Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Message added by vanished

This is the thread on this news story.  If you see other threads popping up about it, please report them and ask for them to be merged in here.  Don't bother commenting on them.

Edit: This has grown a bit, so I am going to modify the post to add more info from the article to make it easier to parse:

 

This is an important thing for anyone who interacts with e-commerce retailers. As the web evolves sites open and close, some big, some small. When the big ones fall, what happens to your data?

 

In one very big and public case the worst thing that could happen, happened.

If you've ever bought anything on NCIX before it went defunct, worth a read.

Especially important considering Linus's history with NCIX - perhaps some of his own data is breached as part of this brokering.

 

Quote

Millions of Canadian and American consumers are now at risk thanks to a series of shady backroom deals that have resulted in records detailing 15 years of business being sold.

 

https://www.privacyfly.com/articles/ncix_breach/

 

--- 

Sort of a TL;DR:


On August 1, 2018, A Craigslist ad was discovered purporting to be selling two servers, one a Database Server from the now-defunct NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver based Able Auction’s. After some back and forth, a meeting was arranged where the data could be viewed. 

The server contained some XML documents with usernames and passwords and database references but no data. When inquired the person selling stated the had the network storage as well as NCIX’s entire server farm from the east coast which was shipped back to their Richmond warehouse several months previous. Which was only the beginning... 

As the story developed, the source of quite a bit of the information came to light: 

 

Quote

NCIX had been renting a portion of a warehouse in Richmond where all the hardware is currently located. He explained that the owner of the hardware is currently NCIX’s previous landlord, as NCIX had abandoned the hardware when they failed to pay a past due rent total of $150,000. Jeff stated that he was a former systems administrator for a Richmond based telecommunications company and was helping NCIX’s landlord recover the money he was owed in exchange for being able to copy the source code, and database to aid his development team on a project.

 

further ~300 desktop computers from NCIX’s corporate offices and retails stores, 8 DELL PowerEdge servers, as well as at least two Supermicro server’s running StarWind iSCSI Software as backup servers. There were also 109 Hard Disks pulled from auctioned servers. 

 

Also, and this is something VERY important for those who have ever had computer repairs done at NCIX: A large pallet of 400-500 used hard drives from various manufacturers.

Quote

Jeff believed these contained a combination of functional but decommissioned hard drives used by NCIX and customer data from machine’s that had been in for repair at the time of bankruptcy.

Let that bit sink in. CUSTOMER's PERSONAL data. 

 

In another face-to-face meeting, more data was reviewed on some of the SuperMicro servers, as well as the Desktop machines used by NCIX staff. 

 

On the desktop and discovered that it was used by a former NCIX employee named Chadwick Ma. The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers ID’s, Bills, and Mr. Ma’s T4 among other files. It was safe to assume the other desktops probably contained even more information about other employees. 

 

On the SuperMicro backup server:

Quote

The first image I explored contained multiple folders of invoices from their retail stores, while the second contained of images of devices. I mounted one image belonging to Steve Wu the founder of NCIX. Inside I found data going back 13 years, financial documents, employment letters containing SIN numbers, and data from Mr. Wu’s home computer which featured personal documents and images of his family mixed in with numerous private photos of high end escorts from mainland china. I then moved forward with examining some of the SQL databases titled nciwww.MDF, payroll_Data.MDF, OrdersSql.MDF, posreports.MDF, among other names and this where things got increasingly worrisome.

6

A rundown of the types of information contained in the UNENCRYPTED storage and databases: 

  • nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data
  • Customer service inquiries including messages and contact information
  • three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords.
  • full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.
  • OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data.
  • Financing programs
  • Employee records
  • Vendor pricing
  • Confidential company emails 
  • Source Code
  • intellectual property from NCIX’s ventures into manufacturing
  • Other confidential data

The final important bit about what was really happening to the data and that it was really and truely up for sale to the highest bidder:

Quote

The examination portion of the meeting began to wind-down as time flew by and Jeff jumped into brokering a deal over a cup of tea. The first offer was thirty-five thousand dollars which would allow me to purchase all the desktop’s and server hardware, excluding one group of hard drives that I had analyzed which he would allow me to copy. This struck me as strange and I inquired as to why I couldn’t purchase those drives. He explained that those drives and the data on them had already sold for around fifteen thousand dollars to a foreign buyer who was arriving in Vancouver to acquire them in December. “December” I quipped in questioning tone which, prompted Jeff to explain that even though the buyer was picking up the physical drives in December. Jeff had already copied the data from those drives to a network storage device and allowed the buyers remote access. The data on those drives contained thirteen terabytes of SQL databases and various VHD and Xen server backup files.

Please, let's not underestimate the impact here. Not only does this effect if you've purchased hardware from NCIX at any point in the last 15 years. This impacts

  • if you have ever worked for NCIX as an employee or contractor.
  • If you've ever had a vendor agreement with them,
  • if you've ever communicated with them in any way,
  • if you've received service from them in the form of repairs, especially up to the point where they declared bankruptcy.

Your confidential and personal information is blown to the wind. Depending on your relationship to them the damage goes from inconvenient to outright life changing.

 

Edited by Remog
more detail added information to help readers.
Link to post
Share on other sites
1 minute ago, Rune said:

Huh, so maybe those boxes containing records in @LinusTech ncix video were actually up for auction....

Seems like EVERYTHING was, most of what was part of this breach seems to be data that was on hardware liquidated from their East coast data centre due to non-payment of rent, as well as desktop equipment and servers from all over NCIX's properties. 

 

It would not surprise me if there is even more stuff that was not part of this specific breach but was thrown to the wind, regardless. 

Link to post
Share on other sites

This is in many ways the single worst thing that could have possibly happened in a data breach scenario... employee INCOME TAX records are now out there - income, SSN's, home addresses... Not to mention customer transaction and CC data... This could ruin lives. 

Link to post
Share on other sites
11 minutes ago, Remog said:

This is in many ways the single worst thing that could have possibly happened in a data breach scenario... employee INCOME TAX records are now out there - income, SSN's, home addresses... Not to mention customer transaction and CC data... This could ruin lives. 

Yea, and why they would store this all unencryped is beyond me. They were also storing unsalted MD5 passwords and even some plaintext passwords! Did they just decide to throw this mess of a system together themselves one weekend and decide it was good to go?

Link to post
Share on other sites

Common issue when computer get sold/liquidation. A bigger issues are scanner/printer with hard drives.

Link to post
Share on other sites

I read through the whole article and it is actually really bad, like really really bad. All the addresses, credit cards, phone numbers, names, secret NCIX documents etc

Im very happy i haven't bought from NCIX.

 

But @Remog maybe try to add some more info to your posts, so those who can't be bothered to read the whole article can still understand the severity of the situation.

Link to post
Share on other sites

https://www.privacyfly.com/articles/ncix_breach/

 

 

Quote

 

I was then led by Jeff to the NCIX server on the table and handed passwords on a piece of paper. I sat down and began to review the contents of the hard disk. The first folder I opened was documents, where I found some passwords and notes from who I assume was a system administer for NCIX. I then stumbled upon various XML files which gave me some insight into what was inside the database files. Between a couple of different XML files, I found plain text names, usernames, passwords, and addresses. I then opened SQL Server Management Studio which is tool used to manage the database files. Unfortunately, this is where my exploring grinded to a halt.

 

I then opened one of the Canadian databases titled OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data. I also opened a more recent version of the file and it contained the addition of email addresses. As time ticked by, I quickly looked at more databases and discovered data from a financing program, employee records and vendor pricing.

 

 

 

Welp today is not a good day to be a PC enthusiast.

 

This breach is going to hurt some more than others, I also wonder is Linus's T4 is in there?

Link to post
Share on other sites
2 minutes ago, Origami Cactus said:

I read through the whole article and it is actually really bad, like really really bad. All the addresses, credit cards, phone numbers, names, secret NCIX documents etc

Im very happy i haven't bought from NCIX.

 

But @Remog maybe try to add some more info to your posts, so those who can't be bothered to read the whole article can still understand the severity of the situation.

You're right it is a lot to process. I can work on a summary here in a bit. 

Link to post
Share on other sites
4 minutes ago, Remog said:

You're right it is a lot to process. I can work on a summary here in a bit. 

Yeah maybe add that quote too:

Quote

I was then led by Jeff to the NCIX server on the table and handed passwords on a piece of paper. I sat down and began to review the contents of the hard disk. The first folder I opened was documents, where I found some passwords and notes from who I assume was a system administer for NCIX. I then stumbled upon various XML files which gave me some insight into what was inside the database files. Between a couple of different XML files, I found plain text names, usernames, passwords, and addresses. I then opened SQL Server Management Studio which is tool used to manage the database files. Unfortunately, this is where my exploring grinded to a halt.

 

I then opened one of the Canadian databases titled OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand(3848000) records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data. I also opened a more recent version of the file and it contained the addition of email addresses. As time ticked by, I quickly looked at more databases and discovered data from a financing program, employee records and vendor pricing.

 

Link to post
Share on other sites

Yah no one actually gives a fuck about your data. 

businesses dump hardware on ebay all the time without secure erasing properly. You'd be surprised how many thing's I've gotten that either has customer data on it or a simple data recovery program can bring it up. This is why so many just sell the shit without hard drives. Better that than to trust the business selling your old hardware to properly erase discs. They may say they do but proper secure erasing or even slow formats are time consuming. 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to post
Share on other sites

Was about to post this glad to see @Remog is quicker than me. Can we get some feedback from the LTT staff or Linus in regards to this?

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to post
Share on other sites
1 minute ago, Syntaxvgm said:

This is why so many just sell the shit without hard drives

Generally, The standard practice is to destroy storage media on the hardware being sold. It's just what you do if you are halfway professional. Not everyone is, lots of people are just lazy, but that doesn't excuse it. They don't get a pass because 'it happens all the time'.

Link to post
Share on other sites

Can you really call this a breach though?

 

I mean it sucks for those innocently caught up in it for sure but nothing was actually breached, they sold it.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

Link to post
Share on other sites
19 minutes ago, Remog said:

Generally, The standard practice is to destroy storage media on the hardware being sold. It's just what you do if you are halfway professional. Not everyone is, lots of people are just lazy, but that doesn't excuse it. They don't get a pass because 'it happens all the time'.

well reality is many request they be put through secure erase unless legally required to destroy drives. The reason they request it is the resell value/appeal of something loaded with an OS and ready to go is so, so much higher. 
There's also some sellers will take the drives and instead of destroying them sell them using a different ebay account. I've even gotten drives with medical records from ebay. 

The smart/ethical organizations pull the drives out and hit them with a drill press themselves before even having it reach a seller, and those with legal requirements like HIPAA often use a NAID AAA certified computer recycler/reseller. 

But I just bought some computer equipment from a small company that specifically deals with medical billing as their main business and I had to remind them that the drives need removed and destroyed before I get them, soo....yea reality. 

Remember that most laws governing secure data practices only dictate punishment for a breach, not bad practices. So they risk it. Chances are low and it's not their problem. 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to post
Share on other sites

Well shiiiiiiit.... 

import shittyTechAdvice as RollTime

 

Link to post
Share on other sites
Quote

I further learned that he still possessed around 300 desktop computers from NCIX’s corporate offices and retails stores, 18 DELL Poweredge servers, as well as at least two Supermicro server’s running StarWind iSCSI Software that NCIX had used to back up their hard disks. In addition, there where also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufactures.

Quote

The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained FULL CREDIT CARD PAYMENT DETAILS in plain text for two hundred and fifty-eight thousand users between various tables.

 

https://vancouver.craigslist.ca/rch/sys/d/ncix-database-servers/6677293677.html

 

Anyone else want a server?

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to post
Share on other sites

It's a good thing the card I used to pay for the thing I bought from NCIX US no longer exists or rather is no longer active, I ended up losing it and having to cancel it

a Moo Floof connoisseur and curator.

:x@handymanshandle x @pinksnowbirdie || Jake x Brendan :x
Youtube Audio Normalization
 

 

 

Link to post
Share on other sites

Would LOVE to see Linus' take on this, both on the WAN Show as well as a video emphasizing the importance of PCI compliance and data encryption. Maybe that clip from the auction that @rcmaehl screengrabbed could intro that video.

@Remog said it: This could ruin lives.

Just... facepalm.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×