Second opinion piece within one week on the same subject, must be that kind of week.
The type of week that makes it simply too overwhelming to keep my fingers off the keyboard.
As it stands now, it is no longer a big secret that Equifax was not doing what they should have been doing and they exposed a vast amount of extremely sensitive personal information.
LAWSUITS
The FTC (Federal Trade Commission) in the US has officially commented that they are investigating. Also of interest, in Atlanta, a lawsuit has been filed for “gargantuan failures to secure and safeguard consumers’ personally identifiable information … and for failing to provide timely, accurate and adequate notice” Add to that Massachusetts who just announced legal action for failing to protect its residents and maybe a landslide of lawsuits is just around the corner.
This is very interesting, and I certainly wish someone... anyone.... in Canada decided that these services put together by chimpanzees with duct tape should ALL be investigated and audited to ENSURE that a REASONABLE level of security is in place. All we have so far... is a rather weak statement from the privacy commissioner.
TOP QUALITY SECURITY PROFESSIONALS
Something even more fascinating came out, this was the fact that their CSO (Chief Security Officer) was paid a ridiculously large salary which didn't seem to help their security posture since issue after issue have been reported over the last few days. Including the services in one country being accessible with the ever so complexe and secure username ADMIN and password ADMIN.
Several video and audio interviews performed in the past by EQUIFAX's CSO have been pulled from Youtube and SoundCloud. Luckily the Internet is responding by finding their own copies and reposting them.
It seems that watching these videos and listening to the CSO's discussions gave you little doubt that this breach was going to happen.
Luckily they have all been pulled from the Internet, only a few transcripts remain at http://archive.is/6M8mg
Unlucky for us since we cannot view these gems and make our own opinion.
What has surfaced is that the CSO's formal training appears to be in Music (Music Major). This got the entire Internet in an uproar, however on it's own, it really is meaningless as good security requires intelligence and common sense, and I know plenty of musicians that have both.
This does however become very pertinent when under every stone the Internet lifts up, fumes from a pile of shit seem to rise.
So Equifax in Canada appears to have announced that at least 100,000 Canadians have been exposed, that they are protecting these accounts with their protection services for free, and that the ongoing investigation should conclude within a few weeks when they can finally announce who got screwed. Fascinating that they are stating that they are protecting the 100,000 people right now, as they publish this news, yet they do not know who they are, and will let them know when their investigation concludes.
So just to recap, so far we have:
1) Hidden the breach for something that appears to be 5 months or more
2) Inside trading as senior execs sold stock after the breach was known and prior to it being announced
3) Someone with intimate knowledge shorted the stock to the tune of 4 million
4) Several senior execs just decided to retire
5) The CSO has no formal training yet is paid a multimillion dollar salary and has also just retired
6) Equifax was reported as compliant to PCI, ISO, SOX II TYPE II, etc.
7) Their critical systems where not patched and up to date
8) At least one system had no valid password to protect the ADMIN account yielding access to all client data
9) Their response to the incident is clearly amateur.
10) Somehow they had unencrypted credit card numbers just sitting there, or their encryption architecture was so so weak... Yes... weak it is as the private keys are accessible in the web panel.
11) They put together a credit monitoring service that is also exposed
12) They put together a site to tell you if your data has been exposed that returns random results.
13) They are erasing any Video/Audio traces of their Musical CSO
14) ..... I could go on, and on and on, but I'm tired of going through tons of notes on the subject... you get the idea....
This folks is how to NOT run an incident response.
SETTING A GOOD EXAMPLE
This week, another significant security breach has surfaced. CCleaner is a utility program used by millions and it got hacked and ended up deploying malicious code on it's users workstations.
Listen up to how they managed this crisis.
They came out and said the following: (reference article here)
a) We are sorry
b) We screwed up
c) This is exactly how it happened
d) This is exactly what we did to fix it
e) This is exactly what we are doing to address the root cause so this doesn't happen again
So what do you think is going to happen.
It's going to go away. They took responsibility and didn't cover it up, came right out and came clean. It's over, move on.
This is clearly not the angle that Equifax is taking.
COMPARING WITH A TARGET
A few years back a significant breach had taken place at a small retailer called TARGET.
They too took the glamorous path of lies and the strategy of downplaying.
Day 1: We may have had a breach
Day 2: Some client data might have been touched
Day 3: Only 10 million client records could have been affected
Day 4: Only 40 million client records might have been affected
Day 5: Only 70 million client records involved
Day 6: Oh to hell with it, all our client records have been hacked.
What happened, the media ate them alive.
At the exact same time, another retailed had had pretty much the exact same breach.
Neiman Marcus had been hacked using the same technic. They came out day one and said, we are not sure exactly what happened, but it looks like all our customer data was stolen.
The media wrote about it once, moved on. What else is there to say.
The Target went on for more then a month because they kept trying to cover it up.
So here we stand, with Equifax doing such a swell job.
ABSENCE OF CANADIAN LEADERSHIP
Where EXACTLY is our Canadian privacy commissioner ??????
Since Equifax is run by big business for big business... is it untouchable in Canada ?
Since they have all of our data, and most people aren't even their client, nor do we really want them to have our data...... is there anything we can do ?
Why aren't our elected officials taking direct, public actions to investigate a company that CLEARLY needs to be verified.
Also in the news this week, JPMorgan CEO calls bitcoins a fraud and says he will fire anyone in his firm that invests in bitcoins.... bitcoins plunge and JPMorgan shorts it and makes millions. Yet JPMorgan has been fined 13 billion for fraud in that last years...
Just how far in does the apparatus have to be inserted before someone yells "HEY ! That's deep enough!"
In closing, I recommend reading through this post from SPUZ.ME that highlights some of the exchanges with the hackers who broke into Equifax. The screen shots kinda of give a big secret away. Equifax has all your shit accessible from the Internet.
http://spuz.me/blog/zine/3Qu1F4x.html
or visit the hackers current onion site at : equihxbdrjn5czx2.onion
_______________________________________________
Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.
Follow Eric on:
Twitter @ericparent
LinkedIn : EVA-Technologies
www.eva-technologies.com