It’s time to build our own Equifax with blackjack and crypto | TechCrunch

https://techcrunch.com/2017/09/08/its-time-to-build-our-own-equifax-with-blackjack-and-crypto/?utm_source=tcfbpage&sr_share=facebook

This article discusses a security breach that will affect a very large number of people in the USA. It should force many companies to rethink their current sloppy security practices, because the identifying data that so many of them rely on has now leaked out.

The private data of 143 million Equifax “customers” is now available for download. Have no doubt: This means you will be hacked. This means your SIM card can be spoofed. This means someone will try to get into your email and online accounts. This means someone will try to open a credit card in your name.

First, we cannot allow our most precious data to be accessible via the last four digits of our social security number.

Further, we must also outlaw SMS two-factor authentication. In fact, thanks to the data stolen from Equifax, that process can be easily broken.

Mistakes happen. Ultimately we must hold these companies that keep leaking sensitive data accountable for their failures. In short, it’s time for those who are careless with big data to die.

USA might need to look outside the US for leadership in security. 

93 Comments

  1. Tomi Engdahl says:

    Equifax Cybersecurity Failings Revealed Following Breach
    http://www.securityweek.com/equifax-cybersecurity-failings-revealed-following-breach

    Shortcomings revealed by researchers and cybersecurity firms following the massive data breach suffered by Equifax show that a successful hacker attack on the credit reporting agency’s systems was inevitable.

    Some members of the industry pointed out last week that the company’s Chief Security Officer (CSO) Susan Mauldin was a music major with no educational background in cybersecurity or technology. Mauldin and Chief Information Officer David Webb retired from the company on Friday.

    Others dug up old vulnerability reports that the firm had still not addressed and noted the lack of even basic protections on the company’s website. Even the website set up by Equifax to provide information about the breach was riddled with security holes and some services flagged it as a phishing site.

    The Apache Struts 2 vulnerability leveraged by cybercriminals to breach Equifax systems had been known and exploited for roughly two months before the attack on the company. Equifax said its security team knew about the flaw and is now trying to determine why an online dispute portal, which served as the initial point of entry, remained unpatched.

    Experts pointed out that the Apache Struts flaw is not easy to fix, especially if you have many systems that need patching. However, they believe the problem can be addressed with modern security solutions.

    Comodo discovered that more than 388 records of Equifax users and employees are up for sale on the dark web. The information, which includes usernames, passwords and login URLs, was apparently stolen using Pony malware. The security firm pointed out that some Equifax credentials were also exposed in third-party incidents, including the massive LinkedIn and Dropbox breaches.

    “From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales, used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement,” Comodo said in a blog post.

    Equifax stock was worth roughly $140, but it has now dropped to $92, and financial experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.

    Equifax Shares More Details About Breach
    http://www.securityweek.com/equifax-shares-more-details-about-breach

    Equifax has shared more details about the recent breach that affects roughly 143 million U.S. consumers.

    Equifax also revealed that the breach affected less than 400,000 U.K. consumers. Their data had been stored in the United States due to a “process failure” between 2011 and 2016. It’s still unclear how many Canadians are impacted by the breach.

    That was when Equifax’s security team discovered that the attackers had exploited an Apache Struts flaw to access its systems on May 13. The vulnerability in question, CVE-2017-5638, has been exploited in the wild since the first half of March.

    Equifax said its team had known about the Struts vulnerability since it was disclosed and it took steps to patch systems. The organization is still reviewing the facts in an effort to determine why the dispute portal remained unpatched. FireEye-owned Mandiant has been called in to assist in conducting a comprehensive forensic investigation.

    “The word patch is a bit inappropriate for this problem, since what Equifax would have had to do is replace the vulnerable Struts library with the latest one,”

  2. Tomi Engdahl says:

    Bloomberg:
    Equifax discovered major breach in March but says it’s unrelated to recently disclosed hack affecting 143M people; source says both involve the same intruders — New timeline could have implications for executive stock sales — The company is the subject of multiple investigations

    Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed
    https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed

    New timeline could have implications for executive stock sales
    The company is the subject of multiple investigations

    Equifax Inc. learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation.

    Equifax’s hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. Vitor De Souza, senior vice president for global marketing at FireEye Inc., Mandiant’s parent company, declined to comment.

    The revelation of a March breach will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

    Equifax has said the executives had no knowledge that an intrusion had occurred when the transactions were made. The company’s shares fell 1.8 percent in premarket trading Tuesday. The stock closed at $94.38 on Monday.

    New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity, including social security and driver’s license numbers, and steal credit card numbers.

    In public statements since disclosing the intrusion on Sept. 7, Equifax said it became aware of the breach only after the data taken by the hackers had been gone for months.

    In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate.

    One possible explanation, according to several veteran security experts consulted by Bloomberg, is that the investigation didn’t uncover evidence that data was accessed.

    Even so, the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July.

    It’s the stock sales by several executives that are likely to get the most scrutiny in light of the new timeline.

    If the two hacks are unrelated it could be that different hacking teams had different goals. One clue has emerged that suggests one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter.

    The discovery suggests that the attackers may have been trying to piggyback off of Equifax’s connections to large banks and other financial institutions as a backdoor way to hack those entities and gain access to sensitive partner systems.

  4. Tomi Engdahl says:

    Failure to patch two-month-old bug led to massive Equifax breach
    Critical Apache Struts bug was fixed in March. In May, it bit ~143 million US consumers.
    https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/

    The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.

    The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

    Thursday’s disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn’t immediately respond to an e-mail seeking comment on this possibility.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

  5. Tomi Engdahl says:

    New York Pushes to Regulate Credit Agencies After Equifax Breach
    http://www.securityweek.com/new-york-pushes-regulate-credit-agencies-after-equifax-breach

    New York Governor Andrew Cuomo announced on Monday plans to make credit reporting firms comply with the 23 NYCRR 500 cybersecurity regulations enacted earlier this year. The move is in response to the massive Equifax breach disclosed on September 7, 2017.

    “In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, Governor Andrew M. Cuomo today directed the Department of Financial Services to issue a new regulation requiring credit reporting agencies to register with New York for the first time and comply with this state’s first-in-the-nation cybersecurity standard,” says the statement.

    “A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

  6. Tomi Engdahl says:

    Equifax’s disastrous Struts patching blunder: THOUSANDS of other orgs did it too
    Those are just the ones known to have downloaded outdated versions
    https://www.theregister.co.uk/2017/09/20/equifax_vulnerability_could_be_widespread/

    Thousands of companies may be susceptible to the same type of hack that recently struck Equifax.

    The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late July, when the attack was finally detected.

    Additionally, more than 46,000 organisations downloaded versions of Struts and/or its sub-projects with known vulnerabilities despite perfectly safe versions being available. Altogether, upwards of 50,000 organisations might be vulnerable to attack.

    Why are developers still using vulnerable software packages when newer versions are available?

    A variety of factors might be responsible, such as dependencies, old links in documentation, no time allotted to test newer versions, and simple fear of change. Compatibility is a big factor. “Over the years Struts versions have unsupported/broke features, plugins,” noted infosec consultant Kevin Beaumont.

    Jason Coulls, a mobile app developer, added: “Technical debt. If you don’t keep up, compatibility will force you backwards.”

    Why wouldn’t you patch?

    Mike Pittenger, VP of security strategy at SecDevOps tools firm Black Duck Software, told El Reg that it could be that developers – whose work performance is generally judged by the functionality of their software rather than security factors – neglect to check whether the version of Struts they are using is secure or not.

    Struts is a framework for web app development and the amount of work needed to patch a particular environment can vary widely. Sometimes there are valid reasons to defer patching. “Fixes could require API [program interface] changes or more testing to make sure you don’t break things,” Pittenger said.

  7. Tomi Engdahl says:

    Equifax Breach Affects 100,000 Canadians
    http://www.securityweek.com/equifax-breach-affects-100000-canadians

    Equifax revealed on Tuesday that the recent data breach affects roughly 100,000 Canadian consumers, but the company’s systems in Canada were not compromised.

    Equifax Canada said the company’s investigation is still ongoing, but it believes the incident affects approximately 100,000 Canadians. Similar to the United States, the exposed information includes names, addresses, social insurance numbers, and, in some cases, credit card numbers.

    “Equifax Canada can confirm that Canadian systems are not affected. We have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases. Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S.,” the company said.

    Impacted individuals will be notified via mail and they will be offered credit monitoring and identity theft protection services for one year at no charge.

  8. Tomi Engdahl says:

    Equifax customer DISservice department:

    Dani Deahl / The Verge:
    Equifax customer service, tweeting from @Equifax, accidentally directed customers to a critic’s phishing site for over a week in at least three Twitter replies — Earlier this month, hackers broke into Equifax’s servers and stole 143 million people’s personal information, including their Social Security numbers.

    For weeks, Equifax customer service has been directing victims to a fake phishing site
    https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring

  9. Tomi Engdahl says:

    Unisys: Micro-segmentation and AI in the security wake of Equifax
    http://www.zdnet.com/article/unisys-micro-segmentation-and-ai-in-the-security-wake-of-equifax/

    The chief trust officer of Unisys explains what business leaders and technologists need to know about next-generation network security practices. Read carefully to protect your organization.

    The Equifax security breach is on everyone’s mind. Equifax has broken our trust and made clear that security is everyone’s problem — ultimately, no one is immune to the effects of poor computer security.

    During our conversation, Patterson explains why effective security must go beyond technology to encompass business strategy and practice at the most senior levels in an organization. It’s a perspective that explains why organizational leaders and technologists are jointly responsible for securing data, corporate assets, and even critical infrastructure.

    However, the technology itself is also fascinating. From micro-segmentation to predictive analytics, there is plenty of material for the most hardened technologist to study and enjoy.

    Is security a business or technical problem?

    It used to be bits and bytes and routers and firewalls. Now, it’s boardroom decisions and what should we do about an M&A? How should we go into a merger? How should we partner in this country or that country?

    These are all business decisions. And, the threats are dramatic. There’s not only the threat of being shut down or having all the information that you are entrusted with taken from you, but there’s also regulatory compliance now. New regulations are coming that start next year, where the fines start at $20 million and go up from there.

    It’s an issue that goes well beyond the technology. That’s what the chief trust officer role works with here. We’re a coordination point for privacy, physical security, and business security issues.

    Where does technical debt have an impact?

    Most every company of any size that’s been around for a while has issues like technical debt. They’ve got old stuff and there’s not enough money to buy all new stuff.

    So, they’ve got to work together and be realistic with each other, and say, “Well, we’ve got this privacy spin that we’ve got to do, and we’ve got this technical debt issue here, and we’re trying to open a business in country X and country Y. Let’s design a system, maybe using a cloud provider and some micro-segmentation, and we do this.”

    Suddenly, we’re addressing all those issues with one spend. That opens the eyes not only of the practitioners but also of the business leaders and the governance leaders across the board. Literally around the world.

  10. Tomi Engdahl says:

    Apache Struts Remote Command Execution explained
    https://www.linkedin.com/pulse/apache-struts-remote-command-execution-threat-report-raviv-raz/?trackingId=n98%2Bd4TYzv6GNnRAWq92ag%3D%3D&lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BaHj%2FntXmT36cgzoj2xFiow%3D%3D&licu=urn%3Ali%3Acontrol%3Ad_flagship3_feed-object

    We all heard about the recent unfortunate tale of Equifax, losing all their customer data in one major breach. According to their disclosed information, it was all due to the Apache Struts Remote Command Execution vulnerability found in their servers. In fact, if this was the case, then the whole attack might have started and finished within seconds, using one HTTP transaction sent to their website.

    OWASP categorizes this type of attack as “Command Injection”, defined as:

    “an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.”

    Attacks in the wild are seen abusing the HTTP “content-type” header to inject the malicious code.

    Conclusion

    As always, keep your systems up-to-date to minimize the exposure time window. Audit your code, keep yourself up to speed with the latest trends in application security. And of course, monitor all your web applications for malicious and suspicious web user behavior.

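The Content-Type vector described in the comment above, as an added defender-side example that is not part of the original post or of any vendor product: it scans access-log lines and flags a Content-Type request header that carries OGNL expression markers or is not a syntactically valid media type. The log format, the `/dispute/...` paths, the addresses and the sample lines are all constructed for this example.

```python
"""Detection check for the CVE-2017-5638 vector: an HTTP Content-Type request
header carrying an OGNL expression instead of a media type.
The log format, paths and addresses below are constructed for this example."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 7230 "token" characters: what a legitimate media type, parameter name
# or unquoted parameter value may contain. Braces are deliberately absent.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|\"[^\"]*\"))*\s*$"
)
# Expression delimiters OGNL evaluates; a media type never legitimately needs them.
OGNL_MARKERS = ("%{", "${")

# Constructed log format: <client-ip> <method> <path> <status> ct="<Content-Type or ->"
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) ct="(?P<ct>.*)"$'
)

# Constructed sample traffic against a hypothetical Struts-based dispute portal.
# Line 2 and line 4 carry only a harmless marker, not a working payload.
SAMPLE_LOG = """\
203.0.113.5 POST /dispute/upload.action 200 ct="multipart/form-data; boundary=----FormBoundary7MA4YWxk"
203.0.113.9 POST /dispute/upload.action 200 ct="%{(#demo='constructed-ognl-marker')}"
198.51.100.7 GET /dispute/index.action 200 ct="-"
198.51.100.8 POST /dispute/upload.action 500 ct="multipart/form-data; boundary=\"${constructed}\""
198.51.100.9 POST /dispute/upload.action 400 ct="text/plain charset=utf-8"
"""


def classify_content_type(ct: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a hostile or malformed header, None if fine.

    An absent header ("" or the log placeholder "-") is normal for GET requests.
    """
    if ct in ("", "-"):
        return None
    for marker in OGNL_MARKERS:
        if marker in ct:
            # Catches the marker anywhere, including inside a quoted parameter
            # value, which the grammar check alone would accept.
            return ("high", f"OGNL expression marker {marker!r} in Content-Type")
    if not MEDIA_TYPE_RE.match(ct):
        # Broken clients produce these too, so this is an anomaly, not proof of attack.
        return ("medium", "Content-Type is not a syntactically valid media type")
    return None


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one line of the constructed log format; None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request whose Content-Type header is suspicious."""
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        verdict = classify_content_type(entry["ct"])
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"ip": entry["ip"], "path": entry["path"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:<6} {f['ip']:<14} {f['path']}  {f['reason']}")
```

The check is path-independent on purpose: the vulnerable multipart parser ran before any action-specific code, so the header must be inspected on every request, not only on upload endpoints.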
  11. Tomi Engdahl says:

    New York Times:
    Despite safety being part of Equifax’s sales pitch, company’s strategy of gathering as much personal data as possible amplified the consequences of the breach

    As Equifax Amassed Ever More Data, Safety Was a Sales Pitch
    https://www.nytimes.com/2017/09/23/business/equifax-data-breach.html

    Equifax’s chief executive had a simple strategy when he joined more than a decade ago: Gather as much personal data as possible and find new ways to sell it.

    The company was making good money compiling credit reports on Americans. But Wall Street wanted stronger growth.

    The chief executive, Richard F. Smith, delivered, releasing dozens of new products each year and doubling revenue. The company built algorithms and started scrubbing social media to assess consumers. In a big data collection coup, Equifax persuaded more than 7,000 employers to hand over salary details for an income verification system that now encompasses nearly half of American workers.

    As part of its pitch to clients, the company promised to safeguard information. It even sold products to help companies hit by cyberattacks protect their customers.

    “Data breaches are on the rise. Be prepared,” the company said in one pitch. “You’ll feel safer with Equifax.”

    But this strategy means that Equifax is entrenched in consumers’ financial lives whether they like it or not — or even know it. Equifax’s approach amplified the consequences of the breach, reported this month, that exposed the personal information for up to 143 million people.

    Ordinary people are not Equifax’s customers. They are the company’s product. The “Big Three” credit bureaus, Equifax, Experian and TransUnion, collect 4.5 billion pieces of data each month to feed into their credit reports.

    From birth to death, the record grows. Decades’ worth of addresses and identifying information, including drivers’ licenses and Social Security numbers. Utility accounts like telephone and cable subscriptions. Criminal records, medical debt, as well as rental and eviction histories.

    Equifax’s records on any given individual, scattered throughout dozens of databases, typically stretch across hundreds or thousands of pages.

  12. Tomi Engdahl says:

    When blockchain meets Equifax-style breaches
    https://enterprisersproject.com/article/2017/9/when-blockchain-meets-equifax-style-breaches?sc_cid=7016000000127ECAAY

    How could blockchain improve security and data sharing? In part two of our interview, Andreas Freund of TCS explains

    “I tell our clients our goal is to turn a billion-dollar bank into a billion one-dollar banks,” Freund explains. “The incentive to go after these little honeypots is much less than for going after one big honeypot.”

    Today, a hacker might break into one system and make off with 143 million identities, as recently happened to Equifax. With blockchain, he says, “Even if you can penetrate one identity, you’ll have to extend the same effort to hack another and another.”

    Decentralizing security – allowing it to be spread over many networks and in effect giving up absolute control – might be a highly uncomfortable prospect for many CIOs and CISOs. But, Freund says, it could be the only way to keep data safe over the long term. “We have looked at many, many models and found that any centralized security model won’t scale effectively,” he says. “And it will eventually fail.”

  13. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Equifax chairman and CEO Richard Smith steps down effective immediately after massive data breach, after more than a decade at the company — The company’s shares were halted pending the news. — Equifax chairman and chief executive Richard Smith has stepped down from the embattled credit rating agency, effective immediately.

    Equifax chief executive steps down after massive data breach
    The former chief executive made over $4 million in salary last year.
    http://www.zdnet.com/article/equifax-chief-executive-to-step-down-following-hack/

    Equifax chairman and chief executive Richard Smith has stepped down from the embattled credit rating agency, effective immediately.

    The company said in an early Tuesday statement that Smith will “retire” after more than a decade at the company. Paulino do Rego Barros, who served as the company’s Asia-Pacific president, will serve as the company’s new chief executive.

    Shares in Equifax ($EFX) were halted during pre-market trading pending the news.

    It comes two weeks after the credit rating giant admitted it had been hacked earlier in the year. The company said 143 million consumers may have been affected by the breach of sensitive information.

    Since then, a litany of security problems have plagued the company’s incident recovery, spearheaded by security firm Mandiant.

  14. Tomi Engdahl says:

    David Lazarus / Los Angeles Times:
    How credit agencies like Experian use fear to pitch online identity protection services of questionable value and with onerous ToS including arbitration clauses

    Credit agency Experian says it can protect you from the ‘dark Web’ — sort of
    http://www.latimes.com/business/lazarus/la-fi-lazarus-experian-dark-web-20170922-story.html

    The ad opens with quick cuts of creepy-looking hackers in sinister surroundings. A serious male voice asks: “Is your personal information already being traded on the dark Web?”

    Then the imagery brightens — a sunny kitchen, a family playing with a fluffy white dog. “Find out with Experian,” says a friendly female voice. “Act now to help keep your personal information safe.”

    Consumers’ and lawmakers’ attention is rightly focused at the moment on the security breach involving Equifax, which left millions of people facing a very real possibility of fraud and identity theft.

    But the recent ad from rival Experian highlights a more troublesome aspect of credit agencies — their use of questionable methods to spook people into buying services they may not need and, in so doing, giving the companies permission to share data with marketers and business partners.

    “One of the biggest problems with credit reporting agencies is that their real customers are the banks and landlords who pay for credit reports,” said Peter Swire, a professor of law and ethics at Georgia Tech.

    “Ordinary consumers are not their main market, except when the company can talk us into paying for something about our own credit history,” he said.

    “Because of its hidden nature and the use of special applications to maintain anonymity, it’s not surprising that the dark Web can be a haven for all kinds of illicit activity,” Experian says on its own website. “This means if you’ve ever been a victim of a data breach, it’s a place where your sensitive information might live.”

    Scary.

    Luckily, Experian is here with a free scan of the dark Web on consumers’ behalf. All you have to do is enter your email address.

    It turns out running a free dark-Web email scan opens you up to “advertisements or offers for available credit cards, loan options, financial products or services, or credit-related products or services and other offers to customers.”

    https://www.experian.com/consumer-products/free-dark-web-email-scan.html

  15. Tomi Engdahl says:

    San Francisco sues Equifax on behalf of 15 million Californians affected by the breach
    https://techcrunch.com/2017/09/27/san-francisco-sues-equifax-on-behalf-of-15-million-californians-affected-by-the-breach/?utm_source=tcfbpage&sr_share=facebook

    Equifax is not only in deep for a class-action lawsuit over a breach exposing 143 million U.S. citizens’ Social Security numbers and a subpoena in New York, it’s now being sued by the city of San Francisco.

    S.F. City Attorney Dennis Herrera filed the lawsuit against the credit reporting agency in San Francisco Superior Court for “failing to protect the personal data of more than 15 million Californians,” according to a statement.

  16. Tomi Engdahl says:

    N.Y. regulators issued Equifax with a subpoena, per report
    https://techcrunch.com/2017/09/27/n-y-regulators-issued-equifax-with-a-subpoena-per-report/?utm_source=tcfbpage&sr_share=facebook

    Equifax was issued a subpoena from New York state’s financial service regulators in regards to the massive data breach the company announced last month, Reuters reported today. The regulators want Equifax to provide more information, which is about right since it seems like Equifax has changed the story several times since the first announcement.

    Specifically, Reuters states the subpoena is looking for documents related to the data breach and details on when the company first learned about the hack.

  17. Tomi Engdahl says:

    Jennifer Surane / Bloomberg:
    Equifax to launch a new free service by February 2018 which allows users to lock and unlock access to their credit files

    Equifax Will Offer Free Credit Locks for Life, New CEO Says
    https://www.bloomberg.com/news/articles/2017-09-27/equifax-will-offer-free-credit-freezes-for-life-new-ceo-says

    New ‘safe and simple’ service to be introduced by January
    CEO Barros lays out plan in newspaper op-ed on 2nd day in job

    Equifax Inc. will debut a new service that will permanently give consumers the ability to lock and unlock their credit for free.

    The service will be introduced by Jan. 31, Chief Executive Officer Paulino do Rego Barros Jr. wrote in a Wall Street Journal op-ed Wednesday, a day after taking the helm. The company will also extend the sign-up period for TrustedID Premier, the free credit-monitoring service it’s offering all U.S. consumers, he said.

    “The service we are developing will let consumers easily lock and unlock access to their Equifax credit files,” Barros wrote. “You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.”

    Barros was named interim CEO on Tuesday, less than three weeks after Equifax disclosed that hackers accessed sensitive data for 143 million U.S. consumers. Former CEO Richard Smith will appear before Congress next week, and lawmakers have demanded more information on how the breach happened, while faulting the company’s efforts to alert victims and help them safeguard their finances.

  18. Tomi Engdahl says:

    Equifax Will Offer Free Credit Locks for Life, New CEO Says
    https://news.slashdot.org/story/17/09/28/0349200/equifax-will-offer-free-credit-locks-for-life-new-ceo-says

    Equifax will debut a new service that will permanently give consumers the ability to lock and unlock their credit for free.

    Reply
  19. Tomi Engdahl says:

    Equifax Board Forms Panel To Review Executives’ Stock Sales After Data Breach
    https://news.slashdot.org/story/17/09/30/0256244/equifax-board-forms-panel-to-review-executives-stock-sales-after-data-breach

    Equifax’s board of directors has formed a special committee to review the stock sales that top executives made days after the company found out it was hacked. Directors at Equifax have retained counsel and are conducting a “thorough review” of the trades, according to a Sept. 28 letter the company’s outside lawyers submitted to the top Democrat on the House Energy and Commerce Committee.

    Equifax Board Forms Panel to Review Executives’ Share Sales
    https://www.bloomberg.com/news/articles/2017-09-29/equifax-board-to-review-executives-stock-sales-following-hack

    Equifax Inc.’s board of directors has formed a special committee to review the stock sales that top executives made days after the company found out it was hacked.

    Directors at Equifax have retained counsel and are conducting a “thorough review” of the trades, according to a Sept. 28 letter the company’s outside lawyers submitted to the top Democrat on the House Energy and Commerce Committee. The examination adds to investigations already being conducted by federal law-enforcement agencies.

    “Equifax takes these matters seriously,” the company said

    Congressional Scrutiny

    The share sales by Equifax’s chief financial offer and other executives are among the issues that have drawn the most congressional scrutiny since the company disclosed earlier this month that a data breach had compromised the personal information of 143 million Americans. Equifax’s stock has fallen 25 percent since it reported the hack on Sept. 7.

    Multiple Hearings

    In the letter to lawmakers, Equifax attorneys at the law firm King & Spalding also disclosed more details on the company’s internal procedures for how breaches are handled

    “There is an ongoing root cause investigation into multiple issues, including compliance with Equifax’s plans and procedure guides,”

    Reply
  20. Tomi Engdahl says:

    Bloomberg:
    Sources: ongoing investigations find the Equifax hack may have been state-sponsored, and that 30+ entry points were created in Equifax computer systems

    The Equifax Hack Has the Hallmarks of State-Sponsored Pros
    https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

    Investigations into the massive breach aren’t complete, but the intruders used techniques that have been linked to nation-state hackers in the past.

    In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren’t being disparaging, just darkly honest: Founded in the 19th century as a retail credit company, Equifax had over the years morphed into one of the largest repositories of Americans’ most sensitive financial data, which the company sliced and diced and sold to banks and hedge funds. In short, the viability of Equifax and the security of its data were one and the same.

    Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.

    The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community.

    showed up the same day in Metasploit, a popular free hacking tool

    On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.

    Before long, hackers had penetrated Equifax. They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. They homed in on a bounty of staggering scale: the financial data—Social Security numbers, birth dates, addresses and more—of at least 143 million Americans. By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax’s computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.

    The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.

    Others involved in the investigation aren’t so sure, saying the evidence is inconclusive at best or points in other directions.

    a nation-state may have played a role, but that it doesn’t point to China.

    Wherever the digital trail ultimately leads, one thing is clear: The scant details about the breach so far released by Equifax—besides angering millions of Americans—omit some of the most important elements of the intrusion and what the company has since learned about the hackers’ tactics and motives. Bloomberg has reconstructed the chain of events through interviews with more than a dozen people familiar with twin probes being conducted by Equifax and U.S. law enforcement.

    The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company’s challenges may go still deeper. One U.S. government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company.

    The attackers avoided using tools that investigators can use to fingerprint known groups. One of the tools used by the hackers—China Chopper—has a Chinese-language interface, but is also in use outside China, people familiar with the malware said.

    The impact of the Equifax breach will echo for years. Millions of consumers will live with the worry that the hackers—either criminals or spies—hold the keys to their financial identity, and could use them to do serious harm. The ramifications for Equifax and the larger credit reporting industry could be equally severe.

    Smith explained that the company gets its data for free (because regular consumers hand it over to the banks when they apply for credit). Then, he said, the company crunches the data with the help of computer scientists and artificial intelligence and sells it back to the banks that gave Equifax the data in the first place. The business generates a gross margin of about 90 percent. “That’s a pretty unique model,” Smith said.

    And one that he fully exploited. Smith acquired two dozen companies that have given Equifax new ways to package and sell data, while expanding operations to 25 countries and 10,000 employees. Business was good

    But the man who transformed Equifax was plagued each and every day by the fear that hackers would penetrate the company’s firewall and make off with the personal data of millions of people. By the time he gave the speech on Aug. 17, Smith knew of the hack but the public didn’t. He told the audience the risk of a breach was “my No. 1 worry” and lingered on the threats posed by spies and state-sponsored hackers.

    Not long after becoming CEO, he hired Tony Spinelli, a well-regarded cyber expert, to overhaul the company’s security.

    “Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security.”

    Besides amassing data on nearly every American adult, the hackers also sought information on specific people.

    The company continued to invest heavily in state-of-the-art technology, and had a dedicated team to quickly patch vulnerabilities like the one identified by Zheng.

    Lapses in security began to catch up to the company in myriad ways beginning early this year. Since at least Feb. 1, Equifax had been aware that identity thieves were abusing a service that manages payroll data for companies, according to notices sent to victims.

    Equifax hired Mandiant in March to investigate any security weaknesses related to the scams

    The investigation in March was described internally as “a top-secret project”

    The relationship with Mandiant broke down sometime over the next several weeks—a period that would later turn out to be critical in how the breach unfolded. Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said.

    Although the hackers inside Equifax were able to evade detection for months, once the hack was discovered on July 29, investigators quickly reconstructed their movements down to the individual commands they used.

    The company’s suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network’s internal communications and data traffic. Using Moloch, investigators reconstructed every step.

    Once the hackers found the vulnerability Zheng reported, they installed a simple backdoor known as a web shell. It didn’t matter if Equifax fixed the vulnerability after that. The hackers had an invisible portal into the company’s network.

    Those intruders used special tunneling tools to slide around firewalls, analyzing and cracking one database after the next—while stockpiling data on the company’s own storage systems.

    Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered.

    “This wasn’t a credit card play,” said one person familiar with the investigation. “This was a ‘get as much data as you can on every American’ play.” But it probably won’t be known if state hackers—from China or another country—were involved until U.S. intelligence agencies and law enforcement complete their work.

    That could take weeks or months, but Equifax is already a changed company.

    Reply
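The Bloomberg piece above says investigators used Moloch's stored traffic history to reconstruct the intrusion and found more than 30 web shells, each on a different web address. The detection lesson a defender takes from that is to keep a baseline of the URL paths the application team actually deployed and to review any path that shows up in traffic outside it. The script below is an added example, not Equifax's or Moloch's code; the baseline and the request records are constructed (client addresses come from the documentation ranges), and `unknown_paths` / `prioritise` are names chosen for this example.

```python
"""Baseline check over web-request records: flag request paths that are not in
the deployed-endpoint baseline, which is how unexpected server-side scripts
(such as web shells) stand out in stored traffic history.
Added example; the baseline and request records are constructed, not real data."""
from datetime import datetime

# Constructed baseline: every URL path the application team deployed on purpose.
BASELINE = {"/dispute/", "/dispute/upload", "/dispute/help", "/static/app.js"}

# Constructed request records (timestamp, method, path, client IP), standing in
# for what a full-packet-capture store would return for one web application.
REQUESTS = [
    ("2017-03-10T02:14:09", "POST", "/dispute/upload", "203.0.113.5"),
    ("2017-03-10T02:14:40", "GET", "/static/app.js", "203.0.113.5"),
    ("2017-03-12T23:01:12", "POST", "/dispute/assets/upd.jsp", "198.51.100.7"),
    ("2017-03-13T00:15:51", "POST", "/dispute/assets/upd.jsp", "198.51.100.7"),
    ("2017-03-14T11:47:03", "POST", "/dispute/assets/upd.jsp", "198.51.100.9"),
    ("2017-03-15T08:30:00", "GET", "/dispute/help", "192.0.2.44"),
    ("2017-03-15T08:31:10", "GET", "/dispute/legacy/index.html", "192.0.2.44"),
]


def unknown_paths(requests, baseline):
    """Group requests whose path is not in the baseline.

    Returns {path: {"first_seen": datetime, "posts": int, "gets": int,
                    "clients": sorted list of client addresses}}.
    """
    seen = {}
    for ts, method, path, client in requests:
        if path in baseline:
            continue
        entry = seen.setdefault(
            path, {"first_seen": None, "posts": 0, "gets": 0, "clients": set()}
        )
        when = datetime.fromisoformat(ts)
        if entry["first_seen"] is None or when < entry["first_seen"]:
            entry["first_seen"] = when
        if method == "POST":
            entry["posts"] += 1
        else:
            entry["gets"] += 1
        entry["clients"].add(client)
    for entry in seen.values():
        entry["clients"] = sorted(entry["clients"])
    return seen


def prioritise(findings):
    """Order unknown paths for triage: paths that accept POSTs (something on the
    server is taking input) before read-only ones, then by first sighting."""
    return sorted(
        findings, key=lambda p: (-findings[p]["posts"], findings[p]["first_seen"])
    )


if __name__ == "__main__":
    found = unknown_paths(REQUESTS, BASELINE)
    for path in prioritise(found):
        e = found[path]
        print(f"{path}: first seen {e['first_seen']:%Y-%m-%d %H:%M}, "
              f"POST={e['posts']} GET={e['gets']}, clients={e['clients']}")
```

On the constructed input the `.jsp` path under `/dispute/assets/` is listed first: it is absent from the baseline and takes repeated POSTs from two clients, while the stray `legacy/index.html` is only read and sorts after it. A baseline of this kind is only as good as the deployment inventory behind it, which is why it belongs in the release process rather than being rebuilt from traffic after the fact.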
  21. Tomi Engdahl says:

    Equifax CEO: All Companies Get Breached
    https://news.slashdot.org/story/17/09/30/2036215/equifax-ceo-all-companies-get-breached

    There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. “There’s those companies that have been breached and know it, and there are those companies that have been breached and don’t know it,” he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it…

    After Equifax’s Data Breach, Its CEO Gave a Speech Saying a Hack Was His ‘No. 1 Worry’
    http://fortune.com/2017/09/29/equifax-ceo-hack-worry/

    There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on Aug. 17. “There’s those companies that have been breached and know it, and there are those companies that have been breached and don’t know it,” he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it.

    The speech, given by Smith to students and faculty at the university’s Terry College of Business, covered a lot of ground, but it frequently returned to security issues that kept the former CEO awake at night—foremost among them was the company’s large database.

    “When you have the size database we have, it’s very attractive for others to try to get into our database,” said Smith. “So that is a huge priority for us.”

    Smith elaborated on what hackers can do with consumers’ personal information, including selling it on the Dark Web. “It is a very lucrative way to make money,” he said.

    Smith’s fastest growing area of security concern was state-sponsored hacking and espionage, he said. “It’s countries you’d expect—you know it’s China, Russia, Iran, and Iraq—and they’re being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries,” said Smith. “It’s my number one worry,” he added.

    Reply
  22. Tomi Engdahl says:

    The Equifax Hack Has the Hallmarks of State-Sponsored Pros
    https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

    Investigations into the massive breach aren’t complete, but the intruders used techniques that have been linked to nation-state hackers in the past.

    Reply
  23. Tomi Engdahl says:

    Rick Smith, CEO, Equifax
    https://www.youtube.com/watch?v=lZzqUnQg-Us&feature=youtu.be&t=308

    Terry College of Business at the University of Georgia
    Published 22.8.2017
    August 17, 2017

    Richard F. “Rick” Smith has been chairman and CEO of Equifax since 2005. Prior to that role, he spent 22 years with General Electric, holding several president and CEO roles across a variety of business, including engineering thermoplastics, asset management, leasing, and insurance solutions. Smith is an avid supporter of education, and has made it a key focus of the Equifax Foundation

    Reply
  24. Tomi Engdahl says:

    Equifax Apology Reveals CEO’s True Identity
    https://www.youtube.com/watch?v=AKHOZQJVBaM

    Body Language: Equifax Hack
    https://www.youtube.com/watch?v=b6fxkNgcj0Y

    Reply
  25. Tomi Engdahl says:

    Bloomberg:
    Sources: ongoing investigations find the Equifax hack may have been state-sponsored, and 30+ entry points were created in Equifax computer systems — In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company …
    https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

    Reply
  26. Tomi Engdahl says:

    Can Equifax’s Offerings Actually Protect Your Identity?
    https://www.wired.com/story/equifax-identity-protection-offerings

    News about the massive Equifax data breach has been unrelenting since the credit bureau publicly disclosed its lapse at the beginning of September. It’s difficult to keep up with all the company’s blunders, not to mention the complicated fiscal policy and regulatory debates the incident has fueled. But weeks later, most consumers in the United States are still just trying to figure out what the whole thing means for them, and how to steel themselves against identity theft and fraud.

    To this end, Equifax’s interim CEO Paulino do Rego Barros Jr. (former CEO Richard F. Smith “retired” on Tuesday) published an update to consumers in The Wall Street Journal on Wednesday humbling himself before Equifax’s critics and announcing an additional identity protection service that the company will give consumers for life beginning in January. At this point, Equifax has at least three similar-sounding identity protection offerings as part of its breach response. But there’s always that pesky question in security that has plagued the company before—do they work?

    “In the event something goes wrong, which unfortunately is inevitable, companies need to respond urgently, transparently, and empathetically—none of which Equifax did,” says Adam Levin

    Experts maintain that Equifax’s offerings are ultimately productive, but caution that consumers need to really understand what the choices are so they can make the right defense decisions for themselves long-term.

    Rego Barros announced in his public letter that Equifax will be extending the enrollment period for its credit monitoring and freezing services through January.

    Credit monitoring sends you alerts so you can catch any suspicious activity early, while credit freezes actually lock down your credit files so institutions you don’t already do business with can’t access your data without specific permission from you and special PIN numbers. A freeze significantly reduces the chance that a fraudster will be able to do things like take out a line of credit in your name. Personal identity security advocates have long favored freezes, but acknowledge that the measure isn’t necessarily for everyone (say, someone who anticipates applying for student loans) since it is fairly rigid and restrictive.

    The free monitoring and freezes have a short timespan, perhaps because they are services Equifax wants to resume capitalizing on as quickly as possible.

    The third service Rego Barros mentioned on Wednesday, a so-called “credit lock” tool, will debut in January, and will be a more flexible option through which consumers can lock and unlock access to their credit data whenever they want.

    Experts agree that to protect themselves, consumers need to see past the gimmicks and noise to the long game of utilizing what Equifax and other companies that have experienced data breaches provide while planning to supplement as needed. If your data is compromised in multiple breaches over time you may be able to daisy chain years of free services together.

    And everyone can pull and review one complete credit report per year for free from AnnualCreditReport.com. Additionally, consumers need to be aware that credit monitoring, locks, and freezes alike don’t protect against things like tax fraud and medical fraud, in which identity thieves can file bogus tax returns on your behalf to claim your refund or jeopardize your insurance coverage by scamming your provider.

    Consumers also may have more resources available to them for free than they realize

    Reply
  27. Tomi Engdahl says:

    Here’s What to Ask the Former Equifax CEO
    https://krebsonsecurity.com/2017/09/heres-what-to-ask-the-former-equifax-ceo/

    CREDIT FREEZE VS. CREDIT LOCK

    My first group of questions would center around security freezes or credit freezes, and the difference between those and these credit lock services being pushed hard by the bureaus.

    Currently, even consumer watchdog groups say they are uncertain about the difference between a freeze and a lock. See this press release from Thursday by U.S. PIRG, the federation of state Public Interest Research Groups, for one such example.

    Also, I’m curious to know what percentage of Americans had a freeze prior to the breach, and how many froze their credit files (or attempted to do so) after Equifax announced the breach. The answers to these questions may help explain why the bureaus are now massively pushing their new credit lock offerings (i.e., perhaps they’re worried about the revenue hit they’ll take should a significant percentage of Americans decide to freeze their credit files).

    BREACH RESPONSE

    Equifax could hardly have bungled their breach response more if they tried. It is said that one should never attribute to malice what can more easily be explained by incompetence, but Equifax surely should have known that how they handled their public response would be paramount to their ability to quickly put this incident behind them and get back to business as usual.

    FRAUD AND ABUSE

    Multiple news organizations have reported that companies which track crimes related to identity theft — such as account takeovers, new account fraud, and e-commerce fraud — saw huge upticks in all of these areas corresponding to two periods that are central to Equifax’s breach timeline; the first in mid-May, when Equifax said the intruders began abusing their access to the company, and the second late July/early August, when Equifax said it learned about the breach.

    This chart shows spikes in various forms of identity abuse — including account takeovers and new account fraud — as tracked by ThreatMetrix, a San Jose, Calif. firm that helps businesses prevent fraud.

    -Has Equifax performed any analysis on consumer credit reports to determine if there has been any pattern of consumer harm as a result of this breach?

    -Assuming the answer to the previous question is yes, did the company see any spikes in applications for new lines of consumer credit corresponding to these two time periods in 2017?

    Many fraud experts report that a fast-growing area of identity theft involves so-called “synthetic ID theft,” in which fraudsters take data points from multiple established consumer identities and merge them together to form a new identity. This type of fraud often takes years to result in negative consequences for consumers, and very often the debt collection agencies will go after whoever legitimately owns the Social Security number used by that identity, regardless of who owns the other data points.

    -Is Equifax aware of a noticeable increase in synthetic identity theft in recent months or years?

    -What steps, if any, does Equifax take to ensure that multiple credit files are not using the same Social Security number?

    -Prior to its breach disclosure, Equifax spent more than a half million dollars in the first half of 2017 lobbying Congress to pass legislation that would limit the legal liability of credit bureaus in connection with data security lapses. Do you still believe such legislation is necessary? Why or why not?

    Reply
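Two of the questions in the Krebs post above, whether Equifax checks that multiple credit files do not share one Social Security number and whether it has seen a rise in synthetic identity theft, are one data-integrity check in practice. The script below is an added example, not a bureau's system: it groups constructed credit-file records by SSN, separates the harmless case (one person filed twice under spelling variants) from the case worth escalating (different names or dates of birth on one number, the trace synthetic identities leave), and reports a keyed hash of the SSN rather than the number itself. The records, the report key and the function names (`shared_ssn_report`, `name_key`, `ssn_tag`) are all assumptions of this example; the SSNs use the 000- block, which is never issued.

```python
"""Shared-SSN check over credit-file records.
Added example, not any bureau's code; records and key are constructed."""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed key; in practice this comes from a secret store. Reports carry a
# keyed hash of the SSN so the report itself is not another copy of the PII.
REPORT_KEY = b"example-report-key-not-for-production"

# Constructed credit-file records. 000- SSNs are never issued, so these are safe
# sample values.
RECORDS = [
    {"file": "F-1001", "ssn": "000-11-0001", "name": "Jane Q. Doe", "dob": "1980-04-12"},
    {"file": "F-1002", "ssn": "000-11-0001", "name": "JANE DOE", "dob": "1980-04-12"},
    {"file": "F-1003", "ssn": "000-11-0002", "name": "John Smith", "dob": "1975-09-30"},
    {"file": "F-1004", "ssn": "000-11-0002", "name": "Ava Nguyen", "dob": "2001-02-14"},
    {"file": "F-1005", "ssn": "000-11-0003", "name": "Luis Ortega", "dob": "1990-07-07"},
]


def digits_only(ssn):
    return re.sub(r"\D", "", ssn)


def ssn_tag(ssn):
    """Short keyed hash of the SSN for use in reports and tickets."""
    return hmac.new(REPORT_KEY, digits_only(ssn).encode(), hashlib.sha256).hexdigest()[:12]


def name_key(name):
    """First and last name token, uppercased, punctuation dropped, so that
    'Jane Q. Doe' and 'JANE DOE' compare equal."""
    tokens = re.sub(r"[^A-Za-z ]", " ", name).upper().split()
    return (tokens[0], tokens[-1]) if tokens else ("", "")


def shared_ssn_report(records):
    """Return {"conflicts": {tag: [files]}, "duplicates": {tag: [files]}}.

    conflicts  : one SSN, more than one (name, dob) identity -> escalate
    duplicates : one SSN, one identity filed more than once -> merge/review
    """
    by_ssn = defaultdict(list)
    for r in records:
        by_ssn[digits_only(r["ssn"])].append(r)

    conflicts, duplicates = {}, {}
    for ssn, files in by_ssn.items():
        if len(files) < 2:
            continue
        identities = {(name_key(f["name"]), f["dob"]) for f in files}
        bucket = conflicts if len(identities) > 1 else duplicates
        bucket[ssn_tag(ssn)] = sorted(f["file"] for f in files)
    return {"conflicts": conflicts, "duplicates": duplicates}


if __name__ == "__main__":
    report = shared_ssn_report(RECORDS)
    for kind in ("conflicts", "duplicates"):
        for tag, files in report[kind].items():
            print(f"{kind}: ssn {tag} -> files {files}")
```

Run on the sample, the check puts the two Jane Doe files in `duplicates` and the Smith/Nguyen pair in `conflicts`. A real implementation would add a date-of-birth tolerance and a fuller name-matching step, but the structure, grouping on the number and comparing the identities attached to it, is the whole check the question asks about.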
  28. Tomi Engdahl says:

    Equifax Breach Bigger Than Initially Reported
    http://www.securityweek.com/equifax-breach-bigger-initially-reported

    Number of U.S. Consumers Exposed by Equifax Breach Increased by 2.5 Million

    Equifax on Monday afternoon said that 2.5 million additional U.S. consumers were exposed as a result of the massive data breach disclosed by the company last month. The credit reporting agency now says that a total of 145.5 million individuals have been exposed, after originally saying that 143 million had been impacted.

    Data exposed as a result of the cyber attack involved names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers and credit card numbers.

    According to Equifax, FireEye-owned Mandiant, which was retained by Equifax to investigate the breach, has completed the forensic portion of its investigation of the incident to finalize the consumers potentially impacted.

    According to Equifax, Mandiant was not able to identify any evidence of additional or new attacker activity or any access to new databases or tables, and concluded that there is no evidence the attackers accessed databases located outside of the United States.

    The investigation found that personal information of approximately 8,000 Canadian consumers was impacted, a figure lower than the 100,000 originally estimated by the company. “That number was preliminary and did not materialize,” Equifax said.

    In a statement to a congressional committee on Monday, former Equifax CEO Richard Smith said the security team at Equifax failed to patch a vulnerability in March after becoming aware of the flaw, which according to Equifax policy, would have required a patch to be applied within 48 hours.

    Equifax says that it maintains data on more than 820 million consumers and more than 91 million businesses worldwide.

    Reply
  29. Tomi Engdahl says:

    Equifax Warned About Vulnerability, Didn’t Patch It: Ex-CEO
    http://www.securityweek.com/equifax-warned-about-vulnerability-didnt-patch-it-ex-ceo

    The security team at Equifax failed to patch a vulnerability in March after getting a warning about the flaw, opening up the credit agency to a breach affecting 143 million people, the former chief executive said Monday.

    Former CEO Richard Smith, in a statement to a congressional committee released Monday, offered a timeline of the cyber attack which is believed to be the worst in terms of damaging information leaked — including social security numbers and other sensitive data.

    Smith said in prepared remarks to a House panel that the company on March 9 disseminated an internal memo warning about a software flaw identified by the government’s Computer Emergency Response Team (CERT).

    He added that Equifax policy would have required a patch to be applied within 48 hours and that this was not done — but he could not explain why.

    Equifax’s information security department ran scans that should have identified any systems that were vulnerable but failed to identify any flaws in the software known as Apache Struts.

    “I understand that Equifax’s investigation into these issues is ongoing,” he said in the statement.

    “The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information.”

    Smith said he was notified of the breach on July 31, but was not aware “of the scope of this attack.” He informed the company’s lead director three weeks later, on August 22, and board meetings were held on the matter August 24 and 25.

    Equifax, one of three major agencies which gathers data used in credit ratings for banks, has come under fire for waiting until September 7 to publicly disclose the breach, and investigators are looking into stock sales by two senior executives in August.

    Smith offered a fresh apology for the attack, saying in his statement: “As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down.”

    Reply
  30. Tomi Engdahl says:

    U.S. Cyber Command Launched DDoS Attack Against North Korea: Report
    http://www.securityweek.com/us-cyber-command-launched-ddos-attack-against-north-korea-report

    The United States Cyber Command has reportedly been engaged in offensive activity, namely a DDoS attack, against North Korea’s military spy agency, the Reconnaissance General Bureau (RGB). The attack is thought to have commenced on September 22, and continued until September 30.

    The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command. At the time, Trump said, “The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries. Through United States Cyber Command, we will tackle our cyberspace challenges in coordination with like-minded allies and partners as we strive to respond rapidly to evolving cyberspace security threats and opportunities globally.”

    The action seems to be partly in response to North Korean cyberattacks, and partly an aspect of a wide-ranging diplomatic offensive led by Secretary of State Rex Tillerson, who was in Beijing on Saturday.

    That this cyber attack was non-destructive and temporary suggests it could be considered more as a warning than a punishment. It is Cyber Command telling North Korea that it has its range and is capable of much stronger action. By being non-destructive it is probably hoped that it won’t provoke kinetic retaliation; although it is quite likely to provoke cyber retaliation from North Korean hacking groups.

    Reply
  31. Tomi Engdahl says:

    A series of delays and major errors led to massive Equifax breach
    Former CEO’s testimony to Congress reveals a shocking lack of security rigor.
    https://arstechnica.com/information-technology/2017/10/a-series-of-delays-and-major-errors-led-to-massive-equifax-breach/

    A series of costly delays and crucial errors caused Equifax to remain unprotected for months against one of the most severe Web application vulnerabilities in years, the former CEO for the credit reporting service said in written testimony investigating the massive breach that exposed sensitive data for as many as 143 million US consumers.

    Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.

    “We at Equifax clearly understood that the collection of American consumer information and data carries with it enormous responsibility to protect that data,” Smith wrote in testimony provided to the US House Subcommittee on Digital Commerce and Consumer Protection. “We did not live up to that responsibility.”

    “Consistent with Equifax’s patching policy, the Equifax security department required that patching occur within a 48-hour time period,” Smith wrote. “We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.”

    Smith said tentative results of the investigation so far show attackers first accessed sensitive information on May 13 and continued to have access over the next two months. Company officials first discovered suspicious network traffic on July 29 and didn’t fully shut down the intrusion until July 30, when the dispute application was taken offline. Smith said he didn’t learn of the suspicious activity until July 31. On August 2, Smith retained forensic consulting firm Mandiant to investigate the breach and first informed the FBI. By August 11, investigators determined that, in addition to dispute documents, the attackers accessed database tables containing large amounts of consumer information. On August 15, Smith learned that consumer information had likely been stolen, not just exposed.

    Equifax has said the data exposed in the breach included names, Social Security numbers, birth dates, and addresses for as many as 143 million people and, in some instances, driver’s license numbers. The exposed data also included credit card data for about 209,000 consumers and dispute documents with personally identifying information for about 182,000 consumers.

    Reply
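The testimony summarised in the last two comments describes a process failure with three measurable parts: an internal notice on March 9, a policy window of 48 hours to patch, and a scan that ran later and never reached the dispute application. A patch-management team can turn those into a standing check. The script below is an added example, not Equifax's tooling: given an asset inventory with the Apache Struts build on each host, the notice time, and the set of hosts a scan actually covered, it lists hosts still vulnerable past the deadline and hosts the scan never examined. The inventory, the scan results and the time of day on the notice are constructed, and the "first fixed build" boundaries in `FIXED_IN` are an assumption to be replaced with the values from the vendor advisory.

```python
"""Patch-SLA and scan-coverage check.
Added example, not Equifax's code; inventory, scan results and fix boundaries
are constructed/assumed for illustration."""
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(hours=48)   # policy window quoted in the testimony

# Assumed first fixed build per Apache Struts release line. Constructed for this
# example; take the real boundaries from the vendor advisory.
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version_text):
    """True when the build is older than the first fixed build of its line.
    A release line not in FIXED_IN is reported as vulnerable so it gets
    reviewed rather than silently skipped."""
    v = parse_version(version_text)
    fixed = FIXED_IN.get(v[:2])
    return True if fixed is None else v < fixed


# March 9 is the notice date from the testimony; the time of day is constructed.
NOTIFIED_AT = datetime(2017, 3, 9, 9, 0)

# Constructed inventory: host, application, Struts build, when it was patched.
INVENTORY = [
    {"host": "web-01", "app": "consumer-dispute-portal", "struts": "2.3.30", "patched_at": None},
    {"host": "web-02", "app": "marketing-site", "struts": "2.5.10", "patched_at": datetime(2017, 3, 10, 12, 0)},
    {"host": "web-03", "app": "api-gateway", "struts": "2.5.10.1", "patched_at": None},
    {"host": "web-04", "app": "partner-portal", "struts": "2.3.31", "patched_at": datetime(2017, 3, 20)},
]

# Constructed scan result: hosts the vulnerability scan actually reached.
SCANNED_HOSTS = {"web-02", "web-03", "web-04"}


def overdue_hosts(inventory, notified_at, as_of, window=PATCH_WINDOW):
    """Hosts on a vulnerable build that were not patched inside the window.
    Returns a list of (host, app, reason) in inventory order."""
    deadline = notified_at + window
    out = []
    for h in inventory:
        if not is_vulnerable(h["struts"]):
            continue
        patched = h["patched_at"]
        if patched is None:
            late = (as_of - deadline).days
            out.append((h["host"], h["app"], f"unpatched, {late} days past deadline"))
        elif patched > deadline:
            late = (patched - deadline).days
            out.append((h["host"], h["app"], f"patched {late} days late"))
    return out


def scan_coverage_gaps(inventory, scanned_hosts):
    """Inventory hosts the scan never examined: a clean scan says nothing about them."""
    return sorted(h["host"] for h in inventory if h["host"] not in scanned_hosts)


if __name__ == "__main__":
    for host, app, why in overdue_hosts(INVENTORY, NOTIFIED_AT, as_of=datetime(2017, 7, 29)):
        print(f"OVERDUE  {host} ({app}): {why}")
    for host in scan_coverage_gaps(INVENTORY, SCANNED_HOSTS):
        print(f"UNSCANNED {host}")
```

On the constructed data the dispute-portal host is reported twice: it is still on a vulnerable build long after the 48-hour deadline, and it was never in the scan's scope, so the scan's clean result was never evidence about it. That second report is the one the testimony shows was missing; an SLA check is only meaningful when it is joined to the inventory rather than to whatever the scanner happened to reach.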
  32. Tomi Engdahl says:

    US Studying Ways To End Use of Social Security Numbers For ID
    https://yro.slashdot.org/story/17/10/03/2046247/us-studying-ways-to-end-use-of-social-security-numbers-for-id

    U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers. “I feel very strongly that the social security number has outlived its usefulness,” Joyce said. “It’s a flawed system.”

    US Reviewing Better Tech Identifiers After Hacks: Trump Aide
    http://www.securityweek.com/us-reviewing-better-tech-identifiers-after-hacks-trump-aide

    US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.

    Rob Joyce, the White House cybersecurity coordinator, told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers.

    Joyce’s comments come after news that some 145 million Americans may have had personal information leaked, including the important social security numbers, in a breach at Equifax, one of three big US firms which collect data for credit applications.

    “I feel very strongly that the social security number has outlived its usefulness,” Joyce said.

    “It’s a flawed system.”

    For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft.

    “If you think about it, every time we use the social security number we put it at risk,” Joyce said.

    “That is the identifier that connects you to all sort of credit and digital and information online.”

    The official spoke as US lawmakers opened hearings on the Equifax breach, believed to be one of the worst because of the sensitivity of data leaked.

    Reply
  33. Tomi Engdahl says:

    Equifax Warned About Vulnerability, Didn’t Patch It: Ex-CEO
    http://www.securityweek.com/equifax-warned-about-vulnerability-didnt-patch-it-ex-ceo

    The security team at Equifax failed to patch a vulnerability in March after getting a warning about the flaw, opening up the credit agency to a breach affecting 143 million people, the former chief executive said Monday.

    Former CEO Richard Smith, in a statement to a congressional committee released Monday, offered a timeline of the cyber attack which is believed to be the worst in terms of damaging information leaked — including social security numbers and other sensitive data.

    Smith said in prepared remarks to a House panel that the company on March 9 disseminated an internal memo warning about a software flaw identified by the government’s Computer Emergency Response Team (CERT).

    He added that Equifax policy would have required a patch to be applied within 48 hours and that this was not done — but he could not explain why.

    Reply
  34. Tomi Engdahl says:

    IRS awards multimillion-dollar fraud-prevention contract to Equifax
    http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419

    The no-bid contract was issued last week, as the company continued facing fallout from its massive security breach.

    The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.

    A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.

    The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.

    Lawmakers on both sides of the aisle blasted the IRS decision.

    Reply
  35. Tomi Engdahl says:

    White House plan to nuke social security numbers is backed by Equifax’s ex-top boss
    We meant it, nothing matters any more. Nothing at all
    https://www.theregister.co.uk/2017/10/04/white_house_plans_to_ditch_social_security_numbers_as_ids/

    White House cybersecurity coordinator Rob Joyce has won the backing of Equifax’s ex-CEO for a plan to stop using social security numbers as personal identifiers in the US.

    We have no idea of Joyce’s opinion of the endorsement, but what we do know is that he floated the notion in a speech given to a Washington Post-sponsored cybersecurity conference on Tuesday. Joyce suggested using a “modern cryptographic identifier” – presumably a hash or public-private key pair or something – to identify individual US taxpayers rather than the usual nine digits.

    Former Equifax CEO Richard Smith followed a similar path, but in a less-favorable forum – on Tuesday, he was giving testimony to the US House committee investigating the litany of failures that led to his credit-check agency leaking 145 million Americans’ social security numbers and other sensitive personal data. The same biz that just won a US$7.5 million contract to help Uncle Sam identify taxpayers, funnily enough.

    “The concept of a Social Security number in this environment being private and secure – I think it’s time as a country to think beyond that,” Smith told politicians. No kidding, Dick, you just lost 145 million of the numbers to hackers.

    Meanwhile, arguing the social security number has “outlived its usefulness” for citizen-government interactions, Joyce said that “every time we use the Social Security number you put it at risk.” Again, no kidding, thanks to organizations like Equifax.

    Reply
  36. Tomi Engdahl says:

    Sole Equifax security worker at fault for failed patch, says former CEO
    Someone failed to order the patch. If it was you, c’mere, have a hug. And a new identity
    https://www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/

    Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz’s IT security breach on a single member of the company’s security team.

    In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news about Apache Struts, that protocol broke down at Equifax due to human error, meaning no one was told to apply patches for the flaw.

    Hackers ultimately exploited the Struts bug on Equifax’s systems to infiltrate the organization and swipe sensitive personal records, including social security numbers, of more than 140 million folks in the US, UK and Canada.

    “The human error was the individual who is responsible for communicating in the organisation to apply the patch, did not,” Smith told the subcommittee at around the 1:05:15 mark in the video below.

    Congressman Greg Walden sought clarification of that statement, asking “Does that mean that that individual knew the software was there, and it needed to be patched, and did not communicate that to the team that does the patching? Is that the heart of the issue here?”

    Smith’s reply was: “That is my understanding, sir.”

    Smith said the company had otherwise followed its protocol of distributing information on necessary patches and that in the case of CVE-2017-5638 its procedures were observed, except by the individual mentioned above.

    Smith spent more than two-and-a-half hours testifying and, after apologising and taking responsibility for the hack, spent much of that time defending Equifax’s decision to withhold news of the hack for many days after discovering it. Smith repeatedly justified the delay on grounds of avoiding further attacks and ensuring consumer protection measures could be in place.

    “It did not help that hurricane Irma took down two of our larger call centres in the early days after the breach,” he said.

    https://www.youtube.com/watch?v=4pgg2LCY8iE&feature=youtu.be&t=1h4m46s

    Reply
  37. Tomi Engdahl says:

    Oversight of the Equifax Data Breach: Answers for Consumers
    https://www.youtube.com/watch?v=4pgg2LCY8iE

    Reply
  38. Tomi Engdahl says:

    John McCrank / Reuters:
    Equifax says that 15.2M records from 693,665 UK customers were accessed during US hack

    Equifax says 15.2 million UK records exposed in cyber breach
    http://www.reuters.com/article/us-equifax-cyber/equifax-says-15-2-million-uk-records-exposed-in-cyber-breach-idUSKBN1CF2JU

    Credit reporting agency Equifax Inc (EFX.N) said on Tuesday that 15.2 million client records in Britain were compromised in the massive cyber attack it disclosed last month, including sensitive information affecting nearly 700,000 consumers.

    The U.S.-based company said 14.5 million of the records breached, which dated from 2011 to 2016, did not contain information that put British consumers at risk.

    Overall, around 145.5 million people, mostly in the United States, had their information, including Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers, stolen.

    The company was alerted in March that a software security vulnerability existed in one or more of its systems, but it failed to fix the problem because of “both human error and technology failures,”

    Reply
  39. Tomi Engdahl says:

    Equifax hack included nearly 11 million US driver’s licenses
    https://techcrunch.com/2017/10/10/equifax-hack-included-nearly-11-million-us-drivers-licenses/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Posted 17 hours ago by Devin Coldewey

    The latest news from the enormous Equifax hack is that the stolen records included 10.9 million driver’s licenses from U.S. citizens, according to The Wall Street Journal’s sources. This isn’t much of a surprise given how poorly all the other information was secured, but it’s nice to put a number on just how many of various personal documents Equifax’s poor security practices exposed.

    Licenses are of course a ubiquitous form of state-issued ID, and as such end up being used frequently for certain kinds of verification.

    What does this mean? Well, websites and services that previously used licenses as a way of verifying identity should no longer do so, since millions of them are now in the wild. Unfortunately, you can’t really make them stop — but you can report your license stolen.

    Sure, it wasn’t stolen like you’d steal a car, but it was stolen like you’d steal a movie — copied and distributed online. Unlike a movie, however, your license loses its value upon being widely copied.

    It may cost you a few bucks (here in Washington, it’s $20), but you can get a brand new license with a brand new number simply by saying it was stolen, which for 10.9 million Americans is true. I’m not a lawyer or big security expert, but I do think this is a fairly painless way to put this particular inconvenience behind you.

    Reply
  40. Tomi Engdahl says:

    Equifax products also leaked thousands of salary histories
    https://techcrunch.com/2017/10/11/equifax-products-also-leaked-thousands-of-salary-histories/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Equifax is still leaking like a sieve. Security researcher Brian Krebs has outlined a vulnerability in Equifax’s The Work Number product, a system used by credit companies to confirm your salary.

    The system uses a number of personal details, including your SSN and birthdate, to bring up a salary history. These are details leaked in Equifax’s 143 million record breach this year.

    The Equifax breach shows us a few things but primarily it proves that the systems put in place to protect banks from customers are inefficient and prone to catastrophic failure. While I doubt this will cause a popular uprising and wipe out services like Equifax, here’s hoping that some industrious startup with a quantum encryption scheme and half a brain can figure out a better solution to keeping our financial data secure.

    Reply
  41. Tomi Engdahl says:

    Equifax Website Redirects Users to Adware, Scams
    http://www.securityweek.com/hacked-equifax-website-redirects-users-adware-scams

    A security researcher noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to websites set up to serve adware and scams.

    Independent security analyst Randy Abrams wanted to find his credit report on Equifax’s website when he was redirected to a website offering a fake Flash Player installer. The browsing session was taken through multiple domains before the final page was reached.

    It’s not uncommon for cybercriminals to deliver malware using fake Flash Player installers, but in this case the website pushed adware.

    The Equifax webpage, hosted at aa.econsumer.equifax.com, did not redirect the connection when accessed by SecurityWeek on Thursday morning. Abrams believes Equifax removed the malicious code from its website sometime on Wednesday.

    An analysis of the domains involved in the redirection chain shows that they can lead not only to adware. The final destination depends on the type of device and the geographical location of the user.

    SecurityWeek has seen redirects to fake Android and iOS updates, premium SMS services, and other scammy sites. Various online security services detect the domains involved in the attack as malicious, and while there is no evidence of actual malware being served, the possibility cannot be ruled out.

    Contacted by SecurityWeek, an Equifax spokesperson stated, “We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.”

    Equifax recently informed customers that hackers breached its systems after exploiting an Apache Struts 2 vulnerability that had been patched and exploited in the wild since March. The attackers gained access to the personal information of more than 140 million individuals, including hundreds of thousands of Canadian and British citizens.

    “I’m really not trying to kick Equifax while they are down. There are already 150 million other people doing that. I just sort of tripped over them,” Abrams said in a blog post.

    New Equifax Website Compromise
    https://randy-abrams.blogspot.fi/2017/10/new-equifax-website-compromise.html

    Update: Third party analysis tends to indicates something that is conceptually the same as malvertising. Watch the video and replace Equifax with your favorite website. It happens every day throughout the world. Now it’s a security training video.

    Reply
  42. Tomi Engdahl says:

    Malicious Redirects on Equifax, TransUnion Sites Caused by Third-Party Script
    http://www.securityweek.com/malicious-redirects-equifax-transunion-sites-caused-third-party-script

    Two of the “Big Three” U.S. credit reporting agencies, Equifax and TransUnion, were hit by a cybersecurity incident caused by the use of a third-party web analytics script.

    Independent security analyst Randy Abrams noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to a website set up to serve adware disguised as a Flash Player installer.

    While initially it appeared that Equifax’s website had been hacked, the company’s investigation revealed that the malicious redirects occurred due to a third-party vendor’s script.

    “Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” Equifax stated.

    The redirection chain, often seen in malvertising attacks, results in users being taken to a scammy or malicious website, depending on their geographical location and the type of device they use to access the affected webpage.

    Researchers at Malwarebytes have analyzed the incident and determined that the redirection occurs due to a web analytics script from Digital River-owned Fireclick. A search for the script involved in the attack (fireclick.js) revealed that it had also been used on the Central America website of TransUnion, whose customers were also redirected to shady sites.

    Both Equifax and TransUnion have removed the problematic script from their websites. Equifax took the affected service offline and had not restored it at the time of writing.

    Reply
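    The Fireclick incident described in the two posts above is a plain third-party script supply-chain failure: a vendor's analytics file loaded from the site's pages without any integrity check, so whatever the vendor's host served ran in the credit agency's origin. Below is an added example (not code from the original post, from Equifax, TransUnion or Malwarebytes) of a small audit that a site owner could run over their own HTML: it lists every external script and flags those from hosts outside a first-party allowlist that carry no Subresource Integrity attribute. The hostnames, the sample HTML and the `fireclick.js` host are constructed for the example; the real script's origin is not stated on the page.

```javascript
// Added example: audit <script> tags for third-party sources loaded without
// Subresource Integrity (SRI). Not the page's own code; hosts are assumed.

// Assumed first-party hosts for the site being audited.
const FIRST_PARTY = new Set(["www.example-agency.test", "static.example-agency.test"]);

// Minimal parser for <script ...> opening tags: returns {src, integrity} per tag.
// Good enough for an offline audit of static HTML; not a full HTML parser.
function parseScriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (/\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs) || [])[1] || null;
    const integrity = (/\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs) || [])[1] || null;
    tags.push({ src, integrity });
  }
  return tags;
}

// Resolve a src (absolute, protocol-relative or path-relative) to its hostname.
function hostOf(src, pageHost) {
  try {
    return new URL(src, `https://${pageHost}/`).hostname;
  } catch (e) {
    return null; // unparsable src: reported by the caller as third-party-unknown
  }
}

// Returns one finding per external script that is either third-party without
// SRI or carries a malformed integrity value. Inline scripts are skipped here;
// they are a CSP concern rather than an SRI one.
function auditScripts(html, pageHost, firstParty) {
  const findings = [];
  for (const tag of parseScriptTags(html)) {
    if (!tag.src) continue;
    const host = hostOf(tag.src, pageHost);
    const thirdParty = host === null || !firstParty.has(host);
    if (!thirdParty) continue;
    if (!tag.integrity) {
      findings.push({ src: tag.src, host, reason: "third-party script without integrity attribute" });
    } else if (!/^sha(256|384|512)-/.test(tag.integrity)) {
      findings.push({ src: tag.src, host, reason: "malformed integrity value" });
    }
  }
  return findings;
}

// Constructed sample page (not the real Equifax or TransUnion HTML).
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-agency.test/vendor.js" integrity="sha384-AAAA"></script>
<script src="//analytics.example.net/fireclick.js"></script>
<script>console.log("inline");</script>
</head></html>`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, "www.example-agency.test", FIRST_PARTY), null, 2));
```

    The audit deliberately treats a missing `integrity` on a third-party script as a finding rather than an error, because analytics vendors routinely change their files and SRI pins a single hash; for such scripts the realistic mitigations are a `Content-Security-Policy` `script-src` allowlist that names the vendor host explicitly, and a decision about whether the vendor belongs on a page that handles credit data at all.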
