The Equifax breach.
The Equifax breach dominated this week's news (The CyberWire). It's large, serious, and will have far-reaching consequences, not only for cybercrime, but for technology, policy, and regulation as well (New York Times). On Friday Equifax released a brief, relatively comprehensive account of their investigation so far (Equifax).
Extortionists claimed to have the stolen data and said they'd release it all if Equifax didn't pay 600 Bitcoin (roughly $2.5 million) by Friday, but they seem to be just scammers (Motherboard). More serious criminals are expected to appear soon (Motherboard).
Other security lapses at the credit bureau.
Various problematic aspects of the company's security posture surfaced after the breach. Observers noticed, for example, that shortly after the company disclosed the incident, Equifax quietly pulled its mobile apps from both Apple's App Store and Google Play (Fast Company). A researcher from Redacted Security, curious as to why this was done, took a look and determined that the apps only superficially encrypted data: authentication went over HTTPS, but other parts of the apps exchanged data over plain HTTP. Thus the apps' transactions with the company's servers were open to interception (LinkedIn). When the researcher reported the issue to Equifax late on September 7th, the company responded immediately and took the apps down. Quick work (even if they were, as the researcher put it, "freaked out"), but the sense among those commenting is that the vulnerability shouldn't have been there in the first place (Fast Company).
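The "HTTPS for login, HTTP for everything else" pattern is easy to catch before release if the app's endpoint table is audited mechanically. The following is an added example, not code from Equifax or from the researcher's write-up; the endpoint names and hosts are constructed for illustration. It flags every cleartext endpoint and, separately, any host that is reached over both schemes, which is exactly the case where a TLS-protected login gives a false sense of security.

```python
"""Audit an app's endpoint list for cleartext HTTP (added example)."""
from urllib.parse import urlparse

# Constructed sample: a hypothetical mobile app's endpoint table.
# Only the login call uses HTTPS; the account data goes over plain HTTP.
SAMPLE_ENDPOINTS = {
    "login":        "https://api.example.com/v1/auth/login",
    "profile":      "http://api.example.com/v1/account/profile",
    "credit_score": "http://api.example.com/v1/account/score",
    "support":      "https://help.example.com/contact",
}


def audit_endpoints(endpoints):
    """Return (name, url, reason) findings for endpoints not protected by TLS.

    Any scheme other than https is a finding. A host that is reached over
    both https and a cleartext scheme is also reported, because the https
    login does nothing to protect the data exchanged afterwards.
    """
    findings = []
    schemes_by_host = {}
    for name, url in endpoints.items():
        parts = urlparse(url)
        schemes_by_host.setdefault(parts.hostname, set()).add(parts.scheme)
        if parts.scheme != "https":
            findings.append((name, url, "cleartext scheme %r" % parts.scheme))
    for host, schemes in schemes_by_host.items():
        if "https" in schemes and len(schemes) > 1:
            findings.append((host, "", "host reached over both https and cleartext http"))
    return findings


def is_superficially_encrypted(endpoints, auth_name):
    """True when only the authentication call is TLS-protected.

    This is the pattern described in the report: the login looks secure,
    but the session's data traffic can be intercepted on the wire.
    """
    auth_ok = urlparse(endpoints[auth_name]).scheme == "https"
    others = [n for n in endpoints if n != auth_name]
    any_clear = any(urlparse(endpoints[n]).scheme != "https" for n in others)
    return auth_ok and any_clear


if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print(finding)
    print("superficial:", is_superficially_encrypted(SAMPLE_ENDPOINTS, "login"))
```

In a real build the endpoint table would come from the app's network configuration or from a proxy capture of a test session rather than from a hand-written dictionary; the checks themselves do not change.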
Hold Security found bad password practices and more potential exposure in Argentina (many employee passwords were simply the employees' last names, for example). Equifax's choice of passwords for admin accounts in its Argentina operations was also problematic (username "admin," password "admin," which would seem easy enough to remember). Equifax does business in a number of Latin American countries. Besides Argentina, these include Brazil, Chile, Ecuador, Paraguay, Peru and Uruguay (KrebsOnSecurity).
Comodo found three hundred eighty-eight sets of Equifax credentials for sale on the dark web, evidently stolen with the Pony credential-stealing malware. Among the exposed passwords were those belonging to the Chief Privacy Officer, CIO, VP of Public Relations, and VP of Sales.
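Every one of the password choices reported above (a default "admin/admin" pair, a password equal to the user's last name) would be rejected by a few lines of policy code at enrolment time. The following is an added example, not from the page or from any of the companies named; the denylist is a tiny constructed sample standing in for a breached-password corpus, and the minimum length is an assumed policy value.

```python
"""Reject the password choices reported after the breach (added example)."""

# Constructed denylist: a handful of defaults that turn up in every breach
# write-up. A production check would consult a much larger breached-password
# corpus; this sample exists only so the example runs stand-alone.
DENYLIST = {"admin", "password", "123456", "welcome", "letmein", "changeme"}


def _normalize(text):
    """Lower-case and strip punctuation so 'Perez!' still matches 'perez'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def check_password(username, last_name, password, min_length=12):
    """Return the list of policy violations for a proposed password.

    An empty list means the password passes every check here. The checks
    mirror the failures reported in Argentina: password equal to the
    username, equal to (or containing) the user's last name, a default
    value, or a trivially short or all-digit string.
    """
    problems = []
    pw = _normalize(password)
    ln = _normalize(last_name) if last_name else ""
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if pw == _normalize(username):
        problems.append("identical to the username")
    if ln and pw == ln:
        problems.append("identical to the user's last name")
    elif ln and len(ln) >= 4 and ln in pw:
        problems.append("contains the user's last name")
    if pw in DENYLIST:
        problems.append("on the default/common password denylist")
    if pw.isdigit():
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    print(check_password("admin", "", "admin"))
    print(check_password("jperez", "Perez", "perez"))
    print(check_password("jperez", "Perez", "correct horse battery staple"))
```

The check is deliberately run against attributes the identity system already holds (username, surname) rather than against the password alone; a password that looks strong in isolation can still be a first guess for anyone who has the company directory.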
An object lesson in the importance of patching.
The Apache Struts vulnerability (CVE-2017-5638) exploited against Equifax was patched in March. The attackers hit the company two months later, were present at least through May and June, and were discovered only at the end of July. While patching this sort of open-source code isn't trivial, it's not prohibitively difficult either (Ars Technica). The consensus in the industry press is that there was no good reason for Equifax to have delayed patching (WIRED).
And another object lesson in incident response planning.
Equifax has been excoriated for poor incident response, and marketing communications form part of that response. It is positively painful to read the company's self-description on their website. The CEO's statement of values begins, "Equifax helps people make better decisions by weaving unique knowledge and insights into knowledge that makes a difference" (Equifax). Unfortunately many of the people now making better decisions on the basis of that tapestry are doing so on the black market. (The website also has videos depicting "Our People," "Our Value," and "Our Community," but we haven't watched them. They require Flash.)
Given the more than forty days that elapsed between discovery and disclosure, Equifax seemed surprisingly unprepared to deal with consumer calls for help (New York Times). Call centers had difficulty handling the volume of calls, the help website sometimes malfunctioned, processing of requests was delayed by days, and so on. Other consumers were upset by Equifax's initial decision to charge them for placing a freeze on their credit, and by the initial appearance that they would be upsold credit and identity protection once their free period expired. Both issues were eventually clarified (there would be no charge for a credit freeze, and free protections wouldn't be used to sell further services), but they left a sour taste in many mouths.
There were also security issues with the sites established to help people with their credit freezes. For one thing, the PINs they were assigning customers to control their freezes were simply numerical date-time stamps, so easy to guess they're hardly worth the trouble of brute-forcing (Ars Technica).
These issues are all matters that would have been far less troublesome had an incident response plan been formulated and exercised in advance (New York Law Journal).
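The point about the freeze PINs is a question of keyspace: a PIN that encodes the time of enrolment has as many possible values as there are minutes in the window an attacker would have to consider, regardless of how many digits it prints. The following is an added example, not Equifax's code; it assumes a stamp format of MMDDYYhhmm (ten digits, minute resolution) purely for illustration, and contrasts it with a PIN drawn from the operating system's CSPRNG.

```python
"""Keyspace of a date-time-stamp PIN versus a random PIN (added example)."""
import math
import secrets
from datetime import datetime, timedelta

DIGITS = "0123456789"


def timestamp_pin(when):
    """Assumed stamp layout: month, day, two-digit year, hour, minute."""
    return when.strftime("%m%d%y%H%M")


def timestamp_candidates(window_start, window_end):
    """All PINs a stamp-based scheme could have issued in a time window.

    The stamp has minute resolution, so the candidate set holds one entry
    per minute of the window, however many digits the PIN shows.
    """
    pins = []
    t = window_start.replace(second=0, microsecond=0)
    while t <= window_end:
        pins.append(timestamp_pin(t))
        t += timedelta(minutes=1)
    return pins


def keyspace_bits(n_candidates):
    """Effective entropy in bits for a uniformly chosen value."""
    return math.log2(n_candidates)


def random_pin(digits=10):
    """A PIN where every ten-digit string is equally likely."""
    return "".join(secrets.choice(DIGITS) for _ in range(digits))


if __name__ == "__main__":
    # Constructed window: one calendar day on which a user might have enrolled.
    day = datetime(2017, 9, 8)
    stamped = timestamp_candidates(day, day + timedelta(hours=23, minutes=59))
    print("stamp-based PINs in one day:", len(stamped),
          "(%.1f bits)" % keyspace_bits(len(stamped)))
    print("random ten-digit PINs:", 10 ** 10,
          "(%.1f bits)" % keyspace_bits(10 ** 10))
    print("example random PIN:", random_pin())
```

Narrowing the window to a single day leaves 1,440 candidates (a little over 10 bits), while a uniformly random ten-digit PIN has 10^10 (about 33 bits). Neither is a substitute for rate limiting on the freeze endpoint, but only the second is a secret in any meaningful sense.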
Consequences of a data breach (for the business that sustains it).
Two Equifax executives appear to have taken the fall for the breach. The company's chief information officer, Susan Mauldin, and chief security officer, Dave Webb, are "retiring," the company said Friday in a terse announcement (CNN Money). It seems unlikely they'll be the last ones to go.
The company's share price stood at $142.72 on Thursday, September 7th, just before the breach was disclosed. On Friday, September 15th the stock (NYSE: EFX) closed at $92.98.
The company is exposed to considerable civil litigation. Class action suits are already in the works (Data Center Knowledge). And DoNotPay, a chatbot robolawyer built to fight traffic tickets, is offering to help consumers sue Equifax in small claims court for amounts up to $25,000 (Forbes).
Equifax also faces stiff Federal scrutiny, from both regulators and Congress. The Federal Trade Commission has opened an investigation of the breach (Washington Post) and the Consumer Financial Protection Bureau is likely to be taking a look into Equifax and the entire credit industry as well (Bloomberg). Senators are calling on the Securities and Exchange Commission to investigate three executives' sale of Equifax stock in the interval between the breach's discovery and disclosure (Bloomberg). Equifax has said the three were unaware of the breach when they sold the stock.
The House has summoned Equifax CEO Smith to testify before one of its subcommittees next month (The Hill). The Senate will probably follow suit: Senator Schumer (D-New York) for one has called the breach the "worst case of corporate malfeasance since Enron" (Chicago Tribune). Individual states are opening their own investigations (Reuters); Georgia and New York are thought likely to be particularly active (The CyberWire).
Equifax was not the only data breach or exposure this week.
Australia's Department of Human Services issued new Medicare numbers to one hundred sixty-five individuals on Friday. That's chickenfeed, of course, by the standard set by the Equifax breach, which was six orders of magnitude larger, but it's another instance of how data can be exposed. In this case the activity is clearly criminal (Computerworld). The Department's action addressed fallout from the darknet "Medicare Machine" scandal uncovered in July (Computerworld).
In the US, another political campaign data broker has been involved in a compromise (ZDNet). In this case it was a CouchDB database found openly accessible on the web (not even password-protected), where it stayed until it was secured and taken offline Monday. It was discovered by security researchers at Kromtech, which has been finding a lot of these lately; the data were compiled by TargetSmart, a political campaign data broker. The compromised information includes name, address, date of birth, ethnicity, marital status, voting preferences, political issues and causes an individual might be lobbied on, the ages of a person's children (if any), household income, and whether or not the voter is a homeowner. TargetSmart says it's not to blame: Equals3, a third party that licensed some of the data from TargetSmart, is the outfit that exposed the information.
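An openly reachable, unauthenticated CouchDB instance is almost always a configuration left at its defaults: no administrator defined, anonymous requests allowed, and the HTTP listener bound to every interface. The following is an added example, not from Kromtech, TargetSmart or Equals3, that audits a CouchDB `local.ini` for those three conditions. The two configuration samples are constructed; the section and key names (`[chttpd]`/`[httpd]` `bind_address`, `require_valid_user`, `[admins]`) are CouchDB's own, and the admin hash shown is a placeholder.

```python
"""Flag a CouchDB local.ini that would leave the database open (added example)."""
import configparser

# Constructed sample: an instance left at the open defaults.
OPEN_CONFIG = """
[chttpd]
bind_address = 0.0.0.0
port = 5984

[couch_httpd_auth]
require_valid_user = false

[admins]
"""

# Constructed sample: the same instance with the three settings corrected.
# The admin value is a placeholder; CouchDB replaces a plaintext password
# with a salted hash on startup.
HARDENED_CONFIG = """
[chttpd]
bind_address = 127.0.0.1
port = 5984

[couch_httpd_auth]
require_valid_user = true

[admins]
ops = -pbkdf2-<hash placeholder>
"""


def audit_couchdb_config(ini_text):
    """Return a list of findings; an empty list means no open-default condition."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    findings = []

    # 1. No admin user means CouchDB's "admin party": everyone is an admin.
    if not cp.has_section("admins") or not cp.items("admins"):
        findings.append("no admin defined: the instance is in admin-party mode")

    # 2. Anonymous reads are allowed unless require_valid_user is true.
    #    The key may sit under [chttpd] (newer releases) or [couch_httpd_auth].
    rvu = (cp.get("chttpd", "require_valid_user", fallback=None)
           or cp.get("couch_httpd_auth", "require_valid_user", fallback="false"))
    if rvu.strip().lower() != "true":
        findings.append("require_valid_user is not true: unauthenticated access allowed")

    # 3. Binding to all interfaces exposes the HTTP API beyond localhost.
    bind = (cp.get("chttpd", "bind_address", fallback=None)
            or cp.get("httpd", "bind_address", fallback="127.0.0.1"))
    if bind.strip() in ("0.0.0.0", "::"):
        findings.append("bind_address %s exposes the HTTP API on every interface" % bind)

    return findings


if __name__ == "__main__":
    print("open defaults:", audit_couchdb_config(OPEN_CONFIG))
    print("hardened:", audit_couchdb_config(HARDENED_CONFIG))
```

A bind address of `127.0.0.1` is the right answer only when the application sits on the same host; a database that must be reachable from other machines should bind to a private interface and sit behind a firewall rule, with the admin and `require_valid_user` settings in place either way.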
You may not be interested in the data broker, but the data broker is interested in you.
The credit industry as a whole is receiving a great deal of odium, and many are calling for a comprehensive regulatory and legal overhaul (Quartz).
A striking fact about both the Equifax breach and the Alaska voter database exposure is that the people placed at risk of fraud and identity theft aren't even customers at all, but rather individuals on whom the credit bureau or the campaign consultants collected information to sell to organizations interested in assessing either their credit worthiness or likely voting behavior.
This is why a number of observers, Bruce Schneier among them, think that securing such data will require regulation. It's not susceptible to market correction because, they argue, there's no obvious transaction between the people described by the data and those who sell the data. It's not as if someone applying for a loan could opt out of being assessed by a credit bureau. To do so, even if you could, would involve opting out of the credit market entirely. And it would probably mean you'd decided to live off the grid entirely.
Demographically targeted advertising also depends upon such collection. Social media companies tend to be particularly voracious accumulators of data. As Schneier points out, he doesn't use Facebook, but Facebook has compiled a remarkably comprehensive dossier on him, just in case.
Influence operations: tactics, techniques, and procedures.
Influence operations are nothing new, but they appear newly frightening given the ease with which social media and other online sources disseminate propaganda. A Russian media company has operated effectively as a "troll factory" (Moscow Times). And the textbook on psychological warfare you'd have used if you were an aspirant at MGU has also been made available; its tactics, techniques, and procedures rest on fundamentals with Soviet roots (Moscow Times).
Influence operations grow in popularity as they seem to grow in success, with authoritarian regimes taking a particular interest in them (Foreign Affairs). China has also been active in this field. Notes are out on how they manage things in social media from Beijing (or Shanghai).
The goal of such operations, especially under Russian direction, and especially as they target the US, tends to serve the overarching purpose of eroding trust (The CyberWire).
There are, unfortunately, more immediately lethal ways in which online influence and inspiration make their effects felt, as the bombings in London Friday show. Investigation is in progress and arrests are being made (Telegraph); as usual the terrorists leave their spoor online, and as usual people in authority want to see something done (Independent).
The data supply chain, machine learning, and data integrity.
The US National Geospatial-Intelligence Agency (NGA) has an interesting offer it's talking through with Congress. Director Robert Cardillo wants to swap some of his agency's data for access to industry's cutting-edge artificial intelligence tools (Federal News Radio). Like other agencies in the US Intelligence Community (The CyberWire), NGA sees artificial intelligence as its future. AI offers speed, economy, and accuracy (when properly trained) that's seen as an indispensable adjunct to human analysts and watchstanders. Cardillo wants "cutting-edge algorithmic development" in exchange for his agency's data, and he'd like to negotiate a partnership with industry and academia that's "fair" and "transparent."
Artificially intelligent systems need to be trained, and such training requires very large quantities of credible data. This establishes a data supply chain. So far incursions into that supply chain have mostly taken the form of theft (as in data breaches) or denial (as in destructive or ransom attacks). But if one of the most common goals of adversaries in cyberspace is erosion of trust, it's prudent to be alert to another possibility: the corruption of data with a view to shaping a battlespace, influencing decision or sentiment, corrupting artificial intelligence, or destroying physical systems (The CyberWire).
Some organizations have more than enough data to train their own AI; others will depend upon external sources. In both cases data scientists are likely to assume a new role as curators and assayers of data (The CyberWire).
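One concrete thing a data curator can do against the corruption scenario above is make the training set tamper-evident: hash every record, bind the hashes into a manifest, and authenticate the manifest with a key the data owner keeps, so that a partner receiving the data can tell a modified, dropped or injected record from the original. The following is an added example, not NGA's or anyone else's pipeline; the records and the manifest key are constructed placeholders.

```python
"""Tamper-evident manifest for a training data set (added example)."""
import copy
import hashlib
import hmac
import json

# Constructed placeholder key. In practice the data owner holds it and
# ships only the manifest and its tag with the data, never the key.
MANIFEST_KEY = b"placeholder-manifest-key"

# Constructed sample records: a label plus the digest of an image blob that
# is not included here (the blob digests are placeholders).
SAMPLE_RECORDS = [
    {"id": "img-0001", "label": "vehicle",  "sha256_of_blob": "a1" * 32},
    {"id": "img-0002", "label": "vehicle",  "sha256_of_blob": "b2" * 32},
    {"id": "img-0003", "label": "building", "sha256_of_blob": "c3" * 32},
]


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records, key):
    """Per-record SHA-256 digests plus an HMAC over the whole digest table."""
    digests = {r["id"]: hashlib.sha256(canonical(r)).hexdigest() for r in records}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_records(records, manifest, key):
    """Return (manifest_authentic, modified_ids, missing_ids, unexpected_ids).

    modified: present in both but content differs (e.g. a flipped label).
    missing: listed in the manifest but absent from the delivered data.
    unexpected: delivered but never listed, i.e. injected records.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["tag"])
    seen = {r["id"]: hashlib.sha256(canonical(r)).hexdigest() for r in records}
    listed = manifest["digests"]
    modified = sorted(i for i, d in seen.items() if i in listed and d != listed[i])
    missing = sorted(i for i in listed if i not in seen)
    unexpected = sorted(i for i in seen if i not in listed)
    return manifest_ok, modified, missing, unexpected


def with_label(records, rec_id, label):
    """Deep copy of the data set with one record's label changed (for testing)."""
    out = copy.deepcopy(records)
    for r in out:
        if r["id"] == rec_id:
            r["label"] = label
    return out


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, MANIFEST_KEY)
    print("clean:", verify_records(SAMPLE_RECORDS, manifest, MANIFEST_KEY))
    poisoned = with_label(SAMPLE_RECORDS, "img-0002", "civilian")
    print("label flipped:", verify_records(poisoned, manifest, MANIFEST_KEY))
```

The HMAC is what makes this more than a checksum: an adversary who can rewrite records in transit could also rewrite a plain hash list, but cannot recompute the tag without the owner's key. Statistical checks on label distributions belong alongside this, since integrity protection says nothing about whether the original data was sound.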
BlueBorne bugs Bluetooth.
The BlueBorne vulnerability in Bluetooth (whose discovery Armis Lab announced Tuesday) may have been addressed by both Microsoft and Google in their most recent patches, but estimated rates of susceptibility to attack through this vector are astonishingly high. More than five billion devices worldwide are thought to be vulnerable (Ars Technica). Patching them all will prove, effectively, impossible. Until you're sure you're patched and up-to-date, experts are advising people to turn off Bluetooth when it's not in use (WIRED).
Expected spike in point-of-sale attacks.
Kromtech Security has found more than 4,000 Elasticsearch servers hosting files related to AlinaPOS and JackPOS, both strains of point-of-sale malware. Most of the affected Elasticsearch servers are to be found in Amazon Web Services (Bleeping Computer).
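Elasticsearch instances end up hosting someone else's files because their HTTP and transport ports are reachable from the whole internet. On AWS that is a security-group question, and it can be audited from the group definitions alone. The following is an added example, not Kromtech's tooling; the group records are constructed in the shape the EC2 DescribeSecurityGroups API returns (`IpPermissions`, `FromPort`, `ToPort`, `IpRanges`/`CidrIp`), which is the assumption the parser makes about its input.

```python
"""Find security groups that expose Elasticsearch ports to the internet (added example)."""
import ipaddress

# Constructed sample: three groups in DescribeSecurityGroups shape. Group ids
# are placeholders. The first opens the Elasticsearch range to the world, the
# second restricts it to a VPC range, the third allows all traffic from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example01", "GroupName": "es-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example02", "GroupName": "es-internal",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example03", "GroupName": "all-traffic",
     "IpPermissions": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

WATCHED_PORTS = {9200: "Elasticsearch HTTP", 9300: "Elasticsearch transport"}

# Address space that is not routable from the internet; anything else is
# treated as public for the purpose of this audit.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def _is_public(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:            # 0.0.0.0/0 or ::/0: the whole internet
        return True
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES)


def _covers(perm, port):
    """Does this permission entry admit TCP traffic to the given port?"""
    if perm.get("IpProtocol") == "-1":          # all protocols, all ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed(groups, ports=WATCHED_PORTS):
    """Return (group_id, port, service, public_cidrs) for each exposed port."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            public = [c for c in cidrs if _is_public(c)]
            if not public:
                continue
            for port, service in ports.items():
                if _covers(perm, port):
                    findings.append((g["GroupId"], port, service, public))
    return findings


if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_GROUPS):
        print(finding)
```

Run against live data, the input would be the `SecurityGroups` list from a `describe_security_groups` call; a group that is flagged but attached to nothing is a cleanup item, while one attached to a running instance is the case Kromtech's count describes.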
US DHS tells Executive Branch to stop using Kaspersky software.
On Wednesday the US Department of Homeland Security issued Binding Operational Directive 17-01, directing that all US Government Executive Branch agencies stop using Kaspersky security software within ninety days. Acting Homeland Security Secretary Elaine Duke issued the order, which, as the DHS public statement says, "calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days, to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and at 90 days from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems."
The directive is based on an assessment of risk, and DHS has not presented evidence publicly of any Kaspersky wrongdoing. It has, however, explained the risk in terms of concerns "about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks."
White House Cybersecurity Director Robert Joyce said the assessment of risk is based on requirements in Russian law that companies cooperate with the FSB intelligence agency. "It was a risk-based decision and the right call," he said. "It's unacceptable that a company could move data to Russia, where law requires it to cooperate with the FSB" (The CyberWire).
The Binding Operational Directive may not be so final as it might appear. DHS says, at the end of its statement, that it's providing Kaspersky with the opportunity to submit a written response addressing or mitigating security concerns. Anyone else who has an interest in the matter will also be afforded the opportunity to comment. Watch the Federal Register for Notices affecting Binding Operational Directive 17-01.
Eugene Kaspersky says the perception of risk is baseless, that his company's caught in a geopolitical crossfire, and that he welcomes his invitation to appear before Congress (Forbes).
This week's patches.
Microsoft, Adobe, and Google all issued patches this week. Microsoft addressed eighty-one vulnerabilities, thirty-nine of those critical remote-code execution bugs. Adobe fixed two bugs in Flash Player, and Google's Android update patched eighty-one vulnerabilities, none of which appear to be undergoing exploitation in the wild (Register).
Industry notes.
In industry news, AppGuard announced that it has closed a $30 million Series B funding round. Silent Circle is buying Kesala, and Thales has completed its purchase of Guavus. Tanium is said to be planning a secondary share offering before its IPO (City A.M.). And Cybrary has secured $3.5 million in Series A funding (BusinessWire).