Major data aggregators have been compromised “for months”, according to prominent security blogger Brian Krebs, including Lexis-Nexis and Dun & Bradstreet. Writing at Krebsonsecurity, Krebs says the ID theft invasion of the brokers' servers dated back at least as far as April this year, and that “the miscreants behind this ID …
Data aggregators are big targets because pwnage allows access to lots of data that would otherwise take a lot more pwned targets to find.
The fact that these places got pwned (again) is not a surprise. Humans work there, and spear phishing is a popular sport amongst miscreants and is proven (repeatedly) to be highly effective. The fact that someone, possibly one of the sysadmins if they got access to the databases, fell for it is concerning as they are in the "should know better" category.
The fact that they were pwned for months and didn't know is only mildly surprising.
These places need to learn some real security.
Key here is that (in the US) the D&B and LexNex databases are used to authenticate business clients before deals, and that banks use the data to vet businesses and individuals for lines of credit and before underwriting business deals. A common phrase before a deal is, "send us your D&B."
The stolen database info allows 3rd parties to pose as authenticated and trustworthy business partners, and to pose as creditworthy banking clients.
Re: allows 3rd parties to pose as authenticated and trustworthy
Depending on the sophistication of the breach, it might also allow them to monitor the number and types of inquiries legitimate companies are making. That could be used to improve your trading positions in the securities markets with less risk of exposure than direct fraud.
Either way, despite my other humorous post, this is cause for concern for all of us.
Whew! D&B = Dun & Bradstreet
So I'm safe then.
If it had been Dave & Busters I'd be more concerned.
What does this mean for 3rd parties that connect into the D&B or LexNex services? How does the botnet propagate? Are 3rd parties, with direct connectivity, at risk? Shame this article is a bit light on the implications.
Re: After effects
Go ask Brian Krebs himself; he actually reads worthwhile comments on his blog, and generally if he can tell you something you want to know, he will. Keep in mind, though, that sometimes he can't: he's a security researcher with contacts throughout the business, IT, security and intelligence communities, so keep that in mind.
I'd imagine that third parties might be compromised too; for the moment I would safely assume that any system connected to D&B or Lexis-Nexis is potentially insecure and should be treated as such. Which really sucks if you have to work with their products.