Popular articles

18 / 01 / 2016

Chris Vickery about Data Security

We are here with Chris Vickery, a security researcher who explores the dark regions of the Internet to find vulnerabilities and faults. Chris Vickery had previously reported a misconfigured database containing the personal information of over 191 million voters. Vickery also found the unprotected data and customer records of Hello Kitty, MLB, ATP and Slipknot official online communities.

Tell us a little bit about some of your most recent findings.

  • Well, the most recent big one was finding the voter registration records of 191 million registered US voters. A lot of people say, “Oh, that’s public record,” but it’s not so black-and-white or clear as that. A lot of states restrict what you can give out and who you can give it to and they say you can make it available to everyone outside the United States. And this database was totally available to anybody, instantly, all around the world, so there is a line that was crossed there.

So, what one could somebody do with that data?

  • I think the easiest way to explain what you could do - because there’s name, phone number, and date of birth, along with address and other voter demographic data - is that you could take the date of birth and you could focus on people that are, say, over 60 or over 70. And you can use the common scams that are used against old people, because you’ve already got all their phone numbers, you’ve already got the targeted list. You don’t have to hit false positives and all that technologies that are used against the young people. No, if you are targeting old people, you go straight to them. And if you can bind it with something like let’s say the Ashley Madison database breach, you have all sorts of metrics to target people. Because email address is part of that. Not everybody has the email address, but some people do on the registration. So you can tie somebody’s name, address, phone number, date of birth to the Ashley Madison database, and all of a sudden you’ve got cross-references to do all sorts of extortions.

Were you contacted by FBI, CIA, or Homeland Security?

  • That’s actually one thing I cannot discuss at all. I am working with at least one federal agency in regards to that, but I can’t say what is the organization or its name or anything like that.

And with some of the other discoveries... Give us an example. Slipknot is there, Hello Kitty is there. When you found this information, you didn't know what company’s database it was until you researched it, right?

  • Not immediately, it’s not always apparent whose data it is. You do a little bit of legwork, you look at what the data is, you look at the IP address, if it’s hosted in the Amazon cloud instance it’s not so obvious, because there’s no straight and narrow DNS records. But sometimes it’s hosted on an email server. I think iFit was an example, they were hosting it on an email server or something like that, so it was an automatic DNS lookup that told me who it was. Sometimes you have to look at the data itself, look at the contact information and kind of call them and ask them if the IP belongs to them, and a lot of times they’ll confirm that it’s theirs.

How did you get started doing this? Tell us about you IT background, what got you into that and how you started looking for vulnerabilities in databases.

  • Well, I’ve always had a knack for computers and technology. It’s all my life. For the last 5 years I worked in IT tech support in a law firm, and really the earliest data breach research was a little bit before September of 2015. I came across an open Amazon bucket for the company named Systema Software. They do house private insurance and medical diagnoses and all sorts of call records and everything for various state and government agencies. It was just pure luck that I came across that. I was just looking in random Amazon S3 buckets not looking for anything in particular, and I came across that one and realized that it was something important. It made a big news splash and ever since then I’ve just kept and eye on.

Well, that’s really sensitive data because of medical privacy laws, so how did you deal with that? With the second you realized what you had, what did you do with that?

  • I figured out the affected entities, the state of Kansas was one of them. They had their entire workers database up there, social security numbers and everything. I contacted the state of Kansas and verified that it was their data. After a while, I was contacting other agencies, I got in contact with the Texas Attorney General’s office, because there were Texas people in some of the databases, so I figured out that local law enforcement was involved.

That’s really crazy to think about how many databases are vulnerable. How many today have you found?

  • I’ve probably come across about 80 open, not necessarily vulnerable, but just unauthenticated, totally available, being published in entire world databases that should not be published in that way.

Now, if you were going to give advice to, let’s say, an IT guy who is responsible for that database, what advice would you give them to troubleshoot or discover the type of vulnerabilities that you find?

  • The easiest way to explain that is assign a little bit of overtime to somebody in your IT department who knows your IP addresses, who knows what servers you host your important stuff on. Get them to go home and try to access it from their home PC. That’s really simple, really easy, and that will find almost 100% of the vulnerabilities that I find. And just if you can reach it from your home, anybody in the world can reach it. If these companies would do that, they’d catch it. There’s nothing complex or advanced.

So, we all know that was MacKeeper, you’ve discovered. Tell me the process when you discovered the MacKeeper accounts and walk me through the timeline, including up to now.

  • Well, I don’t remember the exact date it was. I came across using Shodan, a search engine that searches for devices and things that Google doesn’t search for. I came across an interesting-looking database that had the word “ZeoBIT” in it. I had never heard about ZeoBIT before, so I looked into it and realized this was account information belonging to somebody, and I saw all sorts of references to MacKeeper, so I googled what MacKeeper was, and Kromtech and MacKeeper showed up. I found a phone number on the MacKeeper website and tried calling it. Unfortunately, I don’t know what the exact situation was, but I wasn't able to get to a real person. So, I reached out the Apple subforum on Reddit, and said: “Hey, I've downloaded the information of X million people, can somebody help me get a hold of these Kromtech or MacKeeper people so we can get this secured. And I let everybody know that I was not gonna be leaking it or spreading it around. A little bit later MacKeeper contacted me and asked what was the IP address, what was the port number and they were very nice about it, and I provided it to them and found a couple more IP’s that were also exposed, they got them locked down pretty fast. Then they asked me if I wanted to start consulting with them security-wise. After a few days later I got a call from you, and I said, “That’s something I’m very interested in exploring.” You know, it’s not something I’ve done really professionally before, but I do have a knack for it, so why not? And then I got an email a few days after that, inviting me to CES to meet up with the MacKeeper people. And it’s been fantastic! The response was good, they were very nice to me, they didn’t call me a hacker or anything, so that was very, very refreshing. And as far as I know they’ve upgraded the password algorithms that they are using to store user passwords now, so they’re not easily crackable, and they’re taking many corrective steps to make sure that it won’t happen again.

What do you think about CES? You know, coming from your tech background. It’s your first year here, first time in Vegas. What do you think, seeing this much technology, seeing these many new innovations, there’s a lot of security stuff here as well... What is your general impression?

  • It’s pretty crazy. The amount of people here, and companies showcasing... it’s overwhelming, with so many people here and so many signs and glowing letters everywhere. I mean, it’s not overwhelming necessarily, but it is impressive.

MacKeeper in official partnership with Chris Vickery created MacKeeper Security Research Center that carries out regular security audits of the software and establishes security best practices to ensure the safety of users.

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher: Chris Vickery. 

Do you have security tips or suggestions? Contact: cvickery@kromtech.com