Hacker News new | past | comments | ask | show | jobs | submit login
No, I did not hack your MS Exchange server (krebsonsecurity.com)
178 points by todsacerdoti 4 months ago | hide | past | favorite | 71 comments

> What was the subdomain I X’d out of his message? Just my Social Security number. I’d been doxed via DNS.

That would freak me the fuck out wow.

Pretty sure every American's SSN has been public since 2017 anyways. Thanks Equifax!

I thought for quite awhile that the whole list should be made public on a pre-announced date to "scorch the earth". On that date, liability for any fraud committed using the data would be placed on the party improperly using SSNs for authentication tokens.

The Equifax breach did the publishing part, but nothing changed with liability. A golden opportunity missed to fix this particular bullshit.

100% agree with this. Our SSNs are fully “compromised” many times over at this point. Scare quotes because—as far as I know—they weren’t originally regarded as a secret to begin with.

But the fiction of a secret SSN still persists. You're told to protect it; sensitive financial documents ask for it as part of proving you’re you; forgotten password pages use the last 4 digits as some sort of 2nd factor.

The best thing that could happen is if the names and corresponding numbers were published far and wide. So obviously public that nobody could keep this fiction up.

Banks and other high-stakes firms need to figure out how they want to identify their clients. It’s not an easy problem to solve, I get that. But that doesn’t mean we should be happy with them taking the easy way out.

I was required to write my SSN on all my checks and had to use it to get food in the chow hall whilst in the military. It was a very public number.

Ha, you just reminded me of my student ID number in college. Also used to purchase snacks and meals at the commons. In the strangest of coincidences, it was my SSN.

It always amazes me that in the US there is such a weak identification system, relying on a single number.

Then it is apparently to the owner of said number to worry if it leaked.

The problem is that it's a username that is used as a password. In Europe you'd use some kind of tax identification number plus a physical copy of an ID card or driving license.

My identification number is algorithmically derived from place and date of birth, first and last name and gender. Anybody who knows my address and has heard someone greeting me happy birthday can guess mine with two-three trials corresponding to the closest hospitals. But that doesn't worry me, because I don't fear identity theft, it just doesn't exist in Italy.

Instead, as a result of America's allergy to ID, they are essentially the only country where identity theft is a thing.

I live in Denmark so also Europe. Our social security number (which can be guessed with enough information and a few tries) has been incorrectly used as a password instead of a key just like you describe. You make a call, provide this number and the clerk on the phone believes that you are who you claim to be.

Nowadays things are better because computers are used everywhere We have a national ID system using 2FA which is pretty safe. Unfortunately, identify theft is still a thing.

Recently someone installed keyloggers on public computers. The second factor in the 2FA is a cardboard card with a list of one time password codes. You use a code on each sign in.

The criminals were able to determine when there were only a few codes left on the card. You then get a new cardboard card sent to your home address. They would stalk their victim's mail box and steal the new card as soon as it arrived.

With user name (your social security number) and password from the key logger together with the 2FA codes they were able to perform identity theft.

It's not easy to guard against attacks like this.

While all that is accurate, it should be noted that they have already mitigated some of the problems mentioned above (no more displaying number of keys left), but also that the entire system is being replaced this year with one that does not rely on a physical cardboard key card, but can use something like a Yubikey instead.

You can also change your username to something other than your CPR-number. Indeed, the problem lies more with other services that has used it as a password rather than 'username'. But those are rarer to come by these days.

Ditto in Finland. Just like in Denmark, the social security number is being used for authentication by some actors, even though it's inherently insecure to do so. The Swedish way of handling those numbers seems more reasonable; they're just used as unique identifiers and you still need to show some other kind of ID.

When I lived in Denmark, airlines occasionally did identity spot checks on domestic flights. I was always horrified to notice that everyone just pulled up (picture-less) social security cards and used them as identification.

Absolutely, but it's more effort than knowing an SSN and being immediately able to get a loan in the name of that person. That would be ridiculous in Europe.

That’s pretty ridiculous in the US as well. An SSN is never enough. Usually they will need some copy of a state ID and proof of access to a mailing address on your credit history.

I didn't say that, the US government does:

> Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and don’t pay the bills, it damages your credit. You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought.


That’s not how it works though in the vast majority of US financial institutions though. They won’t just send a credit card to a random address.

That document is written to scare people into protecting their SSN. It’s discussing what is now an edge case that may have been easier 20 years ago.

> identity theft [...] just doesn’t exist in Italy

Big lol. The country used to be famous for frauds and scams! Of course identity fraud exists, but precisely because everyone expects it, the majority of systems errs on the side of caution and requires validation from multiple sources. The result is that fraud processes become so much harder to pull off that fewer and fewer bad guys attempt it, but on the other hand every validation step becomes a bureaucratic nightmare (“did you include certificate X from office A, Y from office B, and Z from office C, as well as your ID card, health card, tax card, and recent pictures? No? Sorry, no cookie for you.”)

This is also why the country has a pretty secure and advanced way to carry out official acts electronically (PEC) - because otherwise fraud would be even more rampant.

I do agree that the “anglo” hate for ID documents (“such Napoleonic constructs, so barbaric!”) leaves the door open to scammers, but it’s not like they don’t exist in Italy too.

I see, the good old racist card. But no, you're wrong. I have opened bank accounts in three EU countries and the procedure was the same everywhere. No ID, no bank account.

I still have to see a headline like "identity theft ruined my life" in any other language than English. Every single time "furto di identità" makes the news in Italy, it's just about someone impersonating a famous person on social media to scam the followers, which is a completely different thing than in the US.

So yeah of course scams and credit card skimmers exist in Italy (though the US's disdain for chip and PIN would be another interesting topic). Dishonest telemarketers convince gullible people to switch into more expensive utilities contracts. But identity theft in the US is not in any way comparable to "scamming".

And yeah, PEC ("registered email") is pretty cool. :)

I don't speak Italian so I can't really say anything about that, but searching "identity fraud" in Dutch turns up plenty of results: https://www.google.nl/search?q=identiteitsfraude&hl=nl

Here's a "identity theft ruined my life" story: https://www.ad.nl/tech/hanna-krijgt-door-identiteitsfraude-i...

The problem might be worse in the US and UK, but it's not like it doesn't exist at all in the EU.

I have to wonder if part of the difference is down to how we deal with creditors in the US and the financial welfare of the population. We have a huge population living paycheck to paycheck with almost no cushion for crisis and we have a system where creditors can take the money from your bank account or directly from you wages.

If the money acquired by a creditor was what was needed to pay your rent you could be looking at eviction in short order. The law in my state until 2020 required only a 3 day delay to begin eviction for non payment. It used to be possible to be due on May 1st. Receive an eviction notice on May 4th and be homeless by mid month. I think it now takes a whole month for your life to disintegrate.

Being homeless doesn't bode extremely well for you continued employment as a handful of missed days can terminate your employment.

Being jobless doesn't bode well for your health insurance which there is no way you can afford to maintain past employment.

Being without insurance, job, money doesn't bode well for being able to afford medical care hopefully you aren't receiving continuing care for a major medical situation because you might be dead.

I have to hope western Europe isn't remotely like that.

Identity theft if very common in Italy for pension fraud, people don’t report deaths of their elderly parents and assume their identities to cash in pensions.

It's not really the same—a caregiver keeping on doing bureaucracy tasks after a person's death, vs. an unknown person using a living person's identity to get loans or credit cards.

It’s not just direct carers and it’s still an identity theft, what identity theft can be used for ranges between different countries based on financial incentives in some countries getting a loan or credit is far more easier than others in others state pensions and benefits are higher.

In the US stealing the identity of a 30 year old with decent credit can allow you to rack up a decent bill in their name. In Italy the state pension is universal and is about €14,000 a year and whilst in the US technically you can get far more in social security payments the people who are susceptible to identity theft in that group tend to not be the ones who maxed out their contributions over the past 30-40 years.

No, it's identity fraud which is a superset of identity theft.

All identity theft is fraud... you are grasping at straws here.

Right, all identity theft is fraud, but not all identity fraud is theft.

I can't answer below, so I will leave this here: https://web.archive.org/web/20090627220408/http://www.busine...

If a person dies the identity arguably belongs to their estate, if they don't declare death and use it to make money illegally it's not stolen.

You assume someone’s identity that’s identity theft...

> the good old racist card

Mate, I’m Italian ;) I might be self-hating at best.

When I visit Italy I’m often impressed by the physical lock & key systems in use even in pretty humble domiciles. Those keys look incredibly complex compared to anything I normally see in the US short of, say, a Mult-T-Lock.

It’s necessary. I grew up on the outskirts of a pretty wealthy, pretty law-abiding Italian city, and still: the flats on the first floor were burgled twice in a few years, my family’s own flat was squatted before it was even finished, and bikes or motorbikes were routinely stolen. My dad just told me this week that the closet where his amateur football club keeps training material was burgled: the idiots literally cut through the wall to remove the hardened door, just to get to a few footballs and plastic cones. This was the fifth attempt in two years, and they finally succeeded - thanks to the lockdown there was nobody around, my dad found out just because they littered some of the training bags nearby. Security remains a big problem.

'No Way To Prevent This,' Says Only Nation Where This Regularly Happens.

5 out of the 9 numbers for an American social security number is also derived from location and date of birth.

This was finally done away with in 2011. I only found out because I was surprised that our second child's SSN (issued in 2012) had a different prefix than that of our first child (2009).

When your identity gets stolen enough times, the IRS assigns you an identity protection PIN and mails you a new one every year. Too bad it's only useful for your taxes.

Just the fact that there is a process for that, and you have people whose "identity gets stolen enough times", is worth an Onion headline...

The thieves filed a fake tax return in my name so they could steal the refund. The IRS takes that stuff pretty seriously, fortunately.

US Social Security cards used to say "NOT FOR IDENTIFICATION" but I guess it's just too hard to pass up a good primary key.

When I was first enrolled at University of Illinois of Chicago in 1985, your SSN was your student ID. You could log in to the mainframe using your SSN in the username field (although thankfully, the actual user ID was a sequentially assigned five-digit number and not the SSN. I was U10754). I think around 1986 or 1987, universities were instructed to stop using SSNs as student ID numbers.

In the early 90s I had a professor who passed around a sheet of paper for us the first day of class to write down our names and our SSN.

I had to point out to him after class that was a rather boneheaded idea (I'm sure I was a bit more polite than that).

Lol. My SUNY school addressed this by suppressing the first three numbers.

Considering that about 30% of the student body seemed to be from Islip, it was pretty trivial to guess the first three.

The State (Commonwealth!) of Massachusetts used your SSN for your Driver License number, as recently as the mid-1990s.

Every time you had to show ID anywhere, you were giving your SSN away.

When looking up the details of the incarceration of a POS we had locked up in the state of Washington we discovered his electronically available prior warrants show his entire SSN NOW.

> I think around 1986 or 1987, universities were instructed to stop using SSNs as student ID numbers.

And around 2005 they actually mostly stopped.

My university (back in the early 2000s) used your initials and last 4 of SSN as your student ID number. I think they finally stopped a year or two after I graduated.

Hum... When normal people say "identification" the almost always mean what we understand by "authentication"¹. They main intended use of a social security number is as a key, that's the intended use 99.(some more 9s)% of the times a government gives a number to somebody.

1 - And when they say "authentication", they almost always mean what we understand by "non-repudiation".

The story of how this happened is quite interesting. CGP Grey did a video about how it evolved [0]. I'm not American so I can't judge how likely it is to ever change because it seems to be politically radioactive to propose a government mandated ID.

We had a similar issue in Australia, but our workaround is that your drivers license (or ID card from the equivalent of the DMV) typically acts as your ID.

[0] https://www.youtube.com/watch?v=Erp8IAUouus

We have in France ID Cards that are not compulsory. It is just such a hassle to use something else that everyone has one.

Alternatively, for minor things, you can make a declaration on your honor. This is super useful in, say, a library where you need to enroll.

My first driver's license number was my SSN

> It always amazes me that in the US there is such a weak identification system, relying on a single number.

Offer Govs/LEO/Biz an alternative that will allow them stronger & less visible influence over the public and it will be adopted yesterday.

And possession of the original paper SSN card is sometimes required as a form of identity. Not the hardest thing to print.

Basically the same in Denmark, I believe many other European nations have a similar situation.

Iirc some ppl used it to extract his credit report from experian - we need better govt identification than just a few numbers

I'm surprised that governments aren't using some kind of 2FA tokens for peoples' identities, while credit cards are.

I don't know about most of Europe, but in Norway, we use a 2FA system called BankID. You authenticate with either with your phone using a custom SIM app, or an app, or a OTP device. This system is used for everything from banking, to checking taxes, medical records, or signing documents.

Seeing that Krebs doxed other people too, now he knows how that feels.

Yeah that’s pretty brutal.

Probably not the worst thing he saw, not too familiar with him but i thing he get attacked a lot

Yeah the bottom of the article has a list of times his likeness has been used in an attack. Yikes, the downsides of being a public figure.

On the one hand, I feel very sorry for Mr Krebs and his family, yet on the other I'm grateful for his tenacity in sticking with it despite all the brick bats the bad guys throw at him.

from the comments:

> Well, at least they’ve stopped SWATTING you, thank God.

thoughts specific to SSN:

Seems like the SSA will will run out of 9-digit usable numbers in about 1 generation (~70 years).

Then what ?

Is this software's next Y2K ?


There would need to be a billion people in the US for us to run out of SSNs. I find it highly unlikely that our population will triple in 70 years. The Census Bureau finds it unlikely, too, considering they expect us to add only 76m by 2060. They could also decide to re-use the SSNs of those who have been dead for decades.

> They could also decide to re-use the SSNs of those who have been dead for decades.

That will definitely NOT cause a new bunch of issues!

Recycle old ones? Add a few digits? They can give 10 years notice, then a bunch of corps will kick off huge projects for consultants.

A generation is generally defined as 20 years. So you mean 3.5 generations i guess?

I think our company also got affected by this, and we are a very small one

That's exactly what someone who did hack my server would say.

It's also what someone innocent would say

No its not. Why on earth would someone hack you, tell you their name and then deny it later. Why not either own it or never share it?

We're not talking about the "tell you their name" part, we're talking about the denial specifically.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact