linuxmemes @lemmy.world lemmesay @discuss.tchncs.de 9 mo. ago

classic opsec mistake

cross-posted from: https://discuss.tchncs.de/post/10692187

so, the company was Vastaamo. was because it got bankrupt after the breach, and GDPR violations.

the "hacker"(or rather cracker) was extradited from France to Finland.
you can read about how terrible the company's security was here: https://tietosuoja.fi/en/-/administrative-fine-imposed-on-psychotherapy-centre-vastaamo-for-data-protection-violations

or watch mental outlaw's video on the matter, or the Wikipedia article on the breach.

now there are several things that shouldn't have happened (e.g.: don't do these things on your main OS, have root access disabled, etc.), but I'll leave that to you experts.

Cybersecurity - Memes @lemmy.world lemmesay @discuss.tchncs.de 9 mo. ago

48 comments

Once again proves its not our technology thats weak, its our own brains
- would be great if i wasnt forced to share data with morons with that shitty fucking brain
No. This is fake, it's gotta be. Not even the "I use Kali by the way" script kiddies are that stupid.
- you're underestimating people's capability to make such mistakes. remember silk road? the guy used the same username in two places, and gave his email id(which had his full name) in one of them.
  
  Really who the fuck creates an email for that kinda thing with full names !
- Not saying its actually what happened but I would ask how he knew about the data.
  
  Statistically, it should have been a random port scan that got in but since he‘s from the same country, he‘s either professionally or privately connected I assume. He either worked there in IT function, visited as a patient, dated an employee, etc.
  
  So in other words, he‘s not a master hacker but probably stumbled across this. I had this with a webspace provider once were I could see all other customers folders when I used ssh instead of the web interface. I couldnt access them but I got a wiff of how stuff like this happens. 99.9% of their customers are inept at IT stuff so a mistake in ssh would never come up since customers wouldn’t use it and in that one case, they overlook it.
  
  So, this might have been his first hack ever and it probably took a long time til he even understood what he had in his hands. Thats why I dont do stuff like this, I‘m prone to such mistakes as well. Most elaborate scheme imaginable and cc it by mistake to someone I know.
  
  I just was reading Wikipedia and it said he was arrested previously for hacking.
  
  In 2015, when he was still a teenager, a Finnish court found Kivimäki guilty of more than 50,000 aggravated computer break-ins. Among other targets, he attacked large educational institutions in the US, hijacking emails, stealing credit card details and blocking site traffic.
  
  Kivimäki received a two year suspended sentence for those charges.
  
  https://yle.fi/a/3-12669196
  
  You're probably right he had some connection and stumbled onto the data, but this wasn't his first rodeo.
- Oh you wish. It was huge news, a shit ton of people.got their information and social security numbers leaked in plain text
- The main reason I've never done anything illegal online (not counting piracy) is that I'm confident I've been that stupid many times and will be if I do.
While in the U.S., your mental health data are just on the market, waiting to be brought.

https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke

In the good case, there will be a class action law suit, and every victim will get approximately 2 dollars back for all their health data sold; but only after giving more sensitive information to the company that distributes these two dollars.

https://www.morrisbart.com/faqs/how-is-money-divided-in-a-class-action-lawsuit/

What a fun time to be alive.
- What the fuck, I had no idea about betterhelp being so scummy.
  
  I firmly believe any service that advertises that much on YouTube and podcasts is evil.
  
  I'm waiting to hear about Hello Fresh's child trafficking ring or whatever they're up to.
Not exactly an indictment on the hacker as much as it is one on these predatory online psych dealerships.

Once again we're seeing deregulations leading to McSolutions that A) are of lower quality, and B) more expensive than what we had.
- Yeah, it felt like the clown man was the company in the first two panels, then it shifts to hacker, then the final few are just confusing. Poor clown man, so many internal conflicts.
Who has an email associated with their crypto wallet??

Unless... Oh... He transferred to a centralized service first then mixed it up and then transferred to the same service...
- Yeah I don't understand what email has to do with crypto wallets at all.
Sad that the company was able to declare bankruptcy, rather than the directors being held criminally liable.
- CEO got a 3-month suspended sentence
  
  Not even remotely enough
  
  That's a start, but on its own pretty meaningless. A suspended sentence means he does not go to prison, so long as he behaves himself for a year or however long.
  
  The article doesn't go into it, but I hope he was also fined heavily. All we have is "the court determined it could not be resolve through fines, a prison sentence is warranted".
  
  See? CEOs get criminal liabilities! Capitalism works!
  
  (/s alas)
A good criminal is a dumb one
- Whu? No, that's not right.
  
  It's good for us because they get caught is what they mean.
where linux
- You don't accidentally tar your ~ on wondows, I guess
I'm always worried when making .tars that I'm doing something wrong when the file also has a . file inside. I know this is probably nothing but it makes me think of something like this.
- . and .. are how terminals navigate around file systems.
  
  The command cd . means "change directory (cd) to here (.)"
  
  cd .. means "change directory to here, but one level up: my parent directory."
  
  So following that model, winrar and maybe older versions of 7zip used folders called '.' as navigational tools within the archive browser. If you double-clicked through them, you'd see where they go.
  
  I don't know how much of this you knew, but the point is it shouldn't freak you out too see them.
Here is an alternative Piped link(s):

mental outlaw's video

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.
On one hand what the fuck just happeend, on the other hand it's Finland, in Finland massmurderer will complain about lack of PS5 in prison and.

Edit: nevermind, it was PS3
- Dude, did you even read the (very short, obviously biased and sometimes factually incorrect) article you linked? Breivik is in Norway, not in Finland.
  
  Also, why the fuck should they not have access to ps3, books and such. Prison is about taking away one's freedom, not about putting people in psychological or physical distress. In Norway we want convicts to be in a better state when they come out than when they got incarcerated (though Breivik will most likely never come out). Who wants to live next to a person who have been 20 years in solitary, I mean come on.
  
  Edit: also Norway, not Finland I guess

You've viewed 48 comments.