Equifax – The Gift That Keeps On Giving

Update: Sep 15, 2017 – Equifax’s Chief Information Officer (CIO) and Chief Security Officer (CSO) “retired” (AKA were fired) today, effective immediately, according to USA Today.  Hopefully, the Board will ask the CEO to “retire” soon as well.

CSO Susan Mauldin and CIO David Webb are taking the heat for not installing one patch, out of the thousands that they likely install every month, that allowed the hackers to .  Webb received $2.6 million in compensation last year.

The company has appointed an interim CIO and interim CSO at the same time.  Given the dozens of investigations and dozens of lawsuits, the company is going to need to have as many resources available to testify as possible.

One complication that firing them presents is that the company no longer has anywhere near the same control over what they might say in court or to investigators.  In fact, to cover their own behinds, they might throw the CEO under the bus, saying that they told the CEO they didn’t have enough staff or money to do the job right and were not given more resources.  Their retirement packages might have conditions attached, but a condition that requires them to lie to Congress would probably not be enforceable.

It’s gonna be interesting before it is all over.

Last week the news was about the 143 million people whose data was compromised.

This week it is how Equifax is handling the breach.

First it was terms of service that seemed to require consumers to enter data for credit monitoring on a domain that Equifax didn’t even own, and to give up their right to sue Equifax in exchange for a few bucks’ worth of free credit monitoring.  They changed their mind after the New York Attorney General said that he would go after them if they tried that.

Then it was the fact that the site users were flocking to in the aftermath of the breach had a cross-site scripting (XSS) vulnerability that would have allowed attackers to extract all of the data the consumers were providing.

Next it came out that Equifax Argentina’s employee web site, used by Equifax employees to manage credit complaints, had an admin account with a user ID of admin and a password of admin.  That site was taken offline after that bit of news was made public.

Then, of course, there are the 50 or so lawsuits that have been filed against them.  So far.  Including one multi-BILLION dollar suit.

Next Senators Wyden and Hatch are asking a lot of embarrassing questions of Equifax like do you have a Chief Information Security Officer (apparently not) and exactly how many full time security professionals do you have on staff.  The Senators seem to understand the potential long term impact on healthcare fraud, tax return fraud and entitlement fraud, all of which the Federal government – and by association you – will get to foot the bill for.

Then it was reported that Equifax spent at least $500,000 in the months leading up to announcing the breach lobbying Congress to change the regulations so that they wouldn’t have to notify consumers in case of a breach, and to limit the legal liability of credit reporting companies.

Of course there was that slight “optics” problem of Equifax execs selling over a million dollars worth of stock between the date the breach was discovered and the date the breach was announced.

And finally, White House Spokesperson Sarah Huckabee Sanders said that the President, who was elected on a platform of removing regulations, would be looking extensively into whether additional regulation is needed to protect user data.  Of course, no one knows if Congress will actually do anything, but still that is a BIGLY about face for the prez.

All in all, not a great week for Equifax.


Information for this post came from ZDNet, CNet, USA Today, Vanity Fair and CNN.

The Unpatchable Bug In All Modern Cars

We have seen a number of hacks of cars including the hack of a Jeep driving down the highway at 60 miles an hour – from miles away – on 60 Minutes, but now researchers have come up with a new attack – one that cannot be patched.

The CAN bus, or Controller Area Network bus, is the main communications highway in all cars built in at least the last 25 years.  The standard, designed in 1983 and in use since 1989, has not really changed very much since then.

In 1983 no one really worried about hackers, so the bus has no security: no authentication and no encryption.  Any device on the bus can send any message, and no receiver can tell who actually sent it.

Today, almost every single car and light truck is controlled by the CAN buses in it.

Researchers from Trend Micro, Politecnico di Milano and Linklayer Labs discovered that you can turn the bus’s own error handling against it: a device on the bus repeatedly corrupts frames from one target, the target keeps counting errors, and the protocol itself eventually shuts it down.

Right now, today, the attack requires local access to your car – a device plugged into the bus, for example through the OBD-II port, or an already compromised ECU.  That was also the case with the Jeep attack – until the researchers figured out how to do it remotely.

The attack injects error frames onto the bus, which can, eventually, cause devices like the anti-lock brake controller or the airbag system to go offline and deactivate.  The CAN standard requires a node that keeps seeing errors on its own transmissions to back off and finally enter a “bus-off” state where it stops transmitting altogether; the attack just pushes a chosen node across that threshold on purpose.  Since almost all car functions from the brakes to the engine control are computerized and attached to one of the CAN buses, if you can cause those devices to go offline, you will disable those functions.

Worse yet, without redesigning the CAN protocol, there is very little remediation that car manufacturers can make.  On top of that, it is UNLIKELY that any cars currently on the road will ever be fixed, because this is not a bug – it is, basically, a feature: the error handling is doing exactly what the standard says it should.
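To make the mechanism concrete, here is an added illustration that is not code from the original post or from the researchers’ proof of concept: a small model of the CAN error-confinement rules (transmit error counter, error-passive and bus-off thresholds from ISO 11898-1) showing how many corrupted frames it takes to knock a node off the bus, plus a toy bus monitor that spots the resulting error burst.  The node names, arbitration IDs and bus events are constructed for the example; nothing here touches real hardware.

```python
# Added illustration, not code from the original post or the researchers' PoC:
# a model of CAN error confinement (ISO 11898-1) showing why repeatedly
# corrupting one node's frames drives it bus-off, plus a toy bus monitor.
# Counter rules follow the standard; node names, IDs and events are constructed.

ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF = "error-active", "error-passive", "bus-off"

TX_ERROR_PENALTY = 8      # TEC += 8 when a transmitter detects an error in its own frame
TX_SUCCESS_CREDIT = 1     # TEC -= 1 after a successful transmission
PASSIVE_THRESHOLD = 127   # TEC or REC above this: node becomes error-passive
BUS_OFF_THRESHOLD = 255   # TEC above this: node goes bus-off and stops transmitting


class CanNode:
    """Minimal model of one CAN controller's error counters."""

    def __init__(self, name):
        self.name = name
        self.tec = 0  # transmit error counter
        self.rec = 0  # receive error counter (not exercised by this attack)

    @property
    def state(self):
        if self.tec > BUS_OFF_THRESHOLD:
            return BUS_OFF
        if self.tec > PASSIVE_THRESHOLD or self.rec > PASSIVE_THRESHOLD:
            return ERROR_PASSIVE
        return ERROR_ACTIVE

    def transmit(self, corrupted):
        """One frame sent by this node. `corrupted` means another device on the
        bus overwrote a recessive bit of the frame with a dominant bit, so the
        transmitter sees a bit error and raises an error frame."""
        if self.state == BUS_OFF:
            return self.state          # a bus-off node no longer transmits
        if corrupted:
            self.tec += TX_ERROR_PENALTY
        else:
            self.tec = max(0, self.tec - TX_SUCCESS_CREDIT)
        return self.state


def frames_until_bus_off(attacker_hits_every_nth=1, limit=100000):
    """Simulate a victim ECU sending its periodic frame while an attacker
    corrupts every n-th one. Returns (frames sent, [(frame, new state), ...]).
    If the attacker misses too many frames the counter never climbs and the
    loop stops at `limit` with no transitions."""
    victim = CanNode("ABS controller")  # constructed victim
    sent, transitions, last = 0, [], victim.state
    while victim.state != BUS_OFF and sent < limit:
        sent += 1
        state = victim.transmit(corrupted=(sent % attacker_hits_every_nth == 0))
        if state != last:
            transitions.append((sent, state))
            last = state
    return sent, transitions


def detect_error_bursts(events, threshold=8):
    """Toy bus monitor. `events` is a list of (arbitration_id, ok) in bus order.
    Healthy buses see isolated errors; a run of consecutive errors on one ID is
    the signature of a node being driven bus-off. Returns the flagged IDs."""
    run, flagged = {}, set()
    for arb_id, ok in events:
        run[arb_id] = 0 if ok else run.get(arb_id, 0) + 1
        if run[arb_id] >= threshold:
            flagged.add(arb_id)
    return flagged


# Constructed sample: frames from 0x1A0 keep failing, frames from 0x2C0 are fine.
SAMPLE_EVENTS = [(0x2C0, True), (0x1A0, True)] + \
                [(0x1A0, False), (0x2C0, True)] * 10 + [(0x1A0, True)]

if __name__ == "__main__":
    for n in (1, 2):
        sent, transitions = frames_until_bus_off(n)
        print(f"attacker corrupts every {n} frame(s): bus-off after {sent} frames {transitions}")
    print("IDs under attack:", [hex(i) for i in detect_error_bursts(SAMPLE_EVENTS)])
```

With every frame corrupted the victim is error-passive after 16 frames and bus-off after 32; corrupting every second frame still gets there, just after 74.  Real controllers are more elaborate than this model (receive error counter, passive error flags, and a bus-off recovery sequence that many automotive stacks perform automatically, which is why the real attack simply keeps repeating), but the point stands: the attacker only needs a device that can assert a dominant bit at the right moment, and a standard CAN transceiver has no way to refuse that, so there is nothing to patch.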

SO, next time you get into your car… Well, I am not sure what you can do.

Information for this post came from The Hacker News.

How To Digitally Erase All Your Stuff When You Quit Your Job

Wired ran a piece a few weeks ago with the title of this post.  An alternative title might be “How to get yourself arrested and prosecuted”.

While Wired’s heart was in the right place, they probably should have consulted an attorney before they published the article.

The basic premise of the article is that you should copy all of your personal stuff off your work computer and then wipe your work computer.

The problem is that your work computer is not your property and wiping it could be considered destroying company property and you could be prosecuted under any of a number of laws.  You could be liable for all of the costs to reconstruct the data that was stored on your computer.

That being said, lets look at what they suggested:

1. Before wiping out your computer entirely, make sure to back up anything important.  PDFs, photos, your resume, anything dear to your heart.  Do it with a flash drive or USB disk.

The problem is that this is about protecting YOUR stuff and not your employer’s stuff.  And if you do this without your employer’s permission, you could be ACCUSED of stealing company information – even if you didn’t.  Remember, being charged with a crime is different from being convicted, but both will cost you a lot of money, damage your reputation and distract your attention from a new job.

2. Check USB slots for cables, flash drives, etc.

That is probably OK as long as you only take stuff which is yours, personally.

3. Shut down your Voicemail.  Record a new greeting telling people that you left the company and who to bug.  Delete all the messages in your voicemail inbox.

Don’t do this unless your employer approves.  Those voice mails are not your property – they belong to the company.  Ask your employer what they want you to do regarding your voice mails.  More than likely they will want you to preserve them until they have a chance to go through them.  They may or may not want to make your departure public right now, so they may not want you to change your greeting.  In any case, it is their choice, not yours.

4. Shut down your email.  Delete all your emails.  In Wired’s defense, at least here they say make sure it is within your company’s policies to do so.

I doubt your company is going to want you to delete ANY emails.  They are going to want to back everything up first, and then they are probably going to want to go through them.

5. Wipe your computer.  Wipe the puppy clean, they say.

I say that doing this could subject you to a felony.

6. Wipe your phone.  Here they are partially right.  If the phone is your property, the company cannot tell you what to do with it – though even then you are probably not going to want to wipe it.

If it is company property, you don’t have the right to destroy the data on it.  Again, potential felony charges, depending on how much it costs the company to reconstruct the data and if they consider it willful destruction of company property or sabotage.

7.  Log out of any applications like Slack, Hipchat or your browser.

I think this one is safe.  If it is a company account, they will have the means to log back in.

Bottom line: if the device is owned by the company, coordinate with your manager, HR and/or IT.  If in doubt, don’t do it.  If you own the device you have a lot more latitude in terms of what you can do with it.

One simple way to do things, if your company allows it, is to store YOUR stuff on your own personal flash drive.  Also, don’t commingle work and personal email messages.  Keep personal personal and work work.  That way, you don’t store anything on the company computer and you don’t have to remove anything.  Don’t log on to your personal email or social media accounts from your work computer.  Remember, even if you log out of social media or email accounts or delete your saved passwords, your company may have them anyway, captured in a variety of ways (web proxies, endpoint monitoring software, backups).

If in doubt, contact an attorney.  Before you act.

Information for this post came from Wired.


Making Sense of the Equifax Breach

Earlier this week Equifax, the credit reporting giant, announced that hackers had wandered around inside its systems between May and July of this year.  143 million records were compromised.  In addition, credit card numbers for 200,000 people were compromised, and personal identifying information on another 182,000 people was also exposed.

Information compromised includes names, Social Security numbers, birth dates, addresses, credit card numbers and driver’s license information.

Equifax said that the hackers got in by compromising a web application.

They did say that they are going to notify certain people who are affected, and they are also offering their own credit monitoring service to anyone who wants it, whether affected by the breach or not.

Beyond that, Equifax has not said much.

Ultimately, there are going to be a lot of investigations – the states, the feds, Congress, the CFPB – and out of them we may find some answers, but if we do, it will be a long time coming.

143 million represents pretty much anyone in the United States that has any credit in their name.

Equifax is offering people a year’s free credit monitoring, but your Social Security number doesn’t expire in twelve months.  All that means is that the hackers will wait a year before they start exploiting your data.

There are some things that you can do.

  1. First, Federal law allows you to get a free credit report from each of the three national credit bureaus once a year.  If you spread those out, you can get a copy of one of your credit reports every four months, for the rest of your life, for free.  You should do that.  You do this through a web site set up for this purpose.  WARNING:  There are lots of sites that are designed to look like the free, government-coordinated web site.  The site to go to is AnnualCreditReport.com.  You can also call 877-322-8228 to obtain one.  There are also several other situations in which you can get a free report in addition to the annual one, such as if you are turned down for credit because of the contents of your credit report.  Some states (Colorado, for example) also give you a free annual credit report in addition to the free Federal one, so if you live in one of those states, you could get a free credit report every other month.
  2. Check your bank statements regularly.
  3. Sign up for your bank’s free text messaging service.  The features vary but most of them will text you if there is a deposit or withdrawal to your account.
  4. Sign up for the free text messaging service for each of your credit cards.  You will get a message every time the card is used.
  5. Monitor your medical bills and insurance information to make sure that someone is not obtaining health care pretending to be you.
  6. If you get a notice from the IRS, do not ignore it.  It is possible that someone used your information to file a fraudulent tax return or something like that.
  7. Consider signing up for Equifax’s free credit monitoring service.  You can do that by visiting www.EquifaxSecurity2017.com.  Note that there is a clause in their terms of service that forces you to arbitrate disputes.  After a “visit” from the New York Attorney General, Equifax issued an announcement that those terms did not apply to the breach, but only to people who bought the paid version of their service.  If you do go to that site, you will be put in a queue to sign up (they could not handle 143 million people signing up in one day).  One source reported that you have to provide them with a credit card, which they will bill after the free period is up if you don’t cancel.  If this is true, I WOULD NOT sign up.  You can do most of what they do yourself with a bit more effort, and the principle of having to give them a credit card after they screwed up – well it kinda, sorta upsets me.
  8. Place a credit freeze.  Unlike a fraud alert, a freeze has to be placed with each of the three bureaus separately; one bureau does not pass it on to the others.  Fees vary by state, and there is a downside.  If you want to open an account, like when you buy cell phone service, they do a credit check, and if you have a freeze in place that check will fail.  In that case, you have to lift the freeze, for which they may charge you, and then put it back in place.

One thing that makes this breach more interesting is that three Equifax executives sold stock in recent days.  These sales were outside the normal scheduled sales that are reported to the SEC in advance.  The three are:

  • CFO John Gamble – $946,000
  • Rodolfo Ploder – $250,000
  • Joseph Loughran – $584,000

These sales were not scheduled and occurred within 2-3 days after the breach was discovered but before it was announced.  I am sure that this will be part of at least some of the investigations.

Normally, when there is a breach, you know that you have given a business your credit information.  For example, after the Target breach, you could rest easy if you didn’t have a Target credit or loyalty card and you never used your credit card at a Target store.  In this case, you are not the customer.  The banks and stores that issue credit are Equifax’s customer.  You never gave Equifax your information.  This means that you have no business relationship with Equifax.  It is an unusual deal.

It also means that, unlike the Target breach, you cannot close your account in a show of disapproval.  You can’t take your business to another company because you are not their customer.

Since there are only three major national credit bureaus, businesses will likely continue to do business with them.

Major lawsuits and regulatory fines are probable.  In fact, the first lawsuit has already been filed.

But this is not the first time a breach at a credit bureau has happened.  You may remember the T-Mobile breach from 2015.  That was at Experian.  And there have been others.  Not many, but some.

It is just a mess.  Stay tuned for details.

Information for this post came from CNN, The Chicago Tribune, The Washington Post, The LA Times and Bloomberg.

Who Turned Off The Lights?

The security firm Symantec is reporting that hackers have compromised energy companies in the U.S. and Europe.

Well that sounds bad enough, but we have to ask the question “what do you mean when you say compromised?”

The answer is a little bit complicated.  Most energy companies, in a bid to make it tougher for hackers, isolate their operations network – the one that controls power generation and distribution – from the administrative network – the one where users get email and browse the web and such.

Except that life is never that clean.  The power companies, as part of their business, need to get data out of the operational network to manage the business, push software upgrades in, and many other things, so the two networks are never completely separate – but they do try hard.

Well, according to Symantec, in this case, by compromised they mean that the hackers were far enough into the network that they could turn off your lights.

Symantec says that the group that they are calling Dragonfly is attacking energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry equipment providers.  Companies who were compromised were located in the United States, France, Spain, Italy, Germany, Turkey and Poland.

Assuming these hackers could really “flip the switches”, it would seem like they could do a LOT of damage.  And, depending on what they actually did, it could take a little time or a long time to fix.

Symantec says that this group is likely state sponsored.  Which state they aren’t saying, but I’m betting on Russia.

Symantec provides a lot of details on how the attack works, so if you are interested, go to the Symantec link below for more information.

You may remember that hackers – likely Russians – actually did turn off the lights in Ukraine in the dead of winter in 2015 and 2016.  It is not that far a stretch to think that hackers could do that to the U.S. energy industry.

Homeland Security has been working with the energy industry for the last several years to try and mitigate this threat and they probably have made some headway, but making headway and saying hackers can’t turn off the lights are two very different things.

Of course Homeland Security does not want the American public to panic, so they are going to try very hard to spin things into “this is not a problem;  we have it covered”.  If you believe that line, I have some land I want to sell you in the Florida Keys.

Unfortunately, there really isn’t a lot for the average bear to do.  You can’t fuss at the power company.  Well, you can, but they will likely call you a nut case.

Being knowledgeable on the situation and providing input when possible is a reasonable course of action.  Panicking is not.

I wish I had a better answer, but I don’t.

Information for this post came from Symantec and Wired.

Another Day, Another Amazon Data Exposure – And How Not To Handle It

Last week I wrote about an incident with a vendor to the City of Chicago who left close to two million voter records exposed on Amazon and how the vendor, in spite of the initial mistake of exposing the data, handled the breach very well (see blog post).

Today we have another case and, this time, an example of how not to handle it.

Today’s case also came from researcher Chris Vickery, and the data in question was an Amazon storage bucket full of resumes for what the news is calling “mercenaries”.  In fact, the company is Tigerswan, a private security firm.

Like many private security firms that cater to the military or paramilitary world, many of the employees and applicants are ex-military and hold or have held high level security clearances.

On July 20th, Vickery discovered an Amazon S3 bucket named TigerswanResumes with almost 10,000 resumes of veterans and others who were interested in working for Tigerswan.  As is typical for resumes, they included a lot of personal details, including former activities in the military and clearance information.  This data was totally exposed to anyone who happened upon it – no password, no AWS account needed – including, potentially, agents of foreign powers who might want to blackmail (or worse) these people.

On July 21st Chris emailed Tigerswan about the situation.  He followed up on the 22nd with a phone call and email and was told they were working with Amazon to secure the data.

On August 10th, with the data still exposed, Chris reached out to Tigerswan again and was told that they were unsure as to why the data was exposed and would bring it to the IT director’s attention.

Finally, on August 24th, more than a month after being notified, the data was secured.

THE ONLY REASON THAT THE DATA WAS SECURED ON AUGUST 24TH WAS BECAUSE CHRIS WAS ABLE TO GET AMAZON TO INTERVENE.

Tigerswan blamed the situation on a former recruiting vendor – in other words, the data was effectively abandoned and unprotected.  No one “owned” that data.

Chris’s blog post provides a lot of examples of the backgrounds of people whose information was exposed and, it would seem, this information would be attractive to intelligence agents.  Included in the resumes were police officers, sheriff’s deputies, people who worked at Guantanamo and many others.

Also on some of the resumes were references with contact information including one former director of the CIA clandestine services.  You kind of get the idea.

The fact that this took a month to secure the data is an indication of a lack of an effective incident response program and also a lack of a program to manage the location and ownership of data inside the company.  The fact that Amazon finally had to intervene makes the situation even worse.  Unfortunately, neither of these is unusual.

While it does take some work to build and maintain data maps documenting where data is stored – which should include data managed by vendors and ex-vendors on behalf of the company – compared to taking a month to fix a problem like this, the cost is low.  Very low.  For the veterans who were affected, the cost, assuming this data is now in the hands of our adversaries (and I can only assume that if Chris could find it, so could the Russians or the Chinese), is high, and those veterans and others will have to deal with it.  That could, realistically, be sufficient grounds for a class action lawsuit against Tigerswan.
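Data maps tell you where the buckets are; you still have to check each one.  Here is an added example, not code from the original post or from the researcher’s write-up, of the offline check I would run over the two documents that can open an S3 bucket to the world, the bucket policy and the bucket ACL, in the shapes the S3 API returns them (GetBucketPolicy and GetBucketAcl).  The bucket name, account ID, role name and the documents themselves are constructed for the example, and nothing here talks to AWS.

```python
# Added example, not code from the original post or from the researcher's
# write-up: an offline check of an S3 bucket policy and bucket ACL for
# anonymous read/list access, the condition the resume bucket was left in.
# Bucket name, account ID, role name and documents below are constructed.
import json
from fnmatch import fnmatchcase

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone, no account
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}
# Actions that let a stranger list or download data (lower-cased for matching).
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """IAM's two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    # Policy actions may carry wildcards ("s3:Get*", "*"), so match as patterns.
    return any(fnmatchcase(read, a.lower()) for a in _as_list(actions) for read in READ_ACTIONS)


def public_policy_statements(policy):
    """Split the Allow statements aimed at everyone into (public, conditional):
    statements with no Condition block are public; those with a Condition may
    still be restricted (e.g. to a VPC) and need a human to read them."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    public, conditional = [], []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not principal_is_everyone(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action", [])):
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        (conditional if st.get("Condition") else public).append(sid)
    return public, conditional


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups, as (group, permission)."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def bucket_is_public(policy, acl):
    """True if either the policy or the ACL opens the bucket unconditionally."""
    public, _ = public_policy_statements(policy)
    return bool(public) or bool(public_acl_grants(acl))


# Constructed: a resume bucket left the way the story describes.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"},
        {"Sid": "ListFromVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-resumes",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}},
    ],
}
LEAKY_ACL = {
    "Owner": {"ID": "0000example"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0000example"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# Constructed: the same bucket after the fix, readable only by one named role.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RecruitingRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/recruiting-reader"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-resumes", "arn:aws:s3:::example-resumes/*"]}],
}
FIXED_ACL = {"Owner": {"ID": "0000example"}, "Grants": [LEAKY_ACL["Grants"][0]]}

if __name__ == "__main__":
    print("leaky bucket:", public_policy_statements(LEAKY_POLICY), public_acl_grants(LEAKY_ACL))
    print("fixed bucket public?", bucket_is_public(FIXED_POLICY, FIXED_ACL))
```

On the leaky documents the check names the PublicRead statement and the AllUsers READ grant, and sets the VPC-conditioned statement aside for a human to judge; on the fixed pair it reports nothing.  It deliberately stays simple: Deny statements, NotPrincipal/NotAction and per-object ACLs are not handled, so treat a clean result as “nothing obvious”, not as proof.  The quickest external confirmation is still the one Vickery used: an unauthenticated request for the bucket URL from outside the company, which should fail.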

Information for this post came from Upguard and ZDNet.