If it was not a zero-day, it means the attack was preventable, which points away from a world where a hundred million people's private information is unavoidably vulnerable.
In either case, it's a very small amount of evidence anyway, but in that respect at least, hoping it wasn't a zero-day makes sense.
If it was not a zero-day, it means the attack was preventable, which points away from a world where a hundred million people's private information is unavoidably vulnerable.
Working in the security industry quickly cures you of this illusion. It is unavoidably vulnerable in most cases. If someone wants to pop your network, they can usually find a way. The most clever code won't prevent someone from strolling in and plugging a raspi onto your network. Nobody notices an inconspicuous black box amid a pile of cables.
Let's not confuse physical access to getting it over the internet.
If they stayed old-school and had their computers inaccessible except to their own people, you'd have to make phone calls, fax, and mail to do anything with them. That would be less efficient - more costly - but it would prevent the possibility of a remote attack compromising huge amounts of data.
If we move up in abstraction, if these companies didn't exist and collect all the data the danger would be completely eliminated. OTOH the banks and lenders who use their services would have to find other ways to estimate credit-worthiness and that would again... cost more.
The network isn't necessarily the target. Developer machines are prime candidates for pivots. Most devs don't bother installing security updates, and many laptops are badly configured or running tools like Jenkins which in certain cases gets you remote code access. Equally promising is to set up a honeypot wifi AP and then wait for someone to accidentally connect to it.
Most devs have creds littered throughout their system. Some subset of the creds will get me access to your network. If you let me rifle through your box for a few hours I'd likely find a way to pivot somewhere else.
Yeah, I know and I agree. That's where the "very small amount of evidence" comes into play. A slightly better point is how this acts as evidence for how unavoidably vulnerable we are.
Unfortunately ~nobody does. The effectiveness of red teams was one of the most surprising aspects of working in security. The most common way to break into someplace was to pose as a construction worker: http://i.imgur.com/ZjnGmZ5.png
If you're dressed as one of them, you can go wherever you want and people rarely ask questions. Another approach is to pose as an interviewee. That's how you get into the building, but beyond that you never actually talk to anyone so nobody is suspicious. People generally don't care when someone is walking around the halls dressed up in a suit.
One of my coworkers was involved in dozens of red teams and he got caught a grand total of one time. Every other time he was able to acquire an IP address, take a picture of himself sitting in the exec's chair, swipe a file out of the server room, or whatever the customer wanted.
>If you meet a member of that select club, "The Twelve True Fishermen," entering the Vernon Hotel for the annual club dinner, you will observe, as he takes off his overcoat, that his evening coat is green and not black. If (supposing that you have the star-defying audacity to address such a being) you ask him why, he will probably answer that he does it to avoid being mistaken for a waiter. You will then retire crushed. But you will leave behind you a mystery as yet unsolved and a tale worth telling. ...
So, every time, he took a pic in the exec's chair, stole a file from the server room, and also did whatever he wanted? What is the 'N' factor here, because it sounds like your friend is a bold high schooler who achieved N=1,2,3(tops). Pretty boring security stuff.
To clarify, the companies he penetrated were the ones that hired him in the first place. Red teaming is when a company hires you to perform physical pentesting. You're legally allowed to break into their company within a set of defined rules. Usually the rules are straightforward: no breaking stuff (though sometimes there are exceptions), achieve the objective, carry a "get out of jail" envelope with two emergency contacts from inside the target company who will verify they paid you to break in if anything goes wrong. Other than that, you're free to be as creative as you want in achieving whatever the customer asked for. Think Ocean's Eleven.
These gigs are highly paid and secretive. The coworker I mentioned went on dozens of assignments like this. Admittedly he was legendary, but only because he was so experienced. If you were motivated and malicious, you could do many of the same things to attack a target network. People rarely do that, but it's the ultimate proof that none of us are secure against motivated adversaries.
I mean GP that you're replying to literally said N~=dozens, meaning probably 25+
Side note, that sounds like something one of my old bosses would do on his red team excursions (he also told me to get my teeth pulled without anesthetics at all, so... yea).
The fact that the pii existed is more systemic. We use social security numbers to verify identity and have a unique way of identify people across systems. If our current system of doing this (i.e. SSNs) are no longer reliable we will have to come up with something to replace it. If what we use to replace it is as brittle of a solution we will run into a similar problem down the road.
well ya thats the point, credit card breaches may still happen but those are easy to cancel, but all the PII would be permanently in the public domain.
In either case, it's a very small amount of evidence anyway, but in that respect at least, hoping it wasn't a zero-day makes sense.