Tag Archives: Equifax

Friday News

Equifax Fallout

Proxy adviser Institutional Shareholder Services is recommending against re-electing 5 directors who sat on the audit and technology committees prior to the recent breach.  Equifax says that the breach will cost them an estimated $439 million through the end of this year and the company is facing hundreds of lawsuits.  The company has lost almost 20% of its market value since the breach was announced (Source: Reuters).

Casino Hacked Via Internet Connected Fish Tank Thermometer

The first question you might ask is why you need to have an Internet connected fish tank thermometer.  But an unnamed casino did and hackers attacked the thermometer and used it to gain access to the casino’s high roller database, which they then sucked out through the fish tank to the Internet.  Apparently, for real.   The moral of the story is that Internet of Things (IoT) security is important (Source: The Hacker News).

LocalBlox Leaks Info on 48 Million

While Facebook/Cambridge Analytica is in the news, other companies are doing the exact same thing.  Chris Vickery of UpGuard found an Amazon S3 bucket with the entire dataset of information for 48 million people – names, addresses, emails, IP addresses, jobs, salary.  They get the information by scraping web sites and adding purchased information.  When contacted, they attempted to spin the situation, so make your own assessment, but if you believe the story they are trying to spin after getting outed, no one would want to hire them. (source: ZDNet).


Friday News

It was only a matter of time.  Researchers say that they have discovered “things” on the blockchain.  Not so nice things.  Like child porn.  If true, and I have no reason to doubt the researchers, that would make possession of a copy of the blockchain illegal in 112 countries.  And, since we know that you can’t change the blockchain, now what?  Normally, when the cops find child porn on a web site, they get it removed or shut it down.  Do you have any idea how to shut down a distributed database with tens of millions of copies on every continent of the globe, except, maybe, Antarctica?  Me neither.   And think about it.  You could use this technology to distribute any kind of illegal information that you want to.  Hidden in plain sight and unstoppable.  (source: PC Magazine).

Department of Homeland Security Secretary Kirstjen Nielsen testified before the Senate Intelligence Committee this week that they have completed the security clearance process on 20 election officials to be able to share classified intelligence about foreign government attempts to hack into their election systems.  Given there are about 10,000 election jurisdictions, at this rate it may take a while to complete.

Suffice it to say, it would seem that after 14 months, this administration is a tiny little bit behind the 8 ball when it comes to protecting our election process.  (source: Axios).

Possibly in the wake of the Cambridge Analytica “situation”, the Facebook security chief, Alex Stamos, quit.  Followed, the next day, by Michael Coates, head of security for Twitter, quitting.  Followed the next day by Michal Zalewski, Director of Information Security Engineering at Google.  Not a great week.  Is someone sending the big guys a message?  (source: National Herald).

Mossack Fonseca, the law firm at the eye of the storm of the Panama Papers leak of millions of documents of the rich and famous announced they are shutting down due to reputational damage, media attention to a company that would rather operate in the shadows and other fallout from their breach.  While their breach was very public, their finances were deep.  However when customers started deserting them like rats deserting a sinking ship, their ship was doomed.  While it took a couple of years, it was inevitable. (source: The Guardian).

The government has filed civil and criminal charges against a former Equifax exec for insider trading.  Jun Ying, a not very smart tech exec at the company, heard rumors about a breach and decided it would be a good time to sell all of his vested stock options, netting him almost a million bucks in profit.  And, possibly, ten years at the crossbar hotel.  Not very subtle on his part.  Hopefully only the beginning of going after folks at Equifax, but who knows.  (source: Reuters)


Reuters Reports CFPB Will Not Investigate Equifax Breach

As the leadership at the Consumer Financial Protection Bureau has changed to a more business friendly leader, the new head of the CFPB, Mick Mulvaney, is not going to move forward with a full scale probe of how Equifax failed to protect the information of over a hundred million consumers.

The former director, Richard Cordray, ordered an investigation right after the breach.  Since then, the CFPB has not done much to investigate Equifax.

In particular, Mulvaney has not issued any subpoenas and has not gotten any sworn testimony from Equifax executives.

The CFPB also, reportedly, rebuffed offers of help from the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency.

While the President can, likely, tell Mulvaney to back off on Equifax, every state Attorney General is investigating Equifax.  Those AGs, some Democrats and some Republicans, are beyond the reach of the feds’ ability to control, since they will be looking at whether Equifax broke state and not federal laws.

The FTC is investigating Equifax.  The last time they fined a credit bureau, the amount of the fine was $393,000 – pocket change for a multi billion dollar company.

The CFPB fined credit bureaus over $25 million last year alone, which one would assume, was well known by whoever told the CFPB to not investigate things too hard.

Cordray asked bank regulators to do new exams of all of the credit bureaus.  Last month Mulvaney told the regulators that there would be no new exams.

The crux of this may be the dispute between the Democrats and Republicans on what authority the CFPB actually has.  That has been the subject of a seven year long court battle.  TransUnion said that the CFPB has no authority to examine the credit bureaus over cyber security issues and that certainly is possible.

That being said, 50 Attorneys General, all of whom have political aspirations, should be able to effectively get Equifax’s attention.

Congress, for its part, has done nothing to increase the oversight of the credit bureaus since the breach, even though months have passed.  That should not seem like much of a surprise for a Congress that can’t even fund the government for more than a couple of weeks at a time.

Information for this post came from Reuters.


Equifax, Trans Union and the Software Supply Chain

One more time, Equifax is in the news – but they are not alone!

Users thought that Equifax had been hacked again because when customers went to a particular help page on their web site, they were redirected to a page directing them to download a malicious, fake Adobe Flash update.

Hopefully, no one is running Flash anymore, so the request to update Flash could be safely ignored anyway.

Given the optics of the whole thing, Equifax immediately took that page offline.

The IRS, who has reputation optics problems of its own and who just renewed a $7 million no-bid contract to Equifax AFTER the first breach, immediately suspended the renewed Equifax contract, even though doing so removed some functionality from the IRS web site.  Given the complexity of government contracting rules, the IRS is limited in what it can and cannot do, but that didn’t stop Congress-critters from trying to score points with their constituents by yelling at the IRS.

In the meantime, researchers discovered that Transunion’s web site for Central America was serving up the same exact malware!  Within a couple of hours, Transunion said that they had fixed the web site and were scanning their other web sites to see which ones were affected or infected.

It turns out, in this case, that neither Transunion nor Equifax had been breached.

The problem was, as I keep saying at every opportunity, a software supply chain problem.

The software supply chain problem comes from the fact that most web sites integrate some (or a lot of) third party code.  That code can be infected and then infect the users of the company’s web site.

In this case, both Transunion and Equifax used a company called Fireclick.  Fireclick goes through a bunch of gyrations but eventually either displays a fake survey, a fake Flash update or another exploit.  Fireclick, part of the conglomerate Digital River, provides web site analytics.  Or is supposed to.  But, apparently, they got compromised and likely compromised HUNDREDS if not THOUSANDS of web sites that use their analytics software.

Fireclick pulls in code from a fourth party, Netflame.

So the question is – whose fault is this?

I lay the fault at the feet of companies that use third (and fourth) party code.  As soon as a company decides to do that, they “own” the problem that code causes.  No one cares that Equifax and Transunion use a third or fourth party.  They visited Equifax’s or Transunion’s web site and were served malicious content.

Equifax and Transunion deserve and get the black eye.

So if you develop software, pay others to develop software or use commercial or open source software (which should cover just about everyone with a computer), you need to understand this software supply chain problem and have a policy and procedures to deal with it.

Attackers have figured out time and time again that it is easier to attack your supply chain than to attack you.

AND, if the attackers are successful and your customers are compromised, they are going to come after you and the courts will, most likely, hold you liable.

So, two more things for your to-do list besides creating a software supply chain risk management program, are getting cyber insurance so that you are not left holding the financial bag  when your vendors screw up (while you might, possibly, be able to sue them, even if you are successful, it will take you years to recover any money) and making sure that your contracts with third parties (assuming there are contracts and that you have some say over what is in them) hold those parties responsible and financially liable for damage that they cause to you.  If there are no contracts or you can’t get the vendor to assume the liability of infecting you, you need to make sure that you address that risk in your risk management program.
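One concrete control for the third-party-script problem described above, as an added example that is not part of the original post: audit a page for scripts loaded from hosts you do not control and pin the ones you have reviewed with Subresource Integrity, so a compromised vendor file no longer runs in your visitors' browsers. The hosts in the sample page are constructed.

```python
"""Added example (not from the original post): audit a page's third-party
<script> tags and generate Subresource Integrity (SRI) pins, so a compromised
analytics vendor cannot silently change the code your visitors execute."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script src=...> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attrs = dict(attrs)
            if attrs.get("src"):
                self.scripts.append(attrs)


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for a reviewed, known-good copy of a script."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def audit_scripts(html: str, first_party_hosts: set) -> list:
    """Flag scripts from hosts you do not control that carry no integrity
    pin.  Relative and first-party sources are not supply-chain includes."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"]
        host = urlparse(src).hostname
        if host is None or host in first_party_hosts:
            continue
        if not attrs.get("integrity"):
            findings.append({"src": src, "host": host,
                             "reason": "third-party script without SRI pin"})
        elif "crossorigin" not in attrs:
            # Without CORS the cross-origin response is opaque, so the check
            # cannot run and the browser refuses to execute the script.
            findings.append({"src": src, "host": host,
                             "reason": "integrity set but crossorigin missing"})
    return findings


# Constructed sample page (hypothetical hosts): one first-party script, one
# unpinned third-party analytics include and one correctly pinned library.
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://analytics.vendor.example/track.js"></script>
<script src="https://cdn.example/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
</head></html>
"""

def demo() -> list:
    """Run the audit over the constructed sample page."""
    return audit_scripts(SAMPLE_PAGE, {"www.example"})
```

SRI only works for a script whose content you have reviewed and can pin; a vendor that changes its script on every deploy, or a script that in turn loads fourth-party code the way Fireclick pulled in Netflame, needs a different control such as a Content Security Policy allowlist.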

Information for this post came from SC Magazine, Politico and Ars Technica.


How Good Is Your Cyber Security Program – Ask Equifax

Sometimes Congress can be entertaining, but not usually.  Today was an exception.

FORMER Equifax Chairman Richard Smith, under whose watch the huge Equifax data breach occurred, testified at the House Energy and Commerce Subcommittee.

What did he say?

#1 – Even though Homeland Security told Equifax (and others) about the Apache Struts vulnerability in March, when they scanned for it, they didn’t find the vulnerable versions of the software.

#2 – As a result, the patch was not applied.  Until today we didn’t know that EVERY system at Equifax that used Apache Struts was not patched.  I, for one, was hoping that it was just one system that they missed, but apparently they missed the boat. And likely the entire ocean.

Those two items are not funny.  Human error. Technical error.  Stuff happens.  It shouldn’t when Homeland Security specifically tells you about something, but sometimes it does.

#3 – They found out about the breach, they now say, on July 31.  Earlier reports say that the hackers were inside their systems as early as March – several months.  They didn’t tell people about it until last month.  Congress was not happy about that.

Rep. Greg Walden (R-Ore.) said “It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,”

He went on to say “How does this happen when so much is at stake?”  And  “I don’t think we can pass a law that fixes stupid.”

Rep. Anna Eshoo (D-Atherton, CA) said “It seems to me that you’ve accomplished something that no one else has been able to accomplish … you have brought Republicans and Democrats together in outrage, distress and frustration over what’s happened,”

You have to admit, there has not been very much that the Dems and Repubs have agreed on lately.

Rep. Markwayne Mullin (R-Okla.) told Smith that the company’s response should have been like a fire alarm on the wall, ready at a moment’s notice to be pulled.  This is not humorous.  This is about having a Cyber Incident Response Program, documented, trained and tested, and ready to be put into action when needed.  CLEARLY, they failed at this one.

Some committee members admitted that Congress had failed, too.  Attempts at passing a strong cyber security law have failed over the last several years.  Political pressures have tended to produce very watered down attempts – often significantly weaker than many state laws and superseding those state laws.  As a result, some Congress critters would not vote for a bill that effectively mandated weaker security than residents of their state already had.

Rep. Joe Barton (R-Tx) said that financial penalties were needed to make companies take security more seriously.  If the penalty for a company like Equifax were say, only, five bucks a record compromised, that would be almost a billion dollars.  At that cost, the economics would tilt in favor of spending money to avoid a breach.

Today, companies, for the most part, say I am sorry and maybe offer a year of credit monitoring. In the case of Equifax, that year of credit monitoring was from themselves, so the cost to provide it would be really, really small.

A friend of mine told me of a letter he got from the local state administrative court judge.  The letter said that some jury duty records had been compromised.  The breach, which included Socials, names and birth dates, was not done by a hacker, but rather by the court itself, posting the data publicly, by accident.

The letter went on to say that the recipient MIGHT want to contact one of the credit bureaus and put a fraud alert on their credit file.  Helpfully, the court provided the phone numbers and web sites of the big three credit bureaus.  They, clearly, didn’t feel responsible to make people whole at all. You MIGHT want to, they said.  Nice.

I have no clue whether Joe Barton’s idea of fining companies (AND, I might add, the government should NOT exempt itself from these fines) will go anywhere, but for a Republican to propose fining businesses for lax security is an indication that Capitol Hill is not happy.

When asked at the hearing whether Equifax would pay the fees that the other two credit bureaus will charge those 145 million people to freeze their credit, Smith said that they would not pay.  I bet that wasn’t a popular answer.

When asked about several execs’ sale of a million-plus dollars’ worth of Equifax stock, Smith said “They’re honorable men. They’re men of integrity,” – “I have no indication they had any knowledge of the breach at the time of the sale.”  Interesting choice of words – have no indication that they had any knowledge.  Not a very strong refutation that they didn’t know.

In any case, Smith is scheduled to testify before two more committees this week, so the entertainment is not over.

But, seriously, these are very reasonable questions.

Can you assure your customers that you would know about a vulnerability in a web development framework (or some other similarly obscure software) and get it patched in a day or two, company wide?  Smith said that the company’s policy is to deploy patches within two days.

What about responding?  Does your company have a documented, trained and tested cyber incident response program that you can use, like pulling a fire alarm on the wall? 

If you can’t answer the two questions above any better than Equifax’s fired Chairman could (err, retired Chairman?), then this is probably a good time to fix that.  Before it becomes a problem.
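The first question above, knowing every copy of a vulnerable framework company wide, is partly an inventory problem, and a file-name scan that only looks at loose files misses libraries packed inside deployed archives. The following is an added example, not the post's or Equifax's own tooling: it walks a filesystem, opens WAR/EAR/JAR archives (recursively) and reports every struts2-core jar with its version. The directory tree it scans is constructed in a temp directory, and the version threshold it compares against is a labelled placeholder.

```python
"""Added example (not from the original post): inventory every copy of
struts2-core on a host, including copies packed inside WAR/EAR archives that a
plain file-name search misses, and compare each against a fixed version."""
import io
import os
import re
import tempfile
import zipfile

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".war", ".ear", ".jar", ".zip")


def parse_version(text: str) -> tuple:
    """'2.5.10' -> (2, 5, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def scan_archive(data: bytes, label: str, hits: list) -> None:
    """Look inside an archive held in memory; recurse into nested archives
    (a WAR inside an EAR, a lib jar inside a WAR)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not really an archive (e.g. an empty placeholder file)
    with zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                hits.append((f"{label}!{name}", parse_version(m.group(1))))
            elif name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!{name}", hits)


def find_struts(root: str) -> list:
    """Walk root and return (location, version) for every struts2-core jar."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            m = JAR_RE.search(fn)
            if m:
                hits.append((path, parse_version(m.group(1))))
            elif fn.lower().endswith(ARCHIVES):
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, hits)
    return hits


def older_than(hits: list, fixed: tuple) -> list:
    """Copies whose version is below the fixed release you are tracking."""
    return [h for h in hits if h[1] < fixed]


def demo() -> dict:
    """Constructed tree: one loose jar plus one hidden inside a WAR's lib dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app1", "lib"))
    open(os.path.join(root, "app1", "lib", "struts2-core-2.5.10.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "app2.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.3.30.jar", b"")
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
    hits = find_struts(root)
    # (2, 5, 13) is a PLACEHOLDER threshold, not a statement about any real fix.
    return {"found": len(hits), "old": len(older_than(hits, (2, 5, 13)))}
```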

Information for this post came from the Los Angeles Times.


An Equifax Lesson For Everyone To Learn

One of the MANY lessons to be learned from the Equifax breach is how not to handle a breach.  Here is just one of those lessons and it is a lesson for BOTH users and webmasters.


When the breach finally became public – months after it happened – they created a web site for victims to go to in order to find out about the breach.  That web site, equifaxsecurity2017.com, looks like this:

You will notice that it has the Equifax logo on it and that it has the little green padlock indicating that it is encrypted, but, of course, anyone can steal the Equifax logo and put it anywhere they want – like right here, for example:

But that doesn’t mean that the site belongs to Equifax.

You will notice that the web site URL includes the name Equifax, but so does www.equifaxsucks.com (yup, a real site.  Totally benign, but real – see below).  So, just because the word Equifax is in the web site name does not mean that it is owned by Equifax.

In this case, since the word Equifax is probably a trademark, they can, eventually, get this site taken down if they want.   But, Equifaxx is not a trademark (note that there are two xxs and not one).  That site is real (see below) and curiously, it seems to belong to EXPERIAN, their biggest competitor.  Why they didn’t buy up similar sounding web sites for $10 a year each is beyond me and a lesson to learn from this.  Here is Equifaxx.com.

But that is not the worst failure.

Why wouldn’t they send you to a site that you KNOW is theirs?  Send people to BREACH.equifax.com or Equifax.com/BREACH or something like that?  At least people know that they are going to a site owned by the company that they are looking for.  In fact, this site was hastily set up and initially, if you looked, it wasn’t even owned by Equifax, it was owned by an Equifax vendor.

Still, that is not the worst failure.

Here is the worst failure and the lesson for everyone – users and webmasters both.

While they secured the site with HTTPS – what we geeks call an SSL (or more correctly a TLS) certificate protected site, they used the cheapest, least secure certificate they could find.  What is called a DOMAIN VALIDATION certificate.  All that certificate proves is that the person who requested it – you, me, my kid, whoever – had sufficient access to the web site to store a file on it.  If the site had been hacked, a hacker could buy that kind of certificate.

THAT IS WHAT A GREEN PADLOCK PROVES.  NOTHING MORE.

Now let’s look at Apple’s website for a minute (see below).

Note that the address bar is different from the address bar on Equifax’s breach web site.  This has the name Apple, Inc [US] in green in front of the URL.  This is an EXTENDED VALIDATION certificate.  In order for Apple (or Equifax) to get this, they had to prove they were Apple and not Mitch.  This is a higher level of verification and a more expensive certificate.

It is designed to give the user a higher level of confidence that they really have landed on an Apple – or Equifax – web site.

Why is this important?

One more time, Equifax is the poster child for how to screw up.

Equifax’s official Twitter account tweeted not once, not twice but three times, an incorrect web site for people to go to.

Instead of sending people to EquifaxSecurity2017.com, they instead sent people to SecurityEquifax2017.com.

Now it turns out that this alter ego site was set up by a security researcher, so even when Equifax’s crisis communications team sent people to the wrong site, it didn’t infect their computer.  But if it was a hacker’s web site, it certainly could have.  Or asked for and stolen even more information.  Here is a look at the wrong web site.  This site proved its point so it has been taken down, but the Internet never forgets, so here is a copy from the Wayback machine, the Internet Archive.

Notice that this web site ALSO had a green padlock and was accessed using HTTPS.

Which is why, as users, we need to look for the company name in the address bar and why, as webmasters, we need to pay a little bit more for an extended validation or EV certificate.

In this case, if, say, there was a phishing campaign and it got people to click on the link and it sent people to a bogus web site, the extended validation certificate is much harder to forge.

Be a smart Internet user.  Look for the extended validation certificate.

Now that you are aware, as you surf the web, notice what companies have extended validation certificates.  And which ones do not.
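The DV-versus-EV distinction above can be checked from the certificate itself rather than from the address bar. The following is an added example, not code from the original post: it takes a certificate in the layout Python's `ssl.getpeercert()` returns and classifies it by which subject fields the CA vetted (a DV subject names only the host; OV adds the organization; EV adds jurisdiction and registration fields). The two sample subjects are constructed, and the field names assume OpenSSL's long names.

```python
"""Added example (not from the original post): tell a domain-validated (DV)
certificate from an organization- or extended-validation one from the subject
fields Python's ssl module exposes.  A DV subject names only the host; an EV
subject also carries the vetted legal entity, its jurisdiction and registration."""
import socket
import ssl

# Subject attributes a CA fills in only after vetting a legal entity.  The
# jurisdiction/registration fields are what EV adds on top of OV (assumed
# spelled as OpenSSL's long names, which is what getpeercert() returns).
ORG_FIELDS = {"organizationName"}
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def flatten_subject(subject) -> dict:
    """getpeercert() gives ((('commonName', 'x'),), ...); make it a dict."""
    out = {}
    for rdn in subject:
        for key, value in rdn:
            out[key] = value
    return out


def classify(cert: dict) -> dict:
    """Return the validation level the subject supports and the names a
    browser could show.  'DV' means only control of the domain was checked."""
    subj = flatten_subject(cert.get("subject", ()))
    present = set(subj)
    if present & ORG_FIELDS and EV_FIELDS <= present:
        level = "EV"
    elif present & ORG_FIELDS:
        level = "OV"
    else:
        level = "DV"
    return {"level": level,
            "common_name": subj.get("commonName"),
            "organization": subj.get("organizationName"),
            "jurisdiction": subj.get("jurisdictionCountryName")}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): open a verified TLS connection and return
    the parsed leaf certificate for classify()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample subjects in getpeercert() layout (not real certificates).
DV_CERT = {"subject": ((("commonName", "breach-help.example"),),)}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example"),))}
```

Since 2019 the major browsers no longer show the organization name beside the padlock, so the subject has to be inspected as above rather than read off the address bar. The subject fields are a heuristic; the authoritative marker is the certificatePolicies extension, which the standard-library ssl module does not expose.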

Information for this post came from The Verge.
