Equifax’s Failure to Apply Security Patches Enabled Massive Hack

Equifax’s Failure to Apply Security Patches Enabled Massive Hack.
Last week, a massive hack of the credit bureau Equifax stole critical personally identifiable information (PII) on 143 million US citizens.
The company’s response to the incident has been strongly criticized, and now we know the incompetence isn’t limited to the customer-facing sections of the company.
The flaws that allowed hackers to penetrate Equifax and steal its customer data were patched several months ago.
It’s described as a flaw in file upload handling, which “allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.” This flaw was fixed on March 6, 2017.
There’s a reason I say that.
If I know your social security number, address, and date of birth, I know far more than I need to know to steal your identity.
Thanks to Equifax, everyone’s data is out there forever, in one handy and convenient file breach.
The FTC is Investigating The FTC has announced that it’s looking into the hack and may open an investigation into Equifax.
“However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.” There’s no word yet on what action the FTC might take, or what the penalties could be for Equifax’s cataclysmic losses.

Here’s why Equifax and other credit agencies will survive the data breach

Fewer sales of credit-monitoring services to consumers and the potential for clients to defect to rivals?
Both Equifax’s and rivals’ business of collecting financial and personal data from consumers and selling it to lenders is what keeps the credit spigot open. “The biggest X-factor is: Does this prompt any regulatory changes that will increase costs of doing business,” says Horn. “The reports sold by the three largest consumer reporting companies are used in determining everything from consumer eligibility for credit to the rates consumers pay for credit,” according to the Consumer Financial Protection Bureau (CFPB).
Roughly 40% of Equifax’s business comes from its core credit bureau business, with the rest from international operations (25%) and new lines of business, such as selling credit-monitoring plans directly to consumers (13%) and generating revenues from its “workforce solutions” segment (20%-plus), which includes services like verifying employment status and other data requests from corporate clients.
Equifax could see business in its consumer- and workforce-focused businesses hurt due its damaged reputation for failing to protect key personal data, analysts say.
Consumers may question why they should pay for monitoring services from a firm that has shown it can’t keep data from cyberthieves; corporations may fear their employment data could end up in the wrong hands.
The “entrenched oligopolistic position” of the core credit bureau business creates “high barriers to entry” for upstarts to break into the business, says Mornginstar’s Horn.
Banks, mortgage lenders and credit card companies rely on credit reports from the three major credit bureaus to make financially sound lending decisions.
The economy can’t really function without a working credit-reporting system.

A top senator calls for an investigation into Equifax in a scathing letter

A top senator calls for an investigation into Equifax in a scathing letter.
Democratic Sen. Mark Warner of Virginia on Wednesday asked the Federal Trade Commission to examine the recent hack of Equifax, the credit-reporting agency.
He requested an investigation into the firm’s cybersecurity practices and questioned its response to consumers who may have been affected by the breach.
Equifax last week reported a massive data breach, saying hackers may have accessed the personal details, including names and Social Security numbers, of more than 143 million customers from mid-May to July.
Equifax, which says it learned of the breach in late July, said credit card numbers for about 209,000 people and certain documents for another 182,000 were also accessed.
The disclosure was swiftly met with criticism because of the delay in alerting the public to the hack, as well as problems with the website Equifax set up for people to check whether their details were at risk.
Three senior executives dumped almost $2 million worth of stock days after the company learned of the breach.
Equifax’s stock is down 5.7% on Wednesday.
It has tumbled 23% since the news broke last week.
The full letter from Warner is below: Sen. Warner Asks FTC to Probe Equifax by MarkWarner on Scribd

Hackers’ Latest Weapon: Cyber Extortion

Instead of simply stealing passwords or credit-card data, or locking access to victims’ systems as with ransomware, extortionist hackers try to unearth corporate secrets that they then threaten to make public if victims don’t pay.
Because the extortionists threaten to expose sensitive material —embarrassing emails or intellectual property like unreleased movies and scripts, for example—the crime can be “more damaging and impactful to victim organizations than other types of theft of intellectual property” said Charles Carmakal, a vice president with cyber investigations firm FireEye Inc. FEYE 0.61% Adding to the insidiousness of cyber extortion, those targeted by such efforts often have a difficult time determining how much data the hackers really have—and in some cases the extortion attempts are simply bluffs, he said.
Law-enforcement agents and private investigators say both types of attack are on the rise.
The hackers have leaked unreleased episodes of HBO shows such as the comedy “Ballers,” script notes for its hit show, “Game of Thrones,” and other data such as usernames and passwords used by HBO employees.
In many ways, Hollywood is an ideal target for hackers.
The sender claimed to have taken over their systems and threatened to go public—a risk not only to their studio but to its clients, including Netflix, which had hired it to work on “Orange is the New Black.” When technical staff checked the Larsons’ computers, they found all information had been wiped except a brief ransom note.
The hackers demanded ransom of 50 bitcoins, at the time about $50,000, or they would post an unreleased episode of “Orange is the New Black” on New Year’s Day.
The hackers called themselves “The Dark Overlord.” The next weeks felt “like we were living in one of the episodes of the TV shows we do,” Ms. Larson said.
Then the hackers tried to extort money from Netlflix too, the Larsons said.
Investigators say other victims also are paying ransom demands, and that encourages further attacks.

My Three Years in Identity Theft Hell

Back in August 2013, wielding a driver’s license with my name and his picture, he opened accounts at four banks in two days and got a credit card with Bank of America.
And it wasn’t just banks.
Every time I entered or left the U.S., I’d be pulled aside, my bags searched, and let go up to an hour later.
Mine wasn’t the only life my impostor was living, and it didn’t always go so well for him.
When the manager went to make a copy, the guy ran out of the branch and jumped into a getaway vehicle, according to an affidavit filed by the FBI agent investigating the case.
I spent hours on the phone with Bank of America, explaining to one representative that I’d never had their card.
representative that I’d never had a Bank of America credit card.
“Thank you for being a Bank of America customer,” she said toward the end of our call.
Here’s what I sent them, in the end: a signed statement saying I was me and that the accounts were fraudulent, an affidavit I’d filed with the Federal Trade Commission swearing I’d had my identity stolen, copies of my driver’s license, passport, and Social Security card, a lease, two phone bills, a letter from the Justice Department, the criminal complaint filed by the prosecutors, and Bank of America’s own credit card records.
I got security questions very much like those when I went to the website of one of the three major rating agencies to get a copy of my credit report and entered my Social Security number and date of birth.

Identifying ‘key indicators of compromise’ crucial to data breach detection

Which is why organisations should do more to look out for “key indicators of compromise”.
Odd endpoint activity The first thing includes strange activity on employee endpoints, like smartphones, tablets and laptops.
Logons often are the first step to gaining access to an endpoint with valuable data on it.
Anything more than two logins from that kind of person should be enough to alert you to a breach.
Lateral movement Lateral movement is the process of jumping machines in an attempt to locate and access a system with valuable data — something that’s necessary for most attacks because a hacker’s initial foothold is often a low-level workstation with no access rights to anything of significant value.
and authentication (read: logons) can point to indicators of a breach.
Location is also an important factor — valuable data normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter.
The last indicator of compromise is access to an abnormal amount of data.
It’s difficult for an attacker to cause damage to your organisation unless they are able to compromise a set of employee credentials.
By monitoring logon activity more closely, you can identify compromises before key actions, such as lateral movement and data access, take place.

Massive credit bureau hack raises troubling questions

While not the largest breach — Yahoo attacks leaked data on as many as one billion accounts — the Equifax incident could be the most damaging because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.
Some reports suggested Equifax data was being sold on “dark web” marketplaces, but analysts said it was too soon to know who was behind the attack and the motivation. “This is the kind of information I would go after if I were a nation-state, to set up psychographic targeting for information and political warfare.”
– National security risks – Peter Levin, chief executive at the data security firm Amida Technology Solutions and a former federal cybersecurity official, said he is concerned over the national security impact of the breach, which follows a leak of data on millions of US government employees disclosed in 2015.
Because most federal employees also have credit reports, “those people have now been hacked twice,” Levin said, offering potential adversaries fresh data to be used against them.
Some analysts expressed concern that a company with a mission to safeguard sensitive data allowed a breach of this scope to take place.
At least two class-action lawsuits on behalf of consumers were filed following the disclosure claiming Equifax failed to adequately protect important data.
– How to respond- The potential impact of the Equifax breach prompted some experts to suggest the government revisit the idea of social security numbers issued for life. “The government should consider changing social security numbers since there have been so many breaches,” Hayes said. “Companies will put more into cybersecurity if there are tough penalties associated with data breaches,” Hayes said.

Build it right with NIST’s Cybersecurity Framework

Build it right with NIST’s Cybersecurity Framework.
Published by the National Institute of Standards and Technology, and based on important research from the Information Technology Laboratory, this publication offers a comprehensive set of security controls to help you protect your data.
[ Read reviews of today’s top security tools and bookmark CSO’s daily dashboard for the latest advisories and headlines.
The level of potential risk is your starting point in developing and building solid cybersecurity defenses.
Before you can select the right set of security controls, you must consider the importance and sensitivity of the data.
Having established the potential impact levels, you can select a security control baseline.
You must weigh in regulations, emerging threats, new and legacy technologies and systems, plus your business goals, to arrive at the right blend for your organization.
Without in-depth, regular assessments you have no idea if your security controls have been implemented correctly, if they’re operating as intended, or if they’re meeting your expectations for security.
Continuous monitoring You’ve set a baseline, tweaked it to fit your needs, implemented it and tested to ensure that it’s working properly, now you can take it easy, right?
You might adopt a new system, integrate a new third-party service, or change your business goals.

Fitness Tracking Startups Are Sweating Due to EU Privacy Regulators

Fitness Tracking Startups Are Sweating Due to EU Privacy Regulators.
Startups hoping to sell health tracking devices and software to corporate customers are worried European regulators will torpedo their business model.
Employers should also be barred from accessing data from their devices their employees wear, even if it is only aggregate data for the entire workforce or anonymous data, the EU body said.
But the EU advisory body – which goes by the esoteric name the Article 29 Working Party and is composed of data regulators from each of the EU’s 28 member states – said in its opinion that such transparency was probably insufficient.
“Even if the employer uses a third party to collect the health data, which would only provide aggregated information about general health developments to the employer, the processing would still be unlawful.” Fitbit has more than 1,300 organizations using its devices as part of corporate wellness programs, encompassing more than 2.6 million people, the company said in a statement.
Fitbit declined to comment directly on the EU data privacy group’s opinion but said it believes all corporate wellness programs should be voluntary and protect employees’ privacy. “We believe the responsible integration of connected health devices into the health care system, including through corporate wellness programs, has the potential to significantly improve the health and well-being of society, and are actively working with hospitals, research institutions, and health care providers to explore this promising field,” Alexis Normand, head of business to business sales for Nokia Digital Health, said in a statement.
“We are concerned that if a company is being transparent with their employees and wants to look at aggregate data, we might not be able to provide that service in Europe,” he said.
The new regulation says that when considering any employee tracking, businesses should select “the most data privacy friendly solutions” available.
David Plans, the chief executive officer of BioBeats, a London-based company that uses wearable sensors and a mobile app to help employees better manage stress, said he welcomed it.

What does Google know about you? Its new privacy dashboard should reveal all

What does Google know about you?
Google is rolling out an update to the Google dashboard with new features and a redesign aimed at making it easier to use on mobile.
The Dashboard is the place where Google shows users a snapshot of the Google services they use and what data it’s collecting, such as Maps location history, photos stored, search history, and YouTube history.
The new page in the right-hand image has larger logos for Google products, prioritizes popular products, and offers a link at the top of the page from where users can download all their data.
Previously the link to Google’s Takeout site where users can download their data was available in My Account, but not the dashboard.
The redesign is also meant to make it easier to get an overview of Google products used and personal data in each of them.
The Takeout download feature launched in 2011, and since then Google says people have downloaded over one exabyte — or a billion gigabytes — of data from the service.
Google’s billion-plus users are creating a million exports per month.
Also, “tens of millions” of people have used Google’s Privacy Checkup feature since it launched as part of My Account in 2015.
Google launched My Activity last year and claims 150 million people have used it to find content they’d previously found through a Google search.