STE WILLIAMS

Sole Equifax security worker at fault for failed patch, says former CEO

Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz’s IT security breach on a single member of the company’s security team.

In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news about Apache Struts, that protocol broke down at Equifax due to human error, meaning no one was told to apply patches for the flaw.


Hackers ultimately exploited the Struts bug on Equifax’s systems to infiltrate the organization and swipe sensitive personal records, including social security numbers, of more than 140 million folks in the US, UK and Canada.

“The human error was the individual who is responsible for communicating in the organisation to apply the patch, did not,” Smith told the subcommittee at around the 1:05:15 mark in the video below.

Congressman Greg Walden sought clarification of that statement, asking “Does that mean that that individual knew the software was there, and it needed to be patched, and did not communicate that to the team that does the patching? Is that the heart of the issue here?”

Smith’s reply was: “That is my understanding, sir.”

Smith said the company had otherwise followed its protocol of distributing information on necessary patches and that in the case of CVE-2017-5638 its procedures were observed, except by the individual mentioned above.

The former CEO said the second cause of the attack was a failure of automated scanning conducted a week after the patch should have been applied. For as-yet-unknown reasons, scans did not detect the presence of un-patched Struts implementations.

Youtube Video

Smith spent more than two-and-a-half hours testifying and, after apologising and taking responsibility for the hack, spent much of that time defending Equifax’s decision to withhold news of the hack for many days after discovering it. Smith repeatedly justified the delay on grounds of avoiding further attacks and ensuring consumer protection measures could be in place.

“It did not help that hurricane Irma took down two of our larger call centres in the early days after the breach,” he said.

Committee members were not kind to Smith, who did not flinch in the face of stern criticism of Equifax’s security practices and response. He even fired back a little, suggesting that “we need a public-private-partnership to best secure Americans’ data going forward.” That idea was modified a little by his interrogators, who suggested regulation of credit bureaux rather than the wider economy. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/

Oracle wants you to drop a log into its cloud, so it can talk security

OpenWorld 2017: Oracle’s founder and chief technology officer Larry Ellison put on his best salesman act Tuesday during his second keynote at the tech giant’s OpenWorld gabfest – this time playing up the impact high-profile IT security breaches have had on organisations and increasing concerns over state hackers.

“The people we’re competing against aren’t the normal competitors … it’s not an easy task to defend yourself against nation states,” Larry Ellison told his audience in San Francisco.

Ellison laid it on thick for the first 20 minutes of his talk, before revealing some more detail of the security solution Oracle will offer as part of its incoming autonomous database.

The Oracle Management and Security Cloud – which Ellison teased in his first keynote on Sunday – is pitched as a highly autonomous system that will detect threats in real-time and automatically take remedial action to shut down attackers and secure data.

The system will ingest information from a range of data sources and then unify and enrich it so the records have similar formats. Ellison said that process will make it possible to use natural language queries such as “show me all the failed logins on the general ledger”.

“The current legacy security systems, there’s lots of data,” Ellison said. “It’s very hard to use data log analytics in a security situation. It’s extremely difficult to do when the data is separated into several different silos.”

As an example, he said: “A Linux log has a different format to an Oracle database log; that’s why it’s so bloody hard for an analyst to go through all these records and figure out what’s going on.”

He added that even in systems that do analyse logs, “there’s no automatic remediation”, as users need to use a completely separate system to take action or patch a database.

Big Red’s offering, he promised, will manage information across all assets – whether that’s cloud or on-premise, Amazon, MongoDB or Oracle cloud – and put it all in Oracle’s cloud for analysis.

Event log data will be enriched with relevant configuration data, Ellison said, meaning that plain English text is added to the complex log records and enabling natural language queries.

“You can’t do anything remotely like that with a lot of separate logs that look entirely different,” Ellison said. “You can’t automate the system unless you have all of that configuration data.”

He added that the information would be enriched with third party information, for instance whether a URL is “bad”, such as if it is associated with malware or ransomware. Customers would be able to add their own third party databases or subscribe to additional Oracle feeds, Ellison added.

Machine learning technologies will be used to detect normal patterns in the data, and take programmed actions when an anomaly is identified, in real-time, such as changing a password or turning on 2FA if a person’s behaviour is unusual.

“We unify, analyse data, detect anomalies and remediate,” he said. “It’s one system and it’s relatively easy to use.”

The system, Ellison noted later, can also be used to monitor performance and improve productivity or other issues – but “security is number one”.

Interestingly, Ellison chose to define Oracle’s forthcoming efforts by saying they’re not what one would expect from Splunk.

“It’s not simply an analytics system like Splunk,” Ellison said. “You can use Splunk to investigate logs … but they stop at the analytics page, they don’t do the remediation. It’s not a connected system.”

The CTO also dedicated a slide to pointing out the differences between the two firms’ tech, which, as one analyst pointed out on Twitter, might actually be a compliment for Splunk. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/04/openworld_larry_ellison_second_keynote/

3 billion Yahoo accounts affected by 2013 breach

On 14 December 2016 Yahoo revealed that a jaw-dropping billion accounts had been affected by a data breach in August 2013. The disclosure arrived hot on the heels of a 22 September admission that 500 million Yahoo accounts had been compromised in a different attack in late 2014.

The announcements changed what we mean by “big”, when we talk about big data leaks. They seemed preposterous and unwieldy, and at the time we marvelled at the scale and wondered – how on earth did it take them three years to notice?

What we didn’t know, didn’t expect, was that Yahoo had badly low-balled the number of affected accounts.

It would be left to Verizon, Yahoo’s new owners, to finally unearth the truth of it – that every last one of Yahoo’s accounts was compromised in the August 2013 incident:

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.

The announcement doesn’t say how many accounts that amounts to but both Reuters and the Associated Press put the figure at 3 billion.

Yahoo reports that the types of information lost in the breach are unchanged:

…stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

It also advises that you change your password and security questions, and, even though payment card and bank account data wasn’t compromised in the breach, to “remain vigilant by reviewing your account statements and monitoring your credit reports”. If you used your Yahoo password on any other sites, change it on those sites too and try not to dwell too long on the fact that criminals have had four years in which to crack Yahoo’s subpar password hashing.

If you did all that in 2016, after the first announcement, then you don’t need to do it again.

Yahoo says it’s “notifying potentially affected users by email”. Don’t wait for an email from Yahoo, though, or for one from a scammer pretending to be Yahoo: assume you’re affected, don’t click on anything in any purple-branded emails, and just go straight to yahoo.com and work your way to the right place.

If, when you get there, you change your password and security questions, I admire your loyalty. If I could close my account again I would, but it’s been closed since December 2016.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WFHAHUEGvVw/

Patch your WordPress plugins: Scum are right now hijacking blogs

The plugin gurus at WordFence have this week found three critical security holes in third-party WordPress extensions that are being actively exploited by hackers to take over websites.

The team was investigating a number of hacking attacks that looked unusual and back-traced the intrusions to a PHP object injection vulnerability. This programming cockup was present in three plugins for the publishing platform WordPress, and patches to close the hole have now been prepared for the following code:

  • Appointments by WPMU Dev (fixed in version 2.2.2)
  • Flickr Gallery by Dan Coulter (fixed in 1.5.3)
  • RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 3.7.9.3)

The flaw can be exploited to force an unpatched website to pull in a remote malicious file and save it on the host machine, giving miscreants a means to install a backdoor on the box. For the Flickr plugin, it was even less complicated: just send the malicious code in a POST request to the site’s root URL and it would install and run it.

Once the attack code is activated, an intruder can take complete control of the site in a matter of minutes and do with it what they like. Script kiddies like the Daesh-bag hacking groups should find this very useful for defacing unpatched websites.

Thankfully these aren’t massively popular apps with barely 20,000 users so far – but that’s still potentially 20,000 websites that can be used as a starting point for more nefarious activities. Administrators are advised to either remove and reinstall the software with the latest version, or simply upgrade. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/03/three_wordpress_plugins_critical_flaws/

Oath-my-God: THREE! BILLION! Yahoo! accounts! hacked! in! 2013! – not! ‘just!’ 1bn!

With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide.

In a filing on Tuesday to America’s financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the total number of user accounts illegally accessed by hackers in 2013 wasn’t the 500 million earlier reported, nor the one billion it later confessed, but all of them – all three billion accounts.

The miserable web giant said that following its 2016 takeover by Verizon – which has its own security consultancy – it “recently obtained new intelligence” that indicated that the network intrusion was much larger than had previously been thought. In fact, it was as large as it could be.

That means account records – including names, addresses, phone numbers, and weakly hashed passwords – for three billion accounts worldwide were exposed to hackers. In its statement today to the SEC, Yahoo! admitted:

Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” added Chandra McMahon, chief information security officer for Verizon.

“Our investment in Yahoo! is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

Despite their words, Verizon management are most likely seething about the news. When the initial hack was disclosed, the telco managed to knock $350m off the $4.8bn asking price for the company. Had it known about the size of the actual hack it could have got a considerably bigger discount.

As for the hackers themselves, the US authorities have indicted four men over the infiltration. American prosecutors claim the hack was ordered by the Russian intelligence services and carried out by hackers-for-hire. One of those alleged miscreants is now in a US jail awaiting trial.

You’d also imagine Yahoo!‘s erstwhile CEO isn’t too bothered. After negotiating the deal Marissa Mayer laughed all the way to the bank with a $55m golden parachute, and is now reportedly looking around for another challenge before retiring. Equifax needs a new CEO – just saying. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/03/yahoo_says_one_beeelion_user_hack_figure_wrong_its_three/

Nothing matters any more… Now hapless Equifax bags $7.5m IT contract with US taxmen

Shortly after the massive security breach in which the personal information of 145.5 million (initially reported as 143 million) Americans and sundry Brits and Canadians was plundered by hackers, the US Internal Revenue Service awarded Equifax a no-bid contract – to provide identity verification services for the tax authority.

The tech contract was awarded on September 29, the same month the network intrusion was revealed, and will be worth $7,251,968 to the troubled credit reporting agency. The fact that the deal was signed off after the news of the massive security failure broke last month suggests someone at the IRS either doesn’t read the headlines, or just doesn’t care one way or the other.

“This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service,” the contract notification, dated September 30, stated.

“A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse.”

Then again, the IRS has form with crap IT security. In 2015, the tax agency admitted about 100,000 US citizens had had their personal information slurped from its servers by miscreants, so it may feel right at home dealing with the klutzes at Equifax.

On Tuesday, Equifax’s former CEO Richard Smith faced a mild grilling from American politicians over the company’s woeful handling of the database breach. Smith blamed the entire hack on a single staffer who knew about a flaw in Apache Struts that the hackers exploited to break in but who didn’t insist the IT department patch to protect systems.

Not that he looked too bothered, sitting before the US House Energy and Commerce Committee. Smith, along with the credit agency’s CIO and CSO, haven’t been fired but instead have simply resigned, er, retired and floated away on their golden parachutes. Smith himself got a payoff of about $90m after his incompetence put most of the adult population of America at risk of identity theft. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/03/equifax_irs_contract/

Google Updates Cloud Access Management Policies

Custom roles for Cloud Identity and Access Management will give users full control of 1,287 public permissions in the Google Cloud.

Google today released a beta version of custom roles for Cloud Identity and Access Management (IAM) on the Google Cloud Platform (GCP) that provides more granular control over data access permissions.

IAM has three basic roles for Owner, Editor, and Viewer, and more than 100 service-specific predefined roles that combine curated permissions to perform tasks on the GCP. Predefined roles are often used to control access to GCP services; for example, the Cloud SQL Viewer role combines all the permissions needed to let users browse and export databases.

Custom roles give users precise control over the 1,287 public permissions for GCP services. This tightens data security in the case someone like an auditor needs to access a database and gather data, but doesn’t need to read the actual information. Admins can build a “custom role” so auditors have permission to access databases but cannot export their contents.

Google advises building custom roles by starting with a predefined role and adjusting it for the organization’s needs. IAM supports custom roles across projects and full organizations to centralize role development, testing, maintenance, and sharing.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/google-updates-cloud-access-management-policies/d/d-id/1330035?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Standards Will Shore up Internet Router Security

The BGP Path Validation draft standards were designed to ensure that Internet traffic flows only along digitally signed, authorized paths.

Industry efforts to strengthen the critical Border Gateway Protocol (BGP) system that the Internet’s core routers use to direct traffic received a boost this week with the release of new draft standards by the Internet Engineering Task Force (IETF).

The standards center around a security feature called BGP Path Validation and are designed to ensure that Internet traffic is not accidentally or maliciously intercepted and rerouted as it travels from one point to another. Such interception has resulted in network disruption, eavesdropping, and financial theft in recent years and has heightened concerns about the vulnerability of the BGP system to targeted attacks.

The new BGPsec standard describes the use of digital signatures on BGP routers so traffic from one point to another on the Internet only flows along an authorized, digitally signed path, the National Institute of Standards and Technology (NIST) announced Tuesday. “Employing this idea of ‘path validation’ together with origin validation could deter stealthy attacks intended to reroute data without the recipient realizing it,” NIST said.

BGP routers direct traffic on the Internet. Each autonomous system (AS) – or network on the Internet – has a BGP router containing routing information for thousands of Internet destinations. The BGP routers exchange the information with each other to ensure that traffic is routed safely from source to destination.

BGP has been in use since at least 1989. It is widely regarded as lacking sufficient protections to prevent malicious attackers from injecting poisoned routing data into the system and rerouting Internet traffic to their networks. As far back as 2013, Internet service provider Dyn recorded multiple instances of traffic from individual IP blocks being misdirected to unintended destinations via BGP tampering. One of them involved traffic from the networks of major financial institutions, ISPs, and governments being rerouted to an ISP in Belarus. Another involved route hijacks from Iceland.

BGPsec is part of a broader industry initiative known as Secure Inter-Domain Routing (SIDR) to address the vulnerabilities that enable this sort of hijacking. One part of the SIDR effort has focused on BGP origin validation, ensuring that BGP routers are able to filter out unauthorized routing updates and only accept valid connections. The second component, which is what BGPsec addresses, is focused on validating the path that traffic takes as it flows from source to destination.

“BGP Origin Validation standards were completed in 2012-2013 and are implemented in most commercial routers,” says Douglas Montgomery, a NIST researcher and manager of the NIST BGP project. All of the Resource Public Key Infrastructure (RPKI) that is required to support BGP origin validation is already in place at all five Internet regional registries, he says.

“The community’s current focus is on expanding the adoption of RPKI and BGP-OV as the logical first step towards improving BGP security,” Montgomery says. 

The implementation of the new BGP path validation standard will take place in three stages.

First, commercial router implementations and RPKI services must become available for path validation. Then enterprises and network operators need to enter their address blocks, autonomous systems, and route origin in the RPKI. Finally, network operators need to use the RPKI information to identify forged BGP announcements and develop local policy to deal with the attempted hijacks, Montgomery said.

“It is hard to predict when BGP-PV will be widely deployed in the Internet,” he says. “The design and standardization work in the IETF was conducted with the expectation that significant deployment might require [about] 10 years.”
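As an added example (not code from the article, from NIST or from any router vendor), the origin-validation step the article describes, in Python: a BGP announcement is classified against a set of RPKI Route Origin Authorizations as Valid, Invalid or NotFound following the RFC 6811 rules, and a local policy of the kind the third stage refers to turns that result into an accept, de-preference or reject decision. The ROAs and announcements are constructed for illustration using documentation address ranges and private AS numbers.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of RPKI ROAs.

Added example, not the article's or NIST's code. Path validation (BGPsec
signatures over the AS path) is a separate step and is not modelled here.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Validity(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class ROA:
    """origin_asn may originate prefix and its more-specifics down to
    max_length bits. Origin AS 0 authorises nobody (an "AS0 ROA")."""
    prefix: Network
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: Network
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix, strict=True), max_length, origin_asn)


def announcement(prefix: str, origin_asn: int) -> Announcement:
    return Announcement(ipaddress.ip_network(prefix, strict=True), origin_asn)


def covers(r: ROA, a: Announcement) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside the
    ROA prefix; the version check keeps subnet_of from mixing IPv4 and IPv6."""
    return r.prefix.version == a.prefix.version and a.prefix.subnet_of(r.prefix)


def matches(r: ROA, a: Announcement) -> bool:
    """A covering ROA whose origin AS and max_length both permit the route."""
    return (covers(r, a)
            and r.origin_asn == a.origin_asn
            and a.prefix.prefixlen <= r.max_length)


def validate(a: Announcement, roas: Iterable[ROA]) -> Validity:
    """RFC 6811: NOT_FOUND when no ROA covers the prefix, VALID when at least
    one covering ROA matches, otherwise INVALID (wrong origin, too specific,
    or an AS0 ROA that forbids any origin)."""
    covering = [r for r in roas if covers(r, a)]
    if not covering:
        return Validity.NOT_FOUND
    if any(matches(r, a) for r in covering):
        return Validity.VALID
    return Validity.INVALID


# Assumed local policy: drop invalids, accept valids at normal preference and
# accept unregistered routes but de-prefer them so a valid route wins.
POLICY = {Validity.VALID: "accept",
          Validity.NOT_FOUND: "accept-depref",
          Validity.INVALID: "reject"}


def decide(a: Announcement, roas: Iterable[ROA]) -> str:
    return POLICY[validate(a, roas)]


# Constructed ROA set (documentation prefixes, private AS numbers).
SAMPLE_ROAS: List[ROA] = [
    roa("192.0.2.0/24", 24, 64496),      # only the /24 itself, from AS64496
    roa("198.51.100.0/24", 26, 64497),   # AS64497 may announce down to /26
    roa("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this
]


def audit(anns: Iterable[Announcement]) -> List[Tuple[str, int, str]]:
    """Classify a batch of announcements: (prefix, origin, decision)."""
    return [(str(a.prefix), a.origin_asn, decide(a, SAMPLE_ROAS)) for a in anns]


if __name__ == "__main__":
    for row in audit([announcement("192.0.2.0/24", 64496),
                      announcement("192.0.2.0/24", 64511),
                      announcement("198.51.100.64/27", 64497),
                      announcement("2001:db8::/32", 64496)]):
        print("%-20s AS%-6d %s" % row)
```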



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-standards-will-shore-up-internet-router-security-/d/d-id/1330038?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Yahoo: All 3 Billion Accounts Affected in 2013 Breach

Every single Yahoo account was affected in a 2013 data breach, bringing the total from 1 billion to 3 billion.

Yahoo has confirmed that every single account that existed in August 2013 was likely compromised in a massive data breach, bringing the total affected to three billion. This means the affected victim pool is three times larger than the initial one billion accounts reported in December 2016.

“In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website,” the company reported Tuesday.

The breach enabled attackers to access email addresses, passwords, telephone numbers, and birthdates. New information indicates stolen data did not include plaintext passwords, bank account information, or payment card data. Yahoo is notifying additional user accounts affected by the 2013 breach.

This update comes after new intelligence was collected during Yahoo’s integration into Verizon, which is folding both Yahoo and AOL into a new subsidiary called Oath.




Article source: https://www.darkreading.com/attacks-breaches/yahoo-all-3-billion-accounts-affected-in-2013-breach/d/d-id/1330039?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Google tracking feature you didn’t know you’d switched on

It’s National Cybersecurity Awareness Month (NCSAM) and this week’s theme is simple steps to online safety. Here’s a simple step for you: see if you have Google’s Your Timeline turned on and, if you do, switch it off.

Google’s Your Timeline

Using GPS, Wi-Fi and cell tower data, Google’s Your Timeline can paint a very accurate picture of your daily life. If you’ve got it switched on, it stores every step you take and everywhere you go.

And the thing is, lots of people seem to have it switched on without even realising, including me, and my favourite hats come in tinfoil.

I was surprised it had slipped past me so I started asking other people if they had it switched on too. More often than not, without making a conscious decision to let Google follow them around, they had.

In the end I decided to ask 20 people at random and write down the answers. The result of my short, non-scientific survey? 95% of the people I asked – a mixture of people in technical and non-technical roles – had location history, or its slightly less obnoxious iPhone equivalent Frequent Locations, turned on, tracking their every step, without realising.

Check for yourself. On Android it’s under Settings > Location > Google Location History.

It’s your Timeline (and Google’s)

So what exactly is Google Timeline? Google says: “Your timeline in Google Maps helps you find the places you’ve been and the routes you’ve travelled. Your timeline is private, so only you can see it.”

Only you. And Google.

Google’s reasoning for the timeline feature is that, if you want to remember the name of that bar or café you visited yesterday, last week, last month, last year… you can simply visit Your Timeline. The technology behind this is impressive, but the privacy and security implications are, for some, quite terrifying.

Where you go says everything about you: where you live, where you work, where you hang out, the places you visit, how often and at what time. If you’re a frequent visitor to your local hospital’s cancer clinic, Google knows. If you’re having an affair, it’s in there. If you’re a courier moving large amounts of cash, that data is being shared over the internet and stored in a data centre somewhere. If you’re in the military or the police it knows where you’re stationed and, if you’re moving, your direction of travel.

Even if the data were stored anonymously (and it isn’t clear if it is or not) that would be cold comfort. Anonymous data has a way of being less anonymous than you think, and the more anonymous data you have, the easier it is to unmask the individuals involved.

So what does Google know?

To discover what Google Timeline knows about me, and you, I removed my tinfoil hat and opted to let it store my location history again.

Here’s a journey from Oxford to London by car (indicated by the dark blue line) that’s been accurately tracked to the point of tagging me at a service station I visited en-route.

Google Location Tracking

Once in densely populated South London, using the telephone masts, local Wi-Fi and my phone’s GPS, Your Timeline accurately plotted my movements. The colour of the tracking goes from dark blue to light blue as I change speed from driving to walking.

Google Location Tracking

After accurately tracking my taxi journey into Clapham, Google Timeline then has a go at tagging me in a restaurant, Café Sol. Google will use this data to add to publicly available information such as “Popular Times”, shown for Café Sol below:

Google Location Tracking

Google provides the following statement in its support documentation on the anonymity of this data:

To determine popular times and visit duration, Google uses aggregated and anonymised data from users who have opted in to Google Location History.

My memories of the evening are mildly hazy, but Google Timeline can tell me exactly what I did and where I went.

I’m not too bothered about Google using my boozy night for helpful data research, but it isn’t about one night. It’s about every day and every night and the pattern of my daily life. It’s about all this data being stored and accessible by… I don’t know who, now and in the future.

Google will store this data for years, as you can see in my screenshot below.

Google Location Tracking

So how did I, and almost all the people I asked at random, end up with Location History turned on?

The option appears when you set up Google Now. For me that happened after a factory reset. When you’re busy clicking ‘next’, ‘next’, ‘finish’ and don’t have two hours to spend reading everything on screen, it’s easy to miss:

Google Location Tracking

My tinfoil hat is back on now.

On Android 7 it was as simple as going to Settings > Location (under Personal) > Google Location History and selecting ‘off’. For comprehensive details on switching off and deleting your location history, go to Google’s Manage or delete your Location History page.

Apple iPhones have a similar feature hidden deep within their settings. Go to Privacy > Location Services > System Services > Frequent Locations.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BNodjcCRJMQ/