“Not a creature was stirring” – well, except Chris Vickery

Three Lock Box is a construction escrow agency in Las Vegas. And while the name “lock box” might suggest security, unfortunately, they had a misconfigured MongoDB installation that exposed several million dollars in funds available in over 90 accounts.

Chris Vickery uncovered the leaky database and contacted them immediately on December 24th because of concern that an attacker might be able to write to the database to add payees or change the admin’s password. Chris tells DataBreaches.net:

… even though the “normal” users’ password hashes are bcrypt hashed, they completely forgot to hash the password if someone resets their password. The result is that many of these accounts have plaintext exposed passwords.

Chris’s notification to them, by email and phone, resulted in a quick call back from the firm, which left Chris with the impression that the database would be secured immediately. But when the database was still not secured by the end of the day, Chris found the owner’s home phone number and woke him up at 2 am (Chris is nothing if not passionate and determined about security!).

“I am incensed that they had all day to put some sort of authentication on it, but failed to do so,” Chris tells DataBreaches.net. Despite owner Noah Allison’s assurance that no money would be moving through the web site at that time, Chris says he informed  him that his entire business was at risk –  the keys to the admin kingdom, all of his client contact details, all the contract documents, w-9 filings, bank account numbers, routing numbers, and many plaintext passwords of his clients were all up for grabs.

Twenty minutes after that middle-of-the-night call, the database was secured.

DataBreaches.net asked Three Lock Box for a statement. Shuli Cheng, IT Manager, responded. He states that after speaking with Chris earlier in the day, the firm immediately proceeded to contract  a technology provider.

“The shortened Christmas Eve workday added to the challenge of reaching someone who was qualified and available, ” Cheng says. “After  many  phone calls and work sessions, we successfully configured two layers of security by 3:00am PST. A faster turnaround time would have been more desirable.”

Chris’s phone call to Noah at 2 am on Christmas morning was “unexpected given our previous conversation, but still very much appreciated,” Cheng added, also confirming Chris’s claim about what was exposed and at risk.

The firm investigated the incident and found that the leak may have occurred back in early September, when they migrated the database onto its own server.

“For the sake of completeness,” Cheng says, they reviewed access logs going back six months.

Preliminary results for that time span revealed 17 unique IP addresses across 5 unique parties connecting on multiple occasions for a duration  of more than 20 seconds. Cheng says they are suspicious of connections from steadfast.net IP addresses and Amazon AWS addresses.

“We are currently unsure of the malicious intent of the linode.com node since we have also utilized linode servers for other activities that may have resulted in a brief test run on this database instance,” Cheng tells Databreaches.net.

The firm plans to notify its clients in writing of the breach (that’s how they referred to it) and reassure them that money does not move through their system. “We manually approve and initiate ACH transfers via our banking institution’s platform.”

Three Lock Box intends to send notification letters by postal mail to its clients within one business day of completing more testing of their security, including penetration testing, and patching their server.

About the author: Dissent

Has one comment to ““Not a creature was stirring” – well, except Chris Vickery”

You can leave a reply or Trackback this post.
  1. J. Tate - December 30, 2015

    I sincerely appreciate the work your doing. We have been doing similar work in regards to getting companies more aware of the lackluster configurations on their information systems that make it low hanging fruit for persons with malicious intent. We however run into the same apprehension that you do, when it comes to “owning up” to some of these finds companies play a very unique game to ensure minimum negative attention. Which is why I believe the approach should go a bit higher in certain circumstances at the Federal, Commerce or Regulatory Compliance level. The end is not approaching with regards to these finds, and we would love to share our findings with you intandem with assisting forensically to identify the ownership of the finds you have identified.

Comments are closed.