This article talks about security breach that will affect verty many people in the USA. It can cause need to rethink the current sloppy security practices on many companies – the identifying data many companies use has now leaked out.
The private data of 143 million Equifax “customers” is now available for download. Have no doubt: This means you will be hacked. This means your SIM card can be spoofed. This means someone will try to get into your email and online accounts. This means someone will try to open a credit card in your name.
First, we cannot allow our most precious data to be accessible via the last four digits of our social security number.
Further, we must also outlaw SMS two-factor authentication. In fact, thanks to the data stolen from Equifax, that process can be easily broken.
Mistakes happen. Ultimately we must hold these companies that keep leaking sensitive data accountable for their fails. In short, it’s time for those who are careless big data to die.
USA might need to look outside the US for leadership in security.
141 Comments
Tomi Engdahl says:
Equifax Cybersecurity Failings Revealed Following Breach
http://www.securityweek.com/equifax-cybersecurity-failings-revealed-following-breach
Shortcomings revealed by researchers and cybersecurity firms following the massive data breach suffered by Equifax show that a successful hacker attack on the credit reporting agency’s systems was inevitable.
Some members of the industry pointed out last week that the company’s Chief Security Officer (CSO) Susan Mauldin was a music major with no educational background in cybersecurity or technology. Mauldin and Chief Information Officer David Webb retired from the company on Friday.
Others dug up old vulnerability reports that the firm had still not addressed and noted the lack of even basic protections on the company’s website. Even the website set up by Equifax to provide information about the breach was riddled with security holes and some services flagged it as a phishing site.
The Apache Struts 2 vulnerability leveraged by cybercriminals to breach Equifax systems had been known and exploited for roughly two months before the attack on the company. Equifax said its security team knew about the flaw and is now trying to determine why an online dispute portal, which served as the initial point of entry, remained unpatched.
Experts pointed out that the Apache Struts flaw is not easy to fix, especially if you have many systems that need patching. However, they believe the problem can be addressed with modern security solutions.
Comodo discovered that more than 388 records of Equifax users and employees are up for sale on the dark web. The information, which includes usernames, passwords and login URLs, was apparently stolen using Pony malware. The security firm pointed out that some Equifax credentials were also exposed in third-party incidents, including the massive LinkedIn and Dropbox breaches.
“From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales, used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement,” Comodo said in a blog post.
Equifax stock was worth roughly $140, but it has now dropped to $92, and financial experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.
Equifax Shares More Details About Breach
http://www.securityweek.com/equifax-shares-more-details-about-breach
Equifax has shared more details about the recent breach that affects roughly 143 million U.S. consumer
Equifax also revealed that the breach affected less than 400,000 U.K. consumers. Their data had been stored in the United States due to a “process failure” between 2011 and 2016. It’s still unclear how many Canadians are impacted by the breach.
That was when Equifax’s security team discovered that the attackers had exploited an Apache Struts flaw to access its systems on May 13. The vulnerability in question, CVE-2017-5638, has been exploited in the wild since the first half of March.
Equifax said its team had known about the Struts vulnerability since it was disclosed and it took steps to patch systems. The organization is still reviewing the facts in an effort to determine why the dispute portal remained unpatched. FireEye-owned Mandiant has been called in to assist in conducting a comprehensive forensic investigation.
“The word patch is a bit inappropriate for this problem, since what Equifax would have had to do is replace the vulnerable Struts library with the latest one,”
Tomi Engdahl says:
Bloomberg:
Equifax discovered major breach in March but says it’s unrelated to recently disclosed hack affecting 143M people; source says both involve the same intruders — New timeline could have implications for executive stock sales — The company is the subject of multiple investigations
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed
https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
New timeline could have implications for executive stock sales
The company is the subject of multiple investigations
Equifax Inc. learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation.
Equifax’s hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. Vitor De Souza, senior vice president for global marketing at FireEye Inc., Mandiant’s parent company, declined to comment.
The revelation of a March breach will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.
Equifax has said the executives had no knowledge that an intrusion had occurred when the transactions were made. The company’s shares fell 1.8 percent in premarket trading Tuesday. The stock closed at $94.38 on Monday.
New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity, including social security and driver’s license numbers, and steal credit card numbers.
In public statements since disclosing the intrusion on Sept. 7, Equifax said it became aware of the breach only after the data taken by the hackers had been gone for months.
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate.
One possible explanation, according to several veteran security experts consulted by Bloomberg, is that the investigation didn’t uncover evidence that data was accessed.
Even so, the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July.
It’s the stock sales by several executives that are likely to get the most scrutiny in light of the new timeline.
If the two hacks are unrelated it could be that different hacking teams had different goals. One clue has emerged that suggests one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter.
The discovery suggests that the attackers may have been trying to piggyback off of Equifax’s connections to large banks and other financial institutions as a backdoor way to hack those entities and gain access to sensitive partner systems
Tomi Engdahl says:
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed
https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
Equifax Inc. learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation.
Tomi Engdahl says:
Failure to patch two-month-old bug led to massive Equifax breach
Critical Apache Struts bug was fixed in March. In May, it bit ~143 million US consumers.
https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.
The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.
Thursday’s disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn’t immediately respond to an e-mail seeking comment on this possibility.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
Tomi Engdahl says:
New York Pushes to Regulate Credit Agencies After Equifax Breach
http://www.securityweek.com/new-york-pushes-regulate-credit-agencies-after-equifax-breach
New York Governor Andrew Cuomo announced on Monday plans to make credit reporting firms comply with the 23 NYCRR 500 cybersecurity regulations enacted earlier this year. The move is in response to the massive Equifax breach disclosed on September 7, 2017.
“In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, Governor Andrew M. Cuomo today directed the Department of Financial Services to issue new regulation making credit reporting agencies to register with New York for the first time and comply with this state’s first-in-the-nation cybersecurity standard,” says the statement.
“A person’s credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Tomi Engdahl says:
Equifax’s disastrous Struts patching blunder: THOUSANDS of other orgs did it too
Those are just the ones known to have downloaded outdated versions
https://www.theregister.co.uk/2017/09/20/equifax_vulnerability_could_be_widespread/
Thousands of companies may be susceptible to the same type of hack that recently struck Equifax.
The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late July, when the attack was finally detected.
Additionally, more than 46,000 organisations downloaded versions of Struts and/or its sub-projects with known vulnerabilities despite perfectly safe versions being available. Altogether, upwards of 50,000 organisations might be vulnerable to attack.
Why are developers still using vulnerable software packages when newer versions are available?
Why are developers still using vulnerable software packages when newer versions are available?
A variety of factors might be responsible, such as dependencies, old links in documentation, no time allotted to test newer versions, and simple fear of change. Compatibility is a big factor. “Over the years Struts versions have unsupported/broke features, plugins,” noted infosec consultant Kevin Beaumont.
Jason Coulls, a mobile app developer, added: “Technical debt. If you don’t keep up, compatibility will force you backwards.”
Why wouldn’t you patch?
Mike Pittenger, VP of security strategy at SecDevOps tools firm Black Duck Software, told El Reg that it could be that developers – whose work performance is generally judged by the functionality of their software rather than security factors – neglect to check whether the version of Struts they are using is secure or not.
Struts is a framework for web app development and the amount of work needed to patch a particular environment can vary widely. Sometimes there are valid reasons to defer patching. “Fixes could require API [program interface] changes or more testing to make sure you don’t break things,” Pittenger said.
Tomi Engdahl says:
Equifax Breach Affects 100,000 Canadians
http://www.securityweek.com/equifax-breach-affects-100000-canadians
Equifax revealed on Tuesday that the recent data breach affects roughly 100,000 Canadian consumers, but the company’s systems in Canada were not compromised.
Equifax Canada said the company’s investigation is still ongoing, but it believes the incident affects approximately 100,000 Canadians. Similar to the United States, the exposed information includes names, addresses, social insurance numbers, and, in some cases, credit card numbers.
“Equifax Canada can confirm that Canadian systems are not affected. We have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases. Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S.,” the company said.
Impacted individuals will be notified via mail and they will be offered credit monitoring and identity theft protection services for one year at no charge.
Tomi Engdahl says:
Equifax customer DISservice department:
Dani Deahl / The Verge:
Equifax customer service, tweeting from @Equifax, accidentally directed customers to a critic’s phishing site for over a week in at least three Twitter replies — Earlier this month, hackers broke into Equifax’s servers and stole 143 million people’s personal information, including their Social Security numbers.
For weeks, Equifax customer service has been directing victims to a fake phishing site
https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring
Tomi Engdahl says:
Unisys: Micro-segmentation and AI in the security wake of Equifax
http://www.zdnet.com/article/unisys-micro-segmentation-and-ai-in-the-security-wake-of-equifax/
The chief trust officer of Unisys explains what business leaders and technologists need to know about next-generation network security practices. Read carefully to protect your organization.
The Equifax security breach is on everyone’s mind. Equifax has broken our trust and made clear that security is everyone’s problem — ultimately, no one is immune to the effects of poor computer security.
During our conversation, Patterson explains why effective security must go beyond technology to encompass business strategy and practice at the most senior levels in an organization. It’s a perspective that explains why organizational leaders and technologist are jointly responsible for securing data, corporate assets, and even critical infrastructure.
However, the technology itself is also fascinating. From micro-segmentation to predictive analytics, there is plenty of material for the most hardened technologist to study and enjoy.
Is security a business or technical problem?
It used to be bits and bytes and routers and firewalls. Now, it’s boardroom decisions and what should we do about an M&A? How should we go into a merger? How should we partner in this country or that country?
These are all business decisions. And, the threats are dramatic. There’s not only the threat of being shut down or having all the information that you are entrusted with taken from you, but there’s also regulatory compliance now. New regulations coming that starts next year where the fines start at $20 million dollars and go up from there.
It’s an issue that goes well beyond the technology. That’s what the chief trust officer role works with here. We’re a coordination point for privacy, physical security, and business security issues.
Where does technical debt have an impact?
Most every company of any size that’s been around for a while has issues like technical debt. They’ve got old stuff and there’s not enough money to buy all new stuff.
So, they’ve got to work together and be realistic with each other, and say, “Well, we’ve got this privacy spin that we’ve got to do, and we’ve got this technical debt issue here, and we’re trying to go an open business in country X and country Y. Let’s design a system, maybe using a cloud provider and some micro-segmentation and we do this.”
Suddenly, we’re addressing all those issues with one spend. That opens the eyes not only of the practitioners but also of the business leaders and the governance leaders across the board. Literally around the world.
Tomi Engdahl says:
Apache Struts Remote Command Execution explained
https://www.linkedin.com/pulse/apache-struts-remote-command-execution-threat-report-raviv-raz/?trackingId=n98%2Bd4TYzv6GNnRAWq92ag%3D%3D&lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BaHj%2FntXmT36cgzoj2xFiow%3D%3D&licu=urn%3Ali%3Acontrol%3Ad_flagship3_feed-object
We all heard about the recent misfortunate tale of Equifax, losing all their customer data in one major breach. According to their disclosed information, it was all due to the Apache Struts Remote Command Execution vulnerability found in their servers. In fact, if this was the case, then the whole attack might have started and finished within seconds, using one HTTP transaction sent to their website.
OWASP categorizes this type of attacks as “Command Injection”, defined as:
“an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
Attacks in the wild are seen abusing the HTTP “content-type” header to inject the malicious code.
Conclusion
As always, keep your systems up-to-date to minimize the exposure time window. Audit your code, keep yourself up to speed with the latest trends in application security. And of course, monitor all your web applications for malicious and suspicious web user behavior.
Tomi Engdahl says:
New York Times:
Despite safety being part of Equifax’s sales pitch, company’s strategy of gathering as much personal data as possible amplified the consequences of the breach
As Equifax Amassed Ever More Data, Safety Was a Sales Pitch
https://www.nytimes.com/2017/09/23/business/equifax-data-breach.html
Equifax’s chief executive had a simple strategy when he joined more than a decade ago: Gather as much personal data as possible and find new ways to sell it.
The company was making good money compiling credit reports on Americans. But Wall Street wanted stronger growth.
The chief executive, Richard F. Smith, delivered, releasing dozens of new products each year and doubling revenue. The company built algorithms and started scrubbing social media to assess consumers. In a big data collection coup, Equifax persuaded more than 7,000 employers to hand over salary details for an income verification system that now encompasses nearly half of American workers.
As part of its pitch to clients, the company promised to safeguard information. It even sold products to help companies hit by cyberattacks protect their customers.
“Data breaches are on the rise. Be prepared,” the company said in one pitch. “You’ll feel safer with Equifax.”
But this strategy means that Equifax is entrenched in consumers’ financial lives whether they like it or not — or even know it. Equifax’s approach amplified the consequences of the breach, reported this month, that exposed the personal information for up to 143 million people.
Ordinary people are not Equifax’s customers. They are the company’s product. The “Big Three” credit bureaus, Equifax, Experian and TransUnion, collect 4.5 billion pieces of data each month to feed into their credit reports.
From birth to death, the record grows. Decades’ worth of addresses and identifying information, including drivers’ licenses and Social Security numbers. Utility accounts like telephone and cable subscriptions. Criminal records, medical debt, as well as rental and eviction histories.
Equifax’s records on any given individual, scattered throughout dozens of databases, typically stretch across hundreds or thousands of pages.
Tomi Engdahl says:
When blockchain meets Equifax-style breaches
https://enterprisersproject.com/article/2017/9/when-blockchain-meets-equifax-style-breaches?sc_cid=7016000000127ECAAY
How could blockchain improve security and data sharing? In part two of our interview, Andreas Freund of TCS explains
“I tell our clients our goal is to turn a billion-dollar bank into a billion one-dollar banks,” Freund explains. “The incentive to go after these little honeypots is much less than for going after one big honeypot.”
Today, a hacker might break into one system and make off with 143 million identities, as recently happened to Equifax. With blockchain, he says, “Even if you can penetrate one identity, you’ll have to extend the same effort to hack another and another.”
Decentralizing security – allowing it to be spread over many networks and in effect giving up absolute control – might be a highly uncomfortable prospect for many CIOs and CISOs. But, Freund says, it could be the only way to keep data safe over the long term. “We have looked at many, many models and found that any centralized security model won’t scale effectively,” he says. “And it will eventually fail.”
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Equifax chairman and CEO Richard Smith steps down effective immediately after massive data breach, after more than a decade at the company — The company’s shares were halted pending the news. — Equifax chairman and chief executive Richard Smith has stepped down from the embattled credit rating agency, effective immediately.
Equifax chief executive steps down after massive data breach
The former chief executive made over $4 million in salary last year.
http://www.zdnet.com/article/equifax-chief-executive-to-step-down-following-hack/
Equifax chairman and chief executive Richard Smith has stepped down from the embattled credit rating agency, effective immediately.
The company said in an early Tuesday statement that Smith will “retire” after more than a decade at the company. Paulino do Rego Barros, who served as the company’s Asia-Pacific president, will serve as the company’s new chief executive.
Shares in Equifax ($EFX) were halted during pre-market trading pending the news.
It comes two weeks after the credit rating giant admitted it had been hacked earlier in the year. The company said 143 million consumers may have been affected by the breach of sensitive information.
Since then, a litany of security problems have plagued the company’s incident recovery, spearheaded by security firm Mandiant.
Tomi Engdahl says:
David Lazarus / Los Angeles Times:
How credit agencies like Experian use fear to pitch online identity protection services of questionable value and with onerous ToS including arbitration clauses
Credit agency Experian says it can protect you from the ‘dark Web’ — sort of
http://www.latimes.com/business/lazarus/la-fi-lazarus-experian-dark-web-20170922-story.html
The ad opens with quick cuts of creepy-looking hackers in sinister surroundings. A serious male voice asks: “Is your personal information already being traded on the dark Web?”
Then the imagery brightens — a sunny kitchen, a family playing with a fluffy white dog. “Find out with Experian,” says a friendly female voice. “Act now to help keep your personal information safe.”
Consumers’ and lawmakers’ attention is rightly focused at the moment on the security breach involving Equifax, which left millions of people facing a very real possibility of fraud and identity theft.
But the recent ad from rival Experian highlights a more troublesome aspect of credit agencies — their use of questionable methods to spook people into buying services they may not need and, in so doing, giving the companies permission to share data with marketers and business partners.
“One of the biggest problems with credit reporting agencies is that their real customers are the banks and landlords who pay for credit reports,” said Peter Swire, a professor of law and ethics at Georgia Tech.
“Ordinary consumers are not their main market, except when the company can talk us into paying for something about our own credit history,” he said.
“Because of its hidden nature and the use of special applications to maintain anonymity, it’s not surprising that the dark Web can be a haven for all kinds of illicit activity,” Experian says on its own website. “This means if you’ve ever been a victim of a data breach, it’s a place where your sensitive information might live.”
Scary.
Luckily, Experian is here with a free scan of the dark Web on consumers’ behalf. All you have to do is enter your email address.
It turns out running a free dark-Web email scan opens you up to “advertisements or offers for available credit cards, loan options, financial products or services, or credit-related products or services and other offers to customers.”
https://www.experian.com/consumer-products/free-dark-web-email-scan.html
Tomi Engdahl says:
San Francisco sues Equifax on behalf of 15 million Californians affected by the breach
https://techcrunch.com/2017/09/27/san-francisco-sues-equifax-on-behalf-of-15-million-californians-affected-by-the-breach/?utm_source=tcfbpage&sr_share=facebook
Equifax is not only in deep for a class-action lawsuit over a breach exposing 143 million U.S. citizen’s Social Security numbers and a subpoena in New York, it’s now being sued by the city of San Francisco.
S.F. City Attorney Dennis Herrera filed the lawsuit against the credit reporting agency in San Francisco Superior Court for “failing to protect the personal data of more than 15 million Californians,” according to a statement.
Tomi Engdahl says:
N.Y. regulators issued Equifax with a subpoena, per report
https://techcrunch.com/2017/09/27/n-y-regulators-issued-equifax-with-a-subpoena-per-report/?utm_source=tcfbpage&sr_share=facebook
Equifax was issued a subpoena from New York state’s financial service regulators in regards to the massive data breach the company announced last month, Reuters reported today. The regulators want Equifax to provide more information, which is about right since it seems like Equifax has changed the story several times since the first announcement.
Specifically, Reuters states the subpoena is looking for documents related to the data breach and details on when the company first learned about the hack.
Tomi Engdahl says:
Jennifer Surane / Bloomberg:
Equifax to launch a new free service by February 2018 which allows users to lock and unlock access to their credit files
Equifax Will Offer Free Credit Locks for Life, New CEO Says
https://www.bloomberg.com/news/articles/2017-09-27/equifax-will-offer-free-credit-freezes-for-life-new-ceo-says
New ‘safe and simple’ service to be introduced by January
CEO Barros lays out plan in newspaper op-ed on 2nd day in job
Equifax Inc. will debut a new service that will permanently give consumers the ability to lock and unlock their credit for free.
The service will be introduced by Jan. 31, Chief Executive Officer Paulino do Rego Barros Jr. wrote in a Wall Street Journal op-ed Wednesday, a day after taking the helm. The company will also extend the sign-up period for TrustedID Premier, the free credit-monitoring service it’s offering all U.S. consumers, he said.
“The service we are developing will let consumers easily lock and unlock access to their Equifax credit files,” Barros wrote. “You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.”
Barros was named interim CEO on Tuesday, less than three weeks after Equifax disclosed that hackers accessed sensitive data for 143 million U.S. consumers. Former CEO Richard Smith will appear before Congress next week, and lawmakers have demanded more information on how the breach happened, while faulting the company’s efforts to alert victims and help them safeguard their finances.
Tomi Engdahl says:
Equifax Will Offer Free Credit Locks for Life, New CEO Says
https://news.slashdot.org/story/17/09/28/0349200/equifax-will-offer-free-credit-locks-for-life-new-ceo-says
Equifax will debut a new service that will permanently give consumers the ability to lock and unlock their credit for free.
Equifax Will Offer Free Credit Locks for Life, New CEO Says
https://www.bloomberg.com/news/articles/2017-09-27/equifax-will-offer-free-credit-freezes-for-life-new-ceo-says
New ‘safe and simple’ service to be introduced by January
CEO Barros lays out plan in newspaper op-ed on 2nd day in job
Equifax Inc. will debut a new service that will permanently give consumers the ability to lock and unlock their credit for free.
The service will be introduced by Jan. 31, Chief Executive Officer Paulino do Rego Barros Jr. wrote in a Wall Street Journal op-ed Wednesday, a day after taking the helm. The company will also extend the sign-up period for TrustedID Premier, the free credit-monitoring service it’s offering all U.S. consumers, he said.
“The service we are developing will let consumers easily lock and unlock access to their Equifax credit files,” Barros wrote. “You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.”
Tomi Engdahl says:
Equifax Board Forms Panel To Review Executives’ Stock Sales After Data Breach
https://news.slashdot.org/story/17/09/30/0256244/equifax-board-forms-panel-to-review-executives-stock-sales-after-data-breach
Equifax’s board of directors has formed a special committee to review the stock sales that top executives made days after the company found out it was hacked. Directors at Equifax have retained counsel and are conducting a “thorough review” of the trades, according to a Sept. 28 letter the company’s outside lawyers submitted to the top Democrat on the House Energy and Commerce Committee.
Equifax Board Forms Panel to Review Executives’ Share Sales
https://www.bloomberg.com/news/articles/2017-09-29/equifax-board-to-review-executives-stock-sales-following-hack
Equifax Inc.’s board of directors has formed a special committee to review the stock sales that top executives made days after the company found out it was hacked.
Directors at Equifax have retained counsel and are conducting a “thorough review” of the trades, according to a Sept. 28 letter the company’s outside lawyers submitted to the top Democrat on the House Energy and Commerce Committee. The examination adds to investigations already being conducted by federal law-enforcement agencies.
“Equifax takes these matters seriously,” the company said
Congressional Scrutiny
The share sales by Equifax’s chief financial offer and other executives are among the issues that have drawn the most congressional scrutiny since the company disclosed earlier this month that a data breach had compromised the personal information of 143 million Americans. Equifax’s stock has fallen 25 percent since it reported the hack on Sept. 7.
Multiple Hearings
In the letter to lawmakers, Equifax attorneys at the law firm King & Spalding also disclosed more details on the company’s internal procedures for how breaches are handled
“There is an ongoing root cause investigation into multiple issues, including compliance with Equifax’s plans and procedure guides,”
Tomi Engdahl says:
Bloomberg:
Sources: ongoing investigations find the Equifax hack may have been state-sponsored, and that 30+ entry points were created in Equifax computer systems
The Equifax Hack Has the Hallmarks of State-Sponsored Pros
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
Investigations into the massive breach aren’t complete, but the intruders used techniques that have been linked to nation-state hackers in the past.
In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren’t being disparaging, just darkly honest: Founded in the 19th century as a retail credit company, Equifax had over the years morphed into one of the largest repositories of Americans’ most sensitive financial data, which the company sliced and diced and sold to banks and hedge funds. In short, the viability of Equifax and the security of its data were one and the same.
Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.
The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community.
showed up the same day in Metasploit, a popular free hacking tool
On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.
Before long, hackers had penetrated Equifax. They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. They homed in on a bounty of staggering scale: the financial data—Social Security numbers, birth dates, addresses and more—of at least 143 million Americans. By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax’s computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.
The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.
Others involved in the investigation aren’t so sure, saying the evidence is inconclusive at best or points in other directions.
a nation-state may have played a role, but that it doesn’t point to China.
Wherever the digital trail ultimately leads, one thing is clear: The scant details about the breach so far released by Equifax—besides angering millions of Americans—omit some of the most important elements of the intrusion and what the company has since learned about the hackers’ tactics and motives. Bloomberg has reconstructed the chain of events through interviews with more than a dozen people familiar with twin probes being conducted by Equifax and U.S. law enforcement.
The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company’s challenges may go still deeper. One U.S. government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company.
The attackers avoided using tools that investigators can use to fingerprint known groups. One of the tools used by the hackers—China Chopper—has a Chinese-language interface, but is also in use outside China, people familiar with the malware said.
The impact of the Equifax breach will echo for years. Millions of consumers will live with the worry that the hackers—either criminals or spies—hold the keys to their financial identity, and could use them to do serious harm. The ramifications for Equifax and the larger credit reporting industry could be equally severe.
Smith explained that the company gets its data for free (because regular consumers hand it over to the banks when they apply for credit). Then, he said, the company crunches the data with the help of computer scientists and artificial intelligence and sells it back to the banks that gave Equifax the data in the first place. The business generates a gross margin of about 90 percent. “That’s a pretty unique model,” Smith said.
And one that he fully exploited. Smith acquired two dozen companies that have given Equifax new ways to package and sell data, while expanding operations to 25 countries and 10,000 employees. Business was good
But the man who transformed Equifax was plagued each and every day by the fear that hackers would penetrate the company’s firewall and make off with the personal data of millions of people. By the time he gave the speech on Aug. 17, Smith knew of the hack but the public didn’t. He told the audience the risk of a breach was “my No. 1 worry” and lingered on the threats posed by spies and state-sponsored hackers.
Not long after becoming CEO, he hired Tony Spinelli, a well-regarded cyber expert, to overhaul the company’s security.
“Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security.”
Besides amassing data on nearly every American adult, the hackers also sought information on specific people.
The company continued to invest heavily in state-of-the-art technology, and had a dedicated team to quickly patch vulnerabilities like the one identified by Zheng.
Lapses in security began to catch up to the company in myriad ways beginning early this year. Since at least Feb. 1, Equifax had been aware that identity thieves were abusing a service that manages payroll data for companies, according to notices sent to victims.
Equifax hired Mandiant in March to investigate any security weaknesses related to the scams
The investigation in March was described internally as “a top-secret project”
The relationship with Mandiant broke down sometime over the next several weeks—a period that would later turn out to be critical in how the breach unfolded. Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said.
Although the hackers inside Equifax were able to evade detection for months, once the hack was discovered on July 29, investigators quickly reconstructed their movements down to the individual commands they used.
The company’s suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network’s internal communications and data traffic. Using Moloch, investigators reconstructed every step.
Once the hackers found the vulnerability Zheng reported, they installed a simple backdoor known as a web shell. It didn’t matter if Equifax fixed the vulnerability after that. The hackers had an invisible portal into the company’s network.
Those intruders used special tunneling tools to slide around firewalls, analyzing and cracking one database after the next—while stockpiling data on the company’s own storage systems.
Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered.
“This wasn’t a credit card play,” said one person familiar with the investigation. “This was a ‘get as much data as you can on every American’ play.” But it probably won’t be known if state hackers—from China or another country—were involved until U.S. intelligence agencies and law enforcement complete their work.
That could take weeks or months, but Equifax is already a changed company.
Tomi Engdahl says:
Equifax CEO: All Companies Get Breached
https://news.slashdot.org/story/17/09/30/2036215/equifax-ceo-all-companies-get-breached
There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on August 17. “There’s those companies that have been breached and know it, and there are those companies that have been breached and don’t know it,” he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it…
After Equifax’s Data Breach, Its CEO Gave a Speech Saying a Hack Was His ‘No. 1 Worry’
http://fortune.com/2017/09/29/equifax-ceo-hack-worry/
There are two kinds of companies, according to a saying that former Equifax CEO Rick Smith shared in a speech at the University of Georgia on Aug. 17. “There’s those companies that have been breached and know it, and there are those companies that have been breached and don’t know it,” he said. Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it.
The speech, given by Smith to students and faculty at the university’s Terry College of Business, covered a lot of ground, but it frequently returned to security issues that kept the former CEO awake at night—foremost among them was the company’s large database.
“When you have the size database we have, it’s very attractive for others to try to get into our database,” said Smith. “So that is a huge priority for us.”
Smith elaborated on what hackers can do with consumers’ personal information, including selling it on the Dark Web. “It is a very lucrative way to make money,” he said.
Smith’s fastest growing area of security concern was state-sponsored hacking and espionage, he said. “It’s countries you’d expect—you know it’s China, Russia, Iran, and Iraq—and they’re being very aggressive trying to get access to the know-how about how companies have built their capabilities, and transport that know-how back to their countries,” said Smith. “It’s my number one worry.” he added.
Tomi Engdahl says:
The Equifax Hack Has the Hallmarks of State-Sponsored Pros
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
Investigations into the massive breach aren’t complete, but the intruders used techniques that have been linked to nation-state hackers in the past.
Tomi Engdahl says:
Rick Smith, CEO, Equifax
https://www.youtube.com/watch?v=lZzqUnQg-Us&feature=youtu.be&t=308
Terry College of Business at the University of Georgia
Julkaistu 22.8.2017
August 17, 2017
Richard F. “Rick” Smith has been chairman and CEO of Equifax since 2005. Prior to that role, he spent 22 years with General Electric, holding several president and CEO roles across a variety of business, including engineering thermoplastics, asset management, leasing, and insurance solutions. Smith is an avid supporter of education, and has made it a key focus of the Equifax Foundation
Tomi Engdahl says:
Equifax Apology Reveals CEO’s True Identity
https://www.youtube.com/watch?v=AKHOZQJVBaM
Body Language: Equifax Hack
https://www.youtube.com/watch?v=b6fxkNgcj0Y
Tomi Engdahl says:
Bloomberg:
Sources: ongoing investigations find the Equifax hack may have been state-sponsored, and 30+ entry points were created in Equifax computer systems — In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company …
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
Tomi Engdahl says:
Can Equifax’s Offerings Actually Protect Your Identity?
https://www.wired.com/story/equifax-identity-protection-offerings
News about the massive Equifax data breach has been unrelenting since the credit bureau publicly disclosed its lapse at the beginning of September. It’s difficult to keep up with all the company’s blunders, not to mention the complicated fiscal policy and regulatory debates the incident has fueled. But weeks later, most consumers in the United States are still just trying to figure out what the whole thing means for them, and how to steel themselves against identity theft and fraud.
To this end, Equifax’s interim CEO Paulino do Rego Barros Jr. (former CEO Richard F. Smith “retired” on Tuesday) published an update to consumers in The Wall Street Journal on Wednesday humbling himself before Equifax’s critics and announcing an additional identity protection service that the company will give consumers for life beginning in January. At this point, Equifax has at least three similar-sounding identity protection offerings as part of its breach response. But there’s always that pesky question in security that has plagued the company before—do they work?
“In the event something goes wrong, which unfortunately is inevitable, companies need to respond urgently, transparently, and empathetically—none of which Equifax did,” says Adam Levin
Experts maintain that Equifax’s offerings are ultimately productive, but caution that consumers need to really understand what the choices are so they can make the right defense decisions for themselves long-term.
Regos Barros announced in his public letter that Equifax will be extending the enrollment period for its credit monitoring and freezing services through January.
Credit monitoring sends you alerts so you can catch any suspicious activity early, while credit freezes actually lock down your credit files so institutions you don’t already do business with can’t access your data without specific permission from you and special PIN numbers. A freeze significantly reduces the chance that a fraudster will be able to do things like take out a line of credit in your name. Personal identity security advocates have long favored freezes, but acknowledge that the measure isn’t necessarily for everyone (say, someone who anticipates applying for student loans) since it is fairly rigid and restrictive.
The free monitoring and freezes have a short timespan, perhaps because they are services Equifax wants to resume capitalizing on as quickly as possible.
The third service Regos Barros mentioned on Wednesday, a so-called “credit lock” tool, will debut in January, and will be a more flexible option through which consumers can lock and unlock access to their credit data whenever they want.
Experts agree that to protect themselves, consumers need to see past the gimmicks and noise to the long game of utilizing what Equifax and other companies that have experienced data breaches provide while planning to supplement as needed. If your data is compromised in multiple breaches over time you may be able to daisy chain years of free services together.
And everyone can pull and review one complete credit report per year for free from AnnualCreditReport.com. Additionally, consumers need to be aware that credit monitoring, locks, and freezes alike don’t protect against things like tax fraud and medical fraud, in which identity thieves can file bogus tax returns on your behalf to claim your refund or jeopardize your insurance coverage by scamming your provider.
Consumers also may have more resources available to them for free than they realize
Tomi Engdahl says:
Here’s What to Ask the Former Equifax CEO
https://krebsonsecurity.com/2017/09/heres-what-to-ask-the-former-equifax-ceo/
CREDIT FREEZE VS. CREDIT LOCK
My first group of questions would center around security freezes or credit freezes, and the difference between those and these credit lock services being pushed hard by the bureaus.
Currently, even consumer watchdog groups say they are uncertain about the difference between a freeze and a lock. See this press release from Thursday by U.S. PIRG, the federation of state Public Interest Research Groups, for one such example.
Also, I’m curious to know what percentage of Americans had a freeze prior to the breach, and how many froze their credit files (or attempted to do so) after Equifax announced the breach. The answers to these questions may help explain why the bureaus are now massively pushing their new credit lock offerings (i.e., perhaps they’re worried about the revenue hit they’ll take should a significant percentage of Americans decide to freeze their credit files).
BREACH RESPONSE
Equifax could hardly have bungled their breach response more if they tried. It is said that one should never attribute to malice what can more easily be explained by incompetence, but Equifax surely should have known that how they handled their public response would be paramount to their ability to quickly put this incident behind them and get back to business as usual.
FRAUD AND ABUSE
Multiple news organizations have reported that companies which track crimes related to identity theft — such as account takeovers, new account fraud, and e-commerce fraud — saw huge upticks in all of these areas corresponding to two periods that are central to Equifax’s breach timeline; the first in mid-May, when Equifax said the intruders began abusing their access to the company, and the second late July/early August, when Equifax said it learned about the breach.
This chart shows spikes in various forms of identity abuse — including account takeovers and new account fraud — as tracked by ThreatMetrix, a San Jose, Calif. firm that helps businesses prevent fraud.
-Has Equifax performed any analysis on consumer credit reports to determine if there has been any pattern of consumer harm as a result of this breach?
-Assuming the answer to the previous question is yes, did the company see any spikes in applications for new lines of consumer credit corresponding to these two time periods in 2017?
Many fraud experts report that a fast-growing area of identity theft involves so-called “synthetic ID theft,” in which fraudsters take data points from multiple established consumer identities and merge them together to form a new identity. This type of fraud often takes years to result in negative consequences for consumers, and very often the debt collection agencies will go after whoever legitimately owns the Social Security number used by that identity, regardless of who owns the other data points.
-Is Equifax aware of a noticeable increase in synthetic identity theft in recent months or years?
-What steps, if any, does Equifax take to ensure that multiple credit files are not using the same Social Security number?
-Prior to its breach disclosure, Equifax spent more than a half million dollars in the first half of 2017 lobbying Congress to pass legislation that would limit the legal liability of credit bureaus in connection with data security lapses. Do you still believe such legislation is necessary? Why or why not?
Tomi Engdahl says:
Equifax Breach Bigger Than Initially Reported
http://www.securityweek.com/equifax-breach-bigger-initially-reported
Number of U.S. Consumers Exposed by Equifax Breach Increased by 2.5 Million
Equifax on Monday afternoon said that 2.5 million additional U.S. consumers were exposed as a result of the massive data breach disclosed by the company last month. The credit reporting agency now says that a total of 145.5 million individuals have been exposed, after originally saying that 143 million had been impacted.
Data exposed as a result of cyber attack involved names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers and credit card numbers.
According to Equifax, FireEye-owned Mandiant, which was retained by Equifax to investigate the breach, has completed the forensic portion of its investigation of the incident to finalize the consumers potentially impacted.
According to Equifax, Mandiant was not able to identify any evidence of additional or new attacker activity or any access to new databases or tables, and concluded that there is no evidence the attackers accessed databases located outside of the United States.
The investigation found that personal information of approximately 8,000 Canadian consumers was impacted, a figure lower than the 100,000 originally estimated by the company. “That number was preliminary and did not materialize,” Equifax said.
In a statement to a congressional committee on Monday, former Equifax CEO Richard Smith said the security team at Equifax failed to patch a vulnerability in March after becoming aware of the flaw, which according to Equifax policy, would have required a patch to be applied within 48 hours.
Equifax says that it maintains data on more than 820 million consumers and more than 91 million businesses worldwide.
Tomi Engdahl says:
Equifax Warned About Vulnerability, Didn’t Patch It: Ex-CEO
http://www.securityweek.com/equifax-warned-about-vulnerability-didnt-patch-it-ex-ceo
The security team at Equifax failed to patch a vulnerability in March after getting a warning about the flaw, opening up the credit agency to a breach affecting 143 million people, the former chief executive said Monday.
Former CEO Richard Smith, in a statement to a congressional committee released Monday, offered a timeline of the cyber attack which is believed to be the worst in terms of damaging information leaked — including social security numbers and other sensitive data.
Smith said in prepared remarks to a House panel that the company on March 9 disseminated an internal memo warning about a software flaw identified by the government’s Computer Emergency Response Team (CERT).
He added that Equifax policy would have required a patch to be applied within 48 hours and that this was not done — but he could not explain why.
Equifax’s information security department ran scans that should have identified any systems that were vulnerable but failed to identify any flaws in the software known as Apache Struts.
“I understand that Equifax’s investigation into these issues is ongoing,” he said in the statement.
“The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information.”
Smith said he was notified of the breach on July 31, but was not aware “of the scope of this attack.” He informed the company’s lead director three weeks later, on August 22, and board meetings were held on the matter August 24 and 25.
Equifax, one of three major agencies which gathers data used in credit ratings for banks, has come under fire for waiting until September 7 to publicly disclose the breach, and investigators are looking into stock sales by two senior executives in August.
Smith offered a fresh apology for the attack, saying in his statement: “As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down.”
Tomi Engdahl says:
U.S. Cyber Command Launched DDoS Attack Against North Korea: Report
http://www.securityweek.com/us-cyber-command-launched-ddos-attack-against-north-korea-report
The United States Cyber Command has reportedly been engaged in offensive activity, namely a DDoS attack, against North Korea’s military spy agency, the Reconnaissance General Bureau (RGB). The attack is thought to have commenced on September 22, and continued until September 30.
The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command. At the time, Trump said, “The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries. Through United States Cyber Command, we will tackle our cyberspace challenges in coordination with like-minded allies and partners as we strive to respond rapidly to evolving cyberspace security threats and opportunities globally.”
The action seems to be partly in response to North Korean cyberattacks, and partly an aspect of a wide-ranging diplomatic offensive led by Secretary of State Rex Tillerson, who was in Beijing on Saturday.
That this cyber attack was non-destructive and temporary suggests it could be considered more as a warning than a punishment. It is Cyber Command telling North Korea that it has its range and is capable of much stronger action. By being non-destructive it is probably hoped that it won’t provoke kinetic retaliation; although it is quite likely to provoke cyber retaliation from North Korean hacking groups.
Tomi Engdahl says:
A series of delays and major errors led to massive Equifax breach
Former CEO’s testimony to Congress reveals a shocking lack of security rigor.
https://arstechnica.com/information-technology/2017/10/a-series-of-delays-and-major-errors-led-to-massive-equifax-breach/
A series of costly delays and crucial errors caused Equifax to remain unprotected for months against one of the most severe Web application vulnerabilities in years, the former CEO for the credit reporting service said in written testimony investigating the massive breach that exposed sensitive data for as many as 143 million US Consumers.
Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.
“We at Equifax clearly understood that the collection of American consumer information and data carries with it enormous responsibility to protect that data,” Smith wrote in testimony provided to the US House Subcommittee on Digital Commerce and Consumer Protection. “We did not live up to that responsibility.”
“Consistent with Equifax’s patching policy, the Equifax security department required that patching occur within a 48-hour time period,” Smith wrote. “We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.”
Smith said tentative results of the investigation so far show attackers first accessed sensitive information on May 13 and continued to have access over the next two months. Company officials first discovered suspicious network traffic on July 29 and didn’t fully shut down the intrusion until July 30, when the dispute application was taken offline. Smith said he didn’t learn of the suspicious activity until July 31. On August 2, Smith retained forensic consulting firm Mandiant to investigate the breach and first informed the FBI. By August 11, investigators determined that, in addition to dispute documents, the attackers accessed database tables containing large amounts of consumer information. On August 15, Smith learned that consumer information had likely been stolen, not just exposed.
Equifax has said the data exposed in the breach included names, Social Security numbers, birth dates, and addresses for as many as 143 million people and, in some instances, driver’s license numbers. The exposed data also included credit card data for about 209,000 consumers and dispute documents with personally identifying information for about 182,000 consumers.
Tomi Engdahl says:
US Studying Ways To End Use of Social Security Numbers For ID
https://yro.slashdot.org/story/17/10/03/2046247/us-studying-ways-to-end-use-of-social-security-numbers-for-id
U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers. “I feel very strongly that the social security number has outlived its usefulness,” Joyce said. “It’s a flawed system.”
US Reviewing Better Tech Identifiers After Hacks: Trump Aide
http://www.securityweek.com/us-reviewing-better-tech-identifiers-after-hacks-trump-aide
US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.
Rob Joyce, the White House cybersecurity coordinator, told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers.
Joyce’s comments come after news that some 145 million Americans may have had personal information leaked, including the important social security numbers, in a breach at Equifax, one of three big US firms which collect data for credit applications.
“I feel very strongly that the social security number has outlived its usefulness,” Joyce said.
“It’s a flawed system.”
For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft.
“If you think about it, every time we use the social security number we put it at risk,” Joyce said.
“That is the identifier that connects you to all sort of credit and digital and information online.”
The official spoke as US lawmakers opened hearings on the Equifax breach, believed to be one of the worst because of the sensitivity of data leaked.
Tomi Engdahl says:
Equifax Warned About Vulnerability, Didn’t Patch It: Ex-CEO
http://www.securityweek.com/equifax-warned-about-vulnerability-didnt-patch-it-ex-ceo
The security team at Equifax failed to patch a vulnerability in March after getting a warning about the flaw, opening up the credit agency to a breach affecting 143 million people, the former chief executive said Monday.
Former CEO Richard Smith, in a statement to a congressional committee released Monday, offered a timeline of the cyber attack which is believed to be the worst in terms of damaging information leaked — including social security numbers and other sensitive data.
Smith said in prepared remarks to a House panel that the company on March 9 disseminated an internal memo warning about a software flaw identified by the government’s Computer Emergency Response Team (CERT).
He added that Equifax policy would have required a patch to be applied within 48 hours and that this was not done — but he could not explain why.
Tomi Engdahl says:
IRS awards multimillion-dollar fraud-prevention contract to Equifax
http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419
The no-bid contract was issued last week, as the company continued facing fallout from its massive security breach.
The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.
A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.
The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.
Lawmakers on both sides of the aisle blasted the IRS decision.
Tomi Engdahl says:
White House plan to nuke social security numbers is backed by Equifax’s ex-top boss
We meant it, nothing matters any more. Nothing at all
https://www.theregister.co.uk/2017/10/04/white_house_plans_to_ditch_social_security_numbers_as_ids/
White House cybersecurity coordinator Rob Joyce has won the backing of Equifax’s ex-CEO for a plan to stop using social security numbers as personal identifiers in the US.
We have no idea of Joyce’s opinion of the endorsement, but what we do know is that he floated the notion in a speech given to a Washington Post-sponsored cybersecurity conference on Tuesday. Joyce suggested using a “modern cryptographic identifier” – presumably a hash or public-private key pair or something – to identify individual US taxpayers rather than the usual nine digits.
Former Equifax CEO Richard Smith followed a similar path, but in a less-favorable forum – on Tuesday, he was giving testimony to the US House committee investigating the litany of failures that led to his credit-check agency leaking 145 million Americans’ social security numbers and other sensitive personal data. The same biz that just won a US$7.5 million contract to help Uncle Sam identify taxpayers, funnily enough.
“The concept of a Social Security number in this environment being private and secure – I think it’s time as a country to think beyond that,” Smith told politicians. No kidding, Dick, you just lost 145 million of the numbers to hackers.
Meanwhile, arguing the social security number has “outlived its usefulness” for citizen-government interactions, Joyce said that “every time we use the Social Security number you put it at risk.” Again, no kidding, thanks to organizations like Equifax.
Tomi Engdahl says:
Sole Equifax security worker at fault for failed patch, says former CEO
Someone failed to order the patch. If it was you, c’mere, have a hug. And a new identity
https://www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/
Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz’s IT security breach on a single member of the company’s security team.
In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news about Apache Struts, that protocol broke down at Equifax due to human error, meaning no one was told to apply patches for the flaw.
Hackers ultimately exploited the Struts bug on Equifax’s systems to infiltrate the organization and swipe sensitive personal records, including social security numbers, of more than 140 million folks in the US, UK and Canada.
“The human error was the individual who is responsible for communicating in the organisation to apply the patch, did not,” Smith told the subcommittee at around the 1:05:15 mark in the video below.
Congressman Greg Walden sought clarification of that statement, asking “Does that mean that that individual knew the software was there, and it needed to be patched, and did not communicate that to the team that does the patching? Is that the heart of the issue here?”
Smith’s reply was: “That is my understanding, sir.”
Smith said the company had otherwise followed its protocol of distributing information on necessary patches and that in the case of CVE-2017-5638 its procedures were observed, except by the individual mentioned above.
Smith spent more than two-and-a-half hours testifying and, after apologising and taking responsibility for the hack, spent much of that time defending Equifax’s decision to withhold news of the hack for many days after discovering it. Smith repeatedly justified the delay on grounds of avoiding further attacks and ensuring consumer protection measures could be in place.
“It did not help that hurricane Irma took down two of our larger call centres in the early days after the breach,” he said.
https://www.youtube.com/watch?v=4pgg2LCY8iE&feature=youtu.be&t=1h4m46s
Tomi Engdahl says:
Oversight of the Equifax Data Breach: Answers for Consumers
https://www.youtube.com/watch?v=4pgg2LCY8iE
Tomi Engdahl says:
John McCrank / Reuters:
Equifax says that 15.2M records from 693,665 UK customers were accessed during US hack
Equifax says 15.2 million UK records exposed in cyber breach
http://www.reuters.com/article/us-equifax-cyber/equifax-says-15-2-million-uk-records-exposed-in-cyber-breach-idUSKBN1CF2JU
Credit reporting agency Equifax Inc (EFX.N) said on Tuesday that 15.2 million client records in Britain were compromised in the massive cyber attack it disclosed last month, including sensitive information affecting nearly 700,000 consumers.
The U.S.-based company said 14.5 million of the records breached, which dated from 2011 to 2016, not contain information that put British consumers at risk.
Overall, around 145.5 million people, mostly in the United States, had their information, including Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers, stolen.
The company was alerted in March that a software security vulnerability existed in one or more of its systems, but it failed to fix the problem because of “both human error and technology failures,”
Tomi Engdahl says:
Equifax hack included nearly 11 million US driver’s licenses
https://techcrunch.com/2017/10/10/equifax-hack-included-nearly-11-million-us-drivers-licenses/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
AdChoices
MenuTechCrunch
Equifax hack included nearly 11 million US driver’s licenses
Posted 17 hours ago by Devin Coldewey
The latest news from the enormous Equifax hack is that the stolen records included 10.9 million driver’s licenses from U.S. citizens, according to The Wall Street Journal’s sources. This isn’t much of a surprise given how poorly all the other information was secured, but it’s nice to put a number on just how many of various personal documents Equifax’s poor security practices exposed.
Licenses are of course a ubiquitous form of state-issued ID, and as such end up being used frequently for certain kinds of verification.
What does this mean? Well, websites and services that previously used licenses as a way of verifying identity should no longer do so, since millions of them are now in the wild. Unfortunately, you can’t really make them stop — but you can report your license stolen.
Sure, it wasn’t stolen like you’d steal a car, but it was stolen like you’d steal a movie — copied and distributed online. Unlike a movie, however, your license loses its value upon being widely copied.
It may cost you a few bucks (here in Washington, it’s $20), but you can get a brand new license with a brand new number simply by saying it was stolen, which for 10.9 million Americans is true. I’m not a lawyer or big security expert, but I do think this is a fairly painless way to put this particular inconvenience behind you
Tomi Engdahl says:
Equifax products also leaked thousands of salary histories
https://techcrunch.com/2017/10/11/equifax-products-also-leaked-thousands-of-salary-histories/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
Equifax is still leaking like a sieve. Security researcher Brian Krebs has outlined a vulnerability in Equifax’s The Work Number product, a system used by credit companies to confirm your salary.
The system uses a number of personal details, including your SSN and birthdate, to bring up a salary history. These are details leaked in Equifax’s 143 million record breach this year.
The Equifax breach shows us a few things but primarily it proves that the systems put in place to protect banks from customers are inefficient and prone to catastrophic failure. While I doubt this will cause a popular uprising and wipe out services like Equifax, here’s hoping that some industrious startup with a quantum encryption scheme and half a brain can figure out a better solution to keeping our financial data secure.
Tomi Engdahl says:
Equifax Website Redirects Users to Adware, Scams
http://www.securityweek.com/hacked-equifax-website-redirects-users-adware-scams
A security researcher noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to websites set up to serve adware and scams.
Independent security analyst Randy Abrams wanted to find his credit report on Equifax’s website when he was redirected to a website offering a fake Flash Player installer. The browsing session was taken through multiple domains before the final page was reached.
It’s not uncommon for cybercriminals to deliver malware using fake Flash Player installers, but in this case the website pushed adware.
The Equifax webpage, hosted at aa.econsumer.equifax.com, did not redirect the connection when accessed by SecurityWeek on Thursday morning. Abrams believes Equifax removed the malicious code from its website sometime on Wednesday.
An analysis of the domains involved in the redirection chain shows that they can lead not only to adware. The final destination depends on the type of device and the geographical location of the user.
SecurityWeek has seen redirects to fake Android and iOS updates, premium SMS services, and other scammy sites. Various online security services detect the domains involved in the attack as malicious, and while there is no evidence of actual malware being served, the possibility cannot be ruled out.
Contacted by SecurityWeek, an Equifax spokesperson stated, “We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.”
Equifax recently informed customers that hackers breached its systems after exploiting an Apache Struts 2 vulnerability that had been patched and exploited in the wild since March. The attackers gained access to the personal information of more than 140 million individuals, including hundreds of thousands of Canadian and British citizens.
“I’m really not trying to kick Equifax while they are down. There are already 150 million other people doing that. I just sort of tripped over them,” Abrams said in a blog post.
New Equifax Website Compromise
https://randy-abrams.blogspot.fi/2017/10/new-equifax-website-compromise.html
Update: Third party analysis tends to indicates something that is conceptually the same as malvertising. Watch the video and replace Equifax with your favorite website. It happens every day throughout the world. Now it’s a security training video.
Tomi Engdahl says:
Malicious Redirects on Equifax, TransUnion Sites Caused by Third-Party Script
http://www.securityweek.com/malicious-redirects-equifax-transunion-sites-caused-third-party-script
Two of the “Big Three” U.S. credit reporting agencies, Equifax and TransUnion, were hit by a cybersecurity incident caused by the use of a third-party web analytics script.
Independent security analyst Randy Abrams noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to a website set up to serve adware disguised as a Flash Player installer.
While initially it appeared that Equifax’s website had been hacked, the company’s investigation revealed that the malicious redirects occurred due to a third-party vendor’s script.
“Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” Equifax stated.
The redirection chain, often seen in malvertising attacks, results in users being taken to a scammy or malicious website, depending on their geographical location and the type of device they use to access the affected webpage.
Researchers at Malwarebytes have analyzed the incident and determined that the redirection occurs due to a web analytics script from Digital River-owned Fireclick. A search for the script involved in the attack (fireclick.js) revealed that it had also been used on the Central America website of TransUnion, whose customers were also redirected to shady sites.
Both Equifax and TransUnion have removed the problematic script from their websites. Equifax took the affected service offline and had not restored it at the time of writing.
Tomi Engdahl says:
Equifax stock value drop
http://www.marketwatch.com/investing/stock/efx
Tomi Engdahl says:
EquiFIX – Lessons Learned From the Most Impactful Breach in U.S. History
http://www.securityweek.com/equifix-lessons-learned-most-impactful-breach-us-history
While Equifax is the latest major data breach to hit the headlines, we know it will not be the last. How prepared is your organization if you were similarly targeted?
As we all know, the impact of the Equifax breach is widespread, potentially affecting 145.5 million individuals in the U.S., Canada and the UK whose personally identifiable information (PII) and (to some extent) financial information was accessed by malicious actors. The exact impact is yet to be seen and depends on the motives of the attackers and the ways in which they plan to use the data, but any exposure puts individuals at risk. We’ve also seen tremendous impact on the company as a result of the breach, including a dramatic drop in share price, reputational damage, and job losses for some senior staff members including the CEO. There’s more to come as the total costs of dealing with the breach itself mount and the incident makes its way through the legal system
Before the breach
Equifax has said that the initial intrusion was through exploitation of a vulnerable Apache Struts web application. It turns out that prior to the intrusion multiple alerts about exploitation of this particular vulnerability were issued and a patch was made available. However even without following recommended patch management programs, implementing other basic security principles could have mitigated the damage.
Lessons:
• Maintain awareness of what an attacker can see regarding your infrastructure, people and processes so you can see potential weaknesses and points of access for attackers.
• Understand what methods attackers are using against your sector so you can proactively protect your valuable digital assets.
• Establish and maintain a threat intelligence program and act on the intelligence.
• Implement and follow general cybersecurity good practice measures, such as defense-in-depth, and include vulnerability and patch management.
• Protect your sensitive information through the use of encryption and network segmentation.
• Educate users on the importance of password hygiene and strong authentication requirements.
• Go a step further and assume a breach will occur and plan for this outcome. Ensure your strategy, people and processes are in place in advance.
After discovery
Not only did Equifax have to deal with the fallout of the breach itself, but unusual trading activity in Equifax shares have provoked suspicions of insider trading and a criminal investigation. Further, Equifax’s infrastructure to handle customer inquiries proved inadequate and some of the strategies put in place to address customer concerns in the wake of the discovery backfired.
Lessons:
• Control knowledge of a breach to trusted individuals to prevent collateral damage; no matter how swiftly an organization moves there will always be some lapse in time between discovery and disclosure.
• Anticipate fallout and prepare for announcements by analyzing the possible consequences of decisions to mitigate negative publicity and outcomes.
• Closely monitor response and make arrangements for extra bandwidth capacity – both infrastructure and people – to handle an initial flood of inquiries if needed.
After public disclosure
Once a breach is disclosed, researchers and opportunistic malicious actors will look for additional weaknesses in infrastructure. After the Equifax breach an insecure portal used to manage credit report disputes was discovered.
Lessons:
• Communicate clearly when a breach happens, stating the knowns and unknowns publicly; speculation from media and researchers can damage reputation.
• Look for your compromised data online to try to discern the attacker’s motive, if not identity
Tomi Engdahl says:
Equifax hack being probed by UK’s financial watchdog
https://techcrunch.com/2017/10/24/equifax-hack-being-probed-by-uks-financial-watchdog/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
The fallout from the massive Equifax hack, publicly disclosed last month, continues: Today the UK’s financial watchdog said it also wants to get to the bottom of what happened.
Tomi Engdahl says:
Congress votes to disallow consumers from suing Equifax and other companies with arbitration agreements
https://techcrunch.com/2017/10/24/congress-votes-to-disallow-consumers-from-suing-equifax-and-other-companies-with-arbitration-agreements/
MenuTechCrunch
Congress votes to disallow consumers from suing Equifax and other companies with arbitration agreements
Posted 43 minutes ago by Devin Coldewey
The Senate voted late Wednesday night to strike a federal rule that would have allowed consumers affected by the Equifax hack to sue the company. Without it, the millions affected by the historic security breach may be disallowed from related joining class action lawsuits. This specific rule, and only this rule, would be nullified if the joint resolution is signed by the President.
The vote was 50/50, with the tie-breaking aye cast by Vice President Pence.
Nevertheless, it’s very unclear just what users may or may not have signed up for, and to what degree Equifax is protected by these terms. Arbitration agreements have been effective before in preventing class action lawsuits.
Tomi Engdahl says:
White House official: Let’s replace Social Security numbers
https://www.cnet.com/google-amp/news/equifax-trump-white-house-official-replace-social-security-numbers/
A Trump cybersecurity adviser says alternatives to the numbers could include a cryptographic key.
After the massive data breach at Equifax, it would be fair to ask what your Social Security number is even good for anymore.
It’s no longer really a secret form of identification, so let’s think of something else. White House cybersecurity coordinator Rob Joyce, speaking Tuesday at the Washington Post’s Cybersecurity Summit, said that’s what the government should do.
“I feel very strongly that the Social Security number has outlived its usefulness,” Joyce said.
Major data breaches often spur complaints that the Social Security number was never intended to be a universal form of identification. But it appears Joyce isn’t just speculating. He said Tuesday the Trump administration has asked federal government departments and agencies to come up with ideas for a new form of personal identification.
If the idea goes any further, it’ll be one more way that the Equifax breach has touched every corner of our financial lives. So far, lawmakers have jumped on the opportunity to introduce bills that would tighten regulations on the companies that hold onto and sell consumer information. What’s more, other financial companies will likely consider changes to their practices as Equifax continues to take blows in public for its actions leading up to and after the data breach.
If we phase out Social Security numbers, though, we’ll need something that won’t just get compromised all over again.
“It’s a flawed system that we can’t roll back that risk after we know we’ve been compromised,” said Joyce, who acknowledged his own Social Security number has been compromised four times that he knows of.
The solution, he said, might be in cryptography —
You enter your password when you create your bank account, and the bank’s system runs some complex math wizardry to turn your password into a long string of numbers and letters that it then stores to identify you later. If the cryptography is good, criminals can’t ever turn that string back into your password and use it to log in to your accounts.
Joyce proposed a similar system to replace Social Security numbers. It’s known as a public-private key system, and it means you never have to trust someone else to take care of that identifying information for you.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
Researcher recounts warning Equifax about vulnerability on public-facing site that exposed user data months before breach, six months before Equifax patched — Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack …
Equifax Was Warned
https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning
Last year, a security researcher alerted Equifax that anyone could have stolen the personal data of all Americans. The company failed to heed the warning.
Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it—but only after the massive breach that made headlines had already taken place, according to Equifax’s own timeline.
This revelation opens the possibility that more than one group of hackers broke into the company. And, more importantly, it raises new questions about Equifax’s own security practices, and whether the company took the right precautions and heeded warnings of serious vulnerabilities before its disastrous hack.
The site looked like a portal made only for employees, but was completely exposed to anyone on the internet.
“I didn’t have to do anything fancy,” the researcher told Motherboard, explaining that the site was vulnerable to a basic “forced browsing” bug. The researcher requested anonymity out of professional concerns.
“All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app,” they said. In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax’s customers in 10 minutes: “I’ve seen a lot of bad things, but not this bad.”
While probing Equifax servers and sites, the researcher said that they were also able to take control—or get shell access as hackers refer to it—on several Equifax servers, and found several others vulnerable to simple bugs such as SQL injection, a common, basic way of attacking sites. Many servers were running outdated software. According to one analysis performed in early September, Equifax had thousands of servers exposed on the internet, indicating both massive sprawl and loose control of its infrastructure, which increased the company’s attack surface.
After discovering all these issues in December, the researcher said they immediately reported them to the company.
“It should’ve been fixed the moment it was found. It would have taken them five minutes, they could’ve just taken the site down,”
Tomi Engdahl says:
Equifax Was Warned
https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning
Last year, a security researcher alerted Equifax that anyone could have stolen the personal data of all Americans. The company failed to heed the warning.
Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it—but only after the massive breach that made headlines had already taken place, according to Equifax’s own timeline.
Tomi Engdahl says:
While Equifax Victims Sue, Congress Limits Financial Class Actions
https://it.slashdot.org/story/17/10/29/1817241/while-equifax-victims-sue-congress-limits-financial-class-actions?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Stories are starting to pour in about those impacted by last month’s massive Equifax data breach, which compromised the private information of more than 140 million people. Katie Van Fleet of Seattle says she’s spent months trying to regain her stolen identity, and says it has been stolen more than a dozen times.
It will become harder for consumers to sue their banks or companies like Equifax… The Senate voted Tuesday night to overturn a rule the Consumer Financial Protection Bureau worked on for more than five years. The final version of the rule banned companies from putting “mandatory arbitration clauses” in their contracts, language that prohibits consumers from bringing class-action lawsuits against them.