Orvis data leak and the need to monitor ‘paste’ sites

Fishing retailer Orvis had a serious (and embarrassing) data breach recently. Independent security researchers found a posting on text snippet site Pastebin with what appeared to be the keys to the firm’s security systems.

According to Brian Krebs:

…included in the Pastebin files from Orvis were plaintext usernames and passwords for just about every kind of online service or security product the company has used, including:

-Antivirus engines
-Data backup services
-Multiple firewall products
-Linux servers
-Cisco routers
-Netflow data
-Call recording services
-DNS controls
-Orvis wireless networks (public and private)
-Employee wireless phone services
-Oracle database servers
-Microsoft 365 services
-Microsoft Active Directory accounts and passwords
-Battery backup systems
-Security cameras
-Encryption certificates
-Mobile payment services
-Door and Alarm Codes
-FTP credentials
-Apple ID credentials
-Door controllers

To make matters worse, the information was posted to Pastebin twice during the month of October.

Pastebin provides the ability to post snippets of text (“pastes”) so that they can be shared with others on the interwebs. Programmers use pastes to swap useful bits of code. Gamers use it to post information about their characters. Random folks post what look like encrypted messages for other folks. And attackers post information they have looted from systems to show off their abilities and/or shame the victims.

Orvis released a statement pointing out that the data was only exposed for a short time and did not reflect the current passwords for their infrastructure.

If you are not monitoring Pastebin for mentions of your company name, as well as the names of key personnel, you should be. By signing up for a free Pastebin account, you can set up three keywords for alerting when new pastes are created. Popping for the Pro version (a one time cost of $49.95) ups your alert key words to 15.

If you need more than 15 alerts, you can build your own monitoring solution using SearX and Python. You will need to have a Pastebin Pro account to do this, but you won’t be limited as to your keyword searches. You can find instructions on how to set this up here.

Another option for Pastebin monitoring is PasteLert, which provides free alerting services but seems to be a project of one person, so it may not have the longevity of the other solutions listed above.

There are many other Pastebin type sites out there on the internet. One tool I saw (Paste Site Search Tool) claims to search over 90 different paste sites using Google Custom Search. There does not appear to be an API available on this site, so you’ll have to search manually or write a script to perform your search and digest the results. The Resources tab on this page has links to some other resources for searching paste sites.

This type of monitoring is a detective control – it will alert you to a problem you already have, but it will give you a chance to react quickly before more damage is done. You can report pastes of confidential or copyrighted information to Pastebin by clicking the “report” button located to the right of the paste’s toolbar.


*** This is a Security Bloggers Network syndicated blog from Al Berg's Paranoid Prose authored by Al Berg. Read the original post at: https://paranoidprose.blog/2019/11/11/orvis-data-leak-and-the-need-to-monitor-paste-sites/