Skip to content

Security News

Why Equifax & others will Fail at Self Policing

The simple answer is they will not do anything to hurt their own business. They sell your information and rake in too money doing so. A credit freeze prevents that. I finally found a good article to share on this by Brice Schneider.

Quote

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer — everyone who wants to sell you something, even governments.

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you — almost all of them companies you’ve never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You’re secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don’t have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations — just in case I ever decide to join.

The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

This market failure isn’t unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

If you don’t like how careless Equifax was with your data, don’t waste your breath complaining to Equifax. Complain to your government.

FireEye pulls Equifax boasts as it tries to handle hack fallout

Oh well, we all new FireEye was more bluster than solid security

Quote

“Brandan Schondorfer of Mandiant registered the domain Equihax.com on Tuesday (5 September), two days before the breach was publicly disclosed”

FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency.

Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the credit reference agency’s systems and accessed all manner of sensitive information.

..

Equifax has reportedly hired incident response experts at FireEye Mandiant to investigate the breach. These experts have also been helping with PR aspects of damage limitation, it seems. Brandan Schondorfer of Mandiant registered the domain Equihax.com on Tuesday (5 September), two days before the breach was publicly disclosed, thereby preventing anyone else intent on poking fun at Equifax – or perhaps worse, run phishing attacks – from getting their hands on the domain.

Other aspects of Equifax’s overall incident response (analysed in depth in a post by security blogger Guise Bule here) have been less assured. For example, security experts at Sophos have criticised Equifax’s use of PINs – based on the date and time of when a request was made – to freeze consumer credit files. Crooks have a far better chance of determining these PINs and unfreezing credit files than if they were randomly generated. Worse yet, compromised server logs might be used to determine PINs

Equifax Fails – Results of trying to put on credit freeze – 11 Sep 2017

This morning I went to the Equifax site and check both my and my wife’s SSN for potential impact. For both I was told we were impacted. For my wife when I clicked enroll, I got

“Your enrollment date for TrustedID Premier is: 09/14/2017

Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.”

What? Today is 11 Sept and you will not freeze till the 14th? — Outrageous incompetence Equifax! The FAQ page is just a link back to the original check impact page

For myself, after being told I was impacted, I was instead sent to a form which I filled out. I was then told I would receive an email with further instructions. That email was never received (and not in spam either!) — More Incompetence.

Regulators need to force this company to offer life credit freeze for all those affected for free. Lawyers then need to sue this company into oblivion.

Update 12:44 EDT 11 Sep 2017

So I received the link and went through the steps and it ended with

An error has occurred

We are experiencing heavy traffic right now. Please check back later to resume the enrollment process. Thank you for your patience.

Next I pulled my annual credit report. Transunion OK, but Equifax

System Temporarily Down

The system is currently down for maintenance. We expect to be back up shortly. Thank you for your patience.

Return to Equifax.com

Equifax should be wound down..Part 2

Quote

Equifax has consistently failed in their duty to protect data. The company should be forced to offer a permanent lifetime credit freeze for FREE. Or absent of that, wind them them down. They are completely incompetent and should not be allowed to be in this business in my opinion.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

..

Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so.

That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete.

And why just a year? Who knows? Isn’t this an invitation to the thieves to sit on the data for a while and then use it when all of us have moved on?

Meanwhile, people can’t easily change their Social Security numbers to thwart the thieves. So if any bad actors have your personal data, those numbers will be useful for years, maybe decades, depending on how the credit system changes over time.

Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file at the little-known company Innovis, too. Hey, why not?

..

And then there’s this: A security freeze doesn’t protect you if the thieves break into the vault of the company that maintains the freeze. That’s what happened here, and we will now spend years seeing what happens next.

Equifax should be wound down..Part 1

There is simply no excuse for this bad actor. Terminate the company.

Quote

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.

“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.

Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.

The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.

Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.

People can go to the Equifax website to see if their information has been compromised. The site encourages customers to offer their last name and the last six digits of their Social Security number. When they do, however, they do not necessarily get confirmation about whether they were affected. Instead, the site provides an enrollment date for its protection service, and it may not start for several days.

Equifax’s credit protection service, which is free for one year for consumers who enroll by Nov. 21, is available to everyone and not just the victims of the breach.

Equifax is offering consumers the ability to freeze their Equifax credit reports, said John Ulzheimer, a consumer credit expert who often does expert witness work for banks and credit unions and worked at Equifax in the 1990s. Thieves could have information stolen from Equifax and used it to open accounts with creditors that use Experian or TransUnion.

“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.

Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.

Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.

Governments regularly buy stolen personal information on the so-called Dark Web, security experts say. The black market sites where this information is sold are far more exclusive than black markets where stolen credit card data is sold. Interested buyers are even asked to submit to background checks before they are admitted.

“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”

Sen. Mark R. Warner, a Virginia Democrat who co-founded the Senate Cybersecurity Caucus, said he believed the severity of the Equifax breach raised serious questions about whether Congress needed to rethink data protection policies.

“It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans,” he said in a statement.

Equifax Hack

Quote

“Stand up who HASN’T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone” 143m in US, unknown number in UK, Canada – gulp!

Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population.

In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29. Equifax has called in the FBI and is in contact with regulators in other countries about the case.

CEO Richard Smith said that the company’s core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million Americans were exposed.

Oh, so is that good news? Only 143mil? These are foilks that are SOPPOSED to get security right in the first place! What bozos!

In response to the debacle, Equifax is offering every US citizen a year’s free identity theft monitoring for those who apply, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.

Yes, the identity theft detection service will be supplied by… Equifax. And if you want to check you’re affected by the mega-hack, you have to supply your last name and last six digits of your social security number. To an outfit that just lost your social security number. Which is no use to peeps in the UK or Canada.

Great comment

‘We pride ourselves on being a leader in managing and protecting data’

Really, you do do you.

I pride myself at being good at detecting bullshit, the needle moved a bit at that statement.

It should have moved off the scale and bent the needle, but I’ve recently re-calibrated it.

HOTSPOT VPN == Spyware

Quote

Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim
CDT tries to set fed trade watchdog on internet biz
By Thomas Claburn in San Francisco 7 Aug 2017 at 20:20

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed with the FTC, the company’s software gathers data and its privacy policy allows it to share the information.

Worryingly, it is claimed the service forces ads and JavaScript code into people’s browsers when connected through Hotspot Shield: “The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.”

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

….
IP address and unique device identifiers are generally considered to be private personal information, but AnchorFree’s Privacy Policy explicitly exempts this data from its definition of Personal Information.

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iFrames for advertising and tracking purposes,” the complaint says, adding that the VPN uses more than five different third-party tracking libraries.

What’s the alternative? Rool your own, set up a VPS or Algo or both

Police say fridges could be turned into listening devices

Quote

Just say NO to IOT

Your fridge could be turned into a covert listening device by Queensland Police conducting surveillance.

The revelation was made during a Parliamentary committee hearing on proposed legislation to give police more powers to combat terrorism.

Police Commissioner Ian Stewart said technology was rapidly changing and police and security agencies could use devices already in place, and turn them into listening devices.

“It is not outside the realm that, if you think about the connected home that we now look at quite regularly where people have their security systems, their CCTV systems and their computerised refrigerator all hooked up wirelessly, you could actually turn someone’s fridge into a listening device,” Mr Stewart said.

Share on Facebook SHARE
Share on Twitter TWEET

Queensland Police Commissioner Ian Stewart said the proposed new laws were necessary to keep people safe.
Queensland Police Commissioner Ian Stewart said the proposed new laws were necessary to keep people safe. Photo: Glenn Hunt

“This is the type of challenge that law enforcement is facing in trying to keep pace with events and premises where terrorists may be planning, they may be gathering to discuss deployment in a tactical way and they may be building devices in that place.

“All of that is taken into account by these new proposed laws.”

The Counter-Terrorism and Other Legislation Amendment bill would give police more powers during and following attacks.

Nasty Hole in Skype

Nothing to see here, says Microsoft, just more crappy code

Infosec researchers have discovered a nasty and exploitable security vulnerability in older versions of Skype on Windows.The stack buffer overflow flaw allows miscreants to inject malicious code into Windows boxes running older versions of Skype, bug hunters at Vulnerability Laboratory warn: The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched.The CVE-2017-9948 bug involves mishandling of remote RDP clipboard content within the message box.Microsoft said the bug isn’t a problem for those running the latest version of its software.”Users on the latest Skype client are automatically protected, and we recommend upgrading to this version for the best protection,” a Microsoft spokesperson told El Reg.Vulnerability Laboratory’s Benjamin Kunz Mejri responded that although Microsoft had fixed this issue with version 7.37, widely used versions 7.2, 7.35 and 7.36 are still vulnerable to what he described as a “critical” security issue.
Source

If you are using XP you are screwed maybe as 7.36 is the last version… but

CVE-2017-9948 allows local or remote attackers to execute own codes on the affected and connected systems via Skype.
CVE-2017-9948 Fixed in v7.2, v7.3.5 & v7.3.6 Skype Versions

“In a software update of the v7.2, v7.3.5 & v7.3.6 version of Skype, a limitation has been implemented for the clipboard function”, researchers explain. Users of older versions of Skype are advised to update to the latest version as soon as possible to avoid becoming victims of malicious attacks.

Also, it’s important to note that the security risk associated with this flaw is high, as the exploitation of the buffer overflow software vulnerability requires no user interaction and only a low privilege Skype user account.

Source
https://sensorstechforum.com/cve-2017-9948-severe-skype-flaw/

Petya Ransonware

I have been busy so no chance to write the blog. But I had few minutes this AM to collect some links of articles on the Petya Ransomware.

Good Summaries
https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html
https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe

Up to Minute Updates from ESET (L4 Networks is an ESET Partner)
https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/

How to protect yourself (From ESET)

  • Use reliable antimalware software: This is a basic but critical component. Just because it’s a server, and it has a firewall, does not mean it does not need antimalware. It does! Always install a reputable antimalware program and keep it updated. [L4 Note: And just because you have a hardware firewall, it does NOT mean you do not need an application level firewall. You DO! ]
  • Make sure that you have all current Windows updates and patches installed
    Run ESET’s EternalBlue Vulnerability Checker to see whether your Windows machines are patched against EternalBlue exploit, and patch if necessary.
    For ESET Home Users: Perform a Product Update.
    For ESET Business Users: Send an Update Task to all Client Workstations or update Endpoint Security or Endpoint Antivirus on your client workstations.