Tuesday, October 3, 2017

Not Whether But When

Richard Smith, the CEO of Equifax while the company leaked personal information on most Americans (and suffered at least one more leak that was active for about a year up to last March) was held accountable for these failings by being allowed to retire with a mere $90M. But at Fortune, John Patrick Pullen quotes him as uttering an uncomfortable truth:
"There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it,"
Pullen points out that:
The speech, given by Smith to students and faculty at the university's Terry College of Business, covered a lot of ground, but it frequently returned to security issues that kept the former CEO awake at night—foremost among them was the company's large database.
Smith should have been losing sleep:
Though it was still 21 days before his company would reveal that it had been massively hacked, Equifax, at that time, had been breached and knew it.
Two years ago, the amazing Maciej Cegłowski gave one of his barn-burning speeches, entitled Haunted by Data (my emphasis):
imagine data not as a pristine resource, but as a waste product, a bunch of radioactive, toxic sludge that we don’t know how to handle. In particular, I'd like to draw a parallel between what we're doing and nuclear energy, another technology whose beneficial uses we could never quite untangle from the harmful ones. A singular problem of nuclear power is that it generated deadly waste whose lifespan was far longer than the institutions we could build to guard it. Nuclear waste remains dangerous for many thousands of years. This oddity led to extreme solutions like 'put it all in a mountain' and 'put a scary sculpture on top of it' so that people don't dig it up and eat it. But we never did find a solution. We just keep this stuff in swimming pools or sitting around in barrels.
The fact is that, just like nuclear waste, we have never found a solution to the interconnected problems of keeping data stored in real-world computer systems safe from attack and safe from leaking. It isn't a question of whether the bad guys will get into the swimming pools and barrels of data, and exfiltrate it. It is simply when they will do so, and how long it will take you to find out that they have. Below the fold I look at the explanation for this fact. I'll get to the implications of our inability to maintain security in a subsequent post.

To summarize the explanation, it is that real-world computer systems are embedded in real-world organizations. It might be possible to build a system that was secure when embedded in an ideal organization, but it definitely isn't possible to build a system that remains secure when embedded in a real-world organization.

At Bloomberg, Michael Riley, Jordan Robertson, and Anita Sharpe have a detailed report on the organizational background to the Equifax leak of personal information on most Americans, and the earlier problem that allowed the bad guys to file fake tax returns and claim large refunds. They report that initially, CEO Smith considered security a priority but it didn't last:
Not long after becoming CEO, he hired Tony Spinelli, a well-regarded cyber expert, to overhaul the company's security. ... Apparently, gaps remained. After the breach became public in September, Steve VanWieren, a vice president of data quality who left Equifax in January 2012 after almost 15 years, wrote in a post on LinkedIn that "it bothered me how much access just about any employee had to the personally identifiable attributes." ... Spinelli left in 2013, followed less than a year later by his top deputy, Nick Nedostup. Many rank and file followed them out the door, and key positions were filled by people who were not well-known in the clubby cybersecurity industry.
Smith's replacement for Spinelli was:
Susan Mauldin, a former security chief at First Data Corp., to run the global security team. Mauldin introduced herself to colleagues as a card-carrying member of the National Rifle Association, according to a person familiar with the changes.
That alone should have disqualified her; it shows that in her personal life she preferred the security theater of waving a big gun around to the data showing that gun-owners are a bigger threat to their family than to the bad guys. She wasn't effective at making security a priority:
“Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security." ... But one former security leader said he finally joined the talent exodus because it felt like he was working with the “B team.”
That's because he was on the B team. Given the incentives facing a CEO, the A team at the company will always be the one boosting the bottom line this quarter, the pervasive effect of short-termism. At Equifax CEO Smith had things he needed to get done:
Smith acquired two dozen companies that have given Equifax new ways to package and sell data, while expanding operations to 25 countries and 10,000 employees. Business was good—the company’s stock price quadrupled under Smith’s watch,
All two dozen companies had incompatible systems that needed to be integrated into Equifax's by the end of the next quarter so that the stock continued to rise. While, of course, ensuring that these external systems contained no vulnerabilities, that none were introduced during the integration, and that none of the new employees posed an insider threat. In at least one case, this process clearly failed. Brian Krebs reported that:
an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system. ...

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.
It wasn't just employees' information that was at risk:
From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.
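To make the two failures in Krebs' account concrete, here is an added example of my own (not Krebs' findings and not Equifax's code; the account records and the page template are constructed). The "dots" in the browser were just a password input whose value attribute the server had filled in with the stored plaintext, so anyone with a session could read it from the page source. The block shows that vulnerable template beside a version that never sends the secret to the client, an audit check that flags any password input carrying a value, and a check for the two credential patterns in the story: the default admin/admin pair and passwords equal to the username.

```python
import html
import re

# Constructed sample accounts in the shape Krebs describes (not real data):
# a default admin/admin account, and users whose password is their username.
SAMPLE_USERS = [
    ("admin", "admin"),
    ("perez", "perez"),
    ("jgarcia", "JGarcia"),
    ("mlopez", "kN8!vq2#Lw"),
]


def render_profile_vulnerable(username, password):
    """Hypothetical vulnerable template: it pre-fills the password field with the
    stored plaintext. The browser paints dots, but 'view source' shows the value."""
    return (
        '<form method="post">'
        f'<input name="user" value="{html.escape(username)}">'
        f'<input type="password" name="pass" value="{html.escape(password)}">'
        '</form>'
    )


def render_profile_fixed(username):
    """Hardened template: the secret never leaves the server. A password is reset,
    not displayed, and only a salted hash of it should be stored server-side."""
    return (
        '<form method="post">'
        f'<input name="user" value="{html.escape(username)}">'
        '<input type="password" name="new_pass" value="" autocomplete="new-password">'
        '</form>'
    )


INPUT_TAG_RE = re.compile(r'<input\b[^>]*>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def leaked_passwords(page_html):
    """Audit check: every non-empty value= on a password input is a secret that
    any logged-in user (or anyone holding admin/admin) can read from the HTML."""
    found = []
    for tag in INPUT_TAG_RE.findall(page_html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("type", "").lower() == "password" and attrs.get("value"):
            found.append(html.unescape(attrs["value"]))
    return found


def weak_credentials(users):
    """Flag the two patterns in the story: the default admin/admin pair, and
    passwords that are just the username (case-insensitive)."""
    findings = []
    for user, password in users:
        if (user, password) == ("admin", "admin"):
            findings.append((user, "default credential"))
        elif password.lower() == user.lower():
            findings.append((user, "password equals username"))
    return findings


if __name__ == "__main__":
    for user, password in SAMPLE_USERS:
        page = render_profile_vulnerable(user, password)
        print(user, "leaks:", leaked_passwords(page))
    print("weak:", weak_credentials(SAMPLE_USERS))
```

The audit function is the kind of check that can run against every rendered page in a test suite; it would have caught the Argentina portal on the first request. The credential check needs the plaintext to work, which is itself the tell: a system that can run it in production is storing passwords in a form it should not have.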
Clearly no-one at the C-level in Equifax was going to give priority to the security of some penny-ante dispute resolution portal in Argentina. But it is very likely that, had it been the bad guys snooping around, they would have found links from this system to others on Equifax's network, and been able to get in this way too.

The Argentinian dispute resolvers need to get their work done. They didn't have the resources to pay a top-flight developer to build a system for them, the more so because dispute resolution doesn't fatten the bottom line. So they kludged something together and, not being security gurus, made lots of mistakes.

You may be thinking Equifax is unusually incompetent. But this is what CEO Smith got right. It isn't possible for an organization to restrict security-relevant operations to security gurus who never make mistakes; there aren't enough security gurus to go around, and even security gurus make mistakes. It only takes one mistake, in Equifax's case a delay of more than four days in patching a bug in widely used Web infrastructure, to let the bad guys in:
Information [Nike Zheng] provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software. ... Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta,
The delay was, in fact, far worse. In Congressional testimony, ex-CEO Smith revealed that:
an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect.
Although a patch for the code-execution flaw was available during the first week of March, Equifax administrators didn't apply it until July 29,
Other recent examples of organizational security incompetence include Deloitte:
analyst firm Gartner ... in June named Deloitte the world’s best IT security consultancy for the fifth year in a row.
On September 25th it was revealed that Deloitte was:
the victim of a cybersecurity attack that went unnoticed for months. ... The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016. ... The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”. The account required only a single password and did not have “two-step“ verification, sources said.
This motivated others to start looking at Deloitte. By the next day, it was obvious that Deloitte's security wasn't up to scratch. For example (9/26):
a collection of Deloitte's corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.
And also:
Deloitte has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should be behind a firewall and/or with two-factor authentication as per industry best practices. ... “Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind.”
Not to mention:
a Deloitte-owned Windows Server 2012 R2 box in South Africa with RDP wide open, acting as what appears to be an Active Directory server – a crucial apex of a Microsoft-powered network – and with, worryingly, security updates still pending installation.
If the "security consultancy of the year" for the last five years straight can't get its act together, and nor can security vendor Kaspersky, what chance has a company like Adobe (9/22):
Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys.
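The Deloitte credentials on GitHub and Google+ and the Adobe private key in a PSIRT post are the same mistake: secret material pasted into something public. The cheap defence is a pattern check on whatever is about to be published. Here is an added example of mine (not Deloitte's, Adobe's or any vendor's tooling; the sample file is constructed, and the AWS key in it is Amazon's documented placeholder value) that scans text for private key blocks, AWS access key IDs and password assignments, of the kind a pre-commit hook or a mail-template check would run.

```python
import re

# Constructed sample of a file about to be pushed to a public repo (not from
# Deloitte or Adobe). The AWS key is Amazon's documented placeholder value.
SAMPLE_TEXT = """\
# vpn notes for the team
vpn_host = vpn.example.com
vpn_password = Winter2017!
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBFnGexampleexampleexampleexample
-----END PGP PRIVATE KEY BLOCK-----
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
# public material below is fine to publish
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFnGexampleexample
-----END PGP PUBLIC KEY BLOCK-----
"""

# Each rule is (label, compiled regex). Patterns are deliberately narrow so the
# check can block a commit without drowning people in false positives.
RULES = [
    ("pgp private key", re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----")),
    ("pem/openssh private key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password assignment",
     re.compile(r"(?i)(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+")),
]


def scan_text(text):
    """Return (line number, rule label) for every line that trips a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def safe_to_publish(text):
    """Gate for a pre-commit hook or a PSIRT mail template: True only if clean."""
    return not scan_text(text)


if __name__ == "__main__":
    for lineno, label in scan_text(SAMPLE_TEXT):
        print(f"line {lineno}: {label}")
    print("safe:", safe_to_publish(SAMPLE_TEXT))
```

Note what the rules do not catch: a public key block passes, as it should, and a password stored under an unrelated variable name passes too. A check like this buys you the obvious cases; it does not replace keeping private keys off the machines that send mail in the first place.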
Or Apple (9/26):
There's a vulnerability in High Sierra and earlier versions of macOS that allows rogue applications to steal plaintext passwords stored in the Mac keychain, a security researcher said Monday.
Or the companies targeted in the attack Cisco found that used the popular CCleaner application as a distribution channel, including (9/18):
at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself
Karl Bode at TechDirt has the first one I've found today (10/3), a vehicle tracking company's database in a public Amazon S3 bucket:
this one is notable for its high creep factor. SVR advertises that its technology provides “continuous vehicle tracking, every two minutes when moving” and a “four hour heartbeat when stopped.” That means that a hacker that had gained access to the login data would be able to track everywhere a customer's car has been in the past 120 days.
Richard Forno of Stanford Law School's Center for Internet and Society points out additional reasons for complacency about security:
Companies can purchase insurance policies to cover the costs of response to, and recovery from, security incidents like data breaches. Equifax’s policy, for example, is reportedly more than US$100 million; Sony Pictures Entertainment had in place a $60 million policy to help cover expenses after its 2014 breach.

This sort of business arrangement – simply transferring the financial risk from one company to another – doesn’t solve any underlying security problems. And since it leaves behind only the risk of some bad publicity, the company’s sense of urgency about proactively fixing problems might be reduced. In addition, it doesn’t address the harm to individual people – such as those whose entire financial histories Equifax stored – when security incidents happen.
when cybersecurity problems happen, many companies start offering purported solutions: One industry colleague called this the computer equivalent of “ambulance chasing.” For instance, less than 36 hours after the Equifax breach was made public, the company’s competitors and other firms increased their advertising of security and identity protection services. But those companies may not be secure themselves.  ...  when companies discover that they can make more money selling to customers whose security is violated rather than spending money to keep data safe, they realize that it’s profitable to remain vulnerable.
I could keep going, but you get the idea. The supply of incompetence is endless. So also is the supply of vulnerabilities, as shown by the really important 2010 paper by Sandy Clark, Stefan Frei, Matt Blaze and Jonathan Smith entitled Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities. They show that the honeymoon during which newly released code escapes attackers' attention is short-lived, and that the rate at which zero-day vulnerabilities are found rises as a code base ages and attackers become familiar with it. So even if an organization is staffed exclusively by infallible security gurus, it will still get compromised via a zero-day.


Fazal Majid said...

Excellent write-up, as always.

One point worth mentioning: the CEO is not "retiring" because he was pushed out, he is doing so to get his $90M payout before the company is sued into bankruptcy, thus preventing him from collecting. It's smart risk management for someone who obviously knows how to look for Number One. Hint: it's neither the Equifux shareholders nor the public at large.

In that respect, he is no different in exploiting externalities than the banking executives at too-big-to-fail institutions who loaded up on risky debt because volatility is good for short-term stock options upside, while bad for shareholders and taxpayers.

David. said...

You can't make this stuff up:

"Shortly after we all learned of a massive security breach at Equifax in which the personal information of 143 million [corrected: 145.5 million] Americans and sundry Brits and Canadians was plundered by hackers, the US Internal Revenue Service awarded Equifax a no-bid contract – to provide identity verification services for the tax authority.

People's social security numbers, used by the IRS to identify folks, were among the private information left unencrypted on accessible servers and then stolen from Equifax. Which is now being paid to identify US taxpayers. That totally makes sense."

David. said...

It has only taken Yahoo! 4 years to figure out what happened:

"In a filing on Tuesday to America's financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the total number of user accounts illegally accessed by hackers in 2013 wasn't the 500 million earlier reported, nor the one billion it later confessed, but all of them – all three billion accounts."

David. said...

Cory Doctorow writes:

" At yesterday's Congressional hearings on the Equifax breach, Senator Elizabeth Warren took a moment to enumerate all the ways that Equifax will benefit from doxing 145,500,000 Americans.

For starters, there's the "free" credit monitoring service that was Equifax's initial sop to public outrage over its unforgivable carelessness. While the service is indeed free for the first year, every year thereafter Equifax will autobill you $17/month. If less than 1% of the people who signed up for credit monitoring after the breach forget to cancel, the company will make an extra $200,000,000/year."

That should really motivate Equifax to take security more seriously!

David. said...

Brian Krebs has another installment of the rolling security disaster that is Equifax:

"In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax."

David. said...

You would think that after blaming the leak of most Americans' details on a single employee, Equifax would have fired the culprit and bullet-proof security would have been restored overnight. Sadly, no:

"The site that previously gave up personal data for virtually every US person with a credit history was once again under the influence of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo."

David. said...

Unlike Deloitte, Accenture was not the "world’s best IT security consultancy" five years running. But they are strong competitors in this field:

"Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.

The data could be downloaded without a password by anyone who knew the servers' web addresses."


"Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext.

Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers."

David. said...

Not to be outdone by Equifax, TransUnion is also competing in the malware distribution market:

"Equifax isn't the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, is also sending visitors to the fraudulent updates and other types of malicious pages."

David. said...

The military claim to be experts at cyber-warfare. Maybe at the attack side, but defense? Not so much:

"A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. ... Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach."

Hat tip to phalse phace at /.

David. said...

The result of Equifax distributing malware is that its $7.2M no-bid contract with the IRS has been suspended:

"The tax-collecting agency is now temporarily suspending the contract because of another Equifax snafu. The Equifax site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors' computers with adware that was detected by just three of 65 antivirus providers. The development means that at least for now, taxpayers cannot open new Secure Access accounts with the IRS."

David. said...

Malvertising from both Equifax and TransUnion was part of a campaign affecting a thousand or so sites via a compromised JavaScript library. Jerome Segura says:

"The reality is that most websites rely on CDNs [content distribution networks] and loading external JS [JavaScript], but that can also be a weakness and expose your visitors to malicious traffic if any of those get compromised."

This is an instance of a huge problem for the Web. As Thomas Claburn wrote back in March:

"The web has a security problem: code libraries. Almost 88 per cent of the top 75,000 websites and 47 per cent of .com websites rely on at least one vulnerable JavaScript library.

As described in a recently published paper, "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web," researchers from Northeastern University in Boston, Massachusetts, have found that many websites rely widely on insecure versions of JavaScript libraries and that there's no immediate way to eliminate this problem."

And, because of Familiarity Breeds Contempt, the older the library the more known vulnerabilities it will have.
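Segura's point, that a site inherits the security of every CDN-hosted script it loads, has a standard countermeasure worth showing: Subresource Integrity, where the page pins a hash of the script it expects and the browser refuses to run anything else. The block below is an added example of my own (not Malwarebytes', Segura's or the Northeastern group's code; both script bodies are constructed, the second simulating a CDN copy altered to bounce visitors to a fake Flash update page like the ones served from the Equifax and TransUnion sites). It shows the build-time side that emits the integrity attribute and a model of the browser-side verification that rejects the tampered copy.

```python
import base64
import hashlib
import hmac

# Constructed script bodies (not a real library). The second simulates a CDN
# copy that has been altered to bounce visitors to a fake "Flash update" page.
ORIGINAL_JS = b"window.widget = {version: '1.0.0'};\n"
TAMPERED_JS = (b"window.widget = {version: '1.0.0'};\n"
               b"location.href = 'https://update.example/flash.html';\n")

ALLOWED_ALGOS = ("sha256", "sha384", "sha512")


def sri_integrity(body, algo="sha384"):
    """Build-time: the value to put in the <script integrity=...> attribute."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported algorithm {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body):
    """Emit the pinned tag; crossorigin is required for SRI on cross-origin loads."""
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            f'crossorigin="anonymous"></script>')


def sri_verify(body, integrity):
    """What the browser does on load: recompute and compare. Any mismatch means
    the script is not executed. (Simplified: one token, not the spec's rule of
    picking the strongest of several.)"""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in ALLOWED_ALGOS:
        return False
    return hmac.compare_digest(sri_integrity(body, algo), integrity)


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/widget.js", ORIGINAL_JS)
    pinned = sri_integrity(ORIGINAL_JS)
    print(tag)
    print("original loads:", sri_verify(ORIGINAL_JS, pinned))
    print("tampered loads:", sri_verify(TAMPERED_JS, pinned))
```

Two caveats. The pin covers only the file it is on; anything that script fetches in turn is unprotected. And pinning means every library upgrade requires a new hash, which is exactly the deliberate version review the Northeastern paper finds most sites never do; a compromised CDN then breaks the page instead of serving malware, which is the better failure.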

David. said...

angryea at Daily Kos makes an excellent point about schedule pressure:

"Programmers, like everyone else, are embedded in an economic system. If there is schedule pressure it does not come from the programmers, who are generally interested in making things. Rather, it comes from the businesses that employ them, who are generally interested in making money. Getting in the way of making money, by, say, holding out for better software, sooner or later leads to unemployment absent any other countervailing factors. Unions are countervailing factors. Professional associations are countervailing factors. Counting on the good will of your employers is not, in most cases, a countervailing factor."

David. said...

This morning's bad news on the security front includes a serious flaw in WPA2 and a flaw in high-security crypto cards:

"The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest."

David. said...

Oh, and the news that private companies can make money re-selling the telcos' ability to track you in real time:

"These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required). These services are doing this with the assistance of the telco providers."

Tip of the hat to Rob Beschizza:

"It knew my name and address and more besides, and located me to a few hundred feet's accuracy. I certainly never knowingly opted-in to it."

David. said...

Today starts with cryptocurrency mining in the cloud:

"Security outfit RedLock's security trends report [PDF], out this month, said developers and organizations are not securing their AWS, Azure and Google Cloud Platform systems, allowing miscreants to hijack them to steal processor cycles for digging up alt-coins. It's believed hackers are able to get into boxes by using their default credentials.

RedLock says companies stung this way included security company Gemalto and insurer Aviva.

Its investigators “found a number of Kubernetes administrative consoles deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected,” the report stated.

It's one way to save yourself the price of enough iron to mine even one Bitcoin. For example, the Bitcoin Energy Index estimates the total energy consumed by miners over the next year will be 21 Terawatt-hours, and it takes 215 kWh for a single transaction."

215 kWh/transaction - think about that for a moment.

David. said...

The IRS does not expect the 143M personal details leaked by Equifax, the company that assures your identity to the IRS based on these details, to have a major effect, because:

"the agency believes a “significant” number of the victims already had their information stolen by cyber criminals.

“We actually think that it won’t make any significantly or noticeable difference,” Koskinen told reporters during a briefing on the agency’s data security efforts. “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals.”

The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.


“It’s an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information,” Koskinen said of the breach on Tuesday, in response to a reporter’s question.

The IRS commissioner advised Americans to “assume” their data is already in the hands of criminals and “act accordingly.”"

So that's OK, then.

But wait! "everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information" and "act accordingly". What exactly are these actions? We didn't give the information to Equifax, we didn't leak it, we didn't set up a stupid identity system based on information that wasn't secret even before Equifax leaked it, the IRS did. Oh, and:

"The IRS itself was the victim of a breach in 2015 that exposed personal information associated with more than 700,000 accounts."

David. said...

Dan Goodin's Microsoft never disclosed 2013 hack of secret vulnerability database reveals what might be called a meta-hack:

"Hackers broke into Microsoft's secret, internal bug-tracking database and stole information related to vulnerabilities that were exploited in later attacks."

Why go to all the work of finding vulnerabilities one-at-a-time when there is a whole database full of them ripe for the picking?

Anonymous said...

«"There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it,"»

There is a legendary quote from the mainframe era, "As far as we know, our computer has never had an undetected error", and a wise friend commented on this "same for an undetected hack".
These are a much deeper quote and comment than they seem.

Anonymous said...

«holding out for better software, sooner or later leads to unemployment absent any other countervailing factors. Unions are countervailing factors. Professional associations are countervailing factors. Counting on the good will of your employers is not, in most cases, a countervailing factor.»

There are several reports of huge PHB pressure on certified civil and mechanical engineers to "stamp" designs even if they have reservations on them. It is illegal to try, but surely bonuses and promotions go only to "team players".
Fortunately for PHBs a lot of engineering work can be outsourced to countries that seem to have a far more flexible approach.

David. said...

Another day, another crypto standard found to have been flawed all along:

"The attack, explained ... here, is in an ancient pseudo-random number generator (PRNG) protocol, deprecated in many products, but still present in plenty including around 25,000 devices made by Fortinet.

The protocol in question is the ANSI X9.31, which lingers from the 1990s. Until 2016 it was approved by the US government's FIPS Cryptographic Module Program, and uses a fixed key as one of the inputs to generate pseudorandom numbers."

Another illustration of the phenomenon explained in Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities.

David. said...

Breaches are always worse than you can imagine. Equifax Was Warned writes Lorenzo Franceschi-Bicchierai:

"Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it—but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline."

It wasn't hard to find the vulnerabilities:

"In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard."

Read the whole thing. It would be hilarious if it wasn't so serious. Or so not serious, as the IRS says, because the bad guys already had all that information.

David. said...

Today's fun-erability from Catalin Cimpanu:

"the AtmosConnect 8 platform comes with a secret backdoor account that allows full access to the platform.

Researchers spotted the backdoor account when they found a function in the AtmosConnect source code that was named "authenticateBackdoorUser".

You don't have to be a rocket scientist to realize what the function does. Investigating the code, researchers realized that the backdoor account username is unique per device, and is the "Post Office" ID shown on each AtmosConnect 8 login screen.

The password is derived from this ID, and anyone can deduce how to compute it just by looking at the AtmosConnect source code and reverse-engineering the authenticateBackdoorUser function."

David. said...

Among the companies that can't keep security-critical information secret is Google:

"Google's platform to deal with bugs and unpatched vulnerabilities had a bug that allowed a security researcher to see a full list of known, unpatched vulnerabilities within Google, creating a kind of bug inception that could have led to more damaging hacks."

David. said...

Bruce Schneier's must-read testimony to the House Energy & Commerce Committee on the Equifax breach is here.

David. said...

"Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example on average, the phishing tools Google studied collect 234,887 potentially valid login credentials, and the keylogging tools collected 14,879 credentials, each week."

Hat tip to CNN. The paper is here:

"7–25% of exposed passwords match a victim’s Google account ... We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s."

David. said...

Cory Doctorow reports that Richard Smith's replacement as Equifax CEO:

"has told Congress that he's not really sure if the company has finally started encrypting the detailed, compromising, sensitive data they nonconsensually harvest from every person in the USA."

David. said...

Hack o' the Day - Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says:

"A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate."

"The initial response from experts was, “’We’ve known that for years,’” and, “It’s not a big deal,” Hickey said.

But in March 2017, at a technical exchange meeting, he said seven airline pilot captains from American Airlines and Delta Air Lines in the room had no clue.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,'” Hickey said."

and the vulnerabilities aren't going to be fixed:

"Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s"

David. said...

Today's headline vulnerabilities include a zero-day in Apple's HomeKit that can compromise your "smart" door-lock, and a "fileless" vulnerability in all versions of Windows that uses NTFS transactions to load malware, then rolls back the transaction to make the malware invisible to anti-virus software:

"The good news is that "there are a lot of technical challenges" in making Process Doppelgänging work, and attackers need to know "a lot of undocumented details on process creation."

The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

Process Doppelgänging now joins the list of new attack methods discovered in the past year that are hard to detect and mitigate for modern AVs, such as Atom Bombing, GhostHook, and PROPagate.

David. said...

"Microsoft accidentally left a Dynamics 365 TLS certificate and private key where they could leak, and according to the discoverer, took 100 days to fix the bungle." reports Richard Chirgwin at The Register.

David. said...

Not to mention that, ironically, last Thursday:

"Microsoft has posted an out-of-band security update to address a remote code execution flaw in its Malware Protection Engine."

David. said...

"A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ." reports Iain Thomson at The Register.

And the winner is:

"The top password is, depressingly, still 123456, followed by 123456789, qwerty, password and 111111,"

David. said...

"Researchers working on a technology to detect unannounced data breaches have found, to their dismay, that one per cent of the sites they monitored were hacked over the previous 18 months." Richard Chirgwin at The Register reports on research by Joe DeBlasio at UCSD.

David. said...

"AT&T's DirecTV wireless kit has an embarrassing vulnerability in its firmware that can be trivially exploited by miscreants and malware to install hidden backdoors on the home network equipment, according to a security researcher. ... [Ricky] Lawshae homed in on the Linux-powered wireless bridge, and found it was running a web server. Incredibly, rather than hit a login form or similar, he found the builtin web server would cough up internal diagnostic information." Iain Thomson links to a video of Lawshae getting a root shell in less than 30s. Even the "network experts" can't get the simplest things right.

David. said...

"Revelations from papers leaked by former NSA sysadmin Edward Snowden that the NSA paid RSA Security $10m to use the weak Dual_EC_DRBG technology by default in its cryptographic toolset show that concerns about mathematical or by-design backdoors are far from theoretical." John Leyden at The Register reports on a Black Hat presentation by Eric Filiol and Arnaud Bannier who:

"presented BEA-1, a block cipher algorithm which is similar to the AES and which contains a mathematical backdoor enabling an operational and effective cryptanalysis. “Without the knowledge of our backdoor, BEA-1 has successfully passed all the statistical tests and cryptographic analyses that NIST and NSA officially consider for cryptographic validation,” the French crypto boffins explain."
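
The Dual_EC_DRBG backdoor that Leyden's article refers to is mechanical enough to show in a few dozen lines. What follows is an added example, not code from this page, from The Register, or from Filiol and Bannier: a toy model in Python of the Shumow-Ferguson attack. It assumes a constructed curve y^2 = x^3 + x + 17 over F_p with p = 2^31 - 1, a constructed secret scalar e with P = e*Q, and a generator that drops 5 bits of each output instead of the real generator's 16 (the real one runs on NIST P-256 with fixed P and Q whose relationship, if any, was never published). Whoever knows e recovers the internal state from two consecutive outputs and predicts everything that follows; anyone who does not know e sees output that passes statistical tests, which is exactly the property BEA-1 was built to demonstrate for a block cipher.

```python
# Toy model of the Dual_EC_DRBG backdoor (Shumow & Ferguson, 2007).
# Added example; the curve, seed and scalar e are CONSTRUCTED for illustration
# and make no security claims.  Pure Python 3.8+, no third-party packages.

# Constructed toy curve  y^2 = x^3 + a*x + b  over F_p.  p = 2^31 - 1 is prime and
# p % 4 == 3, so a modular square root is a single exponentiation.
p = 2**31 - 1
a, b = 1, 17                      # 4a^3 + 27b^2 = 7807 != 0 mod p: non-singular curve
BITS = p.bit_length()             # 31
TRUNC_BITS = 5                    # the real DRBG drops the top 16 of 256 bits; we drop 5 of 31
MASK = (1 << (BITS - TRUNC_BITS)) - 1


def add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % p == 0:    # P1 == -P2
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a point (x, y) on the curve with this x, or None if none exists.
    The sign of y is irrelevant to the attack: e*(-R) = -(e*R) has the same x."""
    rhs = (x * x * x + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None


def first_point(start=2):
    """Smallest x >= start that is the x-coordinate of a curve point."""
    x = start
    while lift_x(x) is None:
        x += 1
    return lift_x(x)


Q = first_point()
e = 0x1234567                      # constructed secret scalar: knowing e IS the backdoor
P = mul(e, Q)                      # the published "constants" P and Q satisfy P = e*Q


class DualEC:
    """Dual_EC_DRBG core loop: s <- x(s*P); emit x(s*Q) with the top bits dropped."""

    def __init__(self, seed):
        self.s = seed % p

    def next(self):
        self.s = mul(self.s, P)[0]
        return mul(self.s, Q)[0] & MASK


def recover_state(out1, out2, e):
    """Backdoor: from two consecutive outputs and e, recover the state that the
    generator holds after emitting out1, i.e. the value behind every later output."""
    for hi in range(1 << TRUNC_BITS):            # brute-force the dropped bits
        x = (hi << (BITS - TRUNC_BITS)) | out1
        if x >= p:
            continue
        R = lift_x(x)                            # candidate for s*Q (either sign)
        if R is None:
            continue
        s_next = mul(e, R)[0]                    # e*(s*Q) = s*(e*Q) = s*P: its x is the next state
        if mul(s_next, Q)[0] & MASK == out2:     # confirm the guess against the next output
            return s_next
    return None


def demo(seed=0xC0FFEE, n=5):
    """Returns (predicted, actual): the attacker's forecast of the generator's next
    n outputs after observing only two, and what the generator really emitted."""
    victim = DualEC(seed)
    out1, out2 = victim.next(), victim.next()
    clone = DualEC(recover_state(out1, out2, e))
    predicted = [clone.next() for _ in range(n)]
    actual = [victim.next() for _ in range(n)]
    return predicted, actual


if __name__ == "__main__":
    pred, act = demo()
    print("attacker:", pred)
    print("victim:  ", act)
    print("backdoor works:", pred == act)
```

The point to take from the toy is that nothing in the output betrays the trapdoor: an auditor who does not know e sees x-coordinates of points on a curve, which is precisely what the generator is supposed to produce. The only defence is to refuse constants whose provenance cannot be verified (nothing-up-my-sleeve generation, or P and Q you derived yourself).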

David. said...

"Electrum has long been one of the most popular Bitcoin software wallets. It’s fast, simple and lightweight. It’s a “light” wallet, that doesn’t require you to download a 150 gigabyte blockchain before you can do anything.

It turns out to have been completely insecure since 2015 — any web page you go to could have stolen your coins." Tavis Ormandy found this, and discovered that a bug report for it was months old:

"Bitcoin users responded to news of the security hole as you might expect, including accusing Ormandy of not understanding computer security"

David Gerard notes:

"The more general problem is that cryptocurrency security is vastly harder than any normal user can be expected to achieve — because every mistake or theft is utterly irreversible, by design."

David. said...

"A leaked set of disclosures made by Equifax to the US Senate have revealed that the breach of 145.5 million Americans' sensitive financial data was even worse than suspected to date: in addition to data like full legal names, dates of birth, Social Security Numbers, and home addresses, it appears that Equifax also breached drivers' license numbers and issue-dates." writes Cory Doctorow. Equifax explains why they didn't reveal this initially:

"the original list of vulnerable personal information was never intended to represent the full list of potentially exposed information."

So maybe they breached our bank account numbers and passwords too. Time may tell.

David. said...

Breaches are always worse than the victims say - Equifax identifies additional 2.4 million customers hit by data breach reports Reuters.

David. said...

"As well as the ... 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too."

Richard Chirgwin at The Register has the latest numbers on the Equifax breach.

David. said...

Brian Krebs has discovered that Equifax operates a second, stealth credit reporting agency called NCTUE. The story is long and pretty amazing, but Cory Doctorow's summary is on point:

"Equifax operates a secondary, noncompliant credit bureau called National Consumer Telecommunications and Utilities Exchange (NCTUE), on behalf of a secretive cartel of owners led by AT&T, but also including mysterious organizations like "Centralized Credit Check Systems."

Freezing your credit report has no effect on NCTUE; what's more, NCTUE operates in a careless and incompetent fashion, with invalid SSL certificates and other glaring errors. NCTUE has a separate system for freezing your credit report there, but it doesn't work -- filling in the form and submitting it just returns obscure errors. You may be able to freeze your report by calling NCTUE, but they might charge you a separate fee, and there's no guarantee you'll get through."

David. said...

Exactis said to have exposed 340 million records, more than Equifax breach by Abrar Al-Heeti reports:

"Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million individual records on a publicly accessible server, Wired reported. Earlier this month, security researcher Vinny Troia found that nearly 2 terabytes of data was exposed, which seems to include personal information on hundreds of millions of US adults and millions of businesses, the report said.

"It seems like this is a database with pretty much every US citizen in it," Troia told Wired."

David. said...

Olivia Beavers' House panel issues scathing report on 'entirely preventable' Equifax data breach reports that

"The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information."

The 96-page report was authored by Republicans but attacked by Democrats:

"two Democratic lawmakers also criticized the content of the report.

"The Republican staff report merely reiterated findings by media outlets and the Government Accountability Office about Equifax's cybersecurity vulnerabilities and the company's lack of preparedness to protect breach victims," they said in their statement. "In contrast, the Democratic staff report provides detailed legislative and oversight recommendations to better protect consumers from future cyberattacks."

Cummings and Johnson recommended "requiring federal financial regulatory agencies to report their efforts to protect consumers from cybertheft and identify areas Congress could enhance agencies' authorities to achieve that goal," guidelines for federal contractors to comply with established cybersecurity standards, a comprehensive notification law that dictates how victims of a victim breach must be notified and an amended Federal Trade Commission Act to "strengthen civil penalties for private sector violations of consumer data security requirements."

David. said...

Kate Fazzini's The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme is interesting:

"CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.

But none of them knows where the data is now. It's never appeared on any hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.

But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies."

David. said...

Brian Krebs reports that First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records:

"The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents."

David. said...

Sidney Fussell's This Is Exactly What Privacy Experts Said Would Happen recounts the inevitable leak of Customs and Border Protection's personal data:

"U.S. Customs and Border Protection announced yesterday afternoon that hackers had stolen an undisclosed number of license-plate images and travelers’ ID photos from a subcontractor. Privacy and security activists have long argued that as law enforcement vacuums up more data without legal limits, the damage of a possible breach scales up. The lack of restrictions on data collection is why, for many experts, this hack feels like an inevitability.

According to an emailed statement to journalists from CBP, an unnamed subcontractor transferred copies of license-plate images and travelers’ photos from federal servers to its own company network, without CBP’s authorization. Hackers then targeted and successfully breached the subcontractor’s network. CBP reports that its own servers were unharmed by any cyberattack."

And, as is usual with data breaches, it is likely to be worse than first revealed:

"The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. “If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data,” Loder told me."

David. said...

In Equifax settles with FTC, CFPB, states, and consumer class actions for $700m Cory Doctorow reports that:

"Equifax's market cap stands today at $16.6B, and it posted $3.412B in earnings in 2018, a 1.48% increase from 2017.

The company has settled virtually all the civil liability from its breach for $700m. The victims of the breach have effectively unlimited, permanent liability from this breach and will face identity theft, fraud and stalking risks for the rest of their lives -- and after they die, their estates will also be under threat from the breach.

The settlement covers federal liability from the FTC and CFPB, class action suits, and most state attorneys general actions."

No biggie - 20% of 2018 earnings.

David. said...

Ethan Wolff-Mann's Equifax used 'admin' as username and password for sensitive data: lawsuit starts:

"Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia.

The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail.

“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.

The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website."

David. said...

When I was writing this back in 2017 I should have noticed that 18 months earlier Bruce Schneier had written the definitive account of the problem in Data Is a Toxic Asset, So Why Not Throw It Out?:

"because the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever. Figuring out what isn’t worth saving is hard. And because someday the companies might figure out how to turn the data into money, until recently there was absolutely no downside to saving everything. That changed this past year.

What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous."