
Dell Computers Has Been Hacked - MilnerRoute
http://www.10zenmonkeys.com/2016/01/04/dell-computers-has-been-hacked/
======
davismwfl
I posted about this about 7 months ago on HN,
[https://news.ycombinator.com/item?id=9881674](https://news.ycombinator.com/item?id=9881674),
I also tweeted it out. Dell responded to my tweet saying there has been no
breach and our data was secure. Obviously I didn't and don't believe them, and
their main response was report it to the FTC. That is crap, admit it, fix it
and deal with the issue.

What totally pissed me off is that it was my son's laptop they called on and
they called him directly since his number was listed when he called in for
real Dell support about 3 months prior to the scam call. They had convinced
him they were Dell until I walked into his room and heard 30 seconds of the
call and asked why he called them; as soon as he said he didn't, I told him to
hang up. They were persistent, calling him back many times over the next 2
months. I had to block the number to finally get it to stop, and my son says he
got a new call just a few weeks ago, new number same scam, but at least he is
smarter about it now.

~~~
drzaiusapelord
I've accepted that we live in an age where no one can secure data that is
coveted by determined attackers. Even companies with the best infosec are
often taken down by the simplest social engineering or clumsy spear-phishing
attempts that work well enough.

I hope this changes as we migrate away from passwords and passphrases to
mandatory two-factor login with physical keyfob tokens, from C to Rust, and
from putting things directly onto the internet to putting everything behind an
IPS/IDS that updates itself via signatures, honeypots, etc. Especially in the
home where no one runs an IPS, the same way early consumer OSes didn't bother to
ship with firewalls.

Phones need something like this too, especially with blocking known spammer
numbers/providers. Every day I get an Indian call center impersonating either
State Farm or Blue Cross. I have no way to stop this as they randomize the
phone number each time, often in mocking ways like starting with a movie 555
prefix or having a prefix starting with 1.

I also don't want a relationship with companies like Dell where they store all
my info. Why can't I buy something via a private OpenID/Persona-like system
that has a tokenized version of my credit card and Dell just ships the
product? I must have hundreds of accounts spread out with various sites,
vendors, etc. Each of them ripe for the taking by scammers and hackers with my
real name, stored card, etc.

I hope this stuff is what breaks the camel's back. IT security right now is a
nightmare. I suspect it will get much worse before it gets better.
Cryptolocker didn't suddenly fix corporate IT security. From what I can tell,
it's just as bad as it's ever been.

~~~
prplhaz4
Because retailers figured out a while ago that having a personal relationship
with their customers (knowing everything about them) is EXTREMELY valuable.
Think of the merchant wars with MC/Visa/ApplePay...etc as well as how much
they sink into loyalty programs. Knowing your customer pays off in spades
(until you have a security breach and get sued into oblivion).

Would be nice to be able to opt-in to a "forget everything you know about me"
program - Newegg would probably get tons of business from paranoid nerds with
an option like that in place.

~~~
chris_wot
I have to warn you that you just triggered a liar's paradox.

------
cm2187
I don't know if it's related but I found something deeply worrying a couple of
months ago. I purchased a laptop on Dell's website at my home address using a
personal email and my personal paypal account. No reference anywhere to my job
or employer. A couple of weeks later I receive a call from India on the mobile
number provided to Dell, from a guy pretending to be from Dell (and he might
have been) who wanted to discuss how he could do business with my employer
which he mentioned by name (a large corporation).

At that time I thought that Dell's commercials were unacceptably pushy,
googling their private clients to find a way in their employer. It didn't
occur to me that this might have been a scam using Dell's database.

~~~
nthitz
Axciom, Epsilon and similar companies track your credit card purchases and
correlate them with a profile of who they think you are. If you work for a
large corporation that is probably easier to identify than a small one.

[http://www.acxiom.com/](http://www.acxiom.com/)
[http://www.epsilon.com/](http://www.epsilon.com/)

~~~
dcposch
I assumed that when I buy something on a card, it's more or less private. The
transaction should be known only to: me, the merchant, our respective banks,
Visa, and I guess the IRS if they come and ask for it.

If I understand correctly, you're saying my entire purchase history is shared
with random third-party marketing companies. Full transaction data, PII
included, no anonymization.

How is that even remotely OK?

~~~
xorcist
Guess why Google and Apple desperately want to get in on payments? It fits
their data-driven business model perfectly.

~~~
macintux
Apple has a data-driven business model?

~~~
xorcist
Well, they aspire to. Their ad network is large and growing.

~~~
macintux
I've not seen numbers and I'm skeptical that it's growing, but the revenue
can't be more than a rounding error on their books.

Lumping Apple with Google in terms of data gathering is misleading at best.

~~~
mastazi
You mean Apple, the company that until recently forced you to give them cc
data in order to install any app on your device, regardless of the app being a
paid or free one?

~~~
macintux
Apple wants your money, not your data (as further evidenced by the fact that
they just killed iAds).

------
geocar
It doesn't sound like Dell has been very effective here: likely attackers
downloaded the database raw or it's one of their many contractors who log in
remotely. Last time I saw that interface it was a web form that someone could
access from any machine!

This is serious.

If you have customer data, you need to log _access_ to that data, and you need
to _audit_ access to that data, and (very important!) you need to have a zero-
tolerance policy. This isn't trivial to set up, but it's necessary; The CTO is
responsible here, not some "website hackers".

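The logging-and-audit point in the comment above, as an added example that is not from the thread and not Dell's own tooling: a small audit-log checker that reads a JSON-lines log of customer-record accesses and applies two rules a defender would actually run, flagging reads that carry no ticket reference and flagging any account that touches more than a handful of distinct customers inside a short window (the bulk-export pattern). The log format, field names, thresholds and the sample events are all assumptions constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Field names are assumptions:
# ts, actor, action, customer_id, ticket (the justification for the read).
SAMPLE_LOG = "\n".join([
    '{"ts": "2016-01-04T09:00:00", "actor": "agent17", "action": "read", "customer_id": "C-1001", "ticket": "T-55"}',
    '{"ts": "2016-01-04T09:20:00", "actor": "agent17", "action": "read", "customer_id": "C-1002", "ticket": "T-56"}',
    '{"ts": "2016-01-04T10:05:00", "actor": "agent17", "action": "read", "customer_id": "C-1003", "ticket": null}',
] + [
    # agent42 reads eight different customers in 14 minutes, none tied to a ticket
    '{"ts": "2016-01-04T11:%02d:00", "actor": "agent42", "action": "read", "customer_id": "C-20%02d", "ticket": null}'
    % (2 * i, i)
    for i in range(8)
])


def parse_log(text):
    """Parse JSON-lines audit events, skipping blank lines; bad JSON raises."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_unjustified(events):
    """Reads of a customer record that carry no ticket reference at all."""
    return [e for e in events if e["action"] == "read" and not e.get("ticket")]


def find_bulk_readers(events, max_customers=5, window=timedelta(hours=1)):
    """Actors who read more than max_customers distinct records within any
    sliding window of the given length. Returns {actor: peak distinct count}."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "read":
            by_actor[e["actor"]].append(e)  # events are already time-sorted
    flagged = {}
    for actor, evs in by_actor.items():
        peak = 0
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["customer_id"])
            peak = max(peak, len(seen))
        if peak > max_customers:
            flagged[actor] = peak
    return flagged


def audit(text, **rule_kwargs):
    """Run both rules over a log and return a summary suitable for review."""
    events = parse_log(text)
    return {
        "events": len(events),
        "unjustified": len(find_unjustified(events)),
        "bulk_readers": find_bulk_readers(events, **rule_kwargs),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG), indent=2))
```

The two rules are deliberately simple so that every hit is explainable to the person whose access is being questioned: a read with no ticket has no stated reason, and eight distinct customers in a quarter of an hour is not how a single support case looks. The thresholds are the part to tune against a real log before anyone acts on the output.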
~~~
madaxe_again
_The CTO is responsible here, not some "website hackers"._

If only that bore up in reality - you need only look at any number of recent
high profile breaches (TalkTalk, for instance), to see that the "hacked"
(incompetent) party gets sympathy, the exploiter gets prison time.

As to how this is happening - quite likely exactly as you say. They have
extreme staff churn in their Indian operations, and all it takes is a few
dishonest individuals to make this sort of thing become widespread. I've even
had Dell sales reps contact me from their personal email address trying to get
me to scam Dell (buy servers, I get commission, you return, I give you 50% of
commission, deal?), so this is as unsurprising as it gets.

~~~
geocar
Wow that's terrifying.

I think it's systemic, and we need to be very clear what we want a company
(like Dell) to do in this situation.

Programmers are not usually held accountable for their own bugs, and I think
that needs to change too. I don't recommend prison time, but maybe just some
humility?

Bankers do the same thing: Past performance is not a guarantee of future
results, and I _get_ they're just doing their best, so why don't they put
their own money in the same pot?

Heck, we expect the cafe to refund our coffee if they mix it up wrong, so why
can't we just push that message upwards?

~~~
kruczek
> Programmers are not usually held accountable for their own bugs, and I think
> that needs to change too.

I disagree. Bugs are created and will be created; it is up to the proper
process to test the system and get rid of them. A bug that goes into
production code is a collective failure. Why do you blame the programmer, but
won't blame the tester, or the guy who designed the test, or the guy who
designed whole workflow, or the architect who planned the system?

~~~
geocar
> Why do you blame the programmer, but won't blame the tester, or the guy who
> designed the test, or the guy who designed whole workflow, or the architect
> who planned the system?

Where did you get the idea that I don't?

I think people make mistakes sometimes (myself included), but I don't somehow
think that diminishes the mistake.

I also think the programmer has less responsibility than the architect, or the
CTO (which is why we pay them more). I don't like that shit only runs
downhill.

~~~
alextgordon
The best programmers have a choice of where they work, and will avoid
environments that have a reputation for excessive blaming or scapegoating.

So it's a self-defeating strategy for a company to take. Only the desperate
need apply.

Better to create an environment like the fabled NASA software lab, where
individuals are never blamed -- only the "process". _That_ will attract high-
quality applicants.

~~~
geocar
That's a good point.

I don't know. Maybe if we can get top programmers paid more to stop
bullshitting we can do something about that.

------
dogma1138
I actually wonder if Dell was hacked or this is some 3rd party info sharing
that got leaked the old-fashioned way.

The problem with these types of cold call scams is that they do not scale; it
seems a bit odd that a group that could target a company the likes of Dell
would resort to such tactics (and yes, I am fully aware that they could've
breached Dell and sold the data, but then I'm not sure that phone scammers
would be in their price range).

My bet would be on a 3rd party losing some data or getting hit, or even just
employees doing it the really old-fashioned way: print out a couple of thousand
profiles and go to work; your operation most likely won't scale much beyond that
anyhow.

But in general a lot of that info could've been fished out, even the Dell support
tag. Dell's own support website has an auto-detect feature that scans for it
on your machine; it supports a .NET HTTP distro app, ActiveX and a few other
plugin methods, and if you have the Dell Support bloatware installed I think
even JavaScript could potentially work.

(Don't remember if Dell was affected but over the years multiple laptop
vendors were found to leak support info over LAN/Ethernet as they run various
services both during boot and later through the bloatware they ship the
machines with)

If you have the support tag you usually can access old tickets opened on that
tag, either online or by social engineering their support team (with IBM
support in the UK, if you have the S/N you'll see all past tickets in their
system); the rest of the data like name and phone numbers can be found out
quite easily.

So if you want to scam people by pretending to be Dell support you should be
able to do it without actually needing access to their customer DB.

------
roflaway
Throwaway account because I just shared this story with a buddy of mine:

I, too, have received these "Dell" tech support calls and angrily yell at them
as I hang up within 15 seconds.

Lately though, I received a bombardment of calls (15 to be exact) in the past
3 days from the same number. I answered one of them, and it had the same
1 minute 10 s message saying to call the number back regarding a computer threat
they found on my computer (the voicemails are all 1 min 10 s). These calls woke
my kids and me up every..damn..day. The calls kept coming on my work and
personal line. Without dialing back the number, I'll never know how this crap
even started.

I feel bad for others out there who may actually fall for these kinds of
tactics.

~~~
Natsu
I prefer not to hang up right away. Instead, I try to waste a bit of their
time. For automated calls, I just put down the phone and wait a while to hang
up.

But for people? I try other means of time wasting, so they can't call someone
else to scam them.

Last time they called, I told them that it was good that they called, because
my computer had detected a virus on their computer and that I wanted them to
download and install malware.exe to remove it.

Next time they claim to call from Microsoft, I think I'll tell them I'm glad
they've called, because I really need to speak to Bill Gates. Or if he's not
available, Steve Ballmer.

I guess Bill might not answer his own phone any more, but I have to admit that
I wonder what Bill does if he gets a call from them?

Maybe next time I should say that I'm Bill Gates and they're all fired?

At least this is more amusing than simply hanging up in disgust. And it helps
slow down the rate at which they scam new people, even more so the more people
who do this.

~~~
reitanqild
I had a lot of fun with someone from "Microsoft IT Support" just before
Christmas : )

Tried to do a reverse phish and connect to their TeamViewer[0] but I didn't
have time.

At least for an hour I bothered them by being the most clueless user I could
get myself to be, "mistyping" urls so I ended up on tech websites instead. I
also made notes to add to my previous guesswork on how they manage to fool
users.

[0]: Yep, that or another seemingly legitimate remote access tool is what they
use around here. Why TeamViewer cannot stop them I have no idea; these kinds
of connections (India(?) to rural Western Europe) should stick out like a sore
thumb in the data sets, I would guess?

~~~
mootothemax
> these kinds of connections (India(?) to rural Western Europe) should stick
> out like a sore thumb in the data sets, I would guess?

I'd guess the opposite: there are enough _legitimate_ outsourcing firms in
India that traffic from fraudsters blends in pretty nicely.

~~~
reitanqild
But none of those legitimate ones try to connect to me (an IT tech, TeamViewer
should know), my brothers and in-laws across the country, etc. etc., all in the
same day.

Off the top of my head typical TeamViewer usage should be more like some new,
some recurring I think.

------
stevebmark
Sincerely, thank you for reporting this and helping bring it to the spotlight.
It's too easy for things like this to fall under the radar of any major
acknowledgement, letting corporations get away with major scandals without any
accountability.

------
acomjean
Am I the only one thinking that we've lost total control over the machines and
data we've created? It seems like nothing is safe and/or verifiable anymore.
Add to this the backdrop of governments wanting backdoors. People calling you
in the US pretending to be from the "IRS", and yet nothing is/can be done
about it?

Maybe it's really high time for C and its buffer overflows to go... And SQL
injection.

We're tech savvy here, yet sometimes even we fall for these things. It's starting
to get actually expensive.

I hate to be all conspiracy theory about this, but if/when the banks fall down
like this....

~~~
ctstover
You do realize that if "they" took C away from us, then all we would be
allowed to use is closed source lock-in oriented ecosystems to the point we
wouldn't even be able to trust the very language itself. That's always been
the dream, trusted computing all the way from boot to .NET (or similar). You
can not in the same breath call for secure computing and spread propaganda
against C. (I know it's too much of a leap for most, but it's the same non
sequitur as being against government's tight grip on society and for gun
control at the same time.)

~~~
VeilEm
How could anyone take C away from you anyway? You can build your own C. You
can build your own hardware to run your own C compiler on.

~~~
javajosh
Computers are great as brain augmentation devices, but if you spend all your
time building the device, then you'll get a poor outcome and have wasted (most
of) your life. That's the practical reason we want _both_ mass-produced
hardware _and_ transparent (and hence, controllable) hardware state. A world
of augmented minds is much more problematic when a central authority can and
does monitor everyone's mind, not the least of which because in such a state
revolution would be trivial to eliminate even in its earliest forms. And I
believe all thinking humans have learned by now to distrust any system that
can perpetuate itself so perfectly, and so indefinitely.

------
EwanToo
Far more likely it's call centre staff who work for Dell customer support
abusing their system access than an external hack; this seems quite common
across almost all brands and industries.

------
biot
Years ago at work, I noticed Dell's emails had an unsubscribe link that went
to a "manage account" kind of interface. The idea was you enter your email
address, go to some kind of "Manage Subscriptions" page, and you could opt
out. Unfortunately, you could also see a bunch of Personally Identifiable
Information including your first and last names, possibly your mailing
address, and other information.

I reported this to Dell and got back a very dismissive, abrasive email saying
something to the effect of "Well how else are we going to let people
unsubscribe?", claiming that they had no other legal option. I just changed
all my info to junk and left it at that; eventually they closed that hole, but
it wouldn't surprise me if some site exists that still allows people to
harvest anybody's information from Dell using nothing but their email address.

------
et1337
Has Dell made any sort of announcement about this? Getting hacked is one
thing. Failure to promptly notify the public is another.

------
Already__Taken
Back in February of 2013 I bought an XPS 13" convertible (nice btw, shocked it
doesn't ship with Pro) and whilst it was on the way I got 2 very convincing
looking shipping tracking scam emails that asked me to run some executable and
enter some details. They had the correct model of laptop and very specific
timing. I've never had any other spam like it before or since.

Sadly gmail has removed the spam from so long ago and the initial Dell contact
email must have been sent from a form as I only have the service desk reply
with my correct shipping number to track myself.

This might be even more serious than it looks.

------
hackuser
Something doesn't make sense: How can it be worthwhile for the attackers to
invest that much time in gaining access to one computer?

Given wrong numbers and that many people won't answer the phone, be near the
computer, have time at that moment, or be willing to cooperate, and then add
the time it takes to talk an end user through such a process, will they gain
access to even one computer every 2 hours? How can that pay off?

There are many, many more efficient attacks. How about good old-fashioned
spam?

~~~
spoondan
The purpose of the scam is not to gain access to computers. The purpose of the
scam is to fleece unsuspecting Dell customers. The scammers gain the trust of
their victim by using misappropriated Dell customer data. They charge
exorbitant fees for unnecessary services to the less technically competent.

My assumption is that the scammers are based in India or somewhere else where
dollars go quite a bit farther than the US. Even apart from the potential for
fraudulent charges, spending a few days to earn a few hundred dollars is
definitely worth it in a country where the average income for a year is around
$1300.

------
joshchaney
The title should really be changed, there is no confirmation they were hacked.
I have an equally plausible theory -- You used the same username and password
somewhere else that got hacked, or your credentials were stolen through some
infostealing malware. Account takeover is a huge problem these days, it
wouldn't surprise me if there is a tool out there written specifically to
validate combo lists against Dell's website.

~~~
Bhullnatik
He mentions using two-step verification though. That doesn't mean it's not
possible, but that makes it a lot harder to get into his account.

~~~
joshchaney
He said his email account has 2FA (convincing us his email was not hacked), I
don't think he meant his account on Dell.

------
mergy
Same here back in mid-2015. We got a call from scammers with valid service ids
of some of our equipment from Dell. I hope Dell comes clean on all of this.

------
z3t4
I don't know about you, but where I live (Sweden) there are strict rules on
how you can store personal data and who has access to it. It's also against
the law to put people in "databases". I guess we still remember WW2 and how
the Nazis used such registers ...

~~~
greggyb
> It's also against the law to put people in "databases".

I find this very hard to believe. At face value I interpret this as saying
that no company doing business in Sweden has any sort of customer database. Is
this correct?

What about a CRM system?

~~~
z3t4
You need the customer's consent. So if they opt in it's alright in most cases.
But you can only store their personal data if you absolutely need to, and in a
secure way. For example, only store a postal address if you intend to send them
snail mail.

You can for example only have someone in your CRM if they are a customer. And
if they ask you to remove their data, you must remove all information about
them.

You do not have to worry if your company and all your equipment are located
outside Sweden though. But as, for example, Facebook has a data center in
Sweden, you can actually request them to remove all your data.

An example of an illegal database is a database for direct marketing. Or a register
of race, religion or preferences.

------
ferongr
It's been some time (10 years or so) since I've last bought a prepackaged
computer (I build my desktops from parts) but do you really have to register
your personal information with the manufacturer when you buy a prebuilt
computer? Why would there be a need to do that anyway, wouldn't the serial
number of the machine be enough for warranty purposes?

~~~
nandhp
Well, generally speaking, if you order a computer online (as most people
probably do) you give them your name, address, and phone number so they can
ship it to you.

~~~
ferongr
Thanks for pointing that out.

Here in Greece (and most of Europe AFAIK) manufacturers don't sell directly to
consumers, hence my confusion.

------
txutxu
14:43 UTC+1, site not loading, DNS error (domain not resolved).

It seems the DNS for this was hosted on GoDaddy, but I can't see the content now.

It was pointing to shared hosting on DreamHost.

The domain will expire in August, so that is not the problem.

The domain is in status clientUpdateProhibited, clientTransferProhibited,
clientRenewProhibited, clientDeleteProhibited... the whois has been updated
today.

Maybe this site was put down?

~~~
kenbellows
Looks up to me, 08:55 UTC-5. If it's still not working for you try the
archive:
[https://web.archive.org/web/20160105091436/http://www.10zenm...](https://web.archive.org/web/20160105091436/http://www.10zenmonkeys.com/2016/01/04/dell-computers-has-been-hacked/)

~~~
txutxu
Still does not resolve here... maybe the problem is just in my network. I can
see it now using translate.google.com as a proxy and it works.

Thanks !!

------
mmaunder
Suggestion: if you are affected by this, get your attorney to reach out to
Dell and get a response on record. You might be surprised. Their legal team
will understand the risks of sweeping under the carpet or denying something
they know about.

------
revscat
I'm not seeing any direct evidence of a hack. It seems just as likely that
Dell could have simply sold customer data to interested parties.

~~~
fabulist
Superphish showed us that Dell is clearly willing to do something of that
nature, but the data the hackers are alleged to possess (shared secrets,
support histories, ...) isn't the kind of thing you'd sell. There is no proof,
but there the author certainly presents plenty of evidence. Unless you have
access to information outside this article, the most likely hypothesis is that
their database was compromised.

------
josh_carterPDX
Time to take my Optima 8200 offline. Sigh.

------
victorantos
It's blocked for me, I get

_We've blocked this page

O2 Wifi takes public wifi seriousl.._

------
ommunist
I'd rather bet that real Dell outsourced tech support to some company in
India, where very often business ethics towards customer records is virtually
non-existent. But what else can you expect? If you are not paying decent
money, be prepared that your data will be sold, unless you are really able to
enforce control over it. I seriously doubt that Dell tech support is ISO 27000
compliant.

~~~
tzs
> If you are not paying decent money, be prepared that your data will be sold,
> unless you are really able to enforce control over it

From what I can see from a bit of Googling, Dell _does_ pay their tech support
people decent money. If Glassdoor is to be believed [1] [2], Dell tech support
people in India make about 340k rupees a year, or about 28k per month.

That appears to be a middle class income for an Indian city dweller [3] [4].

[1] [https://www.glassdoor.com/Salary/Dell-Technical-Support-Asso...](https://www.glassdoor.com/Salary/Dell-Technical-Support-Associate-India-Salaries-EJI_IE1327.0,4_KO5,32_IL.33,38_IN115.htm)

[2] If the above link does not work without you being logged into a Glassdoor
account, try Googling for "how much does dell pay tech support people in
india" and clicking the Glassdoor result.

[3] [http://qr.ae/RgYML2](http://qr.ae/RgYML2)

[4] [http://www.pewresearch.org/fact-tank/2015/07/16/are-you-in-t...](http://www.pewresearch.org/fact-tank/2015/07/16/are-you-in-the-global-middle-class-find-out-with-our-income-calculator/)

~~~
chaostheory
ommunist can correct me, but I believe he was referring to having Dell tech
support located in a Western country, instead of being based in Asia.
Yes, it's more expensive to keep operations here, but we are more familiar with
the business practices as well as the laws. Of course this is a price of "the
race to the bottom".

~~~
robotresearcher
> we are more familiar with business practices

Almost everywhere in the world had been doing business for thousands of years
before the US existed. It's pretty careless to say that Asians are not
'familiar with business practices'.

They may not be all about _your_ business practices. If yours get too weird
and uptight they'll just return to doing business with the rest of the world
and won't miss you too much.

~~~
wfo
It's fairly well known and accepted that regulations and rules in Western
countries are FAR stricter than those in Asian and Indian countries. If you
care about privacy, EU > US > everywhere else (any non-Western country has
literally zero protections or laws about privacy that are enforced); if you
care about workers being treated decently, the EU and US are bastions of fairly
mediocre to bad treatment, everywhere else is sweatshops and de facto slavery.

~~~
kuschku
That’s not really true, though. Look at Japan.

Sweatshops and de facto slavery aren't everywhere, but you're kinda right:
countries which were colonies before – mostly in Africa, Asia and South
America – tend to have less wealth and prosperity.

~~~
eppsilon
> ...countries which were colonies before – mostly in Africa, Asia and South
> America – tend to have less wealth and prosperity

The US, Canada, and Australia are rather prominent counterexamples.

~~~
kuschku
They also are countries where there were enough immigrants that the native
population was mostly displaced; it's unfair to put them in the same category
as colonies where only a tiny immigrant population ruled over the native
population.

And even in some of these countries the wealth and prosperity of the native
population has been an issue even in the past decades.

