
FireEye pulls Equifax boasts as it tries to handle hack fallout

Oh well, we all knew FireEye was more bluster than solid security.

Quote

“Brandan Schondorfer of Mandiant registered the domain Equihax.com on Tuesday (5 September), two days before the breach was publicly disclosed”

FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency.

Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the credit reference agency’s systems and accessed all manner of sensitive information.

..

Equifax has reportedly hired incident response experts at FireEye Mandiant to investigate the breach. These experts have also been helping with PR aspects of damage limitation, it seems. Brandan Schondorfer of Mandiant registered the domain Equihax.com on Tuesday (5 September), two days before the breach was publicly disclosed, thereby preventing anyone else intent on poking fun at Equifax – or, perhaps worse, running phishing attacks – from getting their hands on the domain.

Other aspects of Equifax’s overall incident response (analysed in depth in a post by security blogger Guise Bule here) have been less assured. For example, security experts at Sophos have criticised Equifax’s use of PINs – based on the date and time of when a request was made – to freeze consumer credit files. Crooks have a far better chance of determining these PINs and unfreezing credit files than if they were randomly generated. Worse yet, compromised server logs might be used to determine PINs.
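To put a number on the Sophos criticism, here is an added example (not code from Equifax, Sophos or The Register) that builds a freeze PIN the weak way, from the request timestamp, and the strong way, from a CSPRNG, and then measures how many guesses an attacker needs. The MMDDYYHHMM layout and the 12:44 on 11 Sep 2017 request time are assumptions made for illustration; the argument holds for any PIN that is a deterministic function of the request time.

```python
"""Why a credit-freeze PIN derived from the request time is guessable.

Added example for this page, not Equifax's, Sophos's or The Register's code.
The MMDDYYHHMM layout is an assumption used for illustration.
"""
import math
import secrets
from datetime import date, datetime, timedelta
from typing import Iterator, Optional, Tuple

MINUTE = timedelta(minutes=1)

# Constructed sample request: a freeze placed at 12:44 on 11 Sep 2017.
SAMPLE_REQUEST = datetime(2017, 9, 11, 12, 44)
SAMPLE_DAY = SAMPLE_REQUEST.date()


def timestamp_pin(when: datetime) -> str:
    """Weak scheme: the PIN is the request time written as MMDDYYHHMM (assumed layout)."""
    return when.strftime("%m%d%y%H%M")


def random_pin(digits: int = 10) -> str:
    """Strong scheme: each digit from a CSPRNG, so all 10**digits values are equally likely."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def candidate_pins(start: datetime, end: datetime) -> Iterator[str]:
    """Every PIN the timestamp scheme can produce for a request in [start, end)."""
    t = start
    while t < end:
        yield timestamp_pin(t)
        t += MINUTE


def day_window(day: date) -> Tuple[datetime, datetime]:
    """The [midnight, next midnight) window an attacker gets from a dated log entry."""
    start = datetime(day.year, day.month, day.day)
    return start, start + timedelta(days=1)


def brute_force(target_pin: str, start: datetime, end: datetime) -> Optional[int]:
    """Attacker who knows the request fell in [start, end) tries one PIN per minute.
    Returns the number of guesses needed, or None if the target is not in the window."""
    for attempts, guess in enumerate(candidate_pins(start, end), start=1):
        if guess == target_pin:
            return attempts
    return None


def keyspace_bits(start: datetime, end: datetime) -> float:
    """Entropy of the timestamp scheme once the attacker knows the request window."""
    minutes = int((end - start) / MINUTE)
    return math.log2(minutes)


def random_keyspace_bits(digits: int = 10) -> float:
    """Entropy of a uniformly random PIN of the given length."""
    return math.log2(10 ** digits)


if __name__ == "__main__":
    weak = timestamp_pin(SAMPLE_REQUEST)
    start, end = day_window(SAMPLE_DAY)  # attacker learned the date from a server log
    print(weak, brute_force(weak, start, end))
    year = (datetime(2017, 1, 1), datetime(2018, 1, 1))
    print(f"{keyspace_bits(start, end):.1f} bits if the day is known")
    print(f"{keyspace_bits(*year):.1f} bits if only the year is known")
    print(f"{random_keyspace_bits():.1f} bits for a random 10-digit PIN")
    print(random_pin())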

D-Link Router Riddled with Zero-Day Flaws

Pity the poor home internet user. The crap they buy, or are given by their ISP, makes them think they are protected. Not. Oh wait, the average small business has these too. Oops.

Quote

A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first.

Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without disclosing the issue to D‑Link beforehand because of a previous negative experience with the firm. He disclosed nine vulnerabilities to D‑Link back in February, but only one of them resulted in a patch from the manufacturer.

“The D‑Link 850L is a router overall badly designed with a lot of vulnerabilities,” Kim offers in a somewhat dismissive summary seemingly borne out of exasperation with the networking kit maker.

..

Kim concludes by referencing his previous negative experiences with D‑Link in explaining why he had gone public this time, before advising owners of the vulnerable equipment to use other kit instead:

Due to difficulties in previous exchange with D‑Link, full disclosure is applied. Their previous lack of consideration about security made me publish this research without coordinated disclosure. I advise to IMMEDIATELY DISCONNECT vulnerable routers from the internet.

dumb hurricane ideas

Quote

“Hurricanes are fake news” guy. Rush Limbaugh deservedly took a lot of heat for his comments on Hurricane Irma last week when he essentially accused the media of hyping up the storm as “fake news.” That’s not to say the conservative talk host was entirely wrong. He was correct that it is in the media’s interest to sell hurricanes as huge, whopping threats (be honest, do you watch The Weather Channel at any other time than during a tropical cyclone landfall?). But “the media” doesn’t do this because of some global warming conspiracy theory, Rush; they do it for ratings and clicks.

But what else would you expect from this mindless fat blowhard?

“Ten-day forecast” guy. Among the most frustrating things during the lead-up to Hurricane Irma’s landfall were the newfound “experts” who seized upon the widespread anxiety to promote the next big threat. During this time, Hurricane Jose represented such a threat. I can’t count how many times I saw someone on social media share a 10-day model forecast for Jose that looped around the Atlantic Ocean before striking the US East Coast. I’m going to pick on Justin Miller below because the national editor of The Daily Beast ought to know better. It is true that the operational run of the European model on Saturday (12z) did show a looping Jose returning to near the East Coast around September 20. And yet… this was a single-track forecast at 10 days, when the average error can often be measured in thousands of kilometers. Moreover, there was little support for a US landfall in the ensemble forecast of the same run (this is the 50 or so additional runs of a model, with slightly different initial conditions, at a lower resolution than the operational model).

This is important because, whereas forecasters use the operational model for five-day forecasts, ensembles become more useful after that time due to increasing uncertainty. In the image below, you can see almost no ensemble members bringing Jose to shore. The operational model, therefore, was a huge outlier to be discounted. The problem with “10-day forecast” guy is that he or she doesn’t have any real interest in being correct. The primary motivation is “look at me.” Having lived through Harvey and writing for shellshocked people in Houston, I can tell you that their greatest fear is that another storm is coming soon, when they are most vulnerable. Constantly, I got questions about Irma—what if it doesn’t turn and comes to Texas? This kind of irresponsible social sharing plays on those fears. Jose may ultimately come to the United States, but there is no truth to be found from “10-day forecast” guy.

So why did Irma miss Miami? About 48 hours before Irma made landfall along the southwestern Florida coast near Marco Island, hurricane forecasts began closing in on that track. At that time frame before landfall, the official forecast from the National Hurricane Center has an average error of about 70 miles.

As a sailor, I follow models closely. Anything over 3 days has such a huge margin of error that I notate it, but discount these when route planning. Of course, I am not motivated by advertising revenue, just my own and my crew’s safety.

“It wasn’t that bad” guy. Oh, Ann Coulter. Why must you be so horrible? Coulter, who lives in Palm Beach, Florida, tweeted on Sunday morning at about the time that Irma was covering the Florida Keys in water and bearing down on the southwestern coast of Florida.

Ann Coulter @AnnCoulter HURRICANE UPDATE FROM MIAMI: LIGHT RAIN; RESIDENTS AT RISK OF DYING FROM BOREDOM…I wish cables would mention the hurricane. There is a decidedly heavier-than-average morning dew in Miami; Palm Beach bordering on breezy.

First of all, conditions were pretty grim in Miami on Sunday. Secondly, by Friday evening, it was clear that Irma was going to move further west than expected and, instead of hitting southeastern Florida—including the Miami area—it was going to strike the southwestern part of the state. But instead of being inwardly grateful about being spared by Irma or having some empathy for her fellow Floridians, Coulter went full Coulter.

Rush clone Ann – you are a disgrace to your Cornell and University of Michigan alma maters.

Facebook Wins, Democracy Loses

Quote

Another reason (among many many) why no one with any shred of intelligence should use Facebook.

On Wednesday, Facebook revealed that hundreds of Russia-based accounts had run anti-Hillary Clinton ads precisely aimed at Facebook users whose demographic profiles implied a vulnerability to political propaganda. It will take time to prove whether the account owners had any relationship with the Russian government, but one thing is clear: Facebook has contributed to, and profited from, the erosion of democratic norms in the United States and elsewhere.

The audacity of a hostile foreign power trying to influence American voters rightly troubles us. But it should trouble us more that Facebook makes such manipulation so easy, and renders political ads exempt from the basic accountability and transparency that healthy democracy demands.


The ads — about 3,000 placed by 470 accounts and pages spending about $100,000 — were what the advertising industry calls “dark posts,” seen only by a very specific audience, obscured by the flow of posts within a Facebook News Feed and ephemeral. Facebook calls its “dark post” service “unpublished page post ads.”

This should not surprise us. Anyone can deploy Facebook ads. They are affordable and easy. That’s one reason that Facebook has grown so quickly, taking in $27.6 billion in revenue in 2016, virtually all of it from advertisers, by serving up the attention of two billion Facebook users across the globe.

[Emphasis added] A core principle in political advertising is transparency — political ads are supposed to be easily visible to everyone, and everyone is supposed to understand that they are political ads, and where they come from. And it’s expensive to run even one version of an ad in traditional outlets, let alone a dozen different versions. Moreover, in the case of federal campaigns in the United States, the 2002 McCain-Feingold campaign-finance act requires candidates to state they approve of an ad and thus take responsibility for its content.

None of that transparency matters to Facebook. Ads on the site meant for, say, 20- to 30-year-old home-owning Latino men in Northern Virginia would not be viewed by anyone else, and would run only briefly before vanishing. The potential for abuse is vast. An ad could falsely accuse a candidate of the worst malfeasance a day before Election Day, and the victim would have no way of even knowing it happened. Ads could stoke ethnic hatred and no one could prepare or respond before serious harm occurs.

Facebook has no incentive to change its ways. The money is too great. The issue is too nebulous to alienate more than a few Facebook users. The more that Facebook saturates our lives, families and communities, the harder it is to live without it.

..

Our best hopes sit in Brussels and London. European regulators have been watching Facebook and Google for years. They have taken strong actions against both companies for violating European consumer data protection standards and business competition laws. The British government is investigating the role Facebook and its use of citizens’ data played in the 2016 Brexit referendum and 2017 national elections.

We are in the midst of a worldwide, internet-based assault on democracy. Scholars at the Oxford Internet Institute have tracked armies of volunteers and bots as they move propaganda across Facebook and Twitter in efforts to undermine trust in democracy or to elect their preferred candidates in the Philippines, India, France, the Netherlands, Britain and elsewhere. We now know that agents in Russia are exploiting the powerful Facebook advertising system directly.

In the 21st-century social media information war, faith in democracy is the first casualty.

Equifax Fails – Results of trying to put on credit freeze – 11 Sep 2017

This morning I went to the Equifax site and checked both my and my wife’s SSNs for potential impact. For both I was told we were impacted. For my wife, when I clicked enroll, I got

“Your enrollment date for TrustedID Premier is: 09/14/2017

Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.”

What? Today is 11 Sept and you will not freeze till the 14th? — Outrageous incompetence, Equifax! The FAQ page is just a link back to the original check-impact page.

For myself, after being told I was impacted, I was instead sent to a form which I filled out. I was then told I would receive an email with further instructions. That email was never received (and not in spam either!) — More Incompetence.

Regulators need to force this company to offer a lifetime credit freeze for free to all those affected. Lawyers then need to sue this company into oblivion.

Update 12:44 EDT 11 Sep 2017

So I received the link and went through the steps and it ended with

An error has occurred

We are experiencing heavy traffic right now. Please check back later to resume the enrollment process. Thank you for your patience.

Next I pulled my annual credit report. Transunion OK, but Equifax

System Temporarily Down

The system is currently down for maintenance. We expect to be back up shortly. Thank you for your patience.

Return to Equifax.com

Equifax should be wound down..Part 2

Quote

Equifax has consistently failed in its duty to protect data. The company should be forced to offer a permanent lifetime credit freeze for FREE. Or, absent that, wind them down. They are completely incompetent and should not be allowed to be in this business, in my opinion.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

..

Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so.

That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete.

And why just a year? Who knows? Isn’t this an invitation to the thieves to sit on the data for a while and then use it when all of us have moved on?

Meanwhile, people can’t easily change their Social Security numbers to thwart the thieves. So if any bad actors have your personal data, those numbers will be useful for years, maybe decades, depending on how the credit system changes over time.

Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file at the little-known company Innovis, too. Hey, why not?

..

And then there’s this: A security freeze doesn’t protect you if the thieves break into the vault of the company that maintains the freeze. That’s what happened here, and we will now spend years seeing what happens next.

Equifax should be wound down..Part 1

There is simply no excuse for this bad actor. Terminate the company.

Quote

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.

“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.

Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.

The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.

Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.

People can go to the Equifax website to see if their information has been compromised. The site encourages customers to offer their last name and the last six digits of their Social Security number. When they do, however, they do not necessarily get confirmation about whether they were affected. Instead, the site provides an enrollment date for its protection service, and it may not start for several days.

Equifax’s credit protection service, which is free for one year for consumers who enroll by Nov. 21, is available to everyone and not just the victims of the breach.

Equifax is offering consumers the ability to freeze their Equifax credit reports, said John Ulzheimer, a consumer credit expert who often does expert witness work for banks and credit unions and worked at Equifax in the 1990s. Thieves could have information stolen from Equifax and used it to open accounts with creditors that use Experian or TransUnion.

“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.

Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.

Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.

Governments regularly buy stolen personal information on the so-called Dark Web, security experts say. The black market sites where this information is sold are far more exclusive than black markets where stolen credit card data is sold. Interested buyers are even asked to submit to background checks before they are admitted.

“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”

Sen. Mark R. Warner, a Virginia Democrat who co-founded the Senate Cybersecurity Caucus, said he believed the severity of the Equifax breach raised serious questions about whether Congress needed to rethink data protection policies.

“It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans,” he said in a statement.

Equifax Hack

Quote

“Stand up who HASN’T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone” 143m in US, unknown number in UK, Canada – gulp!

Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population.

In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29. Equifax has called in the FBI and is in contact with regulators in other countries about the case.

CEO Richard Smith said that the company’s core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million Americans were exposed.

Oh, so is that good news? Only 143 million? These are folks that are SUPPOSED to get security right in the first place! What bozos!

In response to the debacle, Equifax is offering every US citizen a year’s free identity theft monitoring for those who apply, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.

Yes, the identity theft detection service will be supplied by… Equifax. And if you want to check you’re affected by the mega-hack, you have to supply your last name and last six digits of your social security number. To an outfit that just lost your social security number. Which is no use to peeps in the UK or Canada.

Great comment

‘We pride ourselves on being a leader in managing and protecting data’

Really, you do, do you?

I pride myself at being good at detecting bullshit, the needle moved a bit at that statement.

It should have moved off the scale and bent the needle, but I’ve recently re-calibrated it.

HOTSPOT VPN == Spyware

Quote

Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim
CDT tries to set fed trade watchdog on internet biz
By Thomas Claburn in San Francisco 7 Aug 2017 at 20:20

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed with the FTC, the company’s software gathers data and its privacy policy allows it to share the information.

Worryingly, it is claimed the service forces ads and JavaScript code into people’s browsers when connected through Hotspot Shield: “The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.”

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

….
IP address and unique device identifiers are generally considered to be private personal information, but AnchorFree’s Privacy Policy explicitly exempts this data from its definition of Personal Information.

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iFrames for advertising and tracking purposes,” the complaint says, adding that the VPN uses more than five different third-party tracking libraries.

What’s the alternative? Roll your own: set up a VPS, or Algo, or both.
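Before trusting any VPN, the claim in the CDT complaint is easy to check for yourself: fetch the same page once over a connection you trust and once through the VPN, and diff the scripts and iframes each copy carries. The example below is added here and is not code from AnchorFree, CDT or The Register; BASELINE_HTML and VPN_HTML are constructed stand-ins for the two captures, and the ads.invalid and cdn.tracker.invalid hosts are made up for illustration.

```python
"""Diff a page fetched over a trusted path against the same page fetched
through a VPN, to spot injected scripts and iframes.

Added example for this page, not code from AnchorFree, CDT or The Register.
The two HTML strings are constructed sample captures of one URL.
"""
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlsplit

Resource = Tuple[str, str]            # (kind, locator)
Finding = Tuple[str, str, str]        # (kind, locator, host it loads from)


class ResourceCollector(HTMLParser):
    """Records external script/iframe sources and the text of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: Set[Resource] = set()
        self._inline: List[str] = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.resources.add((tag, src))
        elif tag == "script":              # inline <script>: collect its body
            self._in_inline_script = True
            self._inline = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            body = "".join(self._inline).strip()
            if body:
                self.resources.add(("script-inline", body[:60]))
            self._in_inline_script = False


def embedded_resources(html: str) -> Set[Resource]:
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.resources


def resource_host(kind: str, locator: str, page_host: str) -> str:
    """Host a resource loads from; relative URLs and inline scripts count as first-party."""
    if kind == "script-inline":
        return page_host
    return urlsplit(locator).hostname or page_host


def injected_resources(baseline_html: str, vpn_html: str, page_host: str) -> Set[Finding]:
    """Resources present in the VPN copy but absent from the trusted copy."""
    extra = embedded_resources(vpn_html) - embedded_resources(baseline_html)
    return {(kind, loc, resource_host(kind, loc, page_host)) for kind, loc in extra}


def third_party_hosts(findings: Set[Finding], page_host: str) -> Set[str]:
    """Hosts the injected content phones home to, other than the page's own."""
    return {host for _, _, host in findings if host != page_host}


# Constructed sample captures of https://example.com/ (not real traffic).
BASELINE_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><p>Hello</p></body></html>"""

VPN_HTML = """<html><head><script src="/static/app.js"></script>
<script src="//cdn.tracker.invalid/t.js"></script></head>
<body><p>Hello</p>
<iframe src="http://ads.invalid/track?id=1" width="1" height="1"></iframe>
<script>window.__af=1;</script></body></html>"""


if __name__ == "__main__":
    found = injected_resources(BASELINE_HTML, VPN_HTML, "example.com")
    for finding in sorted(found):
        print("injected:", finding)
    print("third-party hosts:", sorted(third_party_hosts(found, "example.com")))
```

Run it against two real captures of a plain-HTTP page (injection into TLS pages would need the VPN to break certificates, which is a different and louder problem) and any host that shows up only in the VPN copy is the VPN's doing, not the site's.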

Robocalls Flooding Your Cellphone? Here’s How to Stop Them

So here is a New York Times article on the subject. There are a few good ideas, but another layer is to always block your caller ID and only unblock it for contacts you trust. Here is the FULL ARTICLE, but I summarize it below.

Rule No. 1 The most simple and effective remedy is to not answer numbers you don’t know, Mr. Quilici said.

“Just interacting with these calls is just generally a mistake,” he said.

If you do answer, don’t respond to the invitation to press a number to opt out. That will merely verify that yours is a working number and make you a target for more calls, experts said.

List your phones on the National Do Not Call Registry and report them there!

Use apps such as Truecaller, RoboKiller (fee), Mr. Number (owned by Hiya<below>), Nomorobo (free for landlines, fee for mobile) and Hiya (fee??), which will block the calls.  (Note: I have not reviewed any of these for security issues, so caveat emptor)

Phone companies, such as T-Mobile, Verizon and AT&T, also have tools to combat robocalls. They work by blocking calls from numbers known to be problematic.  (Note: Oh yeah, after going through 10 minutes of voice response and being on hold for another 20 minutes.)

Turn the tables. And then there is the Jolly Roger Telephone Company, which turns the tables on telemarketers. This program allows a customer to put the phone on mute and patch telemarketing calls to a robot, which understands speech patterns and inflections and works to keep the caller engaged.  (Note: I kind of like this idea, but many of these miscreants use fake caller IDs of legitimate business phone numbers. Also note, the service is NOT free, but not that expensive either, for that matter.)