Tag Archives: Equifax

Equifax, Trans Union and the Software Supply Chain

One more time, Equifax is in the news – but they are not alone!

Users thought that Equifax had been hacked again because when customers went to a particular help page on their web site, they were redirected to a page directing them to download a malicious, fake, Adobe Flash update.

Hopefully, no one is running Flash anymore, so the request to update Flash could be safely ignored anyway.

Given the optics of the whole thing, Equifax immediately took that page offline.

The IRS, who has reputation optics problems of its own and who just renewed a $7 million no-bid contract to Equifax AFTER the first breach, immediately suspended the renewed Equifax contract, even though doing so removed some functionality from the IRS web site.  Given the complexity of government contracting rules, the IRS is limited in what it can and cannot do, but that didn’t stop Congress-critters from trying to score points with their constituents by yelling at the IRS.

In the meantime, researchers discovered that Transunion’s web site for Central America was serving up the same, exact malware!  Within a couple of hours, Transunion said that they had fixed the web site and were scanning their other web sites to see which ones were affected or infected.

It turns out, in this case, that neither Transunion nor Equifax had been breached.

The problem was, as I keep saying at every opportunity, a software supply chain problem.

The software supply chain problem comes from the fact that most web sites integrate some (or a lot of) third party code.  That code can be infected and then infect the user’s of the company’s web site.

In this case, both Transunion and Equifax both used a company called Fireclick.  Fireclick goes though a bunch of gyrations but eventually either displays a fake survey, fake Flash update or another exploit.  Fireclick, part of the conglomerate Digital River, provides web site analytics.  Or should be.  But, apparently, they got compromised and likely compromised HUNDREDS if not THOUSANDS of web site that use their analytic software.

Fireclick, pulls in code from a Fourth party, Netflame.

So the question is – who’s fault is this?

I lay the fault at the feet of companies that use third (and fourth) party code.  As soon as a company decides to do that, they “own” the problem that code causes.  No one cares that Equifax and Transunion use a third or fourth party.  They visited Equifax’s or Transunion’s web site and were served malicious content.

Equifax and Transunion deserve and get the black eye.

So if you develop software, pay others to develop software or use commercial or open source software (which should cover just about everyone with a computer), you need to understand this software supply chain problem and have a policy and procedures to deal with it.

Attackers have figured out time and time again that it is easier to attack your supply chain than to attack you.

AND, if the attackers are successful and your customers are compromised, they are going to come after you and the courts will, most likely, hold you liable.

So, two more things for your to-do list besides creating a software supply chain risk management program, are getting cyber insurance so that you are not left holding the financial bag  when your vendors screw up (while you might, possibly, be able to sue them, even if you are successful, it will take you years to recover any money) and making sure that your contracts with third parties (assuming there are contracts and that you have some say over what is in them) hold those parties responsible and financially liable for damage that they cause to you.  If there are no contracts or you can’t get the vendor to assume the liability of infecting you, you need to make sure that you address that risk in your risk management program.

Information for this post came from SC Magazine, Politico and Ars Technica.

Facebooktwitterredditlinkedinmailby feather

How Good Is Your Cyber Security Program – Ask Equifax

Sometimes Congress can be entertaining, but not usually.  Today was an exception.

FORMER Equifax Chairman Richard Smith, under who’s watch the huge Equifax data breach occurred, testified at the House Energy and Commerce Subcommittee.

What did he say?

#1 – Even though Homeland Security told Equifax (and others) about the Apache Struts vulnerability in March, when they scanned for it, they didn’t find the vulnerable versions of the software.

#2 – As a result, the patch was not applied.  Until today we didn’t know that EVERY system at Equifax that used Apache Struts was not patched.  I, for one, was hoping that it was just one system that they missed, but apparently they missed the boat. And likely the entire ocean.

Those two items are not funny.  Human error. Technical error.  Stuff happens.  It shouldn’t when Homeland Security specifically tells you about something, but sometimes it does.

#3 – They found out about the breach, they now say, on July 31.  Earlier reports say that the hackers were inside their systems as early as March – several months.  They didn’t tell people about it until last month.  Congress was not happy about that.

Rep. Greg Walden (R-Ore.) said “It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,”

He went on to say “How does this happen when so much is at stake?”  And  “I don’t think we can pass a law that fixes stupid.

Rep. Anna Eshoo (D-Atherton, CA) said “It seems to me that you’ve accomplished something that no one else has been able to accomplish … you have brought Republicans and Democrats together in outrage, distress and frustration over what’s happened,”

You have to admit, there has not been very much that the Dems and Repubs have agreed on lately.

Rep. Markwayne Mullin (R-Okla.) told Smith that the company’s response should have been like a fire alarm on the wall, ready at a moment’s notice to be pulled.  This is not humorous.  This is about having a Cyber Incident Response Program, documented, trained and tested, and ready to be put into action when needed.  CLEARLY, they failed at this one.

Some committee members admitted that Congress had failed, too.  Attempts at passing a strong cyber security law have failed over the last several years.  Political pressures have tended to produce very watered down attempts – often significantly weaker than many state laws and superseding those state laws.  As a result, some Congress critters would not vote for a bill that effectively mandated weaker security than residents of their state already had.

Rep. Joe Barton (R-Tx) said that financial penalties were needed to make companies take security more seriously.  If the penalty for a company like Equifax were say, only, five bucks a record compromised, that would be almost a billion dollars.  At that cost, the economics would tilt in favor of spending money to avoid a breach.

Today, companies, for the most part, say I am sorry and maybe offer a year of credit monitoring. In the case of Equifax, that year of credit monitoring was from themselves, so the cost to provide it would be really, really small.

A friend of mine told me of a letter he got from the local state administrative court judge.  The letter said that some jury duty records had been compromised.  The breach, which included Socials, names and birth dates, was not done by a hacker, but rather by the court itself, posting the data publicly, by accident.

The letter went on to say that the recipient MIGHT want to contact one of the credit bureaus and put a fraud alert on their credit file.  Helpfully, the court provided the phone numbers and web sites of the big three credit bureaus.  They, clearly, didn’t feel responsible to make people whole at all. You MIGHT want to, they said.  Nice.

I have no clue whether Joe Barton’s idea of fining companies (AND, I might add, the government should NOT exempt itself from these fines) will go anywhere, but for a Republican to propose fining businesses for lax security is an indication that Capitol Hill is not happy.

When asked at the hearing whether Equifax would pay the fees that the other two credit bureaus will charge those 145 million people to freeze their credit, Smith that they would not pay.  I bet that wasn’t a popular answer.

When asked about several exec’s sale of a million plus dollars worth of Equifax stock, Smith said “They’re honorable men. They’re men of integrity,” – “I have no indication they had any knowledge of the breach at the time of the sale.”  Interesting choice of words – have no indication  that they had any knowledge.  Not a very strong refutation that they didn’t know.

In any case, Smith is scheduled to testify before two more committees this week, so the entertainment is not over.

But, seriously, these are very reasonable questions.

Can you assure your customers that you would know about a vulnerability in a web development framework (or some other similarly obscure software) and get it patched in a day or two, company wide?  Smith said that the company’s policy is to deploy patches within two days.

What about responding?  Does your company have a documented, trained and tested cyber incident response program that you can use, like pulling a fire alarm on the wall? 

If you can’t answer the two questions in red any better than Equifax’s fired Chairman could (err, retired Chairman?), then this is probably a good time to fix that.  Before it becomes a problem.

Information for this post came from the Los Angeles Times.

 

Facebooktwitterredditlinkedinmailby feather

An Equifax Lesson For Everyone To Learn

One of the MANY lessons to be learned from the Equifax breach is how not to handle a breach.  Here is just one of those lessons and it is a lesson for BOTH users and webmasters.

NOTE:  TO SEE A BIGGER IMAGE OF ANY OF THE PICTURES IN THIS POST, JUST CLICK ONCE ON THE IMAGE.

When the breach finally became public – months after it happened – they created a web site for victims to go to in order to find out about the breach.  That web site, equifaxsecurity2017.com, looks like this:

You will notice that it has the Equifax logo on it and that it has the little green padlock indicating that it is encrypted, but, of course, anyone can steal the Equifax logo and put it anywhere they want – like right here, for example:

But that doesn’t mean that the site belongs to Equifax.

You will notice that the web site URL includes the name Equifax, but so does www.equifaxsucks.com (yup, a real site.  Totally benign, but real – see below).  So, just because the word Equifax is in the web site name does not mean that it is owned by Equifax.

In this case, since the word Equifax is probably a trademark, they can, eventually, get this site taken down if they want.   But, Equifaxx is not a trademark (note that there are two xxs and not one).  That site is real (see below) and curiously, it seems to belong to EXPERIAN, their biggest competitor.  Why they didn’t buy up similar sounding web sites for $10 a year each is beyond me and a lesson to learn from this.  Here is Equifaxx.com.

But that is not the worst failure.

Why wouldn’t they send you to a site that you KNOW is theirs. Send people to BREACH.equifax.com or Equifax.con/BREACH or something like that?  At least people know that they are going to a site owned by the company that they are looking for.  In fact, this site was hastily set up and initially, if you looked, it wasn’t even owned by Equifax, it was owned by an Equifax vendor.

Still, that is not the worst failure.

Here is the worst failure and the lesson for everyone – users and webmasters both.

While they secured the site with HTTPS – what we geeks call an SSL (or more correctly a TLS) certificate protected site, they used the cheapest, least secure certificate they could find.  What is called a DOMAIN VALIDATION certificate.  All that certificate proves is that the person who requested it – you, me, my kid, whoever – had sufficient access to the web site to store a file on it.  If the site had been hacked, a hacker could buy that kind of certificate.

THAT IS WHAT A GREEN PADLOCK PROVES.  NOTHING MORE.

Now lets look at Apple’s website for a minute (see below).

Note that the address bar is different from the address bar on Equifax’s breach web site.  This has the name Apple, Inc [US] in green in front of the URL.  This is an EXTENDED VALIDATION certificate.  In order for Apple (or Equifax) to get this, they had to prove they were Apple and not Mitch.  This is a higher level of verification and a more expensive certificate.

It is designed to give the user a higher level of confidence that they really have landed on an Apple – or Equifax – web site.

Why is this important.

One more time, Equifax is the poster child for how to screw up.

Equifax’s offical Twitter account tweeted not once, not twice but three times, an incorrect web site for people to go to.

Instead of sending people to EquifaxSecurity2017.com, they instead sent people to SecurityEquifax2017.com.

Now it turns out that this alter ego site was set up by a security researcher, so even when Equifax’s crisis communications team sent people to the wrong site, it didn’t infect their computer.  But if it was a hacker’s web site, it certainly could have.  Or asked for and stolen even more information.  Here is a look at the wrong web site.  This site proved it’s point so it has been taken down, but the Internet never forgets, so here is a copy from the Wayback machine, the Internet Archive.

Notice that this web site ALSO had a green padlock and was accessed using HTTPS.

Which is why, as users, we need to look for the company name in the address bar and why, as webmasters, we need to pay a little bit more for an extended validation or EV certificate.

In this case, if, say, there was a phishing campaign and it got people to click on the link and it sent people to a bogus web site, the extended validation certificate is much harder to forge.

Be a smart Internet user.  Look for the extended validation certificate.

Now that you are aware, as you surf the web, notice what companies have extended validation certificates.  And which ones do not.

Information for this post came from The Verge.

 

Facebooktwitterredditlinkedinmailby feather

You’re Not Gonna Believe This – Another Equifax Breach

Apparently Equifax had another, separate breach in March of this year, 5 months before the breach that they have already announced.

Equifax hired the security firm Mandiant to check into both breaches, but since they have not said anything about this first breach, we really don’t know much about it.

One assumes that this secret earlier breach will only fuel the fires behind the dozens of lawsuits and separate dozens of investigations.

It will also make people wonder about those executive stock sales – the ones NOT on the SEC sale schedule and which occurred a couple of days before the announcement of the second breach but months after the first breach.

It is possible that they discovered the first breach before any data was stolen, but if that was the case, how do you explain how the second breach, only a few months later, went undetected for several months?  There is no logic that can explain this.

We have also seen cases where the breached company didn’t want to find any evidence of something that would require them to notify anyone.  Breach?  Breach?  What breach?  I don’t see any breach.  If you tell the investigators to only look in one corner where nothing happened, they likely won’t find any problems.  The company said that they have complied with all mandatory notifications regarding the March breach.

The fact that Equifax was lobbying Congress to reduce their breach reporting requirements at the same time that they were investigating the first breach is, shall we say, a bit problematic.  And it has terrible optics.

Is this the final straw that has the board fire the CEO?  I don’t know but I would not be surprised.

Another source is saying that the goal of the attackers may have been to use Equifax to breach some of Equifax’s large banking partners.  At least one bank appears to have been compromised and Equifax says that it is working with its banking partners to mitigate damage.

Information for this post came from Bloomberg.

Facebooktwitterredditlinkedinmailby feather

Equifax – The Gift That Keeps On Giving

Update: Sep 15, 2017 – Equifax’s Chief Information Officer (CIO) and Chief Security Officer (CSO) “retired” (AKA were fired) today, effective immediately, according to USA Today.  Hopefully, the Board will ask the CEO to “retire” soon as well.

CIO Susan Mauldin and CSO David Webb are taking the heat for not installing one patch, out of the thousands that they likely install every month, that allowed the hackers to .  Webb received $2.6 million in compensation last year.

The company has appointed an interim CIO and interim CSO at the same time.  Given the dozens of investigations and dozens of lawsuits, the company is going to need to have as many resources available to testify as possible.

One complication firing them presents is that the company no longer has any where near the control over what they might say in court or to investigators.  In fact, to cover their own behinds, they might throw the CEO under the bus saying that they told the CEO that they didn’t have enough staff or money to do the job right and were not given more resources.  It is possible that their retirement package might have conditions on it, but if it says that they must lie to Congress, that probably would not be enforceable.

It’s gonna be interesting before it is all over.

Last week the news was about the 143 million people who’s data was compromised.

This week it is how Equifax is handling the breach.

First it was terms of service that seemed to require consumers to enter data for credit monitoring on a domain that wasn’t even owned by Equifax and give up their right to sue Equifax in exchange for a few bucks worth of free credit monitoring.  They changed their mind after the New York Attorney General said that he would go after them if they tried that.

Then it was the fact that the site that users were flocking to in the aftermath of the breach was vulnerable to a cross site scripting vulnerability that would allow hackers to extract all of the data the the consumers were providing.

Next it came out that Equifax Argentina’s employee web site that was used by Equifax employees to manage credit complaints had an admin account with a userid of admin and a password of admin.  That site has subsequently been taken offline after that bit of news was made public.

Then, of course, there are the 50 or lawsuits that have been filed against them.  So far.  Including one multi-BILLION dollar suit.

Next Senators Wyden and Hatch are asking a lot of embarrassing questions of Equifax like do you have a Chief Information Security Officer (apparently not) and exactly how many full time security professionals do you have on staff.  The Senators seem to understand the potential long term impact on healthcare fraud, tax return fraud and entitlement fraud, all of which the Federal government – and by association you – will get to foot the bill for.

Then it was reported that Equifax spent at least $500,000 in the months leading up to announcing the breach, lobbying Congress to change the regulations so that they wouldn’t have to notify consumers in case of a breach and limiting the legal liability of credit reporting companies.

Of course there was that slight “optics” problem of Equifax execs selling over a million dollars worth of stock between the date the breach was discovered and the date the breach was announced.

And finally, White House Spokesperson Sarah Huckabee Sanders said that the President, who was elected on a platform of removing regulations, would be looking extensively into whether additional regulation is needed to protect user data.  Of course, no one knows if Congress will actually do anything, but still that is a BIGLY about face for the prez.

All in all, not a great week for Equifax.

 

Information for this post came from ZDNet, CNetUSAToday, Vanity Fair and CNN.

Facebooktwitterredditlinkedinmailby feather

Making Sense of the Equifax Breach

Earlier this week Equifax, the credit reporting giant, announced that hackers wandered inside their systems between May and July of this year.  143 million records were compromised.  In addition to that, credit card numbers on 200,000 people were compromised and personal identifying information on 182,000 people were also released.

Information compromised includes names, Social Security numbers, birth dates, addresses, credit card numbers and driver’s license information.

Equifax said that the hackers got in by compromising a web application.

The did say that they are going to notify certain people who are affected and also are offering their own credit monitoring service to anyone who wants it, whether they were affected by the breach or not.

Beyond that, Equifax has not said much.

Ultimately, there are going to be a lot of investigations – the states, the feds, Congress, the CFPB and out of them we may find some answers, but if we do, it will be a long time coming.

143 million represents pretty much anyone in the United States that has any credit in their name.

Equifax is offering people a year’s free credit monitoring, but your Social Security number doesn’t expire in twelve months.  All that means is that the hackers will wait a year before they start exploiting your data.

There are some things that you can do.

  1. First, Federal law allows you to get a free credit report from each of the three national credit bureaus once a year.  If you spread that out, you can get a copy of one of your credit reports every four months for the rest of your life for free.  You should do that.   You can do this by going to a web site set up for this purpose.  WARNING:  There are lots of sites that are designed to look like the free government coordinated web site.  The site to go to is AnnualCreditReport.com .   You can also call 877-322-8228 to obtain one.  In addition to the free annual report there are several other situations in which you can get a free report in addition to the annual report, such as if you are turned down for credit due to the contents of your credit report.  Some states also allow you a free annual credit report (like Colorado) in addition to the free Federal report, so if you live in one of those states, you could get a free credit report every other month.
  2. Check your bank statements regularly.
  3. Sign up for your bank’s free text messaging service.  The features vary but most of them will text you if there is a deposit or withdrawal to your account.
  4. Sign up for the free text messaging service for each of your credit cards.  You will get a message every time the card is used.
  5. Monitor your medical bills and insurance information to make sure that someone is not obtaining health care pretending to be you.
  6. If you get a notice from the IRS, do not ignore it.  It is possible that someone used your information to file a fraudulent tax return or something like that.
  7. Consider signing up for Equifax’s free credit monitoring service.  You can do that by visiting www. EquifaxSecurity2017.com .  Note that there is a clause in their terms of service that forces you to arbitrate disputes.  After a “visit” from the New York Attorney General, Equifax issued an announcement that those terms did not apply to the breach, but only to people who bought the paid version of their service.  If you do go to that site, you will be put in queue to sign up (they could not handle 143 million people signing up in one day).  One source reported that you have to provide them with a credit card which they will bill after the free period is up if you don’t cancel.  If this is true, I WOULD NOT sign up.  You can pretty much do most of what they do with more effort by yourself and the principle of having to give them a credit card after they screwed up – well it kinda, sorta upsets me.
  8. Issue a credit freeze.  This is free and asking one bureau to do it will affect all three bureaus automatically, but there is a downside.  If you want to open an account like when you buy cell phone service, they do a credit check and if you have a freeze in place, that will fail.  In that case, you have to remove the freeze, for which they charge you and then put it back in place.

One thing that makes this breach more interesting is that three Equifax  executives sold stock in recent days.  These sales were outside normal scheduled sales that are reported to the SEC in advance.  The three are:

  • CFO John Gamble – $946,000
  •  Rodolfo Ploder – $250,000
  • Joseph Loughran – $584,000

These sales were not scheduled and occurred within 2-3 days after the breach was discovered but before it was announced.  I am sure that this will be part of at least some of the investigations.

Normally, when there is a breach, you know that you have given a business your credit information.  For example, after the Target breach, you could rest easy if you didn’t have a Target credit or loyalty card and you never used your credit card at a Target store.  In this case, you are not the customer.  The banks and stores that issue credit are Equifax’s customer.  You never gave Equifax your information.  This means that you have no business relationship with Equifax.  It is an unusual deal.

It also means that, unlike the Target breach, you cannot close your account in a show of disapproval.  You can’t take your business to another company because you are not their customer.

Since there are only three major national credit bureaus, businesses will likely continue to do business with them.

What is likely is major lawsuits and regulatory fines.  That is probable.  In fact, the first lawsuit has already been filed.

But this is not the first time a breach at a credit bureau has happened.  You may remember the T-Mobile breach from 2015.  That was at Experian.  And there have been others.  Not many, but some.

It is just a mess.  Stay tuned for details.

Information for this post came from CNN,  The Chicago Tribune,  The Washington Post,  The LA Times, Bloomberg,

Facebooktwitterredditlinkedinmailby feather