Bulk Reef Supply Security Breach

MondoBongo said:
this is known as a air gapped network. they're common place on very secure locations, but just like you pointed, humans are always the weak point.

the usb mechanism you mentioned is precisely the attack vector used by stuxnet (possibly the coolest malicious code ever written) to penetrate and sabotage Iranian nuclear accelerators.

the command and control infrastructure alone was impressive. wired has a great write up on it:

http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

i can't find the link right now, but i read an article a while back reporting on a study of these rogue usb sticks. apparently if you drop a usb stick somewhere, there is a really good chance someone is going to pick it up and put it in their computer.

if that usb stick happens to have a company logo on it, the success rate is frighteningly high.
Click to expand...

here is another iteration of the aforementioned attack vector:

http://www.darkreading.com/attacks-breaches/social-engineering-the-usb-way/d/d-id/1128081?

and here is the original article i was referring to:

http://www.bloomberg.com/news/artic...hacking-as-test-shows-nothing-prevents-idiocy

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.
Click to expand...
 
mattsreefadise said:
somebody should upload their letter so we can see what its all about.
Click to expand...

Here is the general letter area, I just cut out my personal info. The rest of the letter is them blabbing on about their free offer and what have you.
 

Attachments

  • Untitled.jpg
    Untitled.jpg
    103.7 KB · Views: 0
MondoBongo said:
this is known as a air gapped network. they're common place on very secure locations, but just like you pointed, humans are always the weak point.



the usb mechanism you mentioned is precisely the attack vector used by stuxnet (possibly the coolest malicious code ever written) to penetrate and sabotage Iranian nuclear accelerators.
Click to expand...


Gah! I meant Iranian. Thanks for putting the right info out.
 
just a question to everyone that had their cc stolen, did you guys save your credit card numbers on their website?

I just lost any confidence to buy from their website right now....
 
I'm sorry to say that this is not just a BRS issue and I'm glad we are talking about information security as a whole because something radical needs to be done and we all need to do our part.

When my insurance company recently notified me that my information was compromised, I cried a little - My insurance company knows almost everything about me and pretty much all my cards have been compromised over the last 3 years.

For those of you saying you won't use BRS anymore think about a couple of things...

Do you shop at any small to medium stores that use X-cart, Magento, OsCommerce or any other off-the-shelf shopping cart software? You are at risk. Because when someone discovers an exploit, they simply run a search and find every store that is using the software. (If you don't know what the hell I'm talking about then my point is made, even the smallest store can present a professional looking site and you don't know who the hell, or what level of security you are dealing with)

Your Tax Person/Accountant - This is THE worst, you probably use an accountant who has a copy of all your personal information in an office on a laptop with a shitty firewall with employees from god knows where., He is also had a hard copy and some tax places aren't open all year so your files are moved at some point by someone....Your entire life is sitting in some dudes office and you see him 1 time a year for an hour, who know what the hell goes on for the rest of the year in that office.

Your Realtor - Same as your accountant, only you probably only dealt with this person once but he has a copy of all your documents....
 
Well the only person you hurt by stopping business with brs is brs. They are already the victim here and now their loyal customers threaten to ditch them because some jerk presumably in a foreign country found an exploit and has been robbing their customers cards.

This is the kind of thing that can kill businesses that have done nothing but try to help the community. Use your cards freely, do NOT let the bad guys win. If you use your card, even a check card that has the credit emblem on it you are going to get reimbursed. It may be a royal pain but like I said in my last post. You better get used to it, it isn't going away. This is the digital age.

The same thing that makes it easy for you to facechat or whatever with your family and friends, browse this website, and overall makes your life WAY easier has downsides. One of them is when you put personal info into it the information is rarely secured and almost never erased. That is just how the internet works. I could sit outside your house, intercept packets from your wifi connected washing, tv, computer, toilet, cell phone, cat box, whatever machine, and have a server hosting highly illegal content in a background process running in 15 minutes. You wouldn't know it until the feds show up. IME having your credit card stolen is much less of a hassle than what some people go through.

The internet is not secure, please stop pretending it is. You will all fair better in the long run.

Oh and I recommend myfico.com (or any of the active credit monitoring companys), lowering the non authorized spending caps on all cards, and a sole credit card you use for every expense that is not a repetitive bill. That way if it is that card that is compromised you don't have to update anyone, there is relatively no hassle.

They sell little slip in devices that go into atms and gas pumps. These skim off hundreds of cards each day where installed. It is really common and easy to get away with.

I don't want to be all doom and gloom and going against the grain. I understand you folks who were compromised are upset, I was compromised as well. Many times this past year. Even blue cross blue shield, so if they can't stop it...

I just don't want this to impact one of our good sources more than it has to. I hope I don't come off as an :deadhorse1:.
 
BRS was the victim of a crime, not the perpetrator.

To take it further, what a stand up company to send a notice. Home Depot, target, and many others never sent letters during their massive breaches. Granted, the instance was more common knowledge, but it still shows BRSs continued commitment to their customers.
 
Breadman03 said:
Gah! I meant Iranian. Thanks for putting the right info out.
Click to expand...

i figured it probably happened to North Korea as well, stuxnet was pretty prolific in the industrial controllers for those types of things.

the scary part, is that stuxnet is like the harmless kid brother to other software developed by Equation Group. Kaspersky just released some incredible analysis of their product family. most likely an NSA/Israeli backed hacker group.

what they've accomplished is nothing short of amazing:

http://arstechnica.com/security/201...-nsa-hid-for-14-years-and-were-found-at-last/

http://arstechnica.com/security/201...ecipher-elusive-equation-group-crypto-hashes/

this kind of stuff is absolutely terrifying, buy at the same time i'm left in awe of the sheer genius of its implementation.
 
The card I have used on BRS in the past was compromised a few weeks ago. Thankfully, the CC company alerted me to the odd charges and we closed it right away. I will definitely start using the Paypal method on smaller sites in the future.
 
christopherjudd said:
just a question to everyone that had their cc stolen, did you guys save your credit card numbers on their website?

I just lost any confidence to buy from their website right now....
Click to expand...

I had 4 cards saved on their website. I used all 4 cards during the window they stated was open. However, only the card that I used in Jan. (and it's replacement that I used just recently) were used by criminals.

I have double checked the statements of the other 2 cards through the entire period and neither of them have any suspicious activity, and I've not been contacted by either card issuer either regarding any suspicious activity.

This follows along with what others have put forward that stored CCs are not necessarily at risk; it was the transactions themselves that were compromised and information was stolen from that.

FWIW, I'm placing an order today for more consumables and will be buying new Vortechs from BRS as they come in stock.
 
So because I personally have never established any credit, Experian was unable to enroll me for ProtectMyID when I tried. I've never had a need for credit cards, I prefer spending cash since it's easier to control.

Anyways, point is, if you're young like me and don't have any credit established, you're going to have to work with these people to get enrolled. I can tell it's going to be a pain in the butt too.. I may have nothing to worry about since I imagine they want people with high credit, but I'd rather be safe so hopefully we can figure it out.
 
Definitely disappointed this happened, but BRS seems to be handling it as well as can be expected. When I emailed them to find out precisely what data of mine was compromised, instead of an email response, I received a phone call within 12 hours. Again, it sucks that it happened, but BRS seems to be doing what they can to assist affected parties.
 
Well this explains the charges I had a few months ago on the card I used at BRS. The card was cancelled and a new one issued but I was trying to figure out where the breech came from, now I know. To answer a question above, no, I didn't have my card saved. This won't prevent me from shopping with them in the future, it happens, the charges were reversed and all is well. I've had to get new cards after the Target breech and the Home Depot one.
 
I got one too in the mail l, but its good that they are on top of it.
And I never place on line orders, I call them to place the order
 
I also received the letter and had fraudulent charges on my card back in January which were reversed by the issuer. My thoughts are that Home Depot and target had similar issues however they didn't offer any kind of fraud protection as BRS has done here. Hell Target didn't even send a letter of notice.

I have been banking, filing taxes and pretty much do all my shopping online for over a decade. So much of my information is out there that stopping now is kind of a moot point. I will say that it's better to use a credit card than a debit card online. If a cc is stolen most issuers have some sort of fraud protect but if a debit card is stolen they can wipe out the account before anybody knows and it can take a while to get that money back. Also, some cc companies will provide a cc number to use for online purchases that is only valid for a few days and has a max dollar amount associated with it. This would be a good option for those concerned.
 
broncofish said:
i got hit as well. The thing i do not understand is why they were aware of the issue weeks ago (jan 30th) and are just now getting those letters out. Sure would have been nice to cancel the card before fraudulent activity. I also dont see how their attempt at an apology is a credit monitoring service. Thats included with any reputable cc company anyways. How about a "sorry this happened, we would like you to take a chance with our business again, here's a coupon". But that would be too reasonable.
Click to expand...
+1
 
You must log in or register to reply here.

Similar threads

Mr. Brooks
FS: Activated Carbon - ROX 0.8 from Bulk Reef Supply - Roughly two gallons $60
Replies
6
Views
725
waterman78
W
B
Apex Pro Failure - Lack of Support from Apex
Replies
4
Views
374
griss
griss
C
Biota Group Captive Bred Mandarin Dragonet - 4 Month Update
Replies
5
Views
757
OTTOMATIC
O
o2manyfish
o2manyfish - Status Update on 750g tank upgrade.
Replies
3
Views
762
acesq
acesq
W
White Mountain Floating Reef
Replies
17
Views
1K
Trevor40
Trevor40
Back
Top