15 years of NCIX customer data available for sale
-
https://www.privacyfly.com/articles/ncix_breach/
God dammit. First Newegg, now NCIX. Maybe I'll just pay for my next PC in cash.
-
@bb36e Posted in the Other News thread yesterday. Mobile, so no link; sorry.
-
@bb36e Apparently, NCIX included DirectCanada.com, so if you used that your info is pwned as well.
-
@hungrier FUCK LE SHIT LE MERDE TABERNAK
-
Company goes bankrupt.
Stores all their servers in a rented warehouse.
Doesn't pay the rent.
Warehouse owner sells servers -- that haven't been wiped.
https://i.imgur.com/e0RiWnc.gif
-
@bb36e said in 15 years of NCIX customer data available for sale:
NCIX DATABREACH
I met [a] ... man in his mid-thirties who identified himself as Jeff.
-
@HardwareGeek said in 15 years of NCIX customer data available for sale:
@bb36e Posted in the Other News thread yesterday. Mobile, so no link; sorry.
Link for those that want to see the other discussion: https://what.thedailywtf.com/post/1415422
-
That's...insane. It is also a contingency that I have never even considered.
-
Been reading up on this. If true, insane.
BUT... I'm waiting for confirmation on this one. So far all the articles refer back to a single source: the security researcher's blog post.
Some things that need to be cleared up before I give it a "passes Lorne's smell test":
- Why was this sensitive data being stored at all, let alone in plaintext-- given NCIX supposedly had PCI compliance. I know getting PCI is a joke, but not THAT big of a joke
- Why was there 15 years of this data stored? None of it was ever deleted or archived? What?
- How were these servers kept in a warehouse, and not a datafarm or something?
- How did a company that specializes in liquidating companies fail to wipe the hard drives? That's negligence on a massive scale.
- If the "Jeff" guy knew what he had, why in the world would he put up a fucking CRAIGSLIST ad (which is local), rather than hopping onto The Dark Net?
- If the "Jeff" guy didn't know what he had, why didn't he do anything about it when he was told? And once he was told, why did he keep selling the info? (Yes, this could be ignorance / greed)
- Why hasn't the security guy who wrote the article released any of the data as proof that he has it? Most times someone puts up a scrubbed version of the db so people can look up if they were affected.
editfake while I was writing this:
So the Mounties have raided someone and seized some servers. Now it's "wait and see" as to what they find.
-
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
So the Mounties have raided someone and seized some servers. Now it's "wait and see" as to what they find.
awesome. hopefully they can put this NCIX site out of business for such a security failure.
-
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
- Why was this sensitive data being stored at all, let alone in plaintext-- given NCIX supposedly had PCI compliance. I know getting PCI is a joke, but not THAT big of a joke
Getting PCI is not a joke, but enforcement of compliance is.
- Why was there 15 years of this data stored? None of it was ever deleted or archived? What?
The company went bankrupt and shut down. The stuff in the warehouse was literally everything, including desktop PCs and office furniture. Probably includes all of their backups and archives, too.
- How were these servers kept in a warehouse, and not a datafarm or something?
The company went bankrupt. Money is tight. Proper storage costs too much. Some manager, somewhere, on his last day of work, said "not my problem any more."
- How did a company that specializes in liquidating companies fail to wipe the hard drives? That's negligence on a massive scale
And your point is . . . . . .?
- If the "Jeff" guy knew what he had, why in the world would he put up a fucking CRAIGSLIST ad (which is local), rather than hopping onto The Dark Net?
Being Asian and/or named Jeff doesn't automatically make you smart.
- If the "Jeff" guy didn't know what he had, why didn't he do anything about it when he was told? And once he was told, why did he keep selling the info? (Yes, this could be ignorance / greed)
I'm betting a combination of ignorance and greed. Just smart enough to realize he might have something valuable and greedy enough to steal it.
-
@El_Heffe said in 15 years of NCIX customer data available for sale:
Probably includes all of their backups and archives, too.
TFA says yes.
-
@El_Heffe said in 15 years of NCIX customer data available for sale:
And your point is . . . . . .?
That it is less likely for a company to forget to format hundreds of hard drives, when one of the things they do is resell business computers (and have to reformat hard drives).
Even if just to keep the BSA off their asses.
I can see one or two being overlooked. But dozens (hundreds?)-- like I said, it's either unlikely, or a huge screw up. I'd accept either.
-
@bb36e said in 15 years of NCIX customer data available for sale:
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
So the Mounties have raided someone and seized some servers. Now it's "wait and see" as to what they find.
awesome. hopefully they can put this NCIX site out of business for such a security failure.
Don't worry, 2017 already took care of that for you.
-
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
@El_Heffe said in 15 years of NCIX customer data available for sale:
And your point is . . . . . .?
That it is less likely for a company to forget to format hundreds of hard drives, when one of the things they do is resell business computers (and have to reformat hard drives).
Even if just to keep the BSA off their asses.
If they were still in operation, you would be absolutely correct.
But in this case the answer is still the same.
They went bankrupt and went out of business. They didn't "forget" to wipe hundreds of drives. There's no longer a business. Or people to properly wipe all the drives. Or money to pay for it. So, good luck with that.
What's the BSA going to do to a company that doesn't exist anymore? Even if the BSA can do something, I'm pretty sure the people, who are now all unemployed, don't really care.
-
@El_Heffe said in 15 years of NCIX customer data available for sale:
What's the BSA going to do to a company that doesn't exist anymore?
Hold a big jamboree? Go door-to-door in the neighbourhood to raise money by mowing lawns and so on? What else might the Boy Scouts of America do?
-
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
Why was this sensitive data being stored at all, let alone in plaintex
Why was there 15 years of this data stored?
If only a group of countries could get together and pass general regulations trying to protect this kind of data.
-
@coldandtired said in 15 years of NCIX customer data available for sale:
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
Why was this sensitive data being stored at all, let alone in plaintex
Why was there 15 years of this data stored?
If only a group of countries could get together and pass general regulations trying to protect this kind of data.
They'd just fuck it all up.
-
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
@El_Heffe said in 15 years of NCIX customer data available for sale:
And your point is . . . . . .?
That it is less likely for a company to forget to format hundreds of hard drives, when one of the things they do is resell business computers (and have to reformat hard drives).
Even if just to keep the BSA off their asses.
I can see one or two being overlooked. But dozens (hundreds?)-- like I said, it's either unlikely, or a huge screw up. I'd accept either.
Some friends and I bought a literal truckload of gear at auction when the for-profit college ITT Tech went under. While we were there to pick it up I talked to the liquidation manager - they do not wipe anything. Data purge is the responsibility of the wind-down employees, who are still employees of the defunct entity (though they're the first creditors paid by the liquidator). These people are typically upset, getting paid little and with much delay, busy looking for new jobs, and in the case of IT staff, the last ones out the door.
They have no incentive not to suck. Some services need to work until the bitter end. What the fuck do you do with things you legally need to retain but can't because you need to wipe the machine without replacement? Nobody writes an SOP for shutting down and destroying everything. Nobody practices implementing it. Some stuff doesn't get done.
The network gear we got had intact configs. Servers were wiped. Desktops, laptops and tablets fired right up unmolested aside from the fact that the MDM and AD didn't exist anymore. We got some juicy stuff, but ultimately we're good people and wiped them on our end (except the CNC controller PC because unobtanium drivers. I still have a bunch of kids' CAD homework).
-
@El_Heffe said in 15 years of NCIX customer data available for sale:
They didn't "forget" to wipe hundreds of drives. There's no longer a business. Or people to properly wipe all the drives. Or money to pay for it. So, good luck with that.
Um, he wasn't talking about NCIX wiping the data - he was talking about the reseller who was selling the computer equipment to recover costs not wiping the data. You know, what resellers are supposed to do!
edit: After reading @Weng's post about resellers... Huh. TIL...
-
@dcon said in 15 years of NCIX customer data available for sale:
reseller
I didn't get the impression that "Jeff" was a reseller, at least not in the sense of reselling computers as a legitimate business. I rather got the impression that the landlord just wanted to get paid, and asked his wife's cousin's friend's brother (or whatever) to sell them and didn't care or know enough to ask any questions about how he did it.
-
@dkf said in 15 years of NCIX customer data available for sale:
@El_Heffe said in 15 years of NCIX customer data available for sale:
What's the BSA going to do to a company that doesn't exist anymore?
Hold a big jamboree? Go door-to-door in the neighbourhood to raise money by mowing lawns and so on? What else might the Boy Scouts of America do?
*notices this isn't the garage and so doesn't make a specific remark*
-
@Weng said in 15 years of NCIX customer data available for sale:
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
@El_Heffe said in 15 years of NCIX customer data available for sale:
And your point is . . . . . .?
That it is less likely for a company to forget to format hundreds of hard drives, when one of the things they do is resell business computers (and have to reformat hard drives).
Even if just to keep the BSA off their asses.
I can see one or two being overlooked. But dozens (hundreds?)-- like I said, it's either unlikely, or a huge screw up. I'd accept either.
Some friends and I bought a literal truckload of gear at auction when the for-profit college ITT Tech went under. While we were there to pick it up I talked to the liquidation manager - they do not wipe anything. Data purge is the responsibility of the wind-down employees, who are still employees of the defunct entity (though they're the first creditors paid by the liquidator). These people are typically upset, getting paid little and with much delay, busy looking for new jobs, and in the case of IT staff, the last ones out the door.
They have no incentive not to suck. Some services need to work until the bitter end. What the fuck do you do with things you legally need to retain but can't because you need to wipe the machine without replacement? Nobody writes an SOP for shutting down and destroying everything. Nobody practices implementing it. Some stuff doesn't get done.
The network gear we got had intact configs. Servers were wiped. Desktops, laptops and tablets fired right up unmolested aside from the fact that the MDM and AD didn't exist anymore. We got some juicy stuff, but ultimately we're good people and wiped them on our end (except the CNC controller PC because unobtanium drivers. I still have a bunch of kids' CAD homework).
We acquired a new building a couple of years ago that had a 15-rack datacenter in it. The company had gone bankrupt but there were still two racks of servers populated (but no networking gear).
While seeing if any of the fully-loaded xServers worked, I noticed that I had basically the whole company's personal IT infrastructure, email, file servers, backups, the works.
What I think happened is that servers for their customers got removed, but all their internal stuff was just powered down and left.
I just DBAN'd the whole lot. I didn't see anything good coming from leaving that information around.
The only bad bit was that it had a beautiful hot aisle/cold aisle chiller system, but somebody had sawn through the refrigerant lines to the outdoor condenser pack, leaving pipes open vertically to the elements. The aircon tech I called in said the system was full of water and beyond economic repair. Real shame there.
-
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
That it is less likely for a company to forget to format hundreds of hard drives, when one of the things they do is resell business computers (and have to reformat hard drives).
This is (one reason) why my company requires everything to have whole drive encryption. Relying on processes to wipe out sensitive data is definitely today.
-
I had a couple of rack-mounted NAS donated to my network lab, coming from a defunct company. I powered them up. Password protected. Look online, find the password reset procedure. Log in, find the entire company data intact in two copies (one main NAS, one backup NAS). It had documents from all levels of staff, license keys for software, employee data including payroll information, etc.
I shook my head and then did a nuke and pave to wipe the data.
-
@boomzilla said in 15 years of NCIX customer data available for sale:
@Lorne-Kates said in 15 years of NCIX customer data available for sale:
That it is less likely for a company to forget to format hundreds of hard drives, when one of the things they do is resell business computers (and have to reformat hard drives).
This is (one reason) why my company requires everything to have whole drive encryption. Relying on processes to wipe out sensitive data is definitely today.
For servers this assumes the hard drives will be separated from the servers (unless you're insane and have people keying in encryption keys at server boot)
Resellers will basically never do that because "missing drive sleds" basically cuts the value of the machine in half, if not worse.
-
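A check worth doing after any of the "nuke and pave" jobs described in this thread (the DBAN run on the abandoned racks, the donated NAS boxes, and the whole-drive-encryption argument above) is to confirm a drive actually came back clean before it leaves your hands. The script below is an added example, not code from the thread or from any of its posters. It reads a raw disk image, classifies every sector as zero-filled, high-entropy (a random-pattern wipe or ciphertext from full-disk encryption) or structured (residual plaintext), and scans for a few well-known file signatures. The three images it inspects are constructed for the example; the 512-byte sector size and the 7.0 bits/byte entropy threshold are assumptions, not values from the thread.

```python
"""Heuristic post-wipe check for a raw disk image (added example, not from the thread)."""
import math
import random
from collections import Counter

SECTOR = 512  # assumed sector size for the per-sector classification

# Well-known on-disk magic values; finding any of them on a "wiped" drive means
# residual data survived. The descriptions are ours; the byte strings are standard.
SIGNATURES = {
    b"NTFS    ": "NTFS boot sector OEM id",
    b"PK\x03\x04": "zip / Office document",
    b"%PDF-": "PDF document",
}


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant chunk, close to 8.0 for random data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())
    return h or 0.0  # normalise -0.0 (constant chunk) to 0.0


def classify_sector(chunk: bytes) -> str:
    h = shannon_entropy(chunk)
    if h == 0.0:
        return "blank"         # every byte identical: zero-fill or one-pass pattern wipe
    if h >= 7.0:               # assumed threshold; random/ciphertext sectors sit well above it
        return "high_entropy"  # random-pattern wipe, or ciphertext from full-disk encryption
    return "structured"        # low entropy but not constant: text, metadata, file-system residue


def find_signatures(image: bytes) -> list:
    """Every (offset, description) at which a known signature appears in the image."""
    hits = []
    for sig, desc in SIGNATURES.items():
        start = 0
        while (off := image.find(sig, start)) != -1:
            hits.append((off, desc))
            start = off + 1
    return sorted(hits)


def assess_image(image: bytes) -> dict:
    """Per-sector classification plus an overall verdict for a raw image."""
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    kinds = Counter(classify_sector(s) for s in sectors)
    hits = find_signatures(image)
    if hits or kinds["structured"]:
        verdict = "residual data"           # do not release this drive
    elif kinds["blank"] == len(sectors):
        verdict = "zero-filled"             # consistent with a zero wipe
    else:
        verdict = "no plaintext detected"   # random wipe or still-encrypted volume
    return {"verdict": verdict, "sectors": dict(kinds), "signatures": hits}


def build_samples() -> dict:
    """Constructed images (not real drives): zeroed, random-filled, and zeroed except for
    a leftover NTFS boot-sector marker and a fake payroll CSV a few sectors in."""
    n = SECTOR * 16
    zeroed = bytes(n)
    rng = random.Random(20180921)  # fixed seed so the result is repeatable
    randomised = bytes(rng.getrandbits(8) for _ in range(n))
    payroll = b"employee_id,name,salary\n1001,Alice Example,72000\n1002,Bob Example,68000\n"
    leftover = bytearray(zeroed)
    leftover[3:11] = b"NTFS    "          # where an NTFS boot sector keeps its OEM id
    leftover[510:512] = b"\x55\xaa"       # boot-sector signature
    body = (payroll * 40)[:SECTOR * 4]    # four sectors of "forgotten" HR data
    leftover[SECTOR * 8:SECTOR * 8 + len(body)] = body
    return {"zeroed": zeroed, "random": randomised, "leftover": bytes(leftover)}


if __name__ == "__main__":
    for name, image in build_samples().items():
        result = assess_image(image)
        print(f"{name:9s} {result['verdict']:22s} {result['sectors']} {result['signatures']}")
```

On a real drive you would feed `assess_image` the output of `dd` (or read the block device directly) in fixed-size windows rather than loading it whole, and treat "residual data" as a hard stop: the constructed "leftover" image is exactly the case the thread describes, a mostly empty disk with a file system marker and a few sectors of payroll records still sitting on it.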
@Weng said in 15 years of NCIX customer data available for sale:
Resellers will basically never do that because "missing drive sleds" basically cuts the value of the machine in half, if not worse.
Good to know!
-
@El_Heffe said in 15 years of NCIX customer data available for sale:
What's the BSA going to do to a company that doesn't exist anymore?
No, I meant the reseller / liquidator. If they sell the computers without wiping the drives, and the drives have licensed software, you can bet the BSA (or some other snivelling leech) will be biting up their ass for billions of dollars of "stolen" software.
-
@Weng said in 15 years of NCIX customer data available for sale:
Data purge is the responsibility of the wind-down employees
Ah, well there's my answer.
Or more likely, the answer to the inevitable question "who do we sue?"