Tuesday, September 19, 2017

EQUIFAX - There should be a limit to just how deep you go.


Second opinion piece within one week on the same subject, must be that kind of week.

The type of week that makes it simply too overwhelming to keep my fingers off the keyboard.

As it stands now, it is no longer a big secret that Equifax was not doing what they should have been doing and they exposed a vast amount of extremely sensitive personal information.

LAWSUITS 

The FTC (Federal Trade Commission) in the US has officially commented that they are investigating.  Also of interest, in Atlanta, a lawsuit has been filed for  “gargantuan failures to secure and safeguard consumers’ personally identifiable information … and for failing to provide timely, accurate and adequate notice”  Add to that Massachusetts who just announced legal action for failing to protect its residents and maybe a landslide of lawsuits is just around the corner.

This is very interesting, and I certainly wish someone... anyone.... in Canada decided that these services put together by chimpanzees with duct tape should ALL be investigated and audited to ENSURE that a REASONABLE level of security is in place.  All we have so far... is a rather weak statement from the privacy commissioner. 

TOP QUALITY SECURITY PROFESSIONALS

Something even more fascinating came out, this was the fact that their CSO (Chief Security Officer) was paid a ridiculously large salary which didn't seem to help their security posture since issue after issue have been reported over the last few days. Including the services in one country being accessible with the ever so complexe and secure username ADMIN and password ADMIN.

Several video and audio interviews performed in the past by EQUIFAX's CSO have been pulled from Youtube and SoundCloud.  Luckily the Internet is responding by finding their own copies and reposting them

It seems that watching these videos and listening to the CSO's discussions gave you little doubt that this breach was going to happen.

Luckily they have all been pulled from the Internet, only a few transcripts remain at http://archive.is/6M8mg

Unlucky for us since we cannot view these gems and make our own opinion.

What has surfaced is that the CSO's formal training appears to be in Music (Music Major).  This got the entire Internet in an uproar, however on it's own, it really is meaningless as good security requires intelligence and common sense, and I know plenty of musicians that have both.

This does however become very pertinent when under every stone the Internet lifts up, fumes from a pile of shit seem to rise.

So Equifax in Canada appears to have announced that at least 100,000 Canadians have been exposed, that they are protecting these accounts with their protection services for free, and that the ongoing investigation should conclude within a few weeks when they can finally announce who got screwed.   Fascinating that they are stating that they are protecting the 100,000 people right now, as they publish this news, yet they do not know who they are, and will let them know when their investigation concludes.

So just to recap, so far we have:
1) Hidden the breach for something that appears to be 5 months or more

2) Inside trading as senior execs sold stock after the breach was known and prior to it being announced

3) Someone with intimate knowledge shorted the stock to the tune of 4 million

4) Several senior execs just decided to retire

5) The CSO has no formal training yet is paid a multimillion dollar salary and has also just retired

6) Equifax was reported as compliant to PCI, ISO, SOX II TYPE II, etc.

7) Their critical systems where not patched and up to date

8) At least one system had no valid password to protect the ADMIN account yielding access to all client data

9) Their response to the incident is clearly amateur.

10) Somehow they had unencrypted credit card numbers just sitting there, or their encryption architecture was so so weak... Yes... weak it is as the private keys are accessible in the web panel.

11) They put together a credit monitoring service that is also exposed

12) They put together a site to tell you if your data has been exposed that returns random results.

13) They are erasing any Video/Audio traces of their Musical CSO

14) .....   I could go on, and on and on, but I'm tired of going through tons of notes on the subject... you get the idea....

This folks is how to NOT run an incident response.

SETTING A GOOD EXAMPLE

This week, another significant security breach has surfaced.  CCleaner is a utility program used by millions and it got hacked and ended up deploying malicious code on it's users workstations.

Listen up to how they managed this crisis.

They came out and said the following: (reference article here)

a) We are sorry
b) We screwed up
c) This is exactly how it happened
d) This is exactly what we did to fix it
e) This is exactly what we are doing to address the root cause so this doesn't happen again

So what do you think is going to happen.

It's going to go away.  They took responsibility and didn't cover it up, came right out and came clean.  It's over, move on.

This is clearly not the angle that Equifax is taking.

COMPARING WITH A TARGET

A few years back a significant breach had taken place at a small retailer called TARGET.

They too took the glamorous path of lies and the strategy of downplaying.

Day 1: We may have had a breach
Day 2: Some client data might have been touched
Day 3: Only 10 million client records could have been affected
Day 4: Only 40 million client records might have been affected
Day 5: Only 70 million client records involved
Day 6: Oh to hell with it, all our client records have been hacked.

What happened, the media ate them alive.

At the exact same time, another retailed had had pretty much the exact same breach.

Neiman Marcus had been hacked using the same technic.  They came out day one and said, we are not sure exactly what happened, but it looks like all our customer data was stolen.

The media wrote about it once, moved on.   What else is there to say.  

The Target went on for more then a month because they kept trying to cover it up.


So here we stand, with Equifax doing such a swell job.

ABSENCE OF CANADIAN LEADERSHIP

Where EXACTLY is our Canadian privacy commissioner ??????

Since Equifax is run by big business for big business... is it untouchable in Canada ?
Since they have all of our data, and most people aren't even their client, nor do we really want them to have our data...... is there anything we can do ?

Why aren't our elected officials taking direct, public actions to investigate a company that CLEARLY needs to be verified.

Also in the news this week, JPMorgan CEO calls bitcoins a fraud and says he will fire anyone in his firm that invests in bitcoins....  bitcoins plunge and JPMorgan shorts it and makes millions.   Yet JPMorgan has been fined 13 billion for fraud in that last years...

Just how far in does the apparatus have to be inserted before someone yells "HEY !  That's deep enough!"

In closing, I recommend reading through this post from SPUZ.ME that highlights some of the exchanges with the hackers who broke into Equifax.  The screen shots kinda of give a big secret away.  Equifax has all your shit accessible from the Internet.  

http://spuz.me/blog/zine/3Qu1F4x.html

or visit the hackers current onion site at :  equihxbdrjn5czx2.onion



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com




Saturday, September 9, 2017

Equifax is "SCREWING" their "customers".



This is an opinion piece... so grab a beer or a line of coke like the Equifax execs have been doing.






First they have repeated security issues, many reported to them and they do nothing.  And they have had breaches in the past (2 others in the last year or so).


Second they appear to be taking full advantage of this "breach" in a way that Donald Trump would appreciate.

Hey, business is business, not my fault you happened to be bent over while I was getting ready to...  All right, let's keep it clean.

Researchers (friendly hackers) noticed something really cool about the NEW service being offered by Equifax to check if your data is part of the breach.

Drum roll please.....

It doesn't really matter what you enter, the answers are random and they just want to push you to their TrustedID service.

Coincidentally subscribing to this service means you are agreeing with their terms and you give up your right to sue their sorry asses.

Take a look at this posting from Sarah Buhr at TechCrunch and your aggravation level is certain to rise unless your dead inside.   


PSA: no matter what, Equifax may tell you you’ve been impacted by the hack

A while back I wrote about the Ashley Madison "hack" and the fact that this company had self proclaimed themselves secure with a made up Security Award.  Well... seems they all went to the same business school as what Equifax is doing and how they are responding to this breach is inline with this type of business practice.

Combine all this with the fact that senior executives sold 2 million in stocks prior to the announcement, and then you add to that the unknown person or persons who shorted the stock and made another 4 million.... you have yourself a really nice picture generally called insider trading along with a few more terms not fit for small children.


Suspect trading in Equifax options before breach might have generated millions in profit



This all points to something missing in our wonderful world called PENALTIES.   Not penalties for the enterprise.  The executives do not care if the enterprise has to pay some penalties.  Penalities for the executives including jail time when their actions are criminal in nature.  

I'm not referencing the insider trading, which I hope is considered criminal.  I'm referencing the lack of respect for their customers data and willful blindness when serious security shortcomings are reported up the chain of command.

And by the way, why are we calling ourselves customers, when in fact we are their product, not their customers.  We are forced to deal with companies run by clowns, and the only time we are customers is if we subscribe to one of their shitty services to access our own damned data and make sure they are reporting accurately on our data !!!  What world are we allowing ourselves to live in.

I have to pay a monthly fee to access my data that I never wanted these idiots to have.  Why... because the banks "need" it the authorize my mortgage.  We certainly don't want the banks taking too much risk.  Wait... didn't they seriously screw up a few years back and lend billions of dollars that they shouldn't have and then the US government bailed them out and they all took in BONUSES !

If you want a really good laugh, take a look at Equifax's SOC 2 TYPE II attestation report.

https://www.equifax.com/assets/WFS/the_work_number_best_practices_in_data_security.pdf




Proof again, that traditional auditing mechanism are meaningless because people LIE. 

Listen up folks:  Companies on the stock market are filled with executives who have ONE priority, themselves.  Therefor they LIE, COVER UP, and IGNORE some pretty significant elements that lead to events like this.  Their bonuses are dependant on everything looking great.

So there you have it folks.  A great big company, audited by other great big companies, compromised at all levels including ethically and morally.

No wonder I prefer family run businesses.  My two most significant clients are family run (one is 500m revenue and the other is several billion) and surprise surprise, when something comes up as a security risk, the CIO brings to the the CEO and no one hides anything.   They just manage the risk, takes decisions, figure out how to be better and fix things.  

Wow.... that's revolutionary.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com







Friday, September 8, 2017

Slow News Week


The quality of journalism can certainly be challenged these days.   It seems that in order to keep your job, the title of every article must sound alarming and catastrophic in nature in order to "sell print".

Sad really, since we end up with a feeling of fake news, and many other side effects.

However, a significant mass of people will be reading these articles and believing the negative feelings being conveyed.  

This morning, in Montreal's very popular "Journal de Montreal", we find an article titled "He receives a strangers card" making reference to a medicare card.   Not a credit card, not a drivers license, but a medicare card.

Poor poor man.   How traumatizing to have received your own card along with a strangers.  How will you sleep through the night and get to work on Monday.

If you ordered underwear from Amazon and received someone else's order of socks would you call the newspaper or would you call Amazon to have the error corrected?

This is not the first time a shit article has been written on a shit subject.   Last year, someone received something from the government that was miss addressed and the newspaper did the same type of article.

Lets look at the risk.

The medicare card has only one piece of sensitive information, your birthdate.  Combined with your name, the person who erroneously received your card, now has a piece of plastic with physical countermeasures similar to a credit card, that has your picture, name and date of birth on it.

What is the risk here..... well....  if the person that received it is Frank Abagnale then maybe he can cannibalise the card, change the picture and used it to get free medical services.  Frank wouldn't have your address and know where you bank, so the damages to you are limited to say the least.

In order to sound like a journalist, let me say it this way..... 

"The statistics demonstrate that sending a random medicare card to a random individual will not result in that card being used maliciously"

Did I say statistics... sorry I meant common sense.

"A random citizen does not have access to the talent required to fraudulently use someone else's medicare card"

"A random citizen doesn't have access to the underground networks that use false medicare cards for profite"

Oh oh oh wait.... here is a good one...

"A random citizen can't do shit with your name and date of birth and your ugly mug shot".   Usually considered the same pairing of information that most idiots share with their 800 Facebook "friends".

As an other note.....  news is supposed to be pertinent (in my opinion).  These types of articles only make the security uneducated worry about something that is out of context and of no value.  The fact that a rubber bushing on an envelope stuffing machine felt fat one morning and spewed two cards into an envelope instead of just one is about as newsworthy as watching paint dry or linoleum curl under high humidity. 

Imagine your next family gathering where grandma wobbles over to her security expert grandson and asks "How bad is it dear, am I going to loose my medicare, I read that they sent out my card to the wrong address".

Charming.

I'm pretty convinced that there are large masses of worthy subjects to investigate and report on.   

This happens in security articles too

Take this example: 


Bug in Windows Kernel Could Prevent Security Software From Identifying Malware




According to Microsoft, this isn't a bug, it's a design feature.   Sure we can argue that Microsoft is covering their asses, but the article actually stipulates Microsofts response.   So in my opinion, the article title should have been "Windows Kernel Design makes security software creators work for their money".... but that is far less catchy!

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...