Equifax Breach Impacts An Additional 2.4 Million

Equifax has managed to come back into the news. Three weeks ago (March 1), Equifax released an update to the hack that happened over 6 months ago (June 2017). For those of you who do not know, Equifax is one of three credit reporting agencies in the United States. All financial information passes through at least one of these agencies. This includes bank accounts, loans, credit cards, etc. Almost everyone in the United States has used one of these companies in their lifetime, if not all of them. I will go further in depth about the several security issues Equifax dealt with back in June as well as in September, but for now I’m going to provide information on the most recent update.

Originally Equifax released the news that 143 million people had their personal information stolen. This information includes names, SSNs, birthdates, addresses, driver’s license numbers, and credit card numbers. The population of the United States is 325.7 million (2017), meaning nearly half of all Americans (44.67%) had their information stolen. If you consider the fact that this hack really only affects adults as children haven’t necessarily needed to use Equifax in the past, the percentage goes up to over 50%. When they released the new update, an additional 2.4 million people have been said to be affected by the breach. While that number is much smaller than the original, this number is also coming 6 months after the initial announcement. Hackers have had the personal information of 2.4 million people for 9 months (6 plus the 3 that it took them to mention it to the public, more on that later) without those people knowing. With this new information, the number rises to ~58% of all adult Americans who have had their information stolen through the Equifax breach. It is one of the largest hacks of personal information in history.

The attack itself happened somewhere between May and July and came from a flaw in Apache Struts, the framework behind the company’s web application back end. This gave the hackers initial access to Equifax’s computer systems. By the time they were finished, the hackers had 30 separate entry points into Equifax’s systems. The only reason they were caught is that they were so deeply embedded in the systems that the company was forced to shut down a consumer complaint portal for 11 days while the security team figured out what was happening.

There are also reports that the company was notified 6 months in advance (December 2016) of the threat of a potential attack, given the security measures it had in place. An anonymous hacker found a flaw in the website that would allow anyone to pull information on every person in the database in a couple of minutes. This information included the SSNs, names, and birthdates of all the individuals. This could be done through forced browsing, a technique in which an attacker simply types guessed URL strings into a browser to reach pages the site never links to. Not only that, but the hacker also managed to find ways to get shell access to several Equifax servers, as well as several SQL injection vulnerabilities. From reading several articles, it seems like Equifax’s main security policy was “Security by Obscurity”.

Now, most people think that the only issue was the breach that happened between mid-May to July. This is only part of Equifax’s downfall. Besides announcing 2.4 million people had been hacked 9 months after the incident happened, Equifax is credited with many mistakes that a student in CSEC 101 could’ve prevented. But first, let’s go over how Equifax handled the situation.

In July 2017, Equifax learned that it had been breached. The company then waited 6 weeks to tell the public that the breach had taken place. This meant that hackers had the personal information of hundreds of millions of people for 3 months and Equifax failed to announce it for over a month. Before announcing that the company had been hacked, top-level executives at Equifax sold millions of dollars’ worth of stock. Perhaps the one good practice they had was to provide a one-year protection plan for anyone affected by the breach. However, this too had its downsides. In most cases, a year of protection isn’t enough. Because of the information that was leaked and how long it can take to decipher it, the attacks on individual people may not even happen for another 5 to 10 years. What’s more, once the one-year free trial runs out, you are automatically enrolled in the paid protection plan whether or not you asked to be. You have to manually cancel your plan after the year of protection expires. Also, by agreeing to this protection plan, you enter an agreement with Equifax stating that you can no longer sue the company. However, they did update this by allowing the people who signed up to send a written letter to Equifax within 30 days to opt out of the agreement.

In order to find out if you have been hacked, they require you to go to their site (https://www.equifaxsecurity2017.com) and sign up to find out if you have been affected by the breach. And I wish I could say that Equifax stopped messing up there, but the story continues. Cyber security experts criticize Equifax for creating this website. They say it would have been more secure to use their own website instead and provide an additional subdomain where people could enroll. And Equifax should have listened… A software engineer decided to show the world the security disasters that could derive from this situation. A new website, securityequifax2017.com (it has since been taken down), was created to show how this affects the people trying to use Equifax’s website. The site copied the actual Equifax site, but added the line “Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?” to the title of the page (shown below).

Now, this site was so “convincing” that Equifax tweeted a link to the fake website, not once (no, that’s not the Equifax way), but seven times. The official Equifax Twitter account linked to a fake website made specifically to demonstrate the security risks of using a long, unfamiliar URL, a site whose page title read “Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”. 200,000 people had signed up on the fake website before the creator took it down, proving his point about the security concerns involved.

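The fake site worked because it reused the same words as the real domain in a different order. A defender can catch that class of impostor automatically. The following is an added example (not code from the original post or from Equifax) that flags a candidate domain when it is either a reordering of the legitimate domain’s brand tokens or within a couple of edits of it (typosquatting). The vocabulary of brand tokens, the sample domains other than the two named in the post, and the simplistic “second-level label” extraction are assumptions for the illustration.

```python
from __future__ import annotations

import re

# Assumed values for the illustration: the genuine breach-response domain
# named in the post and a brand vocabulary used to split it into tokens.
LEGIT_DOMAIN = "equifaxsecurity2017.com"
BRAND_TOKENS = {"equifax", "security", "2017"}


def registrable_part(domain: str) -> str:
    """Return the second-level label: 'https://www.x.com/y' -> 'x'.
    Simplification: real code would consult the public suffix list."""
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), dynamic programming over rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def segment(label: str, vocab: set[str]) -> list[str] | None:
    """Greedily split `label` into vocabulary tokens, longest token first.
    Returns None when any part of the label is not in the vocabulary."""
    tokens, i = [], 0
    by_length = sorted(vocab, key=len, reverse=True)
    while i < len(label):
        match = next((t for t in by_length if label.startswith(t, i)), None)
        if match is None:
            return None
        tokens.append(match)
        i += len(match)
    return tokens


def lookalike_reason(candidate: str, legit: str = LEGIT_DOMAIN,
                     vocab: set[str] = BRAND_TOKENS, max_edits: int = 2) -> str | None:
    """Explain why `candidate` resembles `legit`, or return None if it does not.
    Check 1: same brand tokens in another order (the trick the fake site used).
    Check 2: a small edit distance (one swapped or substituted character)."""
    cand, real = registrable_part(candidate), registrable_part(legit)
    if cand == real:
        return None  # identical registrable name: this is the genuine site
    cand_tokens, real_tokens = segment(cand, vocab), segment(real, vocab)
    if cand_tokens and real_tokens and sorted(cand_tokens) == sorted(real_tokens):
        return f"same tokens as {real!r} in a different order: {cand_tokens}"
    dist = levenshtein(cand, real)
    if dist <= max_edits:
        return f"{dist} edit(s) away from {real!r}"
    return None


if __name__ == "__main__":
    # Constructed candidates: the real impostor from the post, a typo variant
    # with a capital O for zero, the genuine site, and an unrelated domain.
    for d in ["securityequifax2017.com", "equifaxsecurity2O17.com",
              "https://www.equifaxsecurity2017.com/", "example.org"]:
        print(f"{d:40} -> {lookalike_reason(d)}")
```

Run against a feed of newly registered domains or certificate-transparency logs, a check like this gives a security team early warning that a lookalike of its own domain has appeared, which is exactly the gap the engineer’s demonstration exposed.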
Next on the list, Equifax’s website in Argentina. This is actually a separate hack that just happened to come about at the same time the news was being released about the previous hack. A cybersecurity firm was testing the strength of Equifax’s website and found that the username and password for the database storing all the South American employee information were admin/admin. With this information, the firm was able to figure out the Argentine SSN equivalents, names, and emails of over 100 Equifax employees.

– Michael


Trustico Servers Compromised

When you surf the web, your web browser requests and receives data from some remote server. If you are logging into a website, you want your login information to be secure, meaning that when you send that information to the remote server for verification, you don’t want the data to be in plaintext where it can be eavesdropped on by someone on the network. This is where the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols come in. These protocols are in use when the website you visit has HTTPS instead of HTTP, with the ‘S’ standing for “secure”.

These protocols are based on a public key and a private key. These keys can separately be thought of as two halves of a whole key, and the whole key can be used to determine whether the information sent or received is from a source you expect, allowing you to know the data has not been compromised by another party. This is because data encrypted using somebody’s public key can only be decrypted using the same person’s private key. Suppose B is sending data to A. Then B uses A’s public key to encrypt the data, and when A receives the data, A can use its private key to decrypt it. Therefore, it is important to keep the private key locked up and secret.

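To make the two halves of the key concrete, here is an added example (not code from the original post, and not how any real TLS library is implemented) using textbook RSA with tiny primes. It shows both directions the paragraph above describes: anything encrypted with the public half can only be decrypted with the private half, and a signature made with the private half can be checked by anyone holding the public half, which is how a recipient knows data came from the source it expects. The primes 61 and 53, the exponent 17 and the one-byte-per-block encoding are assumptions chosen to keep the arithmetic visible; real keys are thousands of bits long and use padding.

```python
import hashlib

# Toy RSA for illustration only (assumed parameters, not a real key).


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)): the public and private halves of one key pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, plaintext: bytes) -> list[int]:
    """Encrypt with the PUBLIC half; each byte becomes one number below n."""
    n, e = pub
    return [pow(b, e, n) for b in plaintext]


def decrypt(priv, blocks: list[int]) -> bytes:
    """Only the PRIVATE half reverses the encryption."""
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """Signing uses the PRIVATE half: only its owner can produce this value."""
    n, d = priv
    return pow(_digest_mod_n(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Verification uses the PUBLIC half: anyone can check, nobody can forge."""
    n, e = pub
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)          # n = 3233, e = 17, d = 2753
    blocks = encrypt(pub, b"login")
    print("ciphertext blocks:", blocks)
    print("decrypted with private key:", decrypt(priv, blocks))
    # Trying to "decrypt" with the public half yields garbage, not the byte.
    print("public-key attempt on 'A':", pow(encrypt(pub, b"A")[0], pub[1], pub[0]))
    sig = sign(priv, b"hello")
    print("signature verifies:", verify(pub, b"hello", sig))
    print("altered signature verifies:", verify(pub, b"hello", (sig + 1) % pub[0]))
```

Note the asymmetry the post relies on: leaking the private half breaks both properties at once, since whoever holds it can read anything encrypted to the owner and can sign as the owner. With a modulus this small the hash is folded into only 3233 possible values, which is one reason real keys are 2048 bits or more.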
This is where companies that issue SSL certificates come in. There are various ways to encrypt the data to make it secure, and various companies claim their algorithm is more secure or meets whatever criteria the server’s use requires, including warranties, browser support, subdomains, speed, and other additional exclusive features in a package.

On March 1, a user with the Twitter handle @svblxyz noticed that he was not able to validate his certificate issued by Trustico, a certificate reseller, and that the site was instead running curl requests (curl is a command-line tool, often used in scripts, for downloading data), as displayed in the application logs. Another user with the Twitter handle @Manawyrm revealed that it’s possible to trick the script on the server doing the curl request into running some other command, also known as code injection. The most shocking thing about that was that the application logs showed that the command was run as root (the highest privilege level, with no restrictions), meaning that the script was running as admin. Another user with the Twitter handle @ebuildy also helped reveal that the company doesn’t use proxies, meaning that it is possible to inject code that would display all of the IP addresses of their LAN devices.

Having a code injection vulnerability on a server is bad enough, since it lets anyone essentially mess around with it. Having a code injection vulnerability that allows you to run things as root is even worse, since you then have complete access to the server. Put all that on a server which validates SSL certificates, and you have a complete nightmare. Following the tweets, it did not take the internet long to put Trustico’s server offline. One bad thing that could have happened is someone wiping all data on the server, possibly with no hope of recovery, or someone installing a bunch of backdoors on the server (allowing that person to get back in even after Trustico fixed the problem).

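The root cause described above is a hostname or certificate field being pasted into a shell command line. Here is an added example (not Trustico’s code, whose internals the post does not show) of the defensive pattern that prevents it: validate the input against a strict allow-list of DNS characters, then hand curl an argument list so no shell ever interprets the value. The function names, the curl options and the sample inputs are assumptions for the illustration; the vulnerable construction is included only as a string that is never executed.

```python
from __future__ import annotations

import os
import re
import subprocess

# A DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def validate_hostname(host: str) -> str:
    """Allow-list validation. Only label characters survive, so shell
    metacharacters such as ';', '$(', backticks or spaces are rejected
    before they could ever reach a command line."""
    host = host.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        raise ValueError(f"hostname length out of range: {host!r}")
    for label in host.split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid hostname label: {label!r}")
    return host


def vulnerable_command_line(host: str) -> str:
    """The SHAPE of the bug in the post, shown for contrast and never run here:
    the value is interpolated into one string meant for shell=True, so the
    shell, not curl, decides where the command ends."""
    return f"curl --silent --head https://{host}/"


def build_curl_command(host: str) -> list[str]:
    """Safe form: argv as a list. subprocess passes it straight to execve(),
    no shell parses it, so the hostname is data and can never become a command."""
    return ["curl", "--silent", "--head", "--max-time", "10",
            f"https://{validate_hostname(host)}/"]


def running_as_root() -> bool:
    """The second problem in the post: a checker like this has no business
    running as root. On POSIX, refuse to start when the effective uid is 0."""
    return getattr(os, "geteuid", lambda: -1)() == 0


def safe_fetch(host: str, run=subprocess.run) -> subprocess.CompletedProcess:
    """Validate, then run curl without a shell and without raising on a
    non-zero exit. `run` is a parameter so tests can substitute a fake."""
    if running_as_root():
        raise PermissionError("refusing to run the certificate checker as root")
    return run(build_curl_command(host), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: one legitimate hostname and three injection attempts.
    for candidate in ["Example.COM.", "example.com; id", "$(whoami).example.com", "a b.com"]:
        try:
            print("argv:", build_curl_command(candidate))
        except ValueError as err:
            print("rejected:", err)
    print("vulnerable form would have been:", vulnerable_command_line("example.com; id"))
```

The two fixes are independent: the argv list removes the shell from the picture, and the allow-list rejects anything that is not a hostname even if some other code path later builds a string. Dropping root is the third layer, limiting what an injection could reach if both of the others failed.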
However, the worst thing that could have happened is private keys for SSL certificates being compromised. The user with the Twitter handle @ebuildy was able to figure out that Trustico doesn’t use proxies because, when using code injection to display their localhost info, the results returned their own certificate under the company’s name. This means their private key could have been compromised, and anyone could have used code injection to run a command and see the data unencrypted if they wanted to. Anyone who sent their SSL certificates for validation would have had their certificates compromised. As of now the exploit is fixed, and their old certificate was revoked and replaced with a new one.

A few days before the security flaw was found, Trustico intended to revoke security certificates issued by Symantec/DigiCert. Mozilla and Chrome browsers were rejecting DigiCert certificates after over 30,000 of them were misissued. As a result, Trustico decided it was better to switch from DigiCert to Comodo. According to a statement by Trustico, “We believe the orders placed via our Symantec® account were at risk and were poorly managed. In good conscience we decided it wasn’t ideal to have any active SSL Certificates on the Symantec® systems, nor any that didn’t meet our stringent security requirements”.

After they requested that DigiCert revoke the certificates so they could be replaced with Comodo ones, DigiCert declined to do so unless the certificates were compromised. Trustico then proceeded to email them the private keys of the certificates, thus compromising them, which provided insight that their certificate validation tools logged the private keys of certificates. According to Jeremy Rowley from DigiCert, “Trustico has not provided any details of how the private key leaked or how they acquired the keys”, leading to skepticism about whether any stored private keys were accessed by unauthorized parties during the time the code injection vulnerability was present.

— Alex Baraker

Sources:

  1. https://www.instantssl.com/ssl-certificate-products/https.html
  2. https://info.ssl.com/faq-what-is-a-private-key/
  3. https://www.instantssl.com/ssl-certificate.html
  4. https://twitter.com/svblxyz/status/969220402768736258
  5. https://twitter.com/Manawyrm/status/969230542578348033
  6. https://twitter.com/cujanovic/status/969229397508153350
  7. https://twitter.com/ebuildy/status/969230182295982080
  8. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/BLvabFwcJqo
  9. https://gbhackers.com/google-announces-final-distrusting-symantec-ssl-certificates/
  10. https://www.trustico.com/news/2018/symantec-revocation/certificate-replacement.php
  11. https://bitkan.com/news/topic/69234
  12. https://gbhackers.com/23000-ssl-certificates-revoked/

Security Without Communication is Worthless

Security without communication is worthless. If the public doesn’t understand security terms, they will be affected. This can be due to the fact that security policies use very technical terms to describe things. They were technical enough that people either were affected because they didn’t follow the terms correctly, or they didn’t care. For example, the industry doesn’t use the prefix “cyber” on its own, as most people don’t interpret it as hacking. Another technical term is “black market”, which in general usage means the dark web. The new cyber security style guide aims to bridge the communication gap so that anybody can understand it.

This matters because in order to get one’s point across, one must communicate it in a way that the other person thinks. For example, if one describes his/her position to someone who isn’t in the same field, they may or may not understand what the position does. Or, when you are helping someone with their homework, it is best to explain it in their way of thinking, so they can understand your message. In security, if one says it the technical way and the general public doesn’t understand, people in security are wasting their time explaining. The solution to this problem is the “new cyber security style guide”. It uses terms that the general public uses and understands, so that security protocols can be followed correctly.

-Anil Adharapurapu

Source: https://www.csoonline.com/article/3258851/security/new-cyber-security-style-guide-helps-bridge-the-communication-gap.html

AI? In my Software? It’s more likely than you think.

A cyber security company, Vectra, recently announced that it had raised $36 million to further its development of security software that uses machine learning to detect anything suspicious in a customer’s network traffic and provide a warning if something appears wrong.

The basic idea of machine learning is to use pattern recognition to learn from previous computations and produce decisions and results that are reliable and repeatable.

By using machine learning to develop the cyber security software, Vectra is able to just monitor the program and not have to update it every time the methods that attackers use change. Instead, the software itself can change how it deals with attacks.

Machine learning has recently grown in popularity, thanks to the growing volume and variety of data, and to processing that is cheaper and more powerful. For the future, this could mean more secure software that is able to detect attacks more easily. If we decide to invest in learning about machine learning now, it is likely that we will have a job in the future.


Sources:

Machine Learning: https://www.sas.com/en_us/insights/analytics/machine-learning.html#

Vectra information: https://venturebeat.com/2018/02/21/vectra-raises-36-million-for-its-ai-cybersecurity-technology/

Tesla’s Amazon Cloud Account hacked and used to mine Cryptocurrency

Tesla recently had an Amazon cloud account hacked and used to mine cryptocurrency. This hack also exposed Tesla’s data. The hack was reported to Tesla by RedLock, a cybersecurity startup, which discovered the intrusion while trying to figure out who had left an Amazon Web Services account open to the Internet.


This type of hacking (called cryptojacking) has been around for a little while but has recently seen a resurgence because the price of cryptocurrencies increased exponentially over the past year. RedLock reaffirmed this by saying “The recent rise of cryptocurrencies is making it far more lucrative for cybercriminals to steal organizations’ computer power than their data.” Cloud environments, like the one Tesla had hacked, are bigger targets because of how little security exists for clouds. The hackers were able to remain undetected by keeping CPU usage low and masking their IP address behind CloudFlare.


With the rise of cryptocurrencies and the lack of security for cloud-based servers, according to RedLock, 8 percent of organizations will face attacks by cryptojackers; however, because of the lack of resource and network monitoring on these servers, most of these attacks will go undetected.


In order to reduce the amount of attacks on cloud servers, both the providers and the organizations using these servers have to work together to try and stop them. Because cloud security is so lacking, it is not only up to the providers (in this case Amazon) to improve cloud computing security, but also the organizations that use these servers to monitor the usage of the servers for things such as “risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities”.
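The first item in that list, “risky configurations”, is the one an organization can check for itself, and the intrusion above started with an account left open to the Internet. Here is an added example (not RedLock’s product or Tesla’s environment) that audits EC2 security group rules for ingress from anywhere (0.0.0.0/0 or ::/0) on ports that are not meant to be public. The sample groups are constructed in the shape of the EC2 DescribeSecurityGroups response (IpPermissions, IpRanges/CidrIp, Ipv6Ranges/CidrIpv6); the group IDs and names, and the policy that only ports 80 and 443 may be world-reachable, are assumptions for the illustration.

```python
from __future__ import annotations

from ipaddress import ip_network

# Constructed sample data in the DescribeSecurityGroups shape (assumed IDs/names).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "GroupName": "k8s-console",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         # IpProtocol "-1" means every protocol and every port.
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000cccc", "GroupName": "internal",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

# Assumed policy: only plain web ports may be reachable from the whole Internet.
PUBLIC_OK_PORTS = {80, 443}


def rule_ports(perm: dict) -> tuple[int, int]:
    """Port range a permission covers; protocol -1 has no port fields."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_sources(perm: dict) -> list[str]:
    """CIDRs in this rule that mean 'anywhere' (a /0 prefix, v4 or v6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]


def audit_security_groups(groups: list[dict], ok_ports: set[int] = PUBLIC_OK_PORTS) -> list[dict]:
    """Return one finding per rule that exposes a non-allowed port to the Internet.
    An all-protocols rule is rated high; a single exposed port is rated medium."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = world_sources(perm)
            if not sources:
                continue  # restricted to some CIDR: not a world-open rule
            lo, hi = rule_ports(perm)
            exposed = set(range(lo, hi + 1)) - ok_ports
            if not exposed:
                continue  # only approved public ports are open
            findings.append({
                "GroupId": group["GroupId"], "GroupName": group["GroupName"],
                "ports": (lo, hi), "from": sources,
                "severity": "high" if perm.get("IpProtocol") == "-1" else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"[{f['severity']}] {f['GroupName']} ({f['GroupId']}): "
              f"ports {f['ports']} open from {f['from']}")
```

In a real account the `SAMPLE_GROUPS` list would come from the EC2 API (for example the boto3 `describe_security_groups` call), and the same loop can run on a schedule so a console or dashboard exposed by a mistaken rule is found by the organization before it is found by someone looking for spare CPU.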

-Ryan Lei

Sources:

http://fortune.com/2018/02/20/tesla-hack-amazon-cloud-cryptocurrency-mining/

https://gizmodo.com/teslas-cloud-hacked-used-to-mine-cryptocurrency-1823155247