[Posted on Behalf of Steve King, Director, Cybersecurity Advisory Services at Information Security Media Group (ISMG) ]
Why did the Capital One hacker do what she did?
Following forensic analysis related to the Capital One breach, a spokesperson for the bank claimed that the data has not been compromised for fraudulent or monetary purposes, saying, "Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual."
Immediately following that statement, Avivah Litan, a VP and distinguished analyst at Gartner, told CIO Dive, "No one steals that much data just for bravado. It's possible the information was already sold, increasing the chances of identity fraud for impacted customers."
Now, it may indeed be possible that Paige Thompson, the woman who is in custody for the attack on Capital One and 30+ other companies, perpetrated the breaches with the intent to monetize them and enrich herself in the process, but having worked on a software development project with Paige over a period of several months, I have no doubt about her motive.
I hired Paige Thompson as a contractor in early 2014 to join our software team and work on a cybersecurity media platform we were developing for our customer base. Over the ensuing months, I got to know Paige and her outlook on life pretty well. While it would be incorrect for a number of reasons to characterize the attack as motivated by bravado, as Ms. Litan has, I think a better description would center on the need to make a big, bold and dramatic statement, one that in her mind served the community at large.
In fact, she was so driven to make that statement that she was willing to risk her life and a future locked behind bars for a long time in exchange. Essentially, Paige exhibited all of the classic signs of someone seeking suicide by law enforcement.
Making absolutely no attempt to hide her activities, chatting casually about the details of the hack on her Slack account, and providing the locations where she had moved the data are all signals that she understood clearly she would be apprehended and prosecuted.
"I don't feel like there's anything worth stealing for. I mean there's dumb stuff, like stealing Wi-Fi, or goldbricking 4g access... but then there's stealing ... on a large scale .... I don't think I could enjoy living in a house that I paid for with stolen money." - Paige Thompson, email to me on 12/17/2014.
Looking back on our email exchanges during that project, it is clear to me that these hacks were the culmination of years of frustration over what she would call our "stupid approaches to cybersecurity" and an attempt to simply prove how easily even a mid-level hacker could take down the leading digital bank, along with 30 other organizations, just for fun.
From an email exchange on the subject back in 2014, she wrote in part,
“You have no margin for error … there are millions of routers on the internet that have the default admin/password, are running Linux and are fully open to anyone … you can scan the entire internet in less than 5 minutes … the work involved to actually source a botnet of a few thousand instances ... is nothing; it’s a script kiddie.”
2014. A script kiddie.
Fast forward to Valentine's Day, 2020, when the U.S. Department of Homeland Security, the U.S. Department of Defense, CISA and the FBI issued a critical alert based on new malware analysis. It identifies 7 strains used in attacks run by the same crew that ran WannaCry, targeting Windows users through advanced phishing schemes. Different attack vector; same problem ... 6 years later ... 7 new strains ... Windows.
Maybe Paige’s hacks could be seen as a portfolio of public service warnings. For some insight into her motivations and personality, in late 2014 she wrote me,
“I ...sorta.. have a blackhat mentality, but I'm a fairly composed person, I don't have destructive intentions, I'm just a little bit elitist. The pleasure of knowing that I can and always will be able to is enough for me. No doubt you've heard of Adrian Lamo? To some degree I still consider him a friend, we talk occasionally. I know the kind of people (our circle) that he hangs out with; lots of twisted mind games and social engineering. I like that I can say that the FBI are a bunch of fear mongering a******s who talk a big game about how ‘they will always catch you’ but the truth is the successful ones are the ones you don't hear about and that they don't even know about, and they're definitely there.”
For those of you who haven’t heard of him, Lamo was a white hat hacker who was driven by the belief that others failed to see the importance of Internet security in the early days of the world wide web. Lamo would break into corporate computer systems, but he never caused damage to the systems involved. Instead, he would offer to fix the security flaws free of charge, and if the flaw wasn't fixed, he would alert the media. Lamo hoped that his break-ins would inspire companies to hire him to break into their systems and test their security.
In December 2001, Lamo in fact was praised by WorldCom for helping to fortify their corporate security. Two years later, he was arrested and charged by the FBI with committing computer crimes against Microsoft, LexisNexis, and The New York Times.
A white hat hacker demonstrating the importance of cybersecurity to anyone who would listen.
The point here is not that Paige should somehow be excused from accountability because she was trying to expose an example of our ineptitude as an industry, and that her crime should be re-cast as a noble effort and excused accordingly. No. Paige deserves full punishment under the law. She may be suicidal and exhibit sociopathic tendencies, but she knew exactly what she was doing.
On the other hand, consider our most recently famous British hacker, Marcus Hutchins, who, in an apparent exchange for doing good by stopping the WannaCry ransomware attack, received only time served and a year of supervised release. It is possible that Paige could receive similar treatment based on her simple demonstration of how easily all of our impressive technological defenses can be bypassed.
Marcus had been indicted on six hacking-related federal charges in the U.S. District Court for creating and distributing, for profit on AlphaBay forums, the banking malware known as Kronos. In the end, Mr. Hutchins pleaded guilty to one count of conspiring to commit wire fraud, and to distributing, selling, promoting, and advertising a device used to intercept electronic communications, with a statement that read in part, "I regret these actions and accept full responsibility for my mistakes. Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes."
Using that same defense strategy, Paige may be able to avoid the five years in prison and $250,000 in fines Hutchins had faced, though in her case, the judge will probably extend that one condition of her current release that she be prohibited from visiting any Capital One or Amazon-owned locations, including Whole Foods.
Whatever the outcome, a reading of one email exchange with me might shed more light on whether Paige Thompson could use those same skills for constructive purposes as well:
"The real point I am trying to make is that I believe that encouraging fear still only encourages people to believe that they know what they are doing. I think it's better to encourage people to address what is incomprehensible to them and understand that the best security is proactive but more importantly awareness and understanding of what the vectors are for compromise.
At some point the world got this idea that using computers is supposed to be easy, which to me is like saying that immortality is supposed to be easy or space travel is supposed to be easy; things that nobody fully understands are supposed to be easy?"
This was a popular theme of Paige's messaging throughout many of our communications: the notion, which we all see every day in IT and especially in the InfoSec world, that everyone "knows" what's going on when in fact very few of us actually understand the threat landscapes we are hired to defend, and we know very little about our net exposures. One case in point: can the average CISO identify where all of the information assets reside in the enterprise and what value they represent? It seems fundamental, but I know of no one who can actually answer that question.
One of my closest friends in the CISO community, who is incredibly well respected, has admitted repeatedly that she knows very little about everything she should understand about her world. In today's rapidly shifting world this admission is completely reasonable, as it becomes virtually impossible for any one person to understand all of the threats and vulnerabilities, technologies and best practices as they continually evolve to meet attack vectors that morph at the speed of light. Instead, what we end up doing often inadvertently resembles security theater more closely than it does actual security.
"We live in a world where people don't question things and believe they know better because they are 'well advised.' They have no chance of standing on their own. Aside from the fact that people in general still don't understand computers, I firmly believe that the sort of 'do as I say not as I do' mentality that is all too common has taken its toll in other aspects of life and empowered people to incredulous acts of corruption; I don't believe that capitalizing on people's fears is a path to innovation or progress for anybody except for the people who get paid for it.
There's also this social stigma of 'if something is difficult to understand then it's easy to hide behind what somebody else says' because it's somehow embarrassing to not have the answers; it means that somebody is 'better' than you but long ago I realized I must get over this in order to find the truth. It is important to embrace your mistakes and take pride in knowing that the better way is to accept that there is always somebody who is better than you and try to do better yourself."
These may be the ramblings of an "erratic" sociopath who created a lot of havoc for a lot of people, but her thesis strikes me as hitting pretty close to the truth on a few issues.
I believe that there are a lot of Paige Thompsons residing throughout our computing environments, and like Paige, some will soon come to redefine the idea of what an insider threat looks like. A former employee using the tools she discovered while working at a major custodian of customer data to execute one of the world's biggest breaches may easily inspire other incredibly smart, brilliant hackers who are a hair away from connecting the dots between their rationales for showcasing their skills and executing the next headline attack.
As custodians of the information we host on behalf of our clients and business partners, we owe it to them to be thinking about resiliency in our own cybersecurity programs and working hard to prevent the next breach. As Paige points out, a good first step is to stop pretending that this stuff is supposed to be easy.
The Capital One breach has proven to be debilitating for all the parties involved, and the cost to repair will probably exceed $1 billion soon. If we continue on the path we are on, it will only get worse from here.