
First American Financial Corp. Leaked Hundreds of Millions of Insurance Records - PatrolX
https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/
======
client4
I did a penetration test for $NATIONALINSURER and they had an FTP site with
weak credentials where all the remote offices uploaded claims. Millions of
records and scans of SSNs, home addresses, bank information, etc. Their
mitigating controls were: we put it behind a firewall.

Then again I didn't expect much, their MSSQL in prod had SA/SA credentials
active.

~~~
bloopernova
I'm currently fighting against management dragging their feet on using 2FA.

On HIPAA PHI.

(I know HIPAA doesn't actually mandate 2FA, but it's recommended by many best
practices and guides.)

Apparently some tech folks don't like _the inconvenience_ of 2FA.

~~~
skrebbel
2FA freaks me out. It means I'll be locked out of all my key accounts and
services if ever my phone breaks or gets lost. Probably right when I need
these services most.

~~~
skunkworker
That’s why they usually have backup keys that you physically keep in a safe
place.

~~~
skrebbel
That sounds decent but I've not seen this a lot. It's often just "give us your
phone number and we'll SMS you an access key when you log in".

~~~
skunkworker
Unfortunately I see this all too often on systems that have enabled 2FA but
not TOTP.
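
The thread above contrasts SMS-delivered codes with TOTP and mentions backup keys kept in a safe place. Below is an added example, not code from the thread, of both pieces in pure standard-library Python: an RFC 6238 TOTP check (the authenticator-app flavour of 2FA) with a small clock-drift window and replay protection, plus one-time backup codes stored only as hashes so a lost phone does not mean a lost account. The TOTP test values are the published RFC 6238 Appendix B vectors (secret `12345678901234567890`, SHA-1, 30-second step, 8 digits); the `SecondFactor` class, its method names and the backup-code format are assumptions made for this illustration.

```python
"""Added example (not from the thread): RFC 6238 TOTP plus hashed one-time backup codes."""
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30   # seconds per TOTP step
DIGITS = 8  # the RFC vectors use 8 digits; most deployments use 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class SecondFactor:
    """Per-user second-factor state (assumed structure): TOTP secret,
    last accepted counter, and the hashes of unused backup codes."""

    def __init__(self, secret: bytes, backup_count: int = 8) -> None:
        self.secret = secret
        self.last_counter = -1  # a counter is accepted once; blocks replay of a used code
        # Plaintext codes are shown to the user once at enrolment; only hashes are kept.
        self.plain_backup_codes = [secrets.token_hex(5) for _ in range(backup_count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest()
                              for c in self.plain_backup_codes}

    def verify_totp(self, code: str, now: int, window: int = 1) -> bool:
        """Accept the current step or +/- `window` steps of clock drift, each counter only once."""
        current = now // STEP
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than a used one): refuse replay
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """Consume a backup code: valid exactly once, compared in constant time."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        match = next((h for h in self.backup_hashes if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        self.backup_hashes.remove(match)
        return True


if __name__ == "__main__":
    sf = SecondFactor(secrets.token_bytes(20))
    now = int(time.time())
    print("current code accepted:", sf.verify_totp(totp(sf.secret, now), now))
    print("same code again:", sf.verify_totp(totp(sf.secret, now), now))
    print("backup codes to store offline:", sf.plain_backup_codes)
```

The replay check (`last_counter`) matters more than it looks: a TOTP code intercepted by phishing is valid for up to 30 seconds plus the drift window, so a server that accepts the same counter twice lets the attacker log in right behind the victim. Backup codes are high-entropy, so a plain SHA-256 is enough to keep a database dump from turning into a working second factor; a password-style KDF would be needed only if the codes were short or user-chosen.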

------
zhte415
A lot of discussion on technical side, but not from organisational.

How could audit, both internal and external, not find this? 2003 to today is
16 years. Audit is a last line of defence and certainly not to be relied upon
as a buddy to catch your errors. But... how? This is a major financial
institution in the most developed country in the world (the clue's in the
name). It should subscribe to the highest integrity and tightest scrutiny.
This seems an opportunity for both internal and external auditors to tighten
their game.

Outside of audit, surely an employee might have noticed? Was there no formal
method to speak up without fear of recrimination? According to Wikipedia [1]
there are eighteen thousand employees. Someone never noticed?

This seems an organisational failing, not a technical one.

[1]
[https://en.wikipedia.org/wiki/First_American_Corporation](https://en.wikipedia.org/wiki/First_American_Corporation)

~~~
nerdponx
You know what's a great incentive to actually care about this stuff? Legal
consequences for not caring about it.

Anyone conceivably responsible for ignoring the developer's complaint should
be on trial right now.

~~~
mcny
I personally think the board and CEO should be personally criminally liable. I
don't know exactly how but if I can't use ignorance of the law as a defense
for shouting in public (one yell back at someone who yelled "fuck you" at me
and I got a $180 fine) then the CEO and board can't use that as a defense for
leaking data for SIXTEEN years.

Didn't know this was happening in your organization? Fuxk you, go to prison.

------
angry_octet
Whenever you are compelled to upload/send a photocopy of an ID document it is
sensible to write the date and purpose / file reference on it. If it appears
in a document dump at some later date you know the path and date of the leak.

~~~
OrgNet
that is a good idea but most of the time I need to hand over my actual ID, and
not just a scan of it

~~~
angry_octet
I'm usually an uncooperative bastard at times like this. I ask them what their
purpose is in retaining a copy of my identity document, and I ask for their
privacy policy. When I'm travelling for work and a hotel asks I simply say no,
and remind them I can lodge a complaint with our corporate travel provider
that will have them delisted for future business; usually they come to their
senses. For overseas travel (where they often have to fax your passport to the
police) I ask for the photocopy back when I check out; since these documents
are lost/misfiled regularly the desk clerk usually complies. Always try for
point-in-time ID verification rather than retention.

~~~
nerdponx
Where do they ask you for a copy of your ID? I've never had that happen to me
at a hotel.

~~~
angry_octet
It's because of credit card fraud usually, they want it to prove to credit
providers that the actual card holder was present, and if not, exactly who.
And I've been asked in countries across the first world, though I haven't been
keeping specific note of when.

------
throwawaymath
Yet another security vulnerability caused by:

1. Using sequentially incremented integer sequences as object IDs, and

2. Failing to protect sensitive data using some kind of authentication and
authorization check.

This is becoming a trend with data breaches. Several of Krebs' other reports
on behalf of security researchers were originally identified by (trivially)
walking across object IDs on public URLs.

My cynical take is that Krebs couldn't go public before this afternoon because
First American wanted it to hit the news at an opportune time, then get ahead
of it with their own messaging. Krebs got in touch with First American on
Monday May 19th. The story is only just breaking now on a Friday afternoon at
5 pm; markets are conveniently closed for the weekend.

I expect them to issue a hollow PR statement about valuing security despite
being unable to act on security reports until an investigative journalist
threatens to go public.

~~~
mattmanser
I once made an app not using sequential integers as object ids, as you
suggest.

It was an absolute nightmare. Maintenance was a nightmare, you're constantly
having to generate or replicate these things that add an extra layer of
complexity to everything, and almost always unnecessarily.

It's also extremely bad for db performance, causes massive page fragmentation,
indexes become useless almost straight after rebuilding them, etc.

For almost everything, sequential int IDs are fine. It's the things you expose
to the users that you need to be careful with, and then don't use the primary
key to access them, add another unique key to them, but keep the id in there
for the db to use and for your own use.

My lesson was to go back to always using int ids, and on a few objects have a
separate unique key column to expose to users for sensitive stuff.

~~~
sverhagen
I also don't think using UUIDs as a security (by obscurity) strategy is valid.
But there are other reasons someone may choose to use UUIDs. For instance,
it's convenient to generate identifiers in a decentralized manner. I want to
counter your one bad experience with my (equally anecdotal) many-multiple good
experiences. Databases do just fine with UUIDs. Though we may be working on
different kinds of systems, and optimizing for different things. I don't frown
upon using integers (well, longs) for identifiers, but I personally prefer
UUIDs.

~~~
asaph
> For instance, it's convenient to generate identifiers in a decentralized
> manner.

For an elegant solution to this problem, check out Twitter's Snowflake[0].

[0]
[https://blog.twitter.com/engineering/en_us/a/2010/announcing-snowflake.html](https://blog.twitter.com/engineering/en_us/a/2010/announcing-snowflake.html)

~~~
chaz6
I always wondered why databases have not implemented a scheme like Microsoft's
Active Directory RID master FSMO role. One server is responsible for handing
out chunks of IDs to each server. They request a new block whenever a
threshold is reached (50% by default IIRC).

------
raesene9
By the sounds of it, another breach from a well-known, not new web application
security vulnerability, "Insecure Direct Object Reference".

That vuln has been an explicit part of the OWASP Top 10 since 2007...

Unlike other common web app vulns (e.g. XSS, SQLi), IDOR usually can't be fixed
by a development framework (e.g. ASP.Net or Rails); it needs app-specific
coding for proper authentication/authorization checks.
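
Several comments above describe the same two ingredients, sequential object IDs on public URLs (throwawaymath) and a missing per-request authorization check that no framework supplies for you (raesene9), while mattmanser suggests keeping the integer primary key for the database and exposing a separate random key to users. The following is an added example, not code from the thread or from the application Krebs describes, that puts those pieces side by side: a stand-in documents table with a sequential `id` and a random `public_key` column, the vulnerable lookup path, the enumeration it permits, and a fixed handler that requires a session, looks records up by the opaque key, and enforces ownership. The class and function names, the `Document` fields and the sample rows are all constructed for illustration.

```python
"""Added example (not the thread's or First American's code): the IDOR shape beside its fix."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Document:
    id: int          # sequential primary key: fine for the database, never put in a URL
    owner: str       # account entitled to read the record
    public_key: str  # opaque random identifier used in links (not derivable from id)
    contents: str


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


class DocumentStore:
    """Stand-in for the documents table, offering both lookup paths."""

    def __init__(self) -> None:
        self._by_id: Dict[int, Document] = {}
        self._by_key: Dict[str, Document] = {}

    def insert(self, owner: str, contents: str) -> Document:
        # 16 random bytes: the key space cannot be walked the way 1, 2, 3, ... can
        doc = Document(len(self._by_id) + 1, owner, secrets.token_urlsafe(16), contents)
        self._by_id[doc.id] = doc
        self._by_key[doc.public_key] = doc
        return doc

    def by_id(self, doc_id: int) -> Document:
        if doc_id not in self._by_id:
            raise NotFound(doc_id)
        return self._by_id[doc_id]

    def by_key(self, key: str) -> Optional[Document]:
        return self._by_key.get(key)


def fetch_document_vulnerable(store: DocumentStore, doc_id: int) -> Document:
    """GET /docs/<id> as the report describes it: no session, no ownership check."""
    return store.by_id(doc_id)


def fetch_document(store: DocumentStore, session_user: Optional[str], key: str) -> Document:
    """GET /docs/<key>: authenticated, looked up by opaque key, ownership enforced."""
    if session_user is None:
        raise Forbidden("login required")
    doc = store.by_key(key)
    # A foreign key and a nonexistent key get the same answer, so the
    # response does not confirm which keys exist.
    if doc is None or doc.owner != session_user:
        raise NotFound(key)
    return doc


def walk_ids(store: DocumentStore, start: int, stop: int) -> List[Document]:
    """The attack: change the digit in the URL and keep whatever comes back."""
    leaked = []
    for doc_id in range(start, stop):
        try:
            leaked.append(fetch_document_vulnerable(store, doc_id))
        except NotFound:
            pass
    return leaked


def access_outcome(store: DocumentStore, session_user: Optional[str], key: str) -> str:
    """Drive the fixed endpoint and summarise what the caller would see."""
    try:
        return "ok:" + fetch_document(store, session_user, key).owner
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


def sample_store() -> DocumentStore:
    """Constructed sample rows, not real data."""
    store = DocumentStore()
    store.insert("alice", "closing statement")
    store.insert("bob", "wire instructions")
    store.insert("carol", "scan of driver's licence")
    return store


if __name__ == "__main__":
    store = sample_store()
    print("vulnerable endpoint, ids 1..99:", [d.owner for d in walk_ids(store, 1, 100)])
    alice, bob = store.by_id(1), store.by_id(2)
    print("alice -> own key:", access_outcome(store, "alice", alice.public_key))
    print("alice -> bob's key:", access_outcome(store, "alice", bob.public_key))
    print("no session -> alice's key:", access_outcome(store, None, alice.public_key))
```

The random key on its own is not the fix; it only removes the trivial enumeration. What closes the hole is the `doc.owner != session_user` comparison, which is exactly the application-specific check the framework cannot write for you, and which has to run on every handler that returns a record, including the ones that send links by email.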

------
dmix
> He said anyone who knew the URL for a valid document at the Web site could
> view other documents just by modifying a single digit in the link.

Good thing he didn't post this bug online after getting no response. I
remember reading about someone who did that on an AT&T website a while back
and was sent to jail for simply incrementing an id number in the URL and
talked about it on Twitter.

~~~
luckylion
That was probably about weev, and they were after him long before that case,
so it's not likely that it would get some random person (that the FBI doesn't
have a file on and an interest in picking up) in the same trouble.

------
LinuxBender
That is an incredibly low friction interface to our documents. /s

What are the odds they have access logs going back to 2003?

~~~
PatrolX
Pretty good, everything was probably set up and configured with default
settings by that unpaid intern they had running their infrastructure back in
2003.

~~~
55555
default settings would wipe/rotate logs after some time, no?

~~~
krferriter
Rotate maybe, not wipe. As far as I'm aware for most webservers you have to
tell it to rotate the logs based on some criteria, otherwise it just keeps
appending.

If debugging is turned off it's entirely possible that they have been
appending lines to the same log file for the last 20 years and haven't run out
of disk space which would cause them to notice. Say 200 bytes in the log per
request, and even averaging 10000 (probably more than they get) requests per
day, in 20 years that's only 13GB.

It's also entirely possible they turned logging off or redirected to /dev/null
in order to "be more efficient".

------
reilly3000
I just closed on my first house this week, and First American was of course my
title company. I'll be interested to see if my data is included in this breach
settlement or not.

I did notice when I was reviewing my docs that they emailed links to
unauthenticated copies of docs, but they were mostly public records so I
didn't think twice about it.

So they have my Name, address, email, SSN, copy of ID, copy of check from my
bank with account/routing on it and much more, all in the open apparently.

I just went through an SSO implementation with a small team for a large user
base. It was a bigger project than we had anticipated, but nonetheless
manageable. I can't fathom that a financial institution of that scale could be
that lax with basic security. Wouldn't their systems be subject to some
regulation and require some kind of audit on a regular basis? Is this a
failure of auditing systems, as well as internal security or even basic IT?

------
JimmyDugan
Programmers' fault? Audit's fault? Security's fault? Pentesters' fault? IT's fault?

Listen, until C-level funds these programs properly and security is taken
seriously by all, issues like this will forever be in the news.

I would be willing to bet their security team, like most, has a long list of
security gaps they can't get fixed because of resource issues; just hope they
documented it or it could fall on them.

Most coding classes just teach how to make things work in Mister Rogers'
world. Secure coding is an elective! Most run the DevOps model instead of
SecDevOps and only involve security after it is ready to go into production, no
matter what flaws security finds.

Why are black box pentests still taking place? Because companies are required to
have a pentest but really do not want testers to find things. Their goal is not
to improve security, rather to check that box ... we had a pentest.

C-level, this keep-the-lights-on budget you give Security/IT is costing you
more than properly funding us! Oh yeah, you put that $ into cyber insurance!
Lol, let's see how well that works.

~~~
mjparrott
If the financial penalty was high enough they would increase budgets. There is
no accountability for losing customers personal information. If you can make a
strong business case behind the average risk a company takes on it would help
this discussion more. For each example of "company X had a major financial
impact" you need to average it out against "company Y lost hundreds of
millions of SSNs and had zero penalty".

------
PatrolX
Class Action Lawsuit Filed: [https://finance.yahoo.com/news/first-class-action-lawsuit-filed-110000081.html](https://finance.yahoo.com/news/first-class-action-lawsuit-filed-110000081.html)

------
JimmyDugan
I see a lot of comments on sequential IDs as the issue. Really, is that the issue?

Not the fact that John Doe can get to John Doe2's stuff without authenticating?
WTF

Sequential or not, if there's no auth I can run a scanner and get it all, so what the
hell does that have to do with the price of tea in China?

------
zeroDivisible
I like how this news was posted on Friday afternoon before the Memorial Day
weekend.

~~~
awad
Taking out the trash, as it were

------
jammygit
Where does one go to learn how to not cause this one day?

~~~
krferriter
OWASP Top 10 list. OWASP's website is kind of a mess in my opinion, but there
are numerous external write-ups about the top vulnerability types.

[https://www.cloudflare.com/learning/security/threats/owasp-top-10/](https://www.cloudflare.com/learning/security/threats/owasp-top-10/)

Also this github repo maintained by OWASP seems pretty exhaustive. The
cheatsheets directory has a lot of different vulnerability classes.

[https://github.com/OWASP/CheatSheetSeries/blob/master/cheats...](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md)

This "Insecure Direct Object Reference" was recently combined into the "Broken
Access Control" category with a few others.

~~~
jammygit
Thanks!

------
JimmyDugan
Lol, everyone fights security and it is way underfunded, so it can only get like 1
out of 100 risks fixed, but it must be security's fault.

------
gesman
"First American has learned of a design defect in an application that made
possible unauthorized access to customer data. At First American, security,
privacy and confidentiality are of the highest priority and we are committed
to protecting our customers’ information..."

Who is coming up with these statements?

If you kept royally screwing something for years that you claimed to be your
"highest priority" - then what can one expect from your normal lines of
business?

------
Nicksil
>At First American, security, privacy and confidentiality are of the highest
priority and we are committed to protecting our customers’ information.

is such a meme.

Things will continue this way until there are serious repercussions for
entities carelessly handling data.

~~~
saagarjha
The next sentence too:

> We are currently evaluating what effect, if any, this had on the security of
> customer information.

It's downright dishonest to even say "if any": they were presented with
concrete examples of leaking customer information; they don't get to wonder
whether it had an effect on their security anymore.

~~~
55555
Yeah, considering that they have sent these URLs to at least tens of thousands
of people, it would be hard to believe that nobody ever inappropriately
accessed a document that didn't belong to them.

------
snovv_crash
At some point people will realise that holding large quantities of sensitive
information is a liability, not an asset. Mindsets are slowly changing in this
direction already.

The chickens will continue to come home to roost until people treat digital
security as seriously as physical security.

~~~
PatrolX
I wonder if we should take mandatory breach reporting a step further too and
require them to list all security vendor products and services that were in
place at the time of the breach.

Should security solution vendors be held to account for failing to live up to
the bold claims they make?

~~~
dsr_
Depends on how they sold it. Did they sell tools, or tools plus configuration
services and consulting?

~~~
PatrolX
It may not be workable, but when big businesses have invested millions in
tools and services I can't help feeling there should be some vendor
accountability.

------
wyxuan
It seems that the stock price (under the ticker FAF) hasn't suffered very
much. This was revealed on 5/19, and the response has been tepid. There isn't
likely going to be very much backlash on the stock, unfortunately.

~~~
raesene9
I don't think there will be, we're well into "breach fatigue" territory now,
and here there's not even currently any evidence of malicious use.

Unless/until this breach results in a large financial hit to the company
(possibly via a class action suit) I doubt it'll have any impact and I'm not
even sure a class action suit could show damages without evidence of misuse.

~~~
PatrolX
Equifax's costs as a result of their breach have exceeded $1 billion now, and
Moody's downgraded them a couple of days ago.

I suspect this is going to hit First American pretty hard.

~~~
CyanLite2
Doubt it. There's no evidence yet that FA's leak was used by malicious
hackers. The breach was discovered by some random other person who typed in a
different parameter to a URL. Very likely that no one else would've known
about it.

Whereas the Equifax situation was intentionally breached by attackers and it
can be assumed that the breach was used to capture information for later sale.

I suspect that First American knew about this earlier this week and
intentionally did a garbage dump on a Friday evening on Memorial Day Weekend.
Maybe trade down a few tenths of a percent on Tuesday and their CISO will
probably get axed. Nothing to see here, move along.

