The IT Nerd

Politico is reporting that the $7 million dollar contract that the IRS gave Equifax to do fraud prevention…. Yes that same Equifax that was pwned in epic fashion…… Has been suspended:

The IRS plans to continue reviewing the security of Equifax’s systems during the suspension. The agency had previously said its hands were tied and it had to keep the contract with Equifax.

“The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract. The contract suspension is being taken as a precautionary step as the IRS continues its review,” agency spokesman Matthew Leas said in a statement.

What could they possibly be reviewing? This is a company that had such craptastic IT practices that it was on the wrong end of the most epic pwnage in history. If that’s not of a reason to steer clear of them, I do not know what would be.

Sometimes, you have to just shake your head.

The hits keep coming from the saga of Equifax getting pwned in epic fashion. First up is this story that a reader pointed me towards:

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info that looked like this:

He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.

Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. 

Wow. Now when the post that I linked to went online, the attacks stopped. So it is possible that Equifax got control of things again. But the fact that this even happened suggests that these clowns have learned nothing from being pwned.

But I’m not done yet. It now seems that as part of the epic pwnage of Equifax 10.9 million U.S. driver’s licenses were stolen: 

10.9 million U.S. driver’s licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers’ records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver’s licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency’s system..

The higher amount of UK customer info that was swiped was something that I told you about yesterday. But the 10.9 million drivers licenses is new. That sort of information could cause havoc for years. I truly feel that we are still just learning how bad this pwnage was and perhaps (though unlikely) not even Equifax truly knows how much they were pwned. And we may never find out for sure. But every detail that does come out shows that this is bad….. And getting worse.

According to The Telegraph, the number of UK Citizens that were affected by the pwnage of Equifax has increased to 700,000 from 400,000. The source of this info? Equifax:

Equifax has admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. 

The credit rating firm said it is contacting nearly 700,000 customers in the UK to alert them that their data had been stolen in the attack, which was revealed in September.

The company originally estimated that the number of people affected in the UK was “fewer than 400,000”. 

But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers.

Hackers potentially compromised a further 14.5 million records that could have contained names and dates of births. 

Things keep going from bad to worse when it comes to this situation…. For the consumer. This is yet another reason why these clowns need to punished in the most server way possible. Companies cannot be allowed to think that they can be complacent with information security and control customer information at the same time.

The dumpster fire that is Equifax flared up again with news that Equifax had a site that allowed one to get salary and work histories with as little as a Social Security Number and a date of birth. Details via Brian Krebs:

In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

This is another reason why there needs to not only severe punishment for this stupidity, but there have to be strict regulations to ensure that this stupidity doesn’t happen. We’re seeing what can happen in the absence of both and this isn’t a nice place to be.

I am not sure that the IRS got the memo, but Equifax was pwned in spectacular fashion not too long ago. Thus you have to wonder what the logic is behind the IRS giving them a $7 million fraud prevention contract:

The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans. A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award. The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract. Lawmakers on both sides of the aisle blasted the IRS decision.

This is truly a WTF moment as it makes no sense to give a contract like this to these clowns who have proven to be totally and completely inept when it comes to protecting personal information. The humans at the IRS who thought that this was a good idea need to be called onto the carpet to explain why this decision isn’t from some alternate reality.

It seems that Richard Smith who was the CEO of Equifax until they got pwned by hackers in epic fashion and then “retired” very quickly started attending a variety of Congressional hearings today. In his testimony today, he issued an apology but deflected any blame for this epic pwnage:

During the hearing, Smith gave an inside perspective on how Equifax lost all that data. He opened with an apology, taking responsibility for the breach and the botched response. 

The door was opened for the breach earlier this year. Equifax had learned in March about a weak spot in the Apache Struts software in a key computer system, but never patched it. Smith said Equifax did everything it was supposed to, but still failed to protect its data.

In his testimony, Smith laid the blame on a faulty scanner for not flagging the vulnerability on March 15 and on a single Equifax staffer responsible for mishandling patches on March 9. He did not name the person.

“Both human deployment and the scanning did not work. But the protocol was followed,” Smith said. 

Wait… He was the CEO at the time. That means the buck stops with him as he is the leader of that company. Right? Isn’t that was leadership is about? I guess he doesn’t see it that way. I should note that he somehow didn’t ask if customer data was swiped and he couldn’t remember when he had spoken to people about the epic pwnage. None of that passes the smell test.

Oh, there was also this tidbit.

The company, which has 9,900 employees, only had one person in charge of its patching process, Smith said.

Clearly security wasn’t a focus for this company despite the fact that they handle all sorts of personal information. #EpicFail. One politician summed it up this way:

Several House committee members suggested federal laws to regulate credit monitoring companies like Equifax. [(R) Rep. Greg] Walden bluntly noted that it would be difficult to stop cyberattacks from human errors like the one Equifax suffered.

“I don’t think we can pass a law that fixes stupid,” Walden said.

No, but I think you can pass a law that punishes stupid stuff like this.

The epic pwnage of Equifax may have been the work of Chinese intelligence says Bloomberg:

Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.

The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.

Before long, hackers had penetrated Equifax. They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. They homed in on a bounty of staggering scale: the financial data—Social Security numbers, birth dates, addresses and more—of at least 143 million Americans. By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax’s computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.

The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the U.S. Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.

Now there’s no smoking gun as such, but this story does paint a picture that the responsible party were the Chinese. There’s one more thing. It seems that part of the reason this went undetected for so long is due to fact that a dispute between Equifax and Mandiant got in the way. The latter was brought-in to help deal with a different security problem, just as the attack was getting underway. Equifax accused Mandiant of using the classic consulting sales trick of using the A-team to sell its services and sending in the B-team after the contract was signed. So Equifax ignored what Mandiant said and the pwnage continued.

You can be sure that this will come up when various congressional committees quiz Ex-CEO Richard Smith this week.

Ex-CEO of Equifax Richard Smith is going to Washington next week to participate in the public flogging known as congressional hearings. I am sure that 143 million Americans, 400 thousand Brits and 100 thousand Canadians really want to hear about how he absolutely screwed up to this degree before he “retired”. Examples of this #EpicFail include hiring a CSO with no IT experience or not applying a patch for Apache Srtuts for months, or having a publicly accessible database with username of admin and the password of (you guessed it) admin. I could go on but you get the idea.

In any case, if you want to hear what he has to say, here’s the schedule of where he’s going in Washington next week:

• Tuesday, Oct. 3, 10:00 a.m., House Energy and Commerce Committee. Rayburn House Office Bldg. Room 2123.
• Wednesday, Oct. 5, 10:00 a.m., Senate Committee on Banking, Housing, & Urban Affairs. Dirksen Senate Office Bldg., Room 538.
• Wednesday, Oct. 5, 2:30 p.m., Senate Judiciary Subcommittee on Privacy, Technology and the Law. Dirksen Senate Office Bldg., Room 226.
• Thursday, Oct. 6, 9:15 a.m., House Financial Services Committee. Rayburn House Office Bldg., Room 2128.

I fully expect this to be a public flogging given the scale of the pwnage that took place. Thus this will be very interesting to watch on TV. Set your PVR and get the popcorn ready.

It seems that the heat is too much for Richard Smith who up until a few minutes ago was the CEO of Equifax. Because he’s suddenly “retired”:

The retirement is effective Tuesday, according to the statement. Mark Feidler, a current board member will serve as Non-Executive Chairman. Paulino do Rego Barros, Jr., president of company’s Asia Pacific region, has been appointed as interim CEO.

I guess he decided to get out and chances are that if he “retired” he’d get paid a nice pile of cash. All in the wake of the most epic pwnage the world has ever seen. Hopefully this doesn’t stop him from being called in front of the public flogging known as a congressional hearing to explain how hand why things went so horribly sideways.

From the “you have got to be kidding” department comes via ARS Technica the news that a tweet from the official Equifax Twitter account is sending people to an apparently fake notification site:

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: “Hi! For more information about the product and enrollment, please visit: securityequifax2017.com.” The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

The level of incompetence displayed by Equifax is beyond mind blowing. Clearly the person running their Twitter account wasn’t up to date as to what he should have been posting. But he’s just a symptom of a larger problem. Which is that Equifax is not only incompetent, but they don’t take the security of the personal information that it holds seriously. I hope the politicians and the various agencies in several countries are paying attention so that these clowns get the punishment that they deserve.