Archive for Equifax

BREAKING: Equifax Pwnage Affected 100K Canadians

Posted in Commentary with tags on September 19, 2017 by itnerd

The number of Canadians affected by the Equifax hack has finally been disclosed: 100,000. Equifax says that they will be notified and offered credit protection. They said the same thing in the US, where the offer also forced people who took it to give up their right to sue. It will be interesting to see if that happens in Canada. In any case, the info that is out in the wild includes names, addresses, SINs (Social Insurance Numbers) and, in “limited cases”, credit card numbers.

Charming.

Hopefully the Privacy Commissioner of Canada, who is conducting an investigation into this pwnage, slaps these idiots silly for exposing so many people to the horrors of identity theft and who knows what else.

Equifax Pwned Months Earlier Than It Said It Was: Bloomberg

Posted in Commentary with tags on September 19, 2017 by itnerd

Bloomberg is reporting that Equifax has admitted to being pwned by hackers five months earlier than the epic hack that we are all talking about. Here are the details:

In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday.


Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said.

The thing is, we are only finding out about the March hack now because Equifax never disclosed it. My guess is that it had to, because given the attention that is focused on Equifax at the moment, someone was bound to find out about it. At least this way they control the message. But it highlights that IT security was an issue at Equifax for much longer than what has been admitted to. It also makes one wonder what other digital skeletons Equifax has hiding in its closets.

Feds Launch Insider Trading Probe Focused On Equifax Execs

Posted in Commentary with tags on September 18, 2017 by itnerd

You might recall that between the time Equifax discovered that it got pwned and the time it was announced, several execs at Equifax sold shares. The party line from Equifax was “nothing to see here”, but apparently the US Department of Justice thinks there is something to see here, as it has launched an insider trading probe:

Prosecutors are looking at the stock sales by Equifax chief financial officer John Gamble, president of U.S. information solutions Joseph Loughran and president of workforce solutions Rodolfo Ploder, said two people, who asked not to be named because the probe is confidential.

Having watched some of these investigations play out in the past, by the time the feds knock on your door, you’re likely in trouble. Sucks to be these execs. Well…. Actually it doesn’t, because this company has let the personal info of millions of people out into the wild, and if they did try to profit off of this before the news was public, they should be punished to the fullest extent of the law. Period.

Equifax Puts Out A Statement On How They Dealt With Being Pwned

Posted in Commentary with tags on September 16, 2017 by itnerd

Yesterday, Equifax put out a statement that says a couple of things. First, it says that the Chief Information Officer and Chief Security Officer are retiring. The latter is Susan Mauldin, who had no formal IT education. The former is David Webb, whose profile is still on the Equifax website for some weird reason. I am linking a cached copy of the page in case Equifax decides to change that. The interesting thing is that neither was mentioned by name in the statement. What’s up with that? Also, what’s up with this “retirement” thing? Is this another way of saying that they were fired with a nice big golden parachute?

The second thing is that they also put out a timeline of what happened and what they did. I am sure that they’re doing this so that they can manage the message, and I’ll let you read it yourself so that you see what their message is. But abruptly canning the CSO and CIO as well as putting out a timeline like this says three things to me:

  1. Equifax’s internal investigation (perhaps aided by Mandiant who is the outside firm that Equifax hired to investigate this mess) shows that this mess is considerably worse than what has been publicly revealed so far.
  2. Equifax CEO Richard Smith is clearly trying to save his own job. Thus the CSO and CIO have been thrown under the bus. Though you could make an argument that they were also negligent in their respective positions. It’s also a safe bet that more people will be tossed under any bus that’s available before this is over.
  3. Financially, Equifax is screwed because the lawsuits are going to pile up from this point onwards. Not only that, nobody is going to want to use their services going forward. Not consumers. Not credit card companies, banks, or any other financial institution. But worse than that is the overwhelming demand by millions of consumers to freeze their credit reports. Equifax (along with Experian and TransUnion) makes a lot of money selling credit information to banks so that they can offer credit cards to you. Credit freezes prevent that. Every new credit freeze is another hit on the annual bottom line. Equifax is bleeding from millions of tiny cuts, and it will only get worse.

Based on the above, this gong show is going to be better to watch than any soap opera because the hits to Equifax are going to keep coming. You should stay tuned to see this company and its CEO get smacked silly.


The CSO Of Equifax Was A Music Major With No IT Background…. WTF?

Posted in Commentary with tags on September 16, 2017 by itnerd

From the “are you serious department?” comes this story from Marketwatch which details the fact that the Chief Security Officer of Equifax had no formal IT background as she was a music major:

Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile lists no education related to technology or security.

This is the person who was in charge of keeping your personal and financial data safe — and whose apparent failings have put 143 million of us at risk from identity theft and fraud. It was revealed this week that the massive data breach came due to a software vulnerability that was known about, and should have been patched, months earlier.

A person with no IT training working as a CSO for an organization that has the personal data of millions? That sounds like an #EpicFail. If that’s not stunning enough, there’s more:

Reporting by a few tech-savvy blogs has found that as soon as the Equifax data breach became public, someone began to scrub the internet of information about Mauldin.

Her LinkedIn page was made private and her last name replaced with “M.” Two videos of interviews with Mauldin have been removed from YouTube. A podcast of an interview has also been taken down.

Unhappily for the scrubbers, the internet archives some material and a transcript of one interview has survived.

This illustrates that once something gets put onto the Internet, it’s very hard to remove it. But let me get to the key point. On top of having shoddy IT practices and not patching their infrastructure in a timely manner, this failure to have someone who actually knows what they are doing in charge of securing the personal information of millions underscores the fact that it should be no shock that these clowns got pwned in epic fashion. It also underscores that they need to be punished for their absolute stupidity in the most severe way possible, so that others who think this sort of behavior is acceptable change their minds immediately.

Canada’s Privacy Commissioner Launches Probe Into The Pwnage Of Equifax

Posted in Commentary with tags on September 16, 2017 by itnerd

The hits keep on coming for Equifax. Canada’s Privacy Commissioner has launched an investigation into the epic hack that has put the personal info of millions of people at risk. Not much is said in the release that the Privacy Commissioner put out. But it does have some interesting facts in it:

  • Equifax has committed to notifying all impacted Canadians in writing as soon as possible. The company will also offer free credit monitoring to those individuals.
  • The company is still working to determine the number of Canadians affected by this incident. At this point in time, it is not clear that the affected data was limited to Canadians with U.S. dealings.

The key thing is that the investigation is a priority for the Privacy Commissioner. That’s not good if you’re Equifax because Canada’s privacy laws actually have some teeth to them. Thus I am hoping that Equifax will get some of the punishment that it deserves.


Breaking: FTC To Investigate The Pwnage Of Equifax

Posted in Commentary with tags on September 14, 2017 by itnerd

I’m going to go out on a limb and say that, in the words of Russell Peters, “someone is gonna get a hurt real bad.” I say that because Reuters is reporting that Equifax is going to be investigated over that massive data breach by the FTC. How do we know this? The FTC, in an unusual move, actually said so:

“The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” spokesman Peter Kaplan said in a brief email statement.

That’s not good if you’re Equifax. It pretty much means that you’re about to get slapped silly. And that’s even before the lawsuits and the public floggings known as congressional hearings happen. Let’s hope the FTC does its job and punishes these guys for the colossal mess that they have put millions of people in.

Equifax Pwnage Was Due To Failure To Apply A Security Patch To Their Website

Posted in Commentary with tags on September 14, 2017 by itnerd

Equifax has apparently admitted that a failure to install a patch on its website led to the biggest data breach in the history of the universe. Here’s what they posted on their www.equifaxsecurity2017.com/ site:

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

Now, here’s why this is a #fail. CVE-2017-5638 was published on March 10 2017, as per this NIST notification. The key part of that notification is this:

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

So, what that means is that Equifax had to be running a version of Apache Struts 2 earlier than 2.3.32 on the 2.3.x branch, or earlier than 2.5.10.1 on the 2.5.x branch. Upgrading to either of those versions (or anything later) would have closed this hole. What makes this one so bad is that the attacker doesn’t need an account or any other foothold: the bug is in how the Jakarta multipart parser handles a malformed Content-Type header, so a single unauthenticated HTTP request with an OGNL expression stuffed into that header runs a command on the web server. But it appears that the upgrade did not happen. What’s worse is that according to Equifax, they were pwned in “mid May 2017” and figured it out in July 2017. So if we work back from “mid May 2017” to the time that the security issue was published, Equifax had nine to ten weeks to install an updated version of Apache Struts. But they didn’t, and now we have pwnage on a scale that has never been seen before.
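To make the two halves of that concrete, here is an added example (my code, not anything from the blog, Equifax, or Apache): a version check that implements the affected range straight from the NIST description quoted above, and a heuristic that flags requests whose Content-Type header carries OGNL expression syntax, which is what an S2-045 probe looks like on the wire. The sample requests are constructed for this example, and the marker list is an assumption, a signature rather than a full parser of the exploit.

```python
"""Defender-side checks for CVE-2017-5638 (Apache Struts S2-045).

Added example, not code from the blog, Equifax, or Apache. The version check
encodes the affected range from the NIST description quoted above; the
header check is a heuristic signature (assumption) for OGNL expressions in
Content-Type. SAMPLE_REQUESTS are constructed for this example.
"""
import re

# First fixed release per branch, from the NIST text: 2.3.x before 2.3.32
# and 2.5.x before 2.5.10.1 are affected. Assumption: only these two
# branches are in scope, as in the quoted description.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def struts_vulnerable(version: str) -> bool:
    """True if this Struts 2 version falls inside the affected range."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False  # not a branch named by the advisory text
    # A shorter tuple that is a prefix compares as smaller, so
    # (2, 5, 10) < (2, 5, 10, 1) is True, as intended.
    return v < fixed


# Fragments of OGNL syntax that never belong in a media-type header.
# Includes the '#cmd=' string the NIST description mentions.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#cmd=|@ognl\.OgnlContext@|ProcessBuilder", re.IGNORECASE
)


def suspicious_content_type(value: str) -> bool:
    """A legitimate Content-Type is a media type plus parameters, nothing more."""
    return bool(OGNL_MARKERS.search(value))


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP request into a lower-cased dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def flag_requests(raw_requests) -> list:
    """Return the indexes of requests whose Content-Type looks like an S2-045 probe."""
    hits = []
    for index, request in enumerate(raw_requests):
        content_type = parse_headers(request).get("content-type", "")
        if suspicious_content_type(content_type):
            hits.append(index)
    return hits


# Constructed samples: a normal upload, an OGNL probe, and a plain GET.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----abc\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='whoami')}\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for version in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        state = "vulnerable" if struts_vulnerable(version) else "fixed"
        print(f"Struts {version}: {state}")
    print("suspicious requests:", flag_requests(SAMPLE_REQUESTS))
```

Two caveats a practitioner should keep in mind: the version check only tells you what the advisory says about a version string, not whether a given deployment actually routes uploads through the Jakarta multipart parser, and the header signature catches the obvious probes, so treat a hit as a reason to look at the server, not as proof that nothing subtler got through.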

Clearly this is another data point that shows Equifax dropped the ball here. And to be frank, it’s as bad as having a public-facing database with a username of admin and a password of admin. Hopefully everyone from politicians to the average consumer is paying attention so that this company gets the punishment that it deserves.

BREAKING: Equifax Pwned Again Due To Their Own Stupidity

Posted in Commentary with tags on September 13, 2017 by itnerd

Noted security expert Brian Krebs has discovered that credit monitoring firm Equifax, which was pwned by hackers in what became the largest data breach in history with significant fallout, had an employee tool based in Argentina that could be accessed by using the user name “admin” and the password “admin”. By using those credentials, he got access to records that included the Argentine equivalent of a social security number.

#fail

This is straight up horrible IT security. No wonder these clowns were pwned. The entire planet needs to sue them out of existence. Not only that, governments in the countries that Equifax operates in need to slap them silly from a legislation perspective. Because frankly, this is unacceptable.

The Fallout From The Pwning Of Equifax Begins

Posted in Commentary with tags on September 8, 2017 by itnerd

With yesterday’s hack of credit monitoring service Equifax being recognized as the biggest leak of personal data in the history of mankind comes a lot of fallout. Let me list what’s happened in the last few hours:

  • Yesterday I noted that Equifax had set up a site to help consumers who were affected by this hack. But according to CNN, if you accept Equifax’s help, you forfeit the right to sue the company. On top of that, you won’t get help right away, and the company won’t help to fix your credit. So what kind of help is this precisely?
  • Yesterday I noted that the company had known about the hack for some time before disclosing it to the public, which was a #EpicFail. That #EpicFail is now greater since it has been disclosed that execs at Equifax sold stock before the pwnage was public. I guess that was a good decision on their part, as Equifax stock is down by almost 18% as I type this. But it highlights that those execs are out for themselves and don’t care about the millions of people whose info is out in the wild. Not that I am shocked by that or anything. It also makes the YouTube video that Equifax CEO Rick Smith posted last night seem hollow and insincere.
  • For those who want some payback for this pwnage, this might be one avenue to get it. Bloomberg is reporting that a class action lawsuit is being filed with the potential for damages to the tune of $70 billion being awarded across the US. The lawyers who are running this are known for big class action lawsuits, so this will likely get a lot of traction.

Finally, what is the real impact of this hack? Here’s what you need to know. In short, someone exploited a flaw in the Equifax website to walk in and swipe data. What data was swiped? Seeing as full names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers are required to get everything from a loan or a mortgage to a cell phone, it’s a safe bet that all of this sort of info was swiped. That makes it far too easy for an evildoer to commit identity fraud, and unlike a password, none of it can be changed. Not to mention what a hostile government could do with it. This is a bloody big deal, and Equifax needs to be severely punished for not securing this data properly, as this is one hack that will take years to get past…. If we get past it at all.

In short, you should be really pissed.