower than what it costs to secure this. So let's roll the dice. They're doing risk mitigation. This is what happens at a lot of these C-suites. What's the brand erosion gonna be?
What's the reputation gonna be if we get breached, and how much would we have to pay out, versus putting in this really high-end security or hiring a team of security engineers? Security costs this much. There's a balancing act. Once it costs more, they will put more security in. It's this race back and forth. So hopefully with Capital One, I'm hoping someone does a deep-dive debrief and they can talk about it, because being more open about it lets us know how it was done internally. And even with Equifax, I think there were a lot of lessons learned, because one of the things we learned from the Equifax breach was that a whole lot of people were notified without assigning responsibility. So while we learned many people were notified of the misconfiguration, over a hundred, I believe, were on a list, they all thought it was somebody else's job. And that's important in security: it's not like we just send out a notice that something needs to be configured. We have to have an assignment. One, a person to do it. Two, a person to check to make sure that person did it. And maybe even a third layer at these larger scales, another person who checks that that person checked that that person did it. Even at the scale of Equifax, yes, a person should be responsible specifically to confirm something's done. These are procedures that humans fail at. They sometimes will send it out, and I've worked in corporate environments, and it gets very tricky because sometimes no one is clear on whose job it was to turn off something, turn on something or update something. And this goes beyond any outside technology. Good companies have really strong processes in place to say it is this person's task to get this done, and it is specifically this person's task to make sure this person's doing it, and maybe one more layer on top, and this is how things get done.
And it gets overlooked in IT departments, and IT departments are notoriously understaffed, under budget and crying for more stuff, and the people at the top go, well, how much more secure will it make us? And it comes back to the risk assessment of how much they're gonna budget for that. So like I said, I'll leave links to all this so you can read through it yourself. It's interesting, all the processes used, and it sounds like this person is probably quite guilty, but in the US justice system you are innocent until proven guilty. But this person certainly left them a lot of evidence to bring them to their front door, and we'll see how it plays out with Capital One. Thanks for watching. If you liked this video, give it a thumbs up. If you wanna subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you wanna hire us for a project that you've seen or discussed in this video, head over to LawrenceSystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you wanna throw at us. Also, if you wanna carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you wanna help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks for watching this video, and see you next time.