STE WILLIAMS

Why are redditors ripping images from Instagram? Because they can

Poor Instagram users. If it’s not one thing, it’s another.

Recently, it was a leaky API that led to 6m high-profile accounts getting hacked (and their details subsequently put up for sale at $10 a pop) – including the likes of Emma Watson, Taylor Swift, Selena Gomez and Harry Styles.

Before that, Instagram supplied us with yet another example of why you should be careful with adding friends on the platform (or any social media platform, for that matter)… And why you should be careful of those who you consider your “friends”…

… Namely, the creeps posing as friends who can be found on the creepshot-sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.

And now, we have a new breed of data mosquito sucking off Instagram’s neck: redditors who are out to archive – in other words, to steal – every single Instagram image, be it posted publicly or stored in supposedly locked accounts.

Why? Well, in a nutshell, because they can:

You can see the appeal to those who lack qualms about taking people’s content but who love to hoard data. Consider these Instagram statistics:

  • As of January 23 2017, there were 95m images being uploaded per day.
  • More than 40bn photos had been uploaded to Instagram as of that date.
  • The people uploading those photos are the preferred prey of image stealers: they’re young and quite often female. 31% of American women and 24% of men use Instagram.
  • 59% of internet users between the ages of 18 and 29 use Instagram, as do 33% of internet users between the ages of 30 and 49.

The person who kicked off the project to rip every Instagram photo is -Archivist – one of the moderators of the r/DataHoarder subreddit. He told Motherboard that his real name is John, that he’s in his late 20s, and that when he’s not archiving Instagram, he’s “archiving something else”.

As in, for example, porn videos. Turns out he was one of the redditors who came up with a plan to test the ceiling of Amazon’s cloud storage plan, which was killed off in June. (The redditor beaston02 hit nearly 2 petabytes of porn, or about 293 viewing years’ worth of smut, by the time Amazon pulled the plug.)

John first posted his idea to create a distributed Instagram archive on January 5. At that point, by himself, he had already ripped the posts from some 3,400 accounts, or about 2.2m files, which represented about 633 GB of information.

By now, after other redditors joined in, the archive has swelled to around 580TB of Instagram posts.

He did it with an open source program called RipMe that downloads albums in bulk. It pulls in images and videos from public Instagram accounts. It was a sluggish way to do it, though, John told Motherboard:

You can go to anybody’s profile and list their followers, but this list is loaded around 20 accounts at a time. So manual collection of usernames required me to scroll for hours. I initially overcame this by literally stuffing a bit of cardboard into my ‘page down’ key and walking away from my laptop.

We’ve seen others, including Danish researchers who amassed personal data on 70,000 OKCupid users, use scrapers – automated tools – to download user data from websites. We’ve also seen sketchy third-party apps going after Snapchat user data via its public API, and we’ve seen Tinder’s API used by researchers to grab 40,000 profile pictures.

But here’s the thing with relying on APIs to pull in people’s data without their permission: that spigot can be turned off, leaving you high and dry.

But not the Instagram archival project. As John emphasized in an update to his initial post, the project doesn’t rely on Instagram’s API. Instead, it relies on John and his initial dataset, plus the current 30 to 40 people now involved (along with their valuable storage space), plus – and here’s the cherry on top – the addition of a few dozen lines of code that enable collection of photos from around 2m accounts every 24 hours.

The “vast majority” of images are from public accounts, Motherboard reports. But there are photos from private accounts, as well: John chiseled them out of their accounts by creating an Instagram bot programmed to seek out and follow private accounts in the hope that they’d follow the bot back, after which the private contents could be slurped up and added to the archive.

John said the bot has had a 70% success rate at getting followed.

Which leads us back to the injunction cited above: to protect your Instagram account from getting ransacked, be careful about who you friend. It’s all too easy to friend a bot that wants to raid your contents and suck up to your friends so it can expand its reach.

There’s more you can do, too: after the Instagram API sprang a leak and hackers stole all those high-profile user details, we passed along five additional ways to keep your Instagram profile safe.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BjE74Lcxqeg/

Beware the Kedi RAT pretending to be a Citrix file that Gmails home

Thanks to Fraser Howard, principal threat researcher with SophosLabs, for the research this article is based on.

Researchers have discovered a new remote-access Trojan (RAT) called Kedi, which can snoop on infected systems, steal data and evade security scanners. It was attached to a spear phishing campaign when it was first discovered last week.

The attacks appear to be targeted rather than widespread and Kedi certainly behaves as most RATs do. But it has more flexibility than most in how it communicates with its command-and-control (C2) center. Among other things, it can use Gmail to receive instructions and transmit data.

The spear-phishing hook

The payload is a 32-bit Mono/.Net Windows executable, written in C#. It masquerades as a Citrix utility, both in its resources (properties) and the splash screen displayed on startup:

The payload installs itself into an Adobe folder under %AppData%. At that point, it’s masquerading as an Adobe file. The payload is accompanied by a lock file (.lck) and a folder into which it will presumably save screenshots.

Depending on its configuration, a registry startup hook might be added, making it look like this:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Adobe Updates” = c:\Users\username\AppData\Roaming\Adobe\reader_sl.exe

It creates an identifier for the infected endpoint using the MD5 of the machine name, and stores it in the Registry (as binary data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\DefaultVisualStyle “HR” = md5 of machine name
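An added host-side check (not code from the SophosLabs write-up) that looks for the two registry artefacts described above in a Regedit text export: the Run entry pointing at reader_sl.exe under an Adobe folder, and the “HR” value holding the MD5 of the machine name. Assumptions: the export is a standard .reg file, and since the write-up only says the digest is stored as binary data, raw digest bytes, an ASCII hex digest and a UTF-16 hex digest are all accepted; the sample export and hostname are constructed.

```python
import hashlib
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
THEME_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\DefaultVisualStyle"


def parse_reg(text):
    """Minimal parser for a .reg export: {key_path: {value_name: (kind, data)}}.
    kind is 'str' (REG_SZ, data is str) or 'hex' (binary, data is bytes)."""
    # Hex values may be continued over several lines with a trailing backslash.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes in string data as "\\"
            keys[current][name] = ("str", data[1:-1].replace("\\\\", "\\"))
        elif data.lower().startswith("hex:"):
            keys[current][name] = ("hex", bytes.fromhex(data[4:].replace(",", "")))
    return keys


def expected_hr_values(hostname):
    """Candidate encodings of MD5(machine name); which one is written is an assumption."""
    digest = hashlib.md5(hostname.encode("utf-8"))
    return {
        digest.digest(),
        digest.hexdigest().encode("ascii"),
        digest.hexdigest().encode("utf-16-le"),
    }


def check_kedi_indicators(reg_text, hostname):
    """Return findings for the two registry artefacts the write-up describes."""
    findings = []
    keys = parse_reg(reg_text)
    # Startup hook: any Run value whose target is <...>\Adobe\reader_sl.exe
    for name, (kind, data) in keys.get(RUN_KEY, {}).items():
        if kind == "str" and data.lower().endswith(r"\adobe\reader_sl.exe"):
            findings.append(f"Run entry '{name}' -> {data}")
    # Endpoint identifier: binary "HR" value equal to MD5 of the machine name
    hr = keys.get(THEME_KEY, {}).get("HR")
    if hr and hr[0] == "hex" and hr[1] in expected_hr_values(hostname):
        findings.append(f"HR value equals MD5('{hostname}')")
    return findings


# Constructed sample export: hostname and values are invented for this example.
HOSTNAME = "WORKSTATION-7"
_HR_HEX = hashlib.md5(HOSTNAME.encode("utf-8")).hexdigest()
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Updates"="c:\\Users\\username\\AppData\\Roaming\\Adobe\\reader_sl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\DefaultVisualStyle]
"HR"=hex:{','.join(_HR_HEX[i:i + 2] for i in range(0, 32, 2))}
"""

if __name__ == "__main__":
    for finding in check_kedi_indicators(SAMPLE_REG, HOSTNAME):
        print(finding)
```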

Features

The RAT has all the features a researcher would expect to find, including:

  • AntiVM/anti-sandbox capabilities
  • The ability to extract and run embedded secondary payloads
  • File download/upload backdoors
  • Screenshot grabbing
  • Keyloggers
  • The ability to extract usernames, computer names, and domains

Most of these features are command-driven.

Encrypt/decrypt process

To get things started when first run on a machine, the RAT contains some default configuration data.

After trimming and base64 decoding, the data appears to be encrypted:

Code analysis reveals that the RAT protects its configuration data with a simple xor-based encryption loop. It contains an embedded PDF, the SHA256 of which is used as the key string in the decryption loop:
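As an added analyst-side example (not code from the SophosLabs write-up), the decoding chain the text describes: trim, base64-decode, then XOR against a key string derived from the SHA-256 of an embedded blob. Kedi’s exact loop is not reproduced; the assumptions are that the key string is the lowercase hex digest and that it is applied as a repeating key over the ciphertext, and a constructed byte string stands in for the embedded PDF.

```python
import base64
import hashlib
from itertools import cycle

# Constructed stand-in for the embedded PDF whose SHA-256 seeds the key.
EMBEDDED_PDF = b"%PDF-1.4\n% constructed placeholder, not the real embedded resource\n"


def key_from_blob(blob: bytes) -> bytes:
    # Assumption: the key string is the lowercase hex SHA-256 digest (64 ASCII bytes).
    return hashlib.sha256(blob).hexdigest().encode("ascii")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR; symmetric, so the same call encrypts and decrypts.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_config(blob_b64: str, pdf: bytes = EMBEDDED_PDF) -> bytes:
    # 1. trim surrounding whitespace, 2. base64-decode, 3. XOR with the derived key
    raw = base64.b64decode(blob_b64.strip())
    return xor_with_key(raw, key_from_blob(pdf))


def encode_config(plain: bytes, pdf: bytes = EMBEDDED_PDF) -> str:
    # Inverse of decode_config; used here only to build a test sample.
    return base64.b64encode(xor_with_key(plain, key_from_blob(pdf))).decode("ascii")


# Constructed sample configuration, wrapped in the whitespace that "trimming" removes.
SAMPLE_CONFIG = b"mode=gmail;host=example.invalid;interval=60"
SAMPLE_BLOB = "  " + encode_config(SAMPLE_CONFIG) + "\n"

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOB))
```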

Gmail to command-control

Central to pretty much all RATs is their ability to call home and transfer data between attacker and victim. Kedi is a particularly interesting case because it can do this using Gmail – specifically, the Basic HTML version. It can also talk to its C2 using DNS and HTTPS.

Using Gmail to receive instructions from its C2, Kedi navigates to the inbox, finds the last unread message, grabs the content of the message body and parses commands from it. To send information back to command and control, it base64-encodes the message data, replies to the received message, adds the encoded data to the reply and sends it.

It’s interesting to see how attackers keep trying to be more inventive in their approach to call home and make it harder for the good guys to detect and block its activity, Howard said.

Defensive measures

As noted above, this does not look like a widespread attack. But that’s cold comfort if you’re the one who’s targeted. For any type of malware, we recommend the following:

  • Keep your operating system and applications patched, because the crooks try the easy ways in first.
  • Keep anti-virus active and up-to-date, because the crooks update their tricks all the time.

Since this looks like a case of spear phishing, the best way to avoid the trap is to:

  • Be careful what you click. If you click through from an email to a website that wants any personal information, don’t fill it in. Go to the website yourself by typing the address in your browser. If you receive links in emails that come from someone you don’t know, don’t click.
  • Check the address bar for the correct URL. The address bar in your web browser uses a URL to find the website you are looking for. The web address usually starts with either HTTP or HTTPS, followed by the domain name. The real websites of banks and many others use a secure connection that encrypts web traffic, called TLS (Transport Layer Security) or HTTPS (Hyper Text Transfer Protocol Secure). If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with https:// before entering your private information. That said, it’s not hard to get a TLS certificate – so check the full URL of the website you’re visiting and check it’s not a fake URL using, say, a digit 1 in place of the letter L.
  • Read Don’t fall for phishing and spear-phishing.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gFcZL1-AJYc/

New iOS11 features create fresh headaches for law enforcement

Apple has long been either a privacy hero or headache, depending on which side of the divide you sit.

And based on the beta versions of iOS11, which gets its grand, official introduction on Tuesday at the Apple Special Event, along with the newest iPhone, iWatch and more, it will likely now be even more of a hero to privacy advocates and more of a headache to law enforcement.

Not that Apple has ever made it easy for the cops and intelligence services. Nicholas Weaver, a security researcher at the University of California, Berkeley, noted on the Lawfare blog last week that, “unlike Google or Facebook, which use advertising to extract value from users’ personal information, Apple focuses on selling things that protect a user’s data from all unauthorized access – including by Apple”.

That led, among other things, to the famous clash last year between Apple and the FBI over the agency’s demand that the company provide a way to unlock the iPhone of the deceased San Bernardino terrorist.

While that was “resolved” when the FBI “bought a tool”, according to former FBI director James Comey, it didn’t resolve the overall conflict over whether device makers like Apple should be required to provide a backdoor into their products for law enforcement.

And that conflict is likely to get more intense, now that iOS11 is increasing protections against “unauthorized access”.

Until now, once an iPhone was unlocked – and law enforcement could require a person to use the Touch ID feature to do so without running afoul of the Fifth Amendment – there was no further barrier to, as Weaver put it, “connect the device to a computer running forensics software, or even just iTunes, direct the device to ‘trust’ the new computer when prompted, and download a backup that contains almost all of the relevant information stored on the phone”.

All of which, relevant or not, they could then analyze for as long as they wished, back at the office.

No more. The new iOS will now require the six-digit passcode before allowing it to sync with – or “trust” – a different computer. And giving up that number does have Fifth Amendment protection. Greg Nojeim, director of the Project on Freedom, Security and Technology at the Center for Democracy & Technology, said speaking the passcode is considered “testimonial”, while providing a fingerprint is not.

So law enforcement could still manually browse through what they can find on the unlocked phone, but that amount of data will be vastly less than what they could gather from a backup and forensic software using an SQLite database engine, which would in most cases include thousands of deleted messages and call logs.

Weaver said the passcode requirement would be especially significant at border searches, where a legal “exception” allows US Customs and Border Protection to copy all the contents of electronic devices without any probable cause or even “reasonable articulable suspicion.”

Again, while agents would still be able to demand that an owner unlock an iPhone and then manually look through it, they would not be able to make a backup copy without the passcode.

Nojeim applauded the impending change.

We have long said that there has to be reasonable suspicion to access everything on a phone. These devices carry your life – they’re a treasure trove of private information.

In addition to the passcode barrier, iOS11 also provides an “SOS” feature – press the power button five times rapidly and it will let the user make an emergency call, but also disables the fingerprint reader. To unlock the phone would then require the passcode. The feature is, of course, being sold as a way to get help quickly in an emergency, but it obviously could be used to lock the phone down to prevent law enforcement access.

And, as software forensic firm Elcomsoft noted in a blog post last week, law enforcement can’t tell if a potential suspect used that feature to disable Touch ID:

There is no way to tell that Touch ID has been disabled by using the SOS feature. Once the sequence is completed and the user cancels the menu, the iPhone prompts for a passcode in the same manner it uses after Touch ID naturally times out.

Weaver doesn’t see that as a big deal, saying:

There are already a number of ways to rapidly disable the fingerprint reader, such as powering off the phone, using the wrong finger four times, or just waiting long enough for the feature to disable itself. So this is more hype than substance.

Even a locked iPhone doesn’t lock everything out, as Naked Security’s Maria Varmazis noted when she took the beta iOS11 for a test drive. In fact, it actually allows a bit more access than iOS10:

iOS 11 adds viewing the Control Center (the menu that you can pull up from the bottom of the screen) and returning missed calls to options that work despite the lockscreen, in addition to features that were already available on iOS 10. All of these options are turned on by default.


Of course, a user can turn them off as well. But the bottom line is that the personal privacy vs protection-of-society debate is likely to get more intense, and make its way into the courts.

Comey, back in March when he was still FBI director, said at a conference in Boston that while “I love privacy,” there has always been a “bargain” in the US that government can invade privacy, “with probable cause and a warrant … The general principle is that there is no such thing as absolute privacy.”

Weaver would agree only in part. He wrote that the iOS11 upgrades “will have some impact on lawful investigations”. But he added: “That isn’t necessarily a problem – the benefits here outweigh the costs.”

Nojeim agreed with that last part, saying:

We are in the golden age of surveillance. There has never been larger or richer collection of data about the private activities and thoughts of people who have committed no crime and done nothing to bring suspicion. Something like this starts to level the playing field just a bit.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dVi8K70kQ2E/

News in brief: lawyerbot offers Equifax help; Facebook faces privacy fine; gang hacks India ID scheme

Your daily round-up of some of the other stories in the news

A lawyerbot will help you sue Equifax

As the fall-out from the Equifax hack lumbers on, minds are inevitably turning to lawsuits. And there’s a bot to help you do that, potentially avoiding the need to hire a costly lawyer.

DoNotPay, a bot originally developed by British-born entrepreneur Josh Browder as a side project to help him handle his own parking tickets, was launched when he was 18, and has since helped fight some 375,000 parking tickets in the UK and the United States.

Browder, a student at Stanford University, has also adapted the bot to help asylum-seekers with immigration applications.

The bot helps you fill out the forms to sue in small claims courts, though as The Verge points out, you’ll still have to serve the forms yourself.

Lawyer Scott Nelson from Public Citizen told The Verge: “I am not inclined to think it would be a panacea. Filing and winning a small claims case takes more than just filling in a form.”

Facebook hit with privacy fine

Facebook has been fined €1.2m by Spanish regulators for privacy violations, Reuters reported on Tuesday.

The AEPD, Spain’s privacy regulator, said that the social media giant hadn’t gained adequate user consent for how it collects, stores and uses data for advertising, and found two serious infringements and one very serious infringement, imposing three fines: €600,000 for the very serious breach, and two of €300,000 for the two lesser infringements.

The AEPD said that Facebook had kept information for more than 17 months after users had closed their accounts, and also said that “the social network uses specifically protected data for advertising, among other purposes, without obtaining users’ express consent as data protection law demands – a serious infringement”.

Gang of 10 arrested over Aadhaar breach

Aadhaar, India’s “Orwellian” digital ID scheme, suffered another breach when criminals managed to bypass what’s claimed to be “robust” security to issue more than 8m counterfeit ID cards, Indian media reported on Monday.

NDTV said that Uttar Pradesh police had arrested a gang of 10 men, recovering fingerprint scanners, laptops, rubber stamps, Aadhaar cards, GPS devices and printing materials.

The Uttar Pradesh Special Task Force said that the gang had used cloned fingerprints to carry out fake enrolments on the Aadhaar website, and added that security practices at the UIDAI, the Unique Identification Authority of India, had been repeatedly broken.

Aadhaar cards are required for access to a wide range of services in India, and there has been a great deal of concern about both the over-reach and the security of the scheme.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OxtGnBRPmHU/

Researcher reveals D-Link router holes that might never be patched

If you own a D-Link DIR-850L AC1200 Dual Band Gigabit Cloud router, we have bad news for you on several fronts.

According to researcher Pierre Kim, the product has 10 security vulnerabilities serious enough for him to recommend owners to “immediately disconnect vulnerable routers from the internet”.

That sounds worrying, but it gets worse. First, Kim has made the flaws public without first coordinating with D-Link, an unusual step he says he took after the company responded poorly last year to issues he reported to them in another product, the DWR-932B mobile hotspot router.

Second, D-Link’s slow or non-response (and the fact that the AC1200 router was discontinued some months ago), raises the likelihood that the latest flaws might never be fully patched.

Kim describes the flaws as “zero days”, although given that he has now revealed their existence in uncomfortable detail, strictly speaking that’s no longer true (zero days being undisclosed, unpatched flaws). They are, however, show-stopping:

Summarises Kim:

Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.

These include:

  • A lack of protection for the router’s firmware on revA hardware that would allow an attacker to upload a new image; the revB has a hard-coded password.
  • Lots of cross-site scripting (XSS) flaws.
  • A litany of weaknesses in the device’s cloud protocol implementation.
  • RevB routers allow backdoor access.
  • A lack of authentication protecting DNS configuration.

This isn’t the first time D-Link has been in the headlines for product security. Naked Security has reported several rounds in recent times, including 2015 problems with the DIR-820L, and a clutch of flaws from earlier in 2017 designated CVE-2017-6206.

Earlier in 2017, D-Link even upset the US Federal Trade Commission, which filed a suit regarding the company’s alleged failure to fix flaws in its IP cameras and routers.

Some might be unhappy at Kim for revealing flaws for which there might not be a fix, but the counter-argument is that knowing they exist is preferable to a blissful but dangerous ignorance.

The issue at the heart of this is that while the company has discontinued a product launched in 2013 and sold (as far as we can tell) until 2016, users will continue using it for years afterwards.

If the company fails to fix flaws that are found after the date the product is superseded, owners must like it or lump it. Legally, companies are not obliged to continue patching flaws into the future – no matter that they shouldn’t have been there in the first place.

Unfortunately, routers do not sell with “use by” dates on the box – perhaps they should.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nDhoKC1L8OU/

Another reason to hate Excel: its Macros can help pivot attacks

A white-hat has taken a good look at whether you can pivot an attack from one machine to others using Microsoft Excel, and you probably won’t like what he found.

The researcher, Matt Nelson of SpecterOps (@enigma0x3) writes that he’s found loose default launch and access permissions, meaning a macro-based attack doesn’t need to interact with the victim.

The nutshell version is this: Excel.Application is exposed via DCOM; it has no explicit launch or access permissions set; since the attacker would have to find some other means for the initial compromise, Microsoft Office Macro security won’t stop the pivot; and Excel.Application can be launched (and interacted with) remotely.

That means the remote attacker can push up an Excel spreadsheet containing a malicious macro, and: “Since VBA allows Win32 API access, the possibilities are endless for various shellcode runners”.

Since it’s a proof-of-concept, Nelson doesn’t do anything especially evil: he merely launches calc.exe, but it’s far too easy to do.

“Just create a new macro, name it whatever you want, add in your code and then save it. In this instance, my macro name is ‘MyMacro’ and I am saving the file in the .xls format.”

The calculator in the demo is spawned as a child process of Excel, but Nelson notes that “since VBA offers a lot in terms of interaction with the OS, it is possible to not spawn a child process and just inject into another process instead.

“The final steps would be to remotely cleanup the Excel object and delete the payload off the target host,” he adds.

While it’s restricted to users with Local Administrator group privilege, the vector remains serious enough. This is, after all, a pivot attack in which Nelson’s assuming a machine in the group is already pwned.

There are mitigations, but he warns they might be troublesome. A sysadmin can manually set remote Launch and Access permissions to Excel.Application, but that might impact other Office applications.

Other mitigations include using dcomcnfg.exe to edit the launch and access discretionary access control lists (DACLs), as well as turning on Windows Firewall and limiting the number of local administrators. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/12/excel_pivot_attacks/

Google to kill Symantec certs in Chrome 66, due in early 2018

Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.

The decision to end-of-life its trust for Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for example.com and various permutations of test.com escaped into the wild.

The absolute end-of-trust date is still some way off, in March 2018, but in this post, Google fills in many of the steps between now and then.

By the death-note date, all Symantec-issued TLS certificates older than June 1, 2016 must be replaced.

Chrome will distrust those certificates as of version 66 – due around March or April 2018, but Google’s going to start adding warnings from Chrome 62 which should land in October 2017.

As we reported in August, Symantec is handing its infrastructure over to DigiCert, and that’s due to be operational by December 2017.

To comply with Google’s July ultimatum, DigiCert will run both the PKI infrastructure and the Managed Partner Infrastructure to oversee certificate sales.

Google says from that point, any certificates issued by Symantec’s old infrastructure will be listed for distrust in “a future Chrome update.”

Chrome 70 is another important milestone as it will kill off “any certificate chaining to Symantec roots, except for the small number issued by the independently operated and audited subordinate CAs previously disclosed to Google.”

That will impact site owners who need to get certificates from Symantec’s old infrastructure between now and December 2017, Google explains, because they’ll need to go through another round of certificate replacement before Chrome 70. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/12/chrome_66_to_reject_symantec_certs/

Equifax backtracks arbitrate-don’t-litigate plan for punters

Equifax has decided it will no longer try and impose arbitration on any of the millions of Americans who try to find out if they’ve been stung in its massive data leak.

Following its 143-million-record megaleak, the company posted a website meant to let worried people sign up for a credit file monitoring product – if they agreed to arbitration and waived their right to sue.

That, and the fact that “https://www.equifaxsecurity2017.com” was a WordPress site, and therefore hardly a paragon of security, raised eyebrows and criticism from World+Dog.

Now, Equifax has relented – at least in the matter of forced arbitration. In a “Progress Update for Consumers” posted at the same site, the company says:

We “confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.”

Other changes made since the site first landed include:

All of which should quieten one source of anger about Equifax. But it has dozens more to deal with and court dates a-plenty in its future. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/12/equifax_backtracks_on_complaint_of_forced_arbitration/

News in brief: Virginia ditches voting machines; Chrome to warn of MiTM hacks; Beijing cracks down on Bitcoin

Your daily round-up of some of the other stories in the news

Virginia to ditch voting machines

Remember Virginia’s easily hacked voting machines that we wrote about more than two years ago? It seems that the state has learned its lesson about the potential vulnerability of voting machines and has decided to ditch all of its direct-voting machines and replace them with ones “that leave a paper trail”.

The State Board of Elections decided in a meeting on Friday that it would replace all of its current generation of voting machines that are vulnerable and plans to replace them all in time for its gubernatorial elections in November.

In its recommendation, published on Friday, the board said that it “believes that the risks presented by using this equipment in the November General Election are sufficiently significant to warrant immediate decertification to ensure the continued integrity of Virginia elections”.

It seems that the board was spurred into action after presentations at DefCon, saying: “Multiple types of DREs [Direct Recording Electronic machines], some of which are currently in use in Virginia, were hacked, according to public reports. Additional troubling reports from DefCon were publicized, including one that expressly stated the password for a DRE that was in use in the Commonwealth.”

Given the broader concerns about interference in last year’s presidential election, the move seems like a smart one.

Chrome will detect MiTM attacks

Chrome users, you’re getting another layer of protection in your web browsing: Google is planning to build in detection for man-in-the-middle (MiTM) attacks – such as the Superfish adware that was installed on some Lenovo computers.

The new feature, created by Sasha Perigo, a former Chrome intern, will detect if a third party is trying to intercept your web traffic, throwing up a warning screen if the browser detects a large number of SSL connection errors.

You can enable the new feature in the Canary developer builds (it’s not enabled by default, though) and it is due to ship in version 63 in early December.

China ‘could ban Bitcoin exchanges’

Bitcoin users were watching China as the price of the cryptocurrency stuttered in the wake of reports that Beijing is planning to ban exchanges that allow trading of Bitcoin and other cryptocurrencies, Reuters reported on Monday.

The reports sent the price of Bitcoin, which had hit nearly $5,000 at the beginning of September, dropping off: at the time of writing it was $4,219.14, having recovered slightly after falling below the $4,000 mark over the weekend.

China moved recently to ban Initial Coin Offerings (ICOs), which have been the flavour of the month for entrepreneurs around the world wanting to raise money for ventures, raising concerns about the unregulated nature of these financial instruments. China said last week that ICOs “seriously disrupted the economic and financial order”, which echoes concerns about the potential for fraud.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TbxnsOIsHME/

FireEye pulls Equifax boasts as it tries to handle hack fallout

FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency.

Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the credit reference agency’s systems and accessed all manner of sensitive information.

Equifax back FireEye for hacker defence

The breach, discovered in late July but disclosed only last Thursday, affected 143 million US consumers and an as-yet undisclosed number of Brits and Canadians.

The intrusion began in mid-May and went undetected for two months until 29 July. Criminals had access to names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers of millions of Americans as well as the credit card numbers of 209,000 US consumers.

Early indications are that hackers failed to go even deeper and access Equifax’s core consumer or commercial credit reporting databases. Equifax said that hackers exploited an unspecified web application vulnerability to hack into its systems.

Equifax has reportedly hired incident response experts at FireEye Mandiant to investigate the breach. These experts have also been helping with PR aspects of damage limitation, it seems. Brandan Schondorfer of Mandiant registered the domain Equihax.com on Tuesday (5 September), two days before the breach was publicly disclosed, thereby preventing anyone else intent on poking fun at Equifax – or, perhaps worse, running phishing attacks – from getting their hands on the domain.

Other aspects of Equifax’s overall incident response (analysed in depth in a post by security blogger Guise Bule here) have been less assured. For example, security experts at Sophos have criticised Equifax’s use of PINs – based on the date and time of when a request was made – to freeze consumer credit files. Crooks have a far better chance of determining these PINs and unfreezing credit files than if they were randomly generated. Worse yet, compromised server logs might be used to determine PINs. ®

Bootnote

*The Equifax endorsement came in a FireEye white paper entitled Less Secure Than You Think. Thanks to reader Ken L for forwarding a copy (a Google cache snapshot can be found, at least temporarily, here).


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/11/equifax_incident_response_omnishambles/