Category Archives: Breach

An Equifax Lesson For Everyone To Learn

One of the MANY lessons to be learned from the Equifax breach is how not to handle a breach.  Here is just one of those lessons and it is a lesson for BOTH users and webmasters.


When the breach finally became public – months after it happened – they created a web site for victims to go to in order to find out about the breach.  That web site, equifaxsecurity2017.com, looks like this:

You will notice that it has the Equifax logo on it and that it has the little green padlock indicating that it is encrypted, but, of course, anyone can steal the Equifax logo and put it anywhere they want – like right here, for example:

But that doesn’t mean that the site belongs to Equifax.

You will notice that the web site URL includes the name Equifax, but so does www.equifaxsucks.com (yup, a real site.  Totally benign, but real – see below).  So, just because the word Equifax is in the web site name does not mean that it is owned by Equifax.

In this case, since the word Equifax is probably a trademark, they can, eventually, get this site taken down if they want.  But Equifaxx is not a trademark (note that there are two x's, not one).  That site is real (see below) and, curiously, it seems to belong to EXPERIAN, their biggest competitor.  Why they didn’t buy up similar-sounding web sites for $10 a year each is beyond me, and that is a lesson to learn from this.  Here is Equifaxx.com.

But that is not the worst failure.

Why wouldn’t they send you to a site that you KNOW is theirs?  Send people to BREACH.equifax.com or Equifax.com/BREACH or something like that.  At least people would know that they are going to a site owned by the company that they are looking for.  In fact, this site was hastily set up and initially, if you looked, it wasn’t even owned by Equifax; it was owned by an Equifax vendor.

Still, that is not the worst failure.

Here is the worst failure and the lesson for everyone – users and webmasters both.

While they secured the site with HTTPS – what we geeks call an SSL (or, more correctly, TLS) certificate-protected site – they used the cheapest, least secure certificate they could find, what is called a DOMAIN VALIDATION certificate.  All that certificate proves is that the person who requested it – you, me, my kid, whoever – had sufficient access to the web site to store a file on it.  If the site had been hacked, a hacker could buy that kind of certificate.

THAT IS WHAT A GREEN PADLOCK PROVES.  NOTHING MORE.

Now let’s look at Apple’s website for a minute (see below).

Note that the address bar is different from the address bar on Equifax’s breach web site.  This has the name Apple, Inc [US] in green in front of the URL.  This is an EXTENDED VALIDATION certificate.  In order for Apple (or Equifax) to get this, they had to prove they were Apple and not Mitch.  This is a higher level of verification and a more expensive certificate.

It is designed to give the user a higher level of confidence that they really have landed on an Apple – or Equifax – web site.

Why is this important?

One more time, Equifax is the poster child for how to screw up.

Equifax’s official Twitter account tweeted, not once, not twice but three times, an incorrect web site for people to go to.

Instead of sending people to EquifaxSecurity2017.com, they instead sent people to SecurityEquifax2017.com.

Now it turns out that this alter ego site was set up by a security researcher, so even when Equifax’s crisis communications team sent people to the wrong site, it didn’t infect their computers.  But if it had been a hacker’s web site, it certainly could have.  Or asked for and stolen even more information.  Here is a look at the wrong web site.  This site proved its point so it has been taken down, but the Internet never forgets, so here is a copy from the Wayback Machine, the Internet Archive.

Notice that this web site ALSO had a green padlock and was accessed using HTTPS.

Which is why, as users, we need to look for the company name in the address bar and why, as webmasters, we need to pay a little bit more for an extended validation or EV certificate.
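As an added example (not code from the original post), here is a Python check that classifies a certificate as DV, OV or EV from the subject fields that Python’s ssl module exposes.  The two embedded certificates are constructed samples, not real Equifax or Apple data, and the EV rule keys on the subject fields the CA/Browser Forum EV guidelines require beyond the organisation name (businessCategory, jurisdiction of incorporation, registration serialNumber).

```python
import socket
import ssl

# Two constructed certificates (not real Equifax or Apple data) in the shape
# that ssl.SSLSocket.getpeercert() returns: "subject" is a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs.
DV_CERT = {
    "subject": ((("commonName", "breachsite2017.example"),),),
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "EXAMPLE-000000"),),   # company registration number
        (("countryName", "US"),),
        (("organizationName", "Example Corp, Inc."),),
        (("commonName", "www.examplecorp.example"),),
    ),
}

# Subject attributes the EV guidelines require beyond O and CN.  OpenSSL may
# label the jurisdiction field by long name, short name or raw OID; accept all.
EV_REQUIRED = {"businessCategory", "serialNumber"}
EV_JURISDICTION = {"jurisdictionCountryName", "jurisdictionC",
                   "1.3.6.1.4.1.311.60.2.1.3"}


def subject_attrs(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {name: value
            for rdn in cert.get("subject", ())
            for name, value in rdn}


def classify_validation(cert):
    """Return 'DV' (hostname only: proves domain control, nothing about who
    runs the site), 'OV' (CA verified an organizationName) or 'EV'
    (organizationName plus the registration and jurisdiction fields)."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"
    if EV_REQUIRED <= attrs.keys() and EV_JURISDICTION & attrs.keys():
        return "EV"
    return "OV"


def describe(cert):
    """One-line verdict a user or webmaster can act on."""
    level = classify_validation(cert)
    if level == "DV":
        return "DV: padlock only proves control of the domain; no organisation verified"
    org = subject_attrs(cert)["organizationName"]
    return f"{level}: issued to verified organisation {org!r}"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live site's chain-validated certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    for cert in (DV_CERT, EV_CERT):
        print(describe(cert))
    for host in sys.argv[1:]:        # e.g. python ev_check.py www.apple.com
        print(host, "->", describe(fetch_peer_cert(host)))
```

Browsers have since dropped the green company name from the address bar (Chrome 77 and Firefox 70, both in 2019), so checking the organisation today means opening the certificate details, which is what this script does.  Also, getpeercert() only returns this dict for a certificate that passed chain validation, so a self-signed or expired certificate raises an error before classification.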

In this case, if, say, there was a phishing campaign and it got people to click on the link and it sent people to a bogus web site, the extended validation certificate is much harder to forge.

Be a smart Internet user.  Look for the extended validation certificate.

Now that you are aware, as you surf the web, notice what companies have extended validation certificates.  And which ones do not.

Information for this post came from The Verge.

 


You’re Not Gonna Believe This – Another Equifax Breach

Apparently Equifax had another, separate breach in March of this year, 5 months before the breach that they have already announced.

Equifax hired the security firm Mandiant to check into both breaches, but since they have not said anything about this first breach, we really don’t know much about it.

One assumes that this secret earlier breach will only fuel the fires behind the dozens of lawsuits and separate dozens of investigations.

It will also make people wonder about those executive stock sales – the ones NOT on the SEC sale schedule and which occurred a couple of days before the announcement of the second breach but months after the first breach.

It is possible that they discovered the first breach before any data was stolen, but if that was the case, how do you explain how the second breach, only a few months later, went undetected for several months?  There is no logic that can explain this.

We have also seen cases where the breached company didn’t want to find any evidence of something that would require them to notify anyone.  Breach?  Breach?  What breach?  I don’t see any breach.  If you tell the investigators to only look in one corner where nothing happened, they likely won’t find any problems.  The company said that they have complied with all mandatory notifications regarding the March breach.

The fact that Equifax was lobbying Congress to reduce their breach reporting requirements at the same time that they were investigating the first breach is, shall we say, a bit problematic.  And it has terrible optics.

Is this the final straw that gets the board to fire the CEO?  I don’t know, but I would not be surprised.

Another source is saying that the goal of the attackers may have been to use Equifax to breach some of Equifax’s large banking partners.  At least one bank appears to have been compromised and Equifax says that it is working with its banking partners to mitigate damage.

Information for this post came from Bloomberg.


Equifax – The Gift That Keeps On Giving

Update: Sep 15, 2017 – Equifax’s Chief Information Officer (CIO) and Chief Security Officer (CSO) “retired” (AKA were fired) today, effective immediately, according to USA Today.  Hopefully, the Board will ask the CEO to “retire” soon as well.

CIO Susan Mauldin and CSO David Webb are taking the heat for not installing one patch, out of the thousands that they likely install every month, that allowed the hackers to .  Webb received $2.6 million in compensation last year.

The company has appointed an interim CIO and interim CSO at the same time.  Given the dozens of investigations and dozens of lawsuits, the company is going to need to have as many resources available to testify as possible.

One complication that firing them presents is that the company no longer has anywhere near the same control over what they might say in court or to investigators.  In fact, to cover their own behinds, they might throw the CEO under the bus, saying that they told the CEO that they didn’t have enough staff or money to do the job right and were not given more resources.  It is possible that their retirement package has conditions on it, but if it says that they must lie to Congress, that probably would not be enforceable.

It’s gonna be interesting before it is all over.

Last week the news was about the 143 million people whose data was compromised.

This week it is how Equifax is handling the breach.

First it was terms of service that seemed to require consumers to enter data for credit monitoring on a domain that wasn’t even owned by Equifax and give up their right to sue Equifax in exchange for a few bucks worth of free credit monitoring.  They changed their mind after the New York Attorney General said that he would go after them if they tried that.

Then it was the fact that the site that users were flocking to in the aftermath of the breach had a cross-site scripting vulnerability that would allow hackers to extract all of the data that the consumers were providing.

Next it came out that Equifax Argentina’s employee web site that was used by Equifax employees to manage credit complaints had an admin account with a userid of admin and a password of admin.  That site has subsequently been taken offline after that bit of news was made public.

Then, of course, there are the 50 or so lawsuits that have been filed against them.  So far.  Including one multi-BILLION dollar suit.

Next, Senators Wyden and Hatch are asking a lot of embarrassing questions of Equifax, like do you have a Chief Information Security Officer (apparently not) and exactly how many full-time security professionals do you have on staff.  The Senators seem to understand the potential long-term impact on healthcare fraud, tax return fraud and entitlement fraud, all of which the Federal government – and by association you – will get to foot the bill for.

Then it was reported that Equifax spent at least $500,000 in the months leading up to announcing the breach, lobbying Congress to change the regulations so that they wouldn’t have to notify consumers in case of a breach and limiting the legal liability of credit reporting companies.

Of course there was that slight “optics” problem of Equifax execs selling over a million dollars worth of stock between the date the breach was discovered and the date the breach was announced.

And finally, White House Spokesperson Sarah Huckabee Sanders said that the President, who was elected on a platform of removing regulations, would be looking extensively into whether additional regulation is needed to protect user data.  Of course, no one knows if Congress will actually do anything, but still that is a BIGLY about face for the prez.

All in all, not a great week for Equifax.

 

Information for this post came from ZDNet, CNet, USA Today, Vanity Fair and CNN.


Making Sense of the Equifax Breach

Earlier this week Equifax, the credit reporting giant, announced that hackers wandered inside their systems between May and July of this year.  143 million records were compromised.  In addition to that, credit card numbers on 200,000 people were compromised and personal identifying information on 182,000 people was also released.

Information compromised includes names, Social Security numbers, birth dates, addresses, credit card numbers and driver’s license information.

Equifax said that the hackers got in by compromising a web application.

They did say that they are going to notify certain people who are affected and also are offering their own credit monitoring service to anyone who wants it, whether they were affected by the breach or not.

Beyond that, Equifax has not said much.

Ultimately, there are going to be a lot of investigations – the states, the feds, Congress, the CFPB – and out of them we may find some answers, but if we do, it will be a long time coming.

143 million represents pretty much anyone in the United States that has any credit in their name.

Equifax is offering people a year’s free credit monitoring, but your Social Security number doesn’t expire in twelve months.  All that means is that the hackers will wait a year before they start exploiting your data.

There are some things that you can do.

  1. First, Federal law allows you to get a free credit report from each of the three national credit bureaus once a year.  If you spread that out, you can get a copy of one of your credit reports every four months for the rest of your life for free.  You should do that.  You can do this by going to a web site set up for this purpose.  WARNING:  There are lots of sites that are designed to look like the free government-coordinated web site.  The site to go to is AnnualCreditReport.com.  You can also call 877-322-8228 to obtain one.  In addition to the free annual report there are several other situations in which you can get a free report, such as if you are turned down for credit due to the contents of your credit report.  Some states also allow you a free annual credit report (like Colorado) in addition to the free Federal report, so if you live in one of those states, you could get a free credit report every other month.
  2. Check your bank statements regularly.
  3. Sign up for your bank’s free text messaging service.  The features vary but most of them will text you if there is a deposit or withdrawal to your account.
  4. Sign up for the free text messaging service for each of your credit cards.  You will get a message every time the card is used.
  5. Monitor your medical bills and insurance information to make sure that someone is not obtaining health care pretending to be you.
  6. If you get a notice from the IRS, do not ignore it.  It is possible that someone used your information to file a fraudulent tax return or something like that.
  7. Consider signing up for Equifax’s free credit monitoring service.  You can do that by visiting www.EquifaxSecurity2017.com.  Note that there is a clause in their terms of service that forces you to arbitrate disputes.  After a “visit” from the New York Attorney General, Equifax issued an announcement that those terms did not apply to the breach, but only to people who bought the paid version of their service.  If you do go to that site, you will be put in a queue to sign up (they could not handle 143 million people signing up in one day).  One source reported that you have to provide them with a credit card which they will bill after the free period is up if you don’t cancel.  If this is true, I WOULD NOT sign up.  You can pretty much do most of what they do with more effort by yourself, and the principle of having to give them a credit card after they screwed up – well it kinda, sorta upsets me.
  8. Issue a credit freeze.  This is free and asking one bureau to do it will affect all three bureaus automatically, but there is a downside.  If you want to open an account like when you buy cell phone service, they do a credit check and if you have a freeze in place, that will fail.  In that case, you have to remove the freeze, for which they charge you and then put it back in place.

One thing that makes this breach more interesting is that three Equifax executives sold stock in recent days.  These sales were outside normal scheduled sales that are reported to the SEC in advance.  The three are:

  • CFO John Gamble – $946,000
  • Rodolfo Ploder – $250,000
  • Joseph Loughran – $584,000

These sales were not scheduled and occurred within 2-3 days after the breach was discovered but before it was announced.  I am sure that this will be part of at least some of the investigations.

Normally, when there is a breach, you know that you have given a business your credit information.  For example, after the Target breach, you could rest easy if you didn’t have a Target credit or loyalty card and you never used your credit card at a Target store.  In this case, you are not the customer.  The banks and stores that issue credit are Equifax’s customer.  You never gave Equifax your information.  This means that you have no business relationship with Equifax.  It is an unusual deal.

It also means that, unlike the Target breach, you cannot close your account in a show of disapproval.  You can’t take your business to another company because you are not their customer.

Since there are only three major national credit bureaus, businesses will likely continue to do business with them.

What is probable is major lawsuits and regulatory fines.  In fact, the first lawsuit has already been filed.

But this is not the first time a breach at a credit bureau has happened.  You may remember the T-Mobile breach from 2015.  That was at Experian.  And there have been others.  Not many, but some.

It is just a mess.  Stay tuned for details.

Information for this post came from CNN, The Chicago Tribune, The Washington Post, The LA Times and Bloomberg.


Courts Easing on Requirements For “Standing” in Breach Cases?

One of the things that has always been a barrier for people whose data was compromised during a breach is what lawyers call “standing”.  Standing derives from Article III of the U.S. Constitution.  The courts have said that there are three requirements for “standing” to bring an action against another – injury in fact, causation and redressability.  I am not going to even try to pretend that I am a lawyer, but basically, it says that you have to suffer harm, that the harm can be reasonably linked to the action of the defendant and that a favorable court decision will reasonably redress the situation (Wikipedia).

For the most part, the courts have ruled that, most of the time, people do not have standing and therefore cannot sue.

In February, the Fourth Circuit Court of Appeals made it harder to show standing by ruling that plaintiffs had to show that the data thieves intentionally targeted the personal information that is stolen in the breach.  The decision centers on the hypothetical future harm and whether you were injured.  There have been a number of court rulings like this (Fenwick and West).

However, more cases are starting to rule in the other direction.  Not overwhelmingly, and ultimately it will likely have to be decided by the Supremes.

Earlier this week U.S. District Court Judge Lucy Koh ruled that a case against Yahoo due to the breaches in 2013, 2014, 2015 and 2016 can proceed, in part due to the actions of Yahoo in not disclosing for years that the breaches occurred.

Before this is blown out of proportion, Judge Koh is only a District Court judge.  On the other hand, she was the presiding judge in Apple v. Samsung and made companies like Adobe, Google and Intel bow to her will, so her opinion is not like that of some guy in a diner.

Verizon, who bought Yahoo, had hoped that this case would just go away, but at least, for right now, the case will move forward.

Judicial doctrine takes years, even decades, to create.  The doctrine in this case is no different.  When it comes to determining standing with respect to the Constitution, it will take time.  This is just another building block as the courts continue to figure this out.

When companies reimburse people after a credit card breach or offer them credit monitoring, it is to reduce the injury-in-fact part. This, in turn, makes it harder for people to have standing.

The Yahoo case is a little different.  Since they kept the breaches secret for years, didn’t offer to reimburse people and didn’t offer credit monitoring, they did little to reduce the injury-in-fact part.  In fact they didn’t even tell people so that they could do these things themselves.

Companies have to make this particular decision all the time.  Do we disclose a breach or keep it secret?  Do we endure the bad P.R., or do we hope that word doesn’t get out?  In Yahoo’s case, as a result of that decision, the shareholders got to take a $350 million haircut in the form of a reduced purchase price, along with having to own responsibility for certain legal costs associated with the breach.

As this case moves forward, other companies will be watching closely.  Again, this is just one piece in a very large puzzle.

Information for this post came from Reuters.


Why An Incident Response Program Is Critical

Do you have a written incident response program?

Do the people who are part of it – the outside legal team, crisis communications team, forensics team, for example – know they are part of it?

Are contracts signed with outside service providers – or, at the least, have providers been periodically reviewed and a selected vendor already approved?

Has the team – both internal and external – conducted a mock disaster drill within the last 12 months?

Are the people answering the phones, email, chat and social media – from reception to help desk – trained in what to do when there is an inbound communication regarding a potential breach?  (You may remember that the FBI called the Democratic National Committee several times last year to warn them, but the person who answered the phone thought it was a prank.)

All of this needs to be in place and ready to go so that when (not if) an event occurs you are ready to spring into action.

Case in point.

One of our favorite white hat security researchers, Chris Vickery of Upguard, discovered a cache of voter information of Chicago residents unprotected on Amazon (does this ring a familiar bell – come on folks, let’s get it together).  1.8 million voters.  Names, addresses, birth dates, partial socials, driver’s licenses, etc.

He was able to associate it with ES&S, a service provider to the City of Chicago, and Chris notified them.

Setting aside the fact that, for some reason, someone at ES&S changed the default Amazon permissions from private to public – and I would certainly like to understand why – they handled the incident well.
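As an added example (not code from the original post or from ES&S), here is a Python audit of the two places an Amazon S3 bucket can be opened to the world: the bucket ACL and the bucket policy.  It assumes the Amazon storage in the story was an S3 bucket, and the ACL and policy documents it checks are constructed samples in the shapes that boto3’s get_bucket_acl() and get_bucket_policy() return, so it runs offline.

```python
import json

# Grantee URIs AWS uses for the two "everyone" groups in an S3 ACL.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone at all
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}

# Constructed samples (not the real ES&S data) in the shape boto3 returns from
# s3.get_bucket_acl() and s3.get_bucket_policy()["Policy"].
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},                    # anyone can list the bucket
]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::voter-backup-example/*"}]})


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to an everyone-group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Sids of unconditional Allow statements granted to everyone.
    Statements carrying a Condition (e.g. one restricting aws:SourceVpce) need
    manual review and are deliberately not reported as public here."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):        # a single statement may be un-listed
        stmts = [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def assess_bucket(name, acl, policy=None):
    """Human-readable findings; an empty list means nothing public was found."""
    findings = [f"{name}: ACL grants {perm} to {group}"
                for group, perm in public_acl_grants(acl)]
    if policy:
        findings += [f"{name}: policy statement {sid} allows Principal '*'"
                     for sid in public_policy_statements(policy)]
    return findings


if __name__ == "__main__":
    for label, acl, pol in (("private", PRIVATE_ACL, None),
                            ("exposed", PUBLIC_ACL, PUBLIC_POLICY)):
        print(label, assess_bucket("voter-backup-example", acl, pol) or ["ok"])
```

The cheaper fix than auditing after the fact is AWS’s S3 Block Public Access setting (available since late 2018) at the account level, which makes grants like these ineffective even if someone flips a bucket to public.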

Unlike the DNC who blew off the FBI, the email got to the right person.  As a side note, if someone wanted to notify your company, how would they know who to contact?  Is there information on your web site about what to do about security issues, for example?

While the details are still private, based on the results, they had a security incident response program.  They quickly – even though they were notified after business hours – investigated the report and within a few hours, the data was gone from Amazon.

Their crisis communications team released information that the data that was breached was limited and that no vote data was compromised.  They explained that it was a backup of a database that was unprotected, so the vote process integrity was intact.

They notified their customer, the Chicago Election Board.

Bottom line, they responded to a crisis quickly and worked to limit the damage.

I am sure that the City of Chicago will have more questions, but at least from the public side, they did what needed to be done and they did it quickly.

Can you say the same for your company?

Information for this post came from The Register.
