Equifax: The Work Number

Everyone has heard about the Equifax security breach that compromised an unknown number of Americans, but not everyone has heard about another of Equifax’s services: The Work Number.


The Work Number is a service that provides an individual’s detailed salary and employment history. It was designed to provide automated employment and income verification to employers. It can also provide proof of income should someone be applying for a loan.

With such a large database of private information, and with the above image being the first thing you see when going to www.theworknumber.com/Employees, you would expect a large number of security protocols defending it. Initially, yes, but after the recent Equifax breach, maybe not so much.

Accessing the information requires one to input their employer’s code, which would be easy to look up if the Equifax system wasn’t down for maintenance. Then it asks for a “User ID”, which in most cases is your SSN or a portion of it. Finally, it asks for your “PIN”, which defaults to some variation of your date of birth (mm/dd/yyyy or yyyy/mm/dd). After gaining access, it does require you to change the PIN and set up half a dozen security questions for verification. Then it allows you to access any of your income or employer history in its database.

The troubling thing about this is that in the Equifax security breach some of the major pieces of information stolen were DOB and SSN, allowing someone to access your information as long as they could learn who your current employer is, in order to get the employer code. After they gain access to The Work Number, a potential hacker can change your PIN, set up security questions, and lock you out of the whole system.

-Spencer Mycek

source: Krebsonsecurity
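The weakness described in the post is a default PIN that can be rebuilt from a date of birth, which is exactly the field leaked in the breach. A defensive counterpart is an enrollment-time PIN policy that refuses any PIN derivable from the account holder's DOB. The Python below is an added example, not The Work Number's code; the function names and the 8-digit minimum are assumptions made for illustration.

```python
import re
from datetime import date
from itertools import permutations

# Hypothetical enrollment-time PIN policy check (example code, not The Work
# Number's). It rejects any PIN an attacker could derive from a date of birth
# learned in a breach, plus a few other trivially guessable patterns.


def _digits(s: str) -> str:
    """Keep only the digits, so 05/17/1990 and 05171990 compare equal."""
    return re.sub(r"[^0-9]", "", s)


def dob_derived_pins(dob: date) -> set[str]:
    """Every digit string built from the DOB fields: all orderings of day,
    month and (two- or four-digit) year, plus every two-field combination."""
    d, m = f"{dob.day:02d}", f"{dob.month:02d}"
    y4, y2 = f"{dob.year:04d}", f"{dob.year % 100:02d}"
    pins = set()
    for year in (y4, y2):
        for order in permutations((d, m, year)):
            pins.add("".join(order))
    for a, b in permutations((d, m, y2), 2):
        pins.add(a + b)
    return pins


def pin_is_acceptable(pin: str, dob: date, min_digits: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason). Separators typed into the PIN are ignored,
    so writing the DOB with slashes or dashes does not bypass the check."""
    digits = _digits(pin)
    if len(digits) < min_digits:
        return False, "too short"
    if digits in dob_derived_pins(dob):
        return False, "derived from date of birth"
    if len(set(digits)) == 1:
        return False, "single repeated digit"
    # All steps +1 (12345678) or all steps -1 (87654321), modulo 10.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        return False, "sequential digits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample DOB; not a real person.
    sample_dob = date(1990, 5, 17)
    print(len(dob_derived_pins(sample_dob)), "DOB-derived candidates")
    for candidate in ("05/17/1990", "1990-05-17", "11111111", "12345678", "84913027"):
        print(candidate, pin_is_acceptable(candidate, sample_dob))
```

The point the numbers make: for one DOB the derived set has only a few dozen entries, so a default PIN of that form is a lookup rather than a guess, whereas an 8-digit PIN chosen at enrollment has a hundred million possibilities.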

How Equifax got Hacked

I’m sure almost everyone has heard about the Equifax data breach at this point, but what we haven’t really known until now was how exactly the hack was done. Information was just recently released by the hackers themselves to a writer on the website spuz.me. What we now know is that this breach is entirely Equifax’s fault.

Basically, Equifax had many “management panels” on their servers, each with a different function. Some of these panels were even publicly visible and could be found on the IoT search site shodan.io. In these panels, there was barely any security. The password for one of them was “admin:admin”. Now, the hackers confirmed not all the passwords were that easy, but the private keys for the panels were actually stored in the panels themselves. Not only that, but over 300 employee admin usernames and passwords were stored in plaintext in a JavaScript file.

The hackers are currently asking for 600BTC (~$2.2 million at the time of writing) for a full public dump of the data, or 4BTC (~$15k) for 1 million entries of the data. At the time of writing, no money has been sent to the bitcoin address.

It’s very scary how bad the security practices were in this scenario. This is a credit agency after all, and their security was laughable. How many other huge corporations out there have practices this bad? I guess only time will tell.

– Noah Kalinowski

Source
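The two failures the post calls out, default credentials such as admin:admin and plaintext username:password pairs and private keys sitting in a served JavaScript file, are exactly what a pre-deployment secret scan is meant to catch. The Python below is an added example, not anything from Equifax or from the hackers' write-up; the patterns, the default-credential list and the sample file are constructed for illustration, and the findings redact the matched values so the report itself does not leak them.

```python
import re

# Hypothetical secret scanner (example code, not a real tool's). It walks a
# text file line by line and reports credential-looking content without
# copying the secret itself into the finding.

PATTERNS = {
    # password: "..."  /  passwd = '...'  /  secret: "..."
    "password_assignment": re.compile(
        r"""(?i)\b(?:password|passwd|pwd|secret)\b\s*[:=]\s*["']([^"']{1,64})["']"""),
    # "user:pass" literals; the password may not start with "/" so that
    # "https://host" is not mistaken for a credential pair
    "user_colon_pass": re.compile(
        r"""["']([A-Za-z0-9._-]{1,32}):([^"'\s/][^"'\s]{0,63})["']"""),
    # PEM private key header embedded in source
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Well-known vendor defaults; a match here is flagged separately because it
# means the panel was never configured, not merely that a secret was committed.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed sample file, not Equifax's real JavaScript.
SAMPLE_JS = """\
// constructed sample, not Equifax's real file
var apiBase = "https://example.invalid/api/v1";
var users = [
  "admin:admin",
  "j.doe:Winter2017!",
];
var config = { timeout: 30, password: "s3cr3t" };
var key = "-----BEGIN RSA PRIVATE KEY-----\\nMIIE...";
"""


def _redact(value: str) -> str:
    """Show just enough to locate the secret in the file, never the whole value."""
    return value[:2] + "***" if len(value) > 2 else "***"


def scan_text(text: str) -> list[dict]:
    """Return one finding per match: line number, kind, redacted preview and
    whether a user:pass pair is a known vendor default."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                finding = {"line": lineno, "kind": kind,
                           "default_credential": False, "preview": ""}
                if kind == "user_colon_pass":
                    user, pw = match.group(1), match.group(2)
                    finding["default_credential"] = (user.lower(), pw.lower()) in DEFAULT_CREDENTIALS
                    finding["preview"] = f"{user}:{_redact(pw)}"
                elif kind == "password_assignment":
                    finding["preview"] = _redact(match.group(1))
                else:
                    finding["preview"] = "PRIVATE KEY block"
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_JS):
        flag = " (vendor default)" if f["default_credential"] else ""
        print(f"line {f['line']}: {f['kind']} {f['preview']}{flag}")
```

Run against a real tree, this kind of check belongs in CI so a file like the one described never reaches a web root; the same patterns also work as a triage filter over files already served, which is how the exposure in the post would have been spotted from the inside.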

“Equifax Data Breach Could Affect half the U.S. Population”

Equifax is a very large credit reporting company that experienced a cyber attack over the summer. The attack was discovered on July 29 but didn’t become public information until last Thursday, the 5th of September. This data breach could have affected 143 million people. The information that was exposed includes social security numbers, addresses, and birthday information. Equifax is also saying 209,000 credit cards were exposed, including some from the UK and Canada. A big problem with this attack is that Equifax was a service used to protect against identity theft, but now the integrity of the site has been compromised by this attack.

Once Equifax discovered the breach, they began working with private security companies to figure out what happened and how they should go about fixing it. The FBI is also investigating the attack to try and find who is responsible. Another big problem with this breach is that it could affect you even if you have never been a customer of Equifax. Equifax collects info from credit card companies to create credit scores, so it is possible your card is one of the ones exposed.

The hack has been reported to have been caused by a vulnerability in a “website application”. Not much has been said on the details of the hack. Another problem has popped up from this attack. Equifax has created a website where you enter your information and see if you have been exposed by this attack. According to Georgia Weidman, founder of the security firm Shevirah, “It’s teaching people entirely the wrong things about using the internet securely”. If this new website has vulnerabilities, it could expose even more people.

-Levi Walker

Sources:

http://abcnews.go.com/Technology/wireStory/equifax-data-breach-49724230

https://www.nbcnews.com/tech/security/massive-equifax-data-breach-could-impact-half -s-population-n799686

GitLab Tokens Visible in URL

GitLab, the web-based Git repository manager, recently patched a vulnerability that exposed users to possible session hijacking attacks.

Daniel Svartman, a security researcher, discovered the vulnerability during a penetration test of GitLab. Svartman noticed that his session token was fully visible in his URL. With the token he was given access to every actionable item on the GitLab platform.

What made this vulnerability worse was Svartman’s second discovery – GitLab uses private session tokens that never expire. In addition, tokens were only 20 characters long, which made them susceptible to brute-forcing, according to the researcher.

“If an attacker successfully brute-forced an account, the attacker would be able to manage the account, dump the code, perform updates to it, and of course steal potentially sensitive information, such as new versions of software unreleased to the public,” Svartman said, “Also, in other scenarios, by performing updates to the code, the attacker would be able to embed any kind of malware into it.”

Svartman wasn’t the first to report the threat to GitLab; he later saw it mentioned on GitLab’s support forums. GitLab fixed a similar vulnerability last November within days of its discovery, but it’s unknown how long the recent vulnerability existed until it was fixed.

Brian Neel, Security Lead at GitLab, stressed that on its own the fact that GitLab uses private tokens isn’t a problem. However, GitLab has decided to stop using private tokens to fetch RSS feeds and instead use a read-only RSS token that would only reveal RSS feed data if exposed.

Neel states that GitLab’s use of private tokens should not be considered a vulnerability. “Improvements have been made to how this feature is implemented but users should not feel at risk simply because they run a version of GitLab that allows private tokens.”

– Antony Lin

Sources:

https://threatpost.com/session-hijacking-bug-exposed-gitlab-users-private-tokens/127747/

https://www.incapsula.com/blog/blocking-session-hijacking-on-gitlab.html
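The remarks above from Svartman and Neel amount to three server-side rules: a token should expire, a token used for a low-value purpose such as an RSS feed should not carry full account privileges, and a secret should travel in a header rather than the URL, where it lands in logs, browser history and referrers. The Python below is an added example, not GitLab's code; the TokenStore class, the "rss"/"full" scope names and the "header"/"query" source labels are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical token service (example code, not GitLab's). Scopes are ranked so
# that a read-only feed token can never satisfy a request needing full access.
SCOPE_RANK = {"rss": 0, "full": 1}


@dataclass
class TokenRecord:
    user: str
    scope: str
    expires_at: float


class TokenStore:
    """Issues, validates and revokes API tokens with a fixed lifetime."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested offline
        # Keyed by SHA-256 of the token: a database leak yields only digests,
        # and preimage resistance means the lookup reveals nothing about the
        # plaintext, so no constant-time comparison of the raw token is needed.
        self._records: dict[str, TokenRecord] = {}

    @staticmethod
    def _fingerprint(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, user: str, scope: str = "full") -> str:
        """Mint a token for `user`; the plaintext is returned once and not stored."""
        if scope not in SCOPE_RANK:
            raise ValueError(f"unknown scope {scope!r}")
        raw = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
        self._records[self._fingerprint(raw)] = TokenRecord(
            user=user, scope=scope, expires_at=self.clock() + self.ttl)
        return raw

    def validate(self, raw: str, required_scope: str, carried_in: str):
        """Return the owning user if the token is acceptable, else None.

        carried_in is where the request presented the token: "header" is the
        only accepted channel; "query" (the token in the URL) is refused outright
        because URLs are logged and leak through referrers and history."""
        if carried_in != "header":
            return None
        key = self._fingerprint(raw)
        rec = self._records.get(key)
        if rec is None:
            return None
        if self.clock() >= rec.expires_at:
            del self._records[key]                  # expired: drop it on first sight
            return None
        if SCOPE_RANK[rec.scope] < SCOPE_RANK[required_scope]:
            return None                             # feed token cannot act as account
        return rec.user

    def revoke(self, raw: str) -> None:
        """Invalidate a token immediately, e.g. after it was seen in a URL."""
        self._records.pop(self._fingerprint(raw), None)


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    account_token = store.issue("alice", "full")
    feed_token = store.issue("alice", "rss")
    print("header, full:", store.validate(account_token, "full", "header"))
    print("query, full: ", store.validate(account_token, "full", "query"))
    print("feed as full:", store.validate(feed_token, "full", "header"))
    print("feed as rss: ", store.validate(feed_token, "rss", "header"))
```

The RSS token in this design mirrors the change Neel describes: a leaked feed URL exposes feed data and nothing else, and because every token has a lifetime the window for misuse is bounded even when a leak is never noticed.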

FCC Not Moving Forward with IoT Security Mandates

Currently facing backlash from the widespread DDoS attacks last week, the FCC is being pressed on how they plan to manage and regulate the increase of IoT devices on the market. Many in Congress are pressuring the FCC to regulate IoT devices as different entities than traditional computers, saying that their impact on network infrastructure is fundamentally different.

The current commissioners are pretty unanimous in their belief that the Open Internet Order gives ISPs the correct amount of leeway to handle threats similar to the recent DDoS attacks themselves. The Open Internet Order grants ISPs “Reasonable Network Management”. If that sounds extremely flexible, that’s intentional.

Mostly, the FCC wants to keep their hands out of this mess, opting instead for a more advisory role.

You can read more on this subject by clicking here.