“Equifax Data Breach Could Affect half the U.S. Population”

Equifax is a very large credit reporting company who has experienced a cyber attack over the summer. The attack was discovered on July 29 but didn’t become public information until last Thursday, the 5th of September. This data breach could have affected 143 million people. The information that was exposed includes social security numbers, address, and birthday information. Equifax is also saying 209,000 credit cards were exposed including some from the UK and Canada. A big problem with this attack is Equifax was a service used to protect from identity theft but now the integrity of the site has been compromised by this attack.

Once Equifax discovered the breach they began working with private security companies to figure out what happened and how they should go about fixing it. The FBI is also investigating the attack to try and find who is responsible. Another big problem with this breach is it could affect you even if you have never been a customer of Equifax. Equifax collects info. from credit card companies to create credit scores so it is possible your card is one of the ones exposed.

The hack has been reported to have been caused by a vulnerability from a “website application” Not much has been said on the details of the hack. Another problem has popped up from this attack. Equifax has created a website to enter your information and see if you have been exposed to this attack. According to George Weidman Founder of the security firm Shevirah “It’s teaching people entirely the wrong things about using the internet securely”. If this new website has vulnerabilities it could expose even more people.

-Levi Walker



https://www.nbcnews.com/tech/security/massive-equifax-data-breach-could-impact-half -s-population-n799686


Recent Excellus Hack

Excellus Blue Cross Blue Shield, a local Rochester based health insurance provider that operates in Central and Western New York State has learned of a major breach within their system. According to the Excellus website, they insure about 7 million customers and patients, but over 10 million people were affected because the breach also included associates Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies, and Univera.

It has been found that there was unauthorized access to Excellus’ IT systems as early as December 2013 and it is estimated that 10.5 million records have been compromised. With help from Mandiant, a cyber-security firm, it was found that names, birth-dates, Social Security numbers, addresses, phone numbers, member id numbers, financial  information and even medical records were affected. However, it has not yet been determined if this information was removed from the Excellus systems, and there have been no reports of any of this information being used in any malicious or inappropriate way.

Executives from Exellus stated that their data was encrypted but hackers gained unauthorized administrative access to their systems, allowing them to access the data. On the home page of the Excellus website as well as all of it’s affected associates’, a notice appears giving information about the recent cyber attack. Excellus is offering free identity protection to all who are affected, and the FBI is currently investigating this attack.

Excellus Website: https://www.excellusbcbs.com/wps/portal/xl/

Article on SC Magazine: http://www.scmagazine.com/excellus-bluecross-blueshield-announces-breach-105m-records-at-risk/article/437651/

Robert Abbott

Apple Malware Theft

Today Apple had what quickly becoming know as their largest account theft, due to malware. Palo Alto Networks and Weip Tech came across a server that held over 225, 000 valid user names and passwords that had been stolen via a new malware family named KeyRaider in the iOS.

The malware only effects users with jailbroken iOS devices has struck users in 18 countries. According to Claud Xiao, “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”

KeyRaider is also stealing Apple’s push notifications and private keys, but it’s also sharing the App store’s purchasing information. These stolen credentials eventually allow users to make purchases for free using iOS jailbreak tweaks.

They’ve also been locking down devices, and holding them for ransom. It disables unlocking operations, and demands a ransom without going through the Apple push servers.

According to Jonathan Sander (the Lieberman Software VP), and Tim Erlin (Tripwire’s Director of IT Security and Risk Strategy), jailbreaking your iPhone paints a target on your back, and in this case it was taken advantage of.

~ Kathleen Justen


Chip and Pin Bank Cards

US banks are finally rolling out a new and more secure type of debit and credit card technology that should strengthen their security. Currently cards use a magnetic strip that holds the card number and expiration date which provides very little security since the card number is being transmitted over the point of sale device and the magnetic strip makes it easy to clone a credit card with stolen information. The EMV “smart card” technology (a joint effort of Europay, MasterCard, and Visa) cards have a built in chip that replaces the functionality of the magnetic strip. However, the chip provides much more security because every time it is used, it generates a one-time transaction code that is cryptographically signed and transmitted. This means that if thieves are able to skim a point of sale terminal or hack into a retailer’s network the codes they steal are worthless. This could have prevented much of the damages caused by breaches like Target, where millions of card numbers where stolen.
These EMV card are not exactly new technology since they have been available since the early 2000’s and most of the rest of the world has already adopted them as the gold standard. The roll out in the US has been very slow because of the great costs of issuing new cards and upgrading point of sale terminals at retail locations. However, with the rise in identity theft and credit card fraud at an all time high, the credit card companies are pushing for the new more secure technology. They are forcing the retailers to transition to the EMV chip and pin terminals by setting a deadline of October 1st, 2015. After that all any company that accepts credit and debit card payments but doesn’t have chip and PIN readers in place could face increased liability and fines for fraudulent transactions incurred if card data is stolen from them.
Author: Charles Leavitt

Source: http://www.wired.com/2015/04/hacker-lexicon-chip-pin-cards/

JPMorgan Chase Bank Hacked

JPMorgan, the largest bank in the United States, was hacked over the summer. Earlier this year we saw reports that a hack had potentially occurred and the perpetrators were Russian, and back in August the bank made a statement that it was cooperating with law enforcement officials over the suspected incident, which happened in July.

Just a few days ago, it was revealed that a hack had actually occurred. The damage? 76 million households and 7 million small businesses had their information stolen during the breach.

Interestingly, this comes during a string of other attacks targeting other banking organizations in the United States, and after the attacks on Target and Home Depot.

While JPMorgan states that no financial data has been obtained by the hackers, the user contact information compromised included names, addresses, phone numbers, email addresses and internal customer data. There’s no evidence, however, that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised. Further, there has been no fraud seen related to the breach, and JPMorgan has said that customers are not liable for any fraudulent charge.

Even without any direct banking information being compromised, JPMorgan fears that the hackers will come back with a wave of spear phishing attempts and seeks to push awareness of such an attempt – along with other methods – to the forefront of customer minds.

A JPMorgan official says: “Customers of all banks should be more worried about identity theft, that someone in Eastern Europe or Russia or elsewhere steals your identity to get a credit card to say, buy a car or any other item.”

This person notes that “JPMorgan along with all other banks has teams of workers specifically monitoring both customer credit and debit card accounts to detect and stop fake charges as well as cyber hacking activity.”

Thankfully they, along with the FBI, are working on the case. They had better be.