STE WILLIAMS

Orfox app brings Tor’s security slider to Android

Something small but potentially significant happened in the world of Tor this week: the Android app has gained the security slider from the desktop Tor browser, meaning it’s easier for users to pick a predetermined level of privacy without getting bogged down in settings they might not fully understand.

The news emerged in the latest Android version of Orfox to reach the Play Store and The Guardian Group’s GitHub repository, version Orfox-1.4-RC-3 running on mobile Firefox 52.2.0.

Since the Orweb app was shuffled into retirement in 2015, Orfox’s beta has been the browser the Tor project offers to Android users to access the network, in conjunction with the partner Orbot proxy client on which it runs.

From its earliest days, the point of Orfox was to offer the same privacy that Tor users would get from the Project’s desktop browser – but without making configuration a chore.

In other words, there’s not much point offering a high level of privacy if the app is difficult to configure – and if it’s hard to configure, it can leave users exposed.

However, the Tor developers haven’t really known how users configure the browser because the browser doesn’t collect data on how users interact with it.

Nevertheless, after old-fashioned testing with a small group of users, says Tor:

This was the first time Tor did a full development cycle following UX best practices.

“UX” stands for user experience, and Orfox’s solution to making it easier for users was to turn the settings question into a simple slider with three settings: “standard”, “safer” and “safest”.

You could argue this is just a re-badging of the old “high”, “medium” and “low” labels in which JavaScript and HTML5 video become tap-to-play and HTTPS Everywhere and NoScript are the default as users opt for the two higher settings (the downside being higher settings break some websites).

But the adoption of UX best practice principles bodes well as Tor tries to turn Orfox into something with mainstream appeal.

Why does this matter? Mostly because it underlines how Tor is on the cusp of moving from being an anonymity network used mainly by desktop users to one dominated by mobile.

By some measures, 2016 was the year that mobile web traffic exceeded that from desktops for the first time, especially in the developing countries that could one day be Tor’s heartland. These are also countries full of older Android versions, which explains why Orfox maintains compatibility as far back as v4.1.

It’s tempting to try and hunt for differences between the desktop Tor browser and Orfox – but that would be to miss the point.

The security risks of using Orfox aren’t inside the app itself or even the possibility of it being compromised from the Android side – it’s the big bad web that’s the worry.

Mobile users gravitate towards online services that ask them to log in. The minute people do this it’s game over for anonymity, even if ad tracking is reduced. That’s not perhaps how people use Tor but it’s how a lot of people use the web on mobile – and indeed, Android is a prime enabler.

Resistance isn’t futile by any means, but we must understand that software alone can’t shield us from a world stripped of privacy.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZqGMflrUW5w/

Learning from the Equifax breach [VIDEO]

We know you’ve probably heard about the Equifax breach many times already, and read all sorts of advice about it, but we also know that many of you – especially outside America – still aren’t quite sure what it all means and what to do.

Paul Ducklin and Mark Stockley can help you with that!

Rather than writing a pre-prepared list of answers, they went live online to take your questions and help you figure out what we should be doing about breaches of this sort.

For example:

  • What is Equifax, and how do you even know if you’re a customer?
  • What happened here, and how could you stop it happening in your company?
  • How did Equifax respond, and was there a better way they could have dealt with it?
  • What should we do now?
  • Would GDPR have made any difference, if this had happened a year from now in Europe?

Watch now…

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OzFm7xpHD2Q/

HSBC biz banking crypto: The case of the vanishing green padlock and… what domain are we on again?

HSBC has been faulted for redirecting business customers to a website that is not obviously secure.

Rob Jonson, director of Hobbyist Software, who alerted us to the issue, was concerned that he’d fallen victim to a phishing scam.

I logged into my HSBC business account, and the site failed to give me any info.

Then I looked again at the URL and saw it was not showing as secure.

I started worrying that I had clicked on a bad link from Google.

I clicked back to hsbc.co.uk (green padlock) and clicked again on the business tab at the top left. It sends me to http://www.business.hsbc.uk/?DCSext.nav=foot-mat (yup – not https).

Notice the subtle domain change as well (hsbc.co.uk to hsbc.uk)

Surely the one company that would never mess around with changing domains, and which would always show the ‘safe’ green padlock would be a large international bank….

My conclusion is that HSBC is just shamefully bad.

Before we go any further, The Reg wants to make it clear that HSBC does not show account details through non-https sessions.

Scott Helme, an independent information security consultant and an expert in website security, agreed that Jonson had a point.

“It’s certainly not a great practice to downgrade the user like that, especially not with the change in domain,” Helme told El Reg. “Once on https, we should remain on https. We’re also constantly trying to combat phishing by teaching users to ensure they’re on the correct domain. How do they know if we keep bouncing them between domains (click login and the domain changes back again)?

“Consistency in the UI is crucial if we want the user to spot unexpected change. Just clicking a few basic links on that site takes me between http, https with DV, https with EV and three different domains.”

Jonson explained that the issues are:

  • Some pages are non-https (as outlined previously, HSBC doesn’t show account details through non-https sessions)
  • Bouncing around the domains, and
  • Some https pages are not fully secure (generating a Chrome warning as a result)
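The three problems Jonson lists (plain-http pages, hops between domains, and https pages that still pull something over http) can be checked mechanically rather than by squinting at the padlock. The script below is an added example, not code from HSBC, The Register or either of the consultants quoted: it parses a page’s navigation links and subresources and reports http:// links reached from an https page, http subresources (the “not fully secure” mixed-content case that triggers the Chrome warning), and links whose host is not the page’s own site or a subdomain of it. The sample page embedded in it is constructed; the domain bank.example and its subdomains are assumed, with one link shaped like the business-banking URL quoted above.

```python
"""Audit an HTML page for HTTPS downgrades, cross-site hops and mixed content.

Added example, not code from the article or from HSBC. The sample page below
is constructed: an https page on www.bank.example (assumed domain) whose
navigation drops to http:// on a different site and which loads one script
over plain http.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_PAGE_URL = "https://www.bank.example/"  # constructed
SAMPLE_HTML = """
<html><head>
  <script src="http://cdn.bank.example/app.js"></script>
  <link rel="stylesheet" href="https://www.bank.example/site.css">
</head><body>
  <a href="/personal">Personal</a>
  <a href="http://www.business.bank.example.uk/?DCSext.nav=foot-mat">Business</a>
  <a href="https://login.bank.example/">Log on</a>
  <img src="//images.bank.example/logo.png">
</body></html>
"""

# Tag/attribute pairs the browser fetches automatically (mixed content if http
# on an https page) versus pairs that only navigate when the user acts.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"),
                     ("link", "href"), ("iframe", "src")}
NAVIGATION_ATTRS = {("a", "href"), ("form", "action")}
WATCHED_ATTRS = SUBRESOURCE_ATTRS | NAVIGATION_ATTRS


class RefCollector(HTMLParser):
    """Collect (tag, attribute, raw value) for every reference we care about."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and (tag, attr) in WATCHED_ATTRS:
                self.refs.append((tag, attr, value))


def site_of(host):
    """Treat a leading 'www.' as cosmetic so www.bank.example and login.bank.example match.

    Crude heuristic: real tooling should use a public-suffix list.
    """
    return host[4:] if host.startswith("www.") else host


def audit(page_url, html):
    """Return the findings a reviewer would raise for this page.

    mixed_content:    subresources loaded over http from an https page
    downgrade_links:  navigation links that leave https for http
    cross_site_links: navigation links whose host is neither the page's site
                      nor a subdomain of it (a hop such as .co.uk -> .uk)
    """
    collector = RefCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    site = site_of(page.hostname or "")
    findings = {"mixed_content": [], "downgrade_links": [], "cross_site_links": []}

    for tag, attr, raw in collector.refs:
        url = urljoin(page_url, raw)  # resolves relative and scheme-relative (//) refs
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, tel: and friends are out of scope
        host = parts.hostname or ""
        same_site = host == site or host.endswith("." + site)
        is_subresource = (tag, attr) in SUBRESOURCE_ATTRS

        if page.scheme == "https" and parts.scheme == "http":
            key = "mixed_content" if is_subresource else "downgrade_links"
            findings[key].append(url)
        if not is_subresource and not same_site:
            findings["cross_site_links"].append(url)
    return findings


if __name__ == "__main__":
    for kind, urls in audit(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{kind}: {urls or 'none'}")
```

Run against the constructed page it reports one mixed-content script, one downgrade link and one cross-site link (the same business-banking URL lands in both of the last two buckets). The cross-site bucket is the one worth watching: HSTS with includeSubDomains keeps a user on https across login.bank.example and friends, but it cannot cover a different registrable domain, which is exactly why a bounce from hsbc.co.uk to hsbc.uk undoes the “once on https, stay on https” rule Helme describes.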

Jonson has further reservations about HSBC. “When you set up mobile banking (Android app), they essentially switch you from a token generator to a password. Naturally, they have strict requirements on that password. Including… not more than eight characters long.”

Independent security consultant Paul Moore confirmed the password feature while talking down the significance of the issue. “The app is very limited in terms of what you can do after you’ve logged in,” Moore explained. “For instance, you can’t pay/transfer to a new payee without first logging in via the site (which requires the PIN too). You can only pay people you’ve previously paid before. The eight-character limit is pretty bad, however, there are multiple layers of security to prevent brute force attacks from the front-end.”

We’ve asked HSBC for comment and will update when we hear back. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/08/hsbc_business_banking_crypto/

Equifax mega-leak: Security wonks smack firm over breach notification plan

Credit reference agency Equifax has been criticised for its breach response in the wake of the disclosure on Thursday of a megahack that affected the data of up to 143 million people in the US alone.

The credit reference agency admitted that criminals may have been able to access data including names, social security numbers, birth dates and more belonging to its US customers from mid-May after exploiting a vulnerable website application. There’s no evidence of unauthorised activity on Equifax’s core consumer or commercial credit reporting databases, according to the credit reference agency.

The breach was discovered on 29 July but Equifax only disclosed the problem 40 days later. “The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” it said.

Also accessed were “credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers.”

Personal information on an undisclosed number of UK and Canadian residents was also disclosed in the breach, Equifax admits. Specifics on what might have been spilled are unclear.

Data privacy watchdogs in the UK – namely the Information Commissioner’s Office – are already in touch with Equifax, advising it to “alert affected UK customers at the earliest opportunity”.

Equifax had weeks to prepare for its breach notification, so its decision to do so via a basic WordPress site (oh, err) using a free shared CloudFlare SSL cert is somewhat puzzling. “For some reason Equifax used the 6 weeks to set up a new domain asking for SSN numbers, with anonymous Whois on Cloudflare,” said security consultant Kevin Beaumont.

The whole approach already seems to have gone awry, with OpenDNS flagging up the site as a potential phishing locale in an apparent false positive. The Register has received emails from concerned readers who believed it may be a phishing site.

Free credit file check

Equifax’s breach notification site – https://www.equifaxsecurity2017.com – invites consumers to “enroll and activate your complimentary identity theft protection and credit file monitoring product, called TrustedID Premier”.

While signing up to TrustedID Premier allows concerned parties to confirm whether or not they have been personally affected, some have voiced concerns that the wording of its terms of service may mean signing away rights to file a lawsuit and agreeing to arbitration instead. To manage demand, interested parties can’t sign up to TrustedID Premier immediately anyway, instead receiving a future enrolment date.

The service, once activated, is complimentary for the first year only.

“Equifax’s customer service and incident response may have been better if the potentially 143 million people affected were customers — they’re not,” said Jeremiah Grossman, chief of security strategy at SentinelOne.

Criticism over the breach notification was widespread but far from universal. Some experts were more inclined to cut Equifax some slack.

“The Equifax breach announcement. Generally good, but a bit alarming that they knew in July and only announced now,” said breach notification guru Troy Hunt, the security researcher behind the haveibeenpwned breach notification service.

Rick Holland, VP of Strategy at Digital Shadows and a former incident responder, is even more sympathetic. Holland reckons a month to communicate the incident “is not that long”. In a blog post, Holland speculated that the likely root cause of the breach was a SQL injection vulnerability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/08/equifax_breach_notification/

Equifax data breach: what you need to know

To understand how bad the data breach at Equifax is, consider this: the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.

The company said in a statement that cybercriminals “exploited a US website application vulnerability” to access certain files:

Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

What kinds of customer data did the culprits access? Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to Equifax chairman and CEO Richard Smith. In addition, he said, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.

And there’s more. Smith said:

As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.

Many questions

There are a lot of questions surrounding this breach. Bloomberg reports that three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach – but before Thursday’s disclosure. That’s bound to fuel anger from customers who will want to know why.

Equifax will also have to explain what it means by a “website application vulnerability.” Were the hackers exploiting a 0-day vulnerability in server software or one which was known, and for which there was a patch? Or was it perhaps something as simple as a SQL injection vulnerability in the website — the same type of vulnerability that compromised TalkTalk.

Speculation also abounds that the compromised data was stored in plain text, though at the time of writing it remained unclear if that was the case.

Defensive measures

Details of what exactly happened will become clearer in the coming days and weeks. For now, customers need to know what they can do to protect themselves. To that end, we suggest the following:

  • Equifax says people can click a link on its website to see if they’ve potentially been impacted by submitting their last name and the last six digits of their Social Security number. Go there now. Furthermore, those affected will be given a date to enroll in free ID theft protection and credit monitoring services.
  • Change your password and other secret credentials.
  • If you used the same password on other accounts, change those passwords, too. AND DON’T RE-USE PASSWORDS AGAIN.
  • Make all new passwords different and difficult to guess. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  • Include upper- and lower-case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos How to Pick a Proper Password video for creating stronger passwords.
  • Be careful with your security questions: information such as your mother’s real maiden name is easy to track down. You don’t have to give the actual answer to the question: “what’s your favorite food?” – you only have to give an answer that you will remember.
  • Use two-factor authentication wherever possible.

We’ll update this article as more details become available.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k-DoanI2rKo/

News in brief: hacker fail; voting fail; Twitter fail

Your daily round-up of some of the other stories in the news

How not to be a cybercrook

It’s not really the done thing to laugh at other people’s misfortunes, especially when they’re just kids…

…but what if the target is a precocious 13-year-old cybercriminal who was hoist by his own petard?

Bleeping Computer just reported the case of DaddyL33t, who seems to be an avid collector of malware who’s recently branched out into running his own IoT botnet.

(“L33t”, by the way, is hacker-speak for “leet”, which is hacker-speak for “elite”, which is hacker-speak for a top-grade hacker. L33t can be an adjective too, as in “leet skillz”.)

Unfortunately for DaddyL33t, it seems that the Skype ID he used when promoting his botnet services is the same Skype ID that he used to look for paid vacation work.

That’s the sort of ID mistake that you don’t want to make if you’re a crook, even a teenage crook.

Apparently, DaddyL33t has expressed the opinion that his identity doesn’t matter because he’s young enough to steer clear of prosecution – though the accuracy of that statement depends on his jurisdiction.

In England, for example, you can be charged with criminal offences once you’re 10 years old (it’s 12 in Scotland).

Evidence, of course, seems to lie around unforgivingly and unforgettingly on the internet, so DaddyL33t may have many years yet to wonder whether his past will catch up with him.

Hackers dig into voting software

The Chaos Computer Club (CCC) have been exercising their considerable hacking brawn in an effort to prise open German voting software. The alarming summary of their research into PC-Wahl, a program used to capture, aggregate and tabulate votes during elections, pulls no punches:

The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake … elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations

And if that hasn’t got your attention, this might:

The broken software update mechanism of PC-Wahl allows for one-click compromise

And the Club’s beat down didn’t finish there.

Effective protective measures have been available for decades, there is no conceivable reason not to use them

The Club’s analysis shouldn’t put anyone off voting in Germany’s forthcoming elections, it says, but voters should be sure to watch vote tallying closely.

Twitter lists go missing

Twitter users have been finding that their lists – the ones created to sort the accounts they follow into customised feeds – have been vanishing. Some users have also found their private lists now open to the public.

A Twitter spokesperson confirmed that the disappearances are due to a bug on Twitter for iOS but, while the company works on a fix, lists ‘should’ be visible on twitter.com.

It’s not been a good few weeks for Twitter: this problem follows hot on the heels of the bug that ‘unblocks’ users.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oVg6ShoxUFA/

Microsoft slings bulked-up Windows Defender preview at world+dog

Microsoft says its upcoming Windows 10 Creators Update will include new capabilities in the Windows Defender Advanced Threat Protection security suite.

Redmond says the updated Defender ATP tools are now open for public preview and will hit general availability this fall with the Creators Update.

“This focused security investment combines the best of Windows Defender ATP and the Windows security stack,” wrote Windows Defender group program manager Raviv Tamir.

“We integrated Windows 10’s new prevention technologies, enhanced our built-in sensors to better detect script-based attacks, added new response capabilities and opened up powerful analytics.”

Among the new features will be the ability for Defender to provide alerts and notifications to administrators, after users click on a known malicious URL and are notified by Defender. Additionally, the security suite will be able to log when banned applications attempt to load and view logs of firewall blocks.

[Image: screencap of Windows Defender ATP showing the new alert report trees]

Microsoft also says Defender ATP will sport a new management screen that is designed to provide admins with a clearer picture of event logs and alerts in Defender Antivirus, Firewall, SmartScreen, Device Guard and Exploit Guard. The new interface will include updated analysis and reporting screens, as well as APIs for importing data into other applications.

“We continue to evolve our detection capabilities to gain more visibility into dynamic script-based attacks, network explorations, and keylogging alerts,” said Tamir.

“We enhanced our alert capabilities, showing more data to help security teams better understand the story behind the alert, introducing automatic detection correlation and grouping of related alerts.”

The new features deliver on the promise Microsoft made back in June to overhaul Defender ATP with the Creators Update to better support mobile devices and to provide admins with a clearer picture of security events and attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/windows_defender_preps_for_creators_update/

Top tip, hacker newbs: Don’t use the same Skype ID for IoT bot herding and job ads

A teenage tearaway with a passion for building botnets was apparently caught using the same Skype ID he used for hacking activities when applying for jobs.

Researchers at NewSky Security claim they spotted the 13-year-old’s Skype name on job ad message boards and a website called Daddyhackingteam, which hosts numerous code snippets for building armies of online soldiers out of hijacked Internet of Things devices. Ever since Mirai hit the headlines, such networks of compromised gadgets are all the rage with wannabe cyber-gangsters: the commandeered machines can be used to launch massive attacks against victims’ servers, and so on.

And it seems this kid, or someone pretending to be a kid anyway, set up this website to share malicious code, and hoped to build an army of hijacked CCTV cameras.

From June to August, the teen made numerous inquiries on his forum about subverting internet-connected cameras. It appears he was somewhat successful, and began to build a small botnet using a Gr1n malware variant – which takes over internet-facing devices by brute-forcing their login passwords. This itself is a fork of the Poole software nasty.

While researching the upstart botnet herder, NewSky’s bods noticed the kid was using his or her Skype ID on IT job websites. In one post, the person publicly answered a ‘help wanted’ job advert for running servers during his school holidays with their hacker Skype ID.

“We found it either bold or immature of a malware author to use the same contact information for job hunting as well as for malicious activities,” said Ankit Anubhav, principal researcher at NewSky, on Tuesday. “However, in his job search attempt, he mentions that he is 13 years old, which pretty much explains the dual use.”

The researchers messaged the character and engaged in a conversation. The teenager cheerfully admitted to infecting 300 devices to build a mini botnet, although the cyber-tyke complained they still hadn’t cracked any CCTV cameras.

When the infosec pros explained who they were and that what he or she was doing was highly illegal, the little rascal said they were aware that it was naughty, but didn’t think they’d get into serious trouble because they are a minor.

“While various laws do have less harsh sentences for juveniles, in this case, we see this person taking advantage of that,” noted Anubhav.

The researcher reckons setting up a botnet is literally child’s play these days, in part because malware authors are giving away the code on GitHub and elsewhere to easily install and run. He suspects this is because IoT botnets are difficult to monetize and it’s still a new area of research.

We’ve pinged the teen – aka quickscopegoespro69 – for comment, and will let you know if they get back to us. ®

Updated to add

Quickscope has been in touch to say, and we repeat this verbatim:

im somewhere and im almost positive i wont be found. I just came to the botnet community because i found it as a way to enhance my coding skillset I was planning to get out after i mastered python and C but now the feds gonna be all over my ass i bought plane tickets im leaving the country i will be amazed if im caught by the time my flight leaves

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/iot_botnet_herder_caught/

Wonder why Congress doesn’t clamp down on its gung-ho spies? Well, wonder no more

Analysis When Edward Snowden revealed the extent of illegal operations carried out by American spy agencies, many wondered whether the US Congress was either unaware or had simply turned a blind eye toward them.

Nevertheless, Congress did act, restricting some programs and declaring others illegal. Even the notoriously secretive FISA Court, which scrutinizes some of Uncle Sam’s surveillance activities, got some much-needed sunlight shined on it.

As time has gone on, however, that desire to clamp down on abuse of power has lightened, with only Senator Ron Wyden (D-OR) continuing to openly challenge the agencies’ conduct and highlight discrepancies between what is claimed and what is actually done.

Between now and the end of the year, a second critical battle between the spy agencies and Congress is going to play out as the NSA and FBI desperately try to retain the ability to spy illegally on American citizens, and lawmakers assess how far they should push back and limit those actions.

In this case, the issue is Section 702 of the Foreign Intelligence Services Act (FISA), and it has to be renewed by Congress by December 31 or it will cease to exist. If it is not renewed, it will take with it the NSA’s ability to intercept traffic from foreign intelligence targets.

That isn’t going to happen, so the question is: how far will Congress go in tying the spy agencies’ hands to stop them from storing information on US citizens?

Earlier this month, we saw the start of the NSA pushback effort: first, an unusual public document defending the use of Section 702 in which it pushes the well-worn line that the program “saves lives and protects the nation” – the same argument put forward for protecting other programs that were subsequently declared unconstitutional.

Revival

At the same time, President Trump also announced out of the blue a decision to revive the Privacy and Civil Liberties Oversight Board (PCLOB), which had been dead for over a year after four of its five board members and its executive director either resigned or did not have their terms renewed following a huge restriction on its powers by Congress. That restriction followed several highly critical reports of spying programs, including Section 702.

Trump announced that he was nominating Adam Klein to become the chair of the PCLOB. It is no coincidence that just one month earlier, Klein had written an op-ed for the Wall Street Journal in which he explicitly defended the most controversial aspect of Section 702 – a vast database of information on US citizens that has been built through a willful misreading of the law and which the FBI is allowed to search in looking for leads in domestic crimes.

The spy agencies’ defense of Section 702 cannot reference the database on US citizens as helping them carry out their work because they are specifically prevented from doing that under the law.

But an independent lawyer can make that argument. And he did. And then he was nominated to become chair of the PCLOB – the independent agency that advises the president on privacy and civil liberties issues when it comes to laws about terrorism.

On paper, it would seem obvious that Congress will clamp down on Section 702 – especially given what has emerged thanks to tireless efforts by many to reveal the true extent of the program. Americans have long been opposed to their government spying on them.

And yet, even with business writing a specific list of five things they want to see changed in the law, Congress – and in particular the Committees charged with overseeing the spy agencies – have gone unusually quiet on the issue.

I can’t hear you

We checked in with the Senate’s Judiciary Committee and despite this being the last session of Congress before the deadline, there are so far no hearings scheduled to consider reauthorization of FISA. A staffer pointed us instead to the hearings held in March.

Making public pronouncements and getting an unwitting president to announce a new position is one thing: getting independent lawmakers to forego their strong commitment to American independence of thought and spirit is quite another.

Which is what makes an investigation by McClatchyDC this week all the more interesting.

The Washington, DC-based news agency dug into the issue of staffing at the House and Senate intelligence committees and discovered that at least a third of the staff – and on some sub-committees as much as half or even three-quarters – are themselves former employees of the spy agencies.

In a detailed background check of each staffer, the agency was able to confirm a third of staffers had previously worked at the CIA, NSA or Defense Intelligence Agency. Many more had little or no discoverable background – which, in itself, is a strong indicator that they had worked for the intelligence services.

The article also spoke to a number of current and former members of the intelligence committees, most of whom were explicit in their view that not only were a majority of staffers former employees of the spy agencies, but that the overall number of staffers was far too small to adequately oversee the sprawling, secretive world of intelligence work.

“There are big areas in the intelligence community that very few people in Congress have any idea of,” national security expert Arthur Rizer told the agency.

A former CIA analyst and House intelligence panel staffer, Fred Fleitz, also noted the same staffer shortfall. “We have fairly small committees with small staffs overseeing a huge intelligence bureaucracy of 17 intelligence entities, tens of thousands of employees and billions of dollars of spending,” he told McClatchyDC.

Fleitz noted that there were only two staff members who monitored the CIA’s entire budget when he was on the panel. The CIA has a budget of $15bn, the largest slice of an approximately $50bn budget held by the 16 intelligence agencies.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/ever_wonder_why_congress_doesnt_clamp_down_more_on_spy_agency_excess/

Stand up who HASN’T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone

Vid Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population.

In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29. Equifax has called in the FBI and is in contact with regulators in other countries about the case.

CEO Richard Smith said that the company’s core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million Americans were exposed.

Here’s Smith explaining himself to the world this afternoon in a video:

[Embedded YouTube video]

As for folks’ credit card numbers, Equifax said payment card details for around 209,000 US consumers were also swiped by miscreants. In addition, “certain dispute documents with personal identifying information” belonging to 182,000 Americans were also illegally accessed. An unknown number of Canadian and UK customers have also had their private data pinched.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Smith.

Bad timing

Three Equifax bosses sold company stock just days after the intrusion was detected on July 29, and therefore about a month before details of the mega-hack were announced today. Chief financial officer John Gamble flogged $946,374 in shares while senior execs Joseph Loughran and Rodolfo Ploder dumped $584,099 and $250,458 respectively.

The biz’s stock price is now down 13.52 per cent in after-hours trading to $123.42 apiece.

“I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

In response to the debacle, Equifax is offering every US citizen a year’s free identity theft monitoring for those who apply, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.

Yes, the identity theft detection service will be supplied by… Equifax. And if you want to check you’re affected by the mega-hack, you have to supply your last name and last six digits of your social security number. To an outfit that just lost your social security number. Which is no use to peeps in the UK or Canada.

Having said that, as responses go, that’s better than we’ve seen from other companies, which usually just tell potential victims to keep an eye on their credit card bills. Then again, since the credit-rating giant does commercial identity theft monitoring, giving it away isn’t too expensive for their accountants.

After such a monumental IT cockup, Equifax has called in a professional security firm to lock down its systems and pick apart the event, gathering evidence as to what has been stolen and possibly gaining clues as to who has it. Smith pledged that the company would not stop until its servers were secure.

“I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” he said. “Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/