News stories about hackers stealing personal data are legion.
Some of the threatening emails my spam filter blocks are from supposed hackers demanding ransoms in bitcoin. If you go to the bitcoin account they claim you must pay in order to avoid having your "pornographic" files exposed, you find that it has been suspended. Since I don't have any such files, I realized the whole thing was fake, then learned that the same blackmail had been sent to friends and relatives. They don't even have to be the original hackers -- they can just take advantage of the ubiquitous nature of hacks now, so that anyone can vaguely sense at any minute that maybe it applies to them.
A Woman Hacker?
Since I was once a Capital One customer, I paid more attention than usual to this story about Paige Adele Thompson, but I thought it was curious that it was a woman hacker. Usually, hackers are not women, even if there are plenty of women coders around today (and I know some who go back decades). She had reportedly stolen 120,000 bank account numbers and 77,000 Social Security numbers. Capital One didn't do any mass mailing to customers, although they put a notice on their web page.
Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
Importantly, no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Beyond the credit card application data, the individual obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information.
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
This information has been shared on Capital One’s website, servicing portal, press release and 8K filing.
The individual also obtained the following data:
- About 140,000 Social Security numbers of our credit card customers.
- About 80,000 linked bank account numbers of our secured credit card customers.
We will directly notify these customers through the mail.
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident. We will directly notify all Canadian customers affected.
Someone can perhaps explain to me how 106 million people in the US and Canada are "affected," but "only" 140,000 SS numbers, 1 million Social Insurance Numbers, and 80,000 bank accounts are "obtained". What does this mean? That people's home addresses and salaries were stolen?
Victory-Dance Leads to Capture
How was this Seattle-based hacker caught?
Strangely, this hacker -- whose handle was appropriately "erratic" -- was not secretive, but bragged about her hack on various social media and GitHub, which enabled someone to send a tip (maybe she herself?) to Capital One to show them the admission, and offer to help.
The FBI listed in the criminal complaint all of the online platforms investigators uncovered that appeared to lead to Paige Adele Thompson. The original GitHub profile linked to a GitLab page, which included Thompson’s resume.
Investigators further uncovered a Meetup group, a Slack channel and a Twitter account all affiliated with Thompson. The user “erratic” posted on the Slack channel on June 26, 2019, a list of files they possessed.
The complaint states that Thompson appeared to brag about the information she had accessed related to Capital One. The FBI agent wrote that Thompson had “made statements on social media fora evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally.”
Why would Paige want to distribute those Social Security and Social Insurance numbers first? To what end? To whom? Random thieves? Are we quite sure that in fact while she was openly discussing this, others didn't obtain these files?
Swat Team
Quite a display of force was used to arrest her -- although it's not clear how the authorities knew about the weapons in the apartment before the raid. This elicited a great deal of ridicule of the police for overkill and poor tactics, snarky comments about Capital One, haiku about hacking, and almost no condemnation of the hacker (although there were still a few, which was something):
Managed to get video of the raid in Seattle that led to the arrest of Paige Thompson, 33yo software engineer accused of hacking databases and stealing info on 100 million credit card applications for #CapitalOne in a major breach. Housemates share details @ Noon @KIRO7Seattle pic.twitter.com/NXsjfAOInn
— Ranji Sinha (@RanjiKIRO7) July 30, 2019
It was said that Paige Adele Thompson, a software engineer for various companies according to an online resume, had "threatened to shoot up a California social media company". Twitter? (Her account there was suspended). There are 30 top companies and zillions of others.
Then, it developed that Thompson was found not only to have breached Capital One, but "30 other organizations". That sounded like one of those crime stories common to Russia, but not only Russia, where the police pin a bunch of other crimes they haven't solved on the one culprit they've caught. Furthermore, the data wasn't only of the personal type, supposedly:
"The servers seized from Thompson's bedroom during the search of Thompson's residence, include not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities."
US prosecutors said the "data varies significantly in both type and amount," but, based on currently available information, "much of the data appears not to be data containing personal identifying information."
Then it said that while the hacker had stolen these millions of accounts, she hadn't exploited them, i.e. used the credit cards to steal money or buy things online. Then the news stories said the hacker was mentally ill because they not only didn't exploit the data, they admitted it freely. Reports had begun to emerge from friends that she "struggled" with mental illness. All that seemed strange. You're depressed, so you hack a zillion files and risk arrest?
A Trans Woman Safe House
Now, the latest stories say that the hacker in question is a trans woman who has demanded that she not be kept in a regular jail facility with males (that seems perfectly reasonable as she would indeed be in danger). Some redditors got mad over the lag between the first reports about a "woman" hacker and the later reports of the "transwoman" report -- because, so they reasoned, this artificially inflated crime statistics regarding women.
Then, we learn about her roommate, Park Hang Quo, who was arrested for illegal firearms, who in the past had done jail time for illegal weapons possession and attempted assassination (a Silk Road user?) and had been released after cooperating with authorities. He, too, admitted his crime and admitted his roommates (there were three others besides Paige) could have access to the arms, and that the original hacker wanted to commit "suicide by cop".
The other roommates -- who included a woman Navy veteran and two other military veterans -- said in this media report that they knew there were guns in the house, but that they didn't know Park Hang Quo was a felon with a past conviction on arms.
How is it that these five people, four of whom are military veterans, (at least) one of whom is a programmer, meet each other and become roommates in a home where there is not only such a firearms arsenal but an Airstream RV and a large box truck -- a home where it turns out a hacker stole millions of personal files?
We don't know if there are others behind Thompson involved in the hack, if Park is related to it, or the role of the other three roommates, although the hacker is said to have "acted alone". How she hooked up with a roommate who possessed illegal firearms and had served a jail sentence for involvement in an assassination, as well as with three other veterans, isn't explained. There doesn't seem to be much curiosity about any of this from the media. Who are these people?
There is one explanation buried in the Seattle Times story for how they all ended up together:
The roommates, who like Thompson are transgender women, said she used to be a systems engineer at Amazon but lost her job in 2016 after she began drinking at work to deal with harassment from a co-worker. She hasn’t worked since, the roommates said, and was living at the house rent-free.
Has this story gotten thoroughly weird yet? It has. I don't know what to make of it.
Flight Risk
The judge has not released the suspect on bail because of the problem of flight. A petition to have her stay at a half-way house was denied because, as a person without a job or a home (her roommate said she was not welcome back at her previous home), she was a flight risk. An indication that in the past she was addicted to drugs also came up -- although the defense said this was "over".
But the threat of harm to herself and others and the "suicide by cop" wishes mentioned in news reports are a reason as well to deny bail, said Judge Michelle Peterson:
“You are highly talented,” Peterson told Thompson, “and have the means and ability to create havoc in our banking system.”
Why would someone who was smart enough to break into those accounts get caught? Why would they break into them if they weren't going to use the stolen data? Why would they hoard millions of these files in their home? Fox News quotes a local tech who explains this as "accidental"?
But on Friday, Thompson’s long-time friend Tim Carstens, from the tech community, showed up to court in support of Thompson.
Carstens said Thompson is not the tech mastermind the government is making her out to be.
He says she breached the data by most likely snooping around randomly. He says she didn't even know what to do with all the stolen information.
(The surfacing of Carstens is yet another odd detail in this story. Tim Carstens said he knew Thompson since she was "a teenager" [in Arkansas? where she lived with a now-estranged mother and dad MIA]. Tim is said to have written "the" white paper on Bitcoin [a joke?] and once worked for "Uncle Sam". ?)
Hacker "Altruism"
The answer suggested to me, from following past hacker exploits, is that this hacker believed she could prove a point -- "it can be done" -- and expose the flaws of big corporations -- which can be loathed by these anarchist types. And -- a variation on this "altruism" -- that discovery of this hack would force these companies to have better security. That hackers actually "help them" -- when they don't bring capitalism to its knees. It's all pretty jumbled, ideologically -- but to say it is "accidental" is to defy reason. You would have to intend to breach the system to find such a vulnerability.
And sure enough, this "hacker altruism" seemed to be part of the story, according to the Seattle Times. She was said to have made warnings to Capital One and been ignored, and then in a fit stole all the files.
“Paige is very, very skilled. If she wanted to, she could hack foreign governments,” said another of the roommates, who like the other two asked not to be named to protect their privacy and because they’re still shaken from Monday’s raid. “I didn’t know exactly what she had done … We never heard anything about it. She probably didn’t think it was a big deal.”
She described Thompson, who is also known by the online handle “erratic,” as a “white hat hacker” who tried to warn Capital One about vulnerabilities in their firewall but was blown off. Thompson posted links to the company’s data “to teach them a lesson,” she said.
So black hat felons are merely white hats yearning for recognition?
When hackers smash big companies supposedly in the name of altruism, why don't they care about the little guy, the people harmed by hacks with identity theft and further disruption of their lives?
So far, the mental illness of this hacker has not been established by a court of law, and it is only a supposition.
Sometimes when I read news stories of massive hacks or mass shootings, I wonder if foreign states who are enemies of the US -- Russia, China, Iran, North Korea and others -- go trawling around for these disturbed and vulnerable individuals online -- they're easy enough to spot on social media -- and then incite them, and guide them, and "hands free," let nature take its course. That's because there are so many of them, sometimes one right after another, that they seem planned.
But there are plenty of factors within our own society to set up the tragic chain of events that set off these mass crimes, without any foreign actors or need for conspiracy theories.
Disgruntled Former Amazon Employee
We talk a lot about our tech overlords but perhaps we have less awareness of how their own employees want to rebel against them, too:
Capital One is a major customer of Amazon Web Services (AWS), the Seattle commerce giant’s cloud computing business which provides companies the ability to rent computing and storage power on Amazon servers. AWS’ website touts Capital One’s choice of its cloud computing services, quoting its chief information officer saying, “We believe we can operate more securely in their cloud than in our own data centers.”
While the federal complaint against Thompson does not name AWS, it does say that Thompson worked at the cloud hosting provider Capital One uses. Thompson’s resume, posted on multiple online platforms, indicates she was a level 4 systems engineer at Amazon from May 2015 to September 2016, where she worked on the “build-out and deployment of new load balancing capacity for S3” — AWS’s Simple Storage Service, which allows AWS customers to store and access data from anywhere online.
Amazon had no comment. Funny how it's only a site like this that puts "former Amazon employee" in the headline -- mainstream media does not, and if it even includes that information, buries it down in the story.
Yes, Amazon wanted to distance itself from this former employee:
A person familiar with the matter said there was no breach or malfunction in the underlying AWS infrastructure, and the fact that the accused perpetrator had worked for AWS was not relevant to the hack. Instead, the hacker apparently exploited Capital One’s faulty firewall. Capital One said it was informed of the vulnerability July 17 and discovered the hack exposed personal information of as many as 106 million individuals in the U.S. and Canada.
Yet, there may have been a breach of Amazon, after all:
Thompson’s posts on Twitter suggest she may have accessed other data stored on AWS. Computer security researcher and reporter Brian Krebs reviewed posts on a Slack channel attributed to “erratic.” One post, on June 27, lists “various databases she found by hacking into improperly secured Amazon cloud instances,” Krebs wrote on his KrebsonSecurity blog, adding that a screenshot she posted suggests “she may also have located tens of gigabytes of data belonging to other major corporations.”
That said, Krebs saw no postings suggesting Thompson “sought to profit from selling the data taken from various Amazon cloud instances she was able to access.” Capital One, in its statement, said it was “unlikely that the information was used for fraud or disseminated by this individual,” but it continues to investigate.
Even so, it doesn't seem like the discovery of the "improperly-secured Amazon cloud instances" was accidental, like you just clicked something on Pastebin heedlessly.
Mental Illness
Thompson's defense -- like Manning's -- as possibly "my transgender made me do it" is already being outlined by a friend -- and if it isn't a "suicide by cop" attempt, it's an "obtain mandatory inpatient mental health treatment" (which can be hard to get) by cop:
Aife Dunne, an online friend of Thompson’s, told The New York Times Thompson struggled with her transition to a woman, discussed suicidal thoughts, and would sink into dark phases with little support outside her online communities.
According to her online resumes, Thompson studied software engineering at Bellevue College and moved through nine Seattle-area IT jobs over the last 14 years. In recent weeks, Thompson posted photographs of the Viaduct demolition, her various technology projects and of her cat Millie, who died last week.
She also wrote about having a therapist appointment and made reference to something momentous that was going to result in her losing her freedom.
“After this is over I’m going to go check into the mental hospital for an indefinite amount of time,” she wrote on Twitter. “I have a whole list of things that will ensure my involuntary confinement from the world. The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.”
That explains the references to the dead cat -- which supposedly enabled the FBI to track down Thompson -- she had been forced to put down her beloved pet, and posted a notice about this that contained her address. (Other news stories say it was a resume attached to her GitHub account that outed her.)
All's well that ends well?
Well, Paige faces only up to 5 years of jail and a $250,000 fine because of the lack of evidence for use of the cards -- and she may not be found unfit to stand trial and get the psychiatric care she wants and needs.
I'm all for hackers serving their sentences to the full extent of the law and I don't think "hacking while transgender" should be permissible as a defense as it does a grave disservice to all the transgender computer people who do not hack company servers. Mandatory psychiatric treatment might be the most humane thing in this case, however, especially as friends who got her into short stints of mental treatment multiple times were unsuccessful -- and Thompson only harassed them, geolocated them and harassed them more, to the point they were forced to move and get a protective order (!). She did, after all, knowingly live with a person with firearms she could access in theory.
Russian Propaganda Response
As I learned from a conservative blog, RT went beyond its usual glee at US misfortune with this story -- making a point of mentioning Amazon as the hacker's former employer and the "cloud computing company" not mentioned in earlier reports. At 2:56, the anchor even jokes for his audience, which he believes "doesn't watch" CNN or ABC, that those networks are likely already blaming this hack -- whose damage is assessed at $100 million -- "on the Kremlin". (In fact, no US media report did that.) He also drills down on the hacker's possible motives -- somebody who is actually greedy? Or who wants to expose the greed and carelessness of corporations? His colleague doesn't answer.
He then returns to the topic of the hacker's nature a third time:
Do we know how often it is a person, a group of persons, versus an institution, a nation-state, a group...how...what...have you looked into the whole hacking thing that seems to be in the news now?
Of course this doesn't mean Russia is behind Thompson's hack -- but it is Russian state propaganda trying to distract from its own state-sponsored hacking, to make it seem like America and its big corporations are to blame?
His fellow anchor makes the point that this is just days after the settlement of the Equifax breach that affected 170 million people.
Maybe it's about cloud computing or about single actors getting more attention? she wonders. Say, does the Kremlin want to get into the cloud-computing business in a bigger way?
The two anchors have a thinky philosophical discussion that might have been lifted from a Soviet class on Marxism about the motives of capitalism and how securing your data cannot get in the way of their profits. The male anchor asks if we should be worried that Capital One can just write off the cost of $100 million to "make this right" and it isn't much of a dent. This plays very well in the hundreds of comments -- and is a good example of how often Russian propaganda is anti-capitalist, although supposedly the Kremlin "dropped" the communist ideology:
Maybe this means this particular model we're using is suspect?
I think this is a great point? It's always the case in a profit-based system that you will make decisions based on profit. If securing your data falls lower on the list of priorities than making money for you, then that's the way it goes.
Evil American corporations and their disgruntled former problems, not the Kremlin! BTW, I see various hacker sites have already published the details of how Thompson did this hack, provided step-by-step instructions of how to implement it elsewhere, and congratulated Google for removing a vulnerability that apparently Amazon had not.
Update: So, not surprisingly, this hacker was released, and the trial is still ongoing.