Equifax data breach defense: the latest updates

Updates as of 2017-09-14:

Sophos CISO Norm Laudermilch has put together four simple steps that you can take to make sure your family gets through this with identities and finances intact.

***

Equifax has quietly updated its FAQ, clarifying that it was breached using a vulnerability in Apache Struts:

We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.

We first wrote about CVE-2017-5638, a critical RCE (Remote Code Execution) flaw in the Apache Struts framework in March. The bug was widely reported and patches have been available since March, two months before Equifax was breached in “mid-May”.

Updates as of 2017-09-12:

ZDNet’s Zack Whittaker reports that a XSS (Cross-site scripting) vulnerability exists in the Equifax fraud alerts website.

Reflected XSS vulnerabilities allow criminal hackers to create specially crafted links that make websites do things they aren’t supposed to do, such as giving you malware or stealing your cookies.

If you stick to legitimate links you cannot be harmed by an XSS vulnerability. Unfortunately the only legitimate links exist on sites ending in .equifax.com and at this point it seems foolish to make assumptions about the security of those sites.

If you want to visit the fraud alerts website you should type https://www.alerts.equifax.com directly into your browser’s address bar.

Updates as of 2017-09-11:

Equifax has told the New York Times that it is fixing the flawed PINs that it issues when people freeze their credit files. We’ve updated our article woeful PINs put frozen credit files at risk with what we know.

Updates as of 2017-09-10:

Since Friday our advice to people affected by the Equifax breach has been to freeze your credit files (see the “Updates as of 2017-09-08” section below). Frozen credit files can’t be accessed by creditors, which should stop thieves who stole your identity during the breach from taking out a line of credit in your name.

It has emerged since then that the PINs used to secure frozen credit files aren’t the randomly created, all-but-unguessable secrets you might expect them to be: they are simply the date and time of your freeze.

This is a terrible way to generate PINs but we still think you should freeze your credit files, and those files will still enjoy a degree of protection, but you should know that they are not nearly as well protected as they can and should be.

For more on this issue read our explanation of why Equifax’s woeful PINs put frozen credit files at risk.

Updates as of 2017-09-09:

Struts confusion

A report by William Baird & Co claims that Equifax was breached by criminals exploiting a flaw in Apache Struts, a software framework for creating web applications. The report only mentions Struts in passing and offers no detail beyond this statement:

Our understanding is data retained by [Equifax] primarily generated through consumer interactions was breached via the Apache Struts flaw

An analyst at the company has repeated the claim to the New York Post but provided no further details.

We’ve reported on two very serious Struts vulnerabilities this year: CVE-2017-5638 in March and CVE-2017-9805 on 4 September 2017.

If, as some have speculated, Equifax was breached in mid-May by an attack against CVE-2017-9805 then the breach would predate widespread knowledge of the vulnerability by four months. That would make it a 0-day vulnerability – a flaw that Equifax wouldn’t know about and couldn’t patch – at the time it was exploited.

The Apache Software Foundation has now released a long statement of its own that points out this unlikely (but not completely impossible) scenario and corrects some other inaccuracies in the reporting of the latest Struts vulnerability. It does not address the central question of whether Equifax was breached by a Struts flaw, which means that thus far neither Equifax nor the Apache Software Foundation has indicated that Struts played a part in this breach.

ICO tries to find out who’s affected in the UK

So far the information and advice coming out of Equifax has focussed on potential victims in the USA. Anyone in the UK and Canada who might be affected is still largely in the dark. The Information Commissioner’s Office in the UK has now released a statement about the Equifax breach that suggests it’s in the dark too, but trying to shed some light on the situation.

The full statement reads:

Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.

We will be advising Equifax to alert affected UK customers at the earliest opportunity.

In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.

Updates as of 2017-09-08:

Various security experts have advised people to place a security freeze on their credit files with Equifax. Sophos CTO Joe Levy agrees. In fact, he believes reporting agencies should make the process easier:

After this incident, it’s time for the reporting agencies to step up and make freezing and thawing effortless. How about an app that operates like today’s easy-to-use push notification multi-factor authentication systems? I’d forgo my participation in the coming class-action suit if they would instead agree to that.

The general thinking is that a freeze is better than the typical credit monitoring companies offer after a breach. As Brian Krebs of KrebsOnSecurity has noted in the past, credit monitoring services do little if anything to stop thieves from stealing your identity. A security freeze, on the other hand, blocks creditors from looking at your file in order to, as Krebs put it, “grant that phony new line of credit to ID thieves.”

It’s a case of prevention being better than the cure. Levy put it this way:

Credit monitoring is useful in the way an intrusion detection system is useful, but their evolutionary descendants, intrusion prevention systems, provide more practical value. It’s time the monitoring agencies evolve in similar fashion.

There is a site for those who want to initiate a freeze with Equifax.

***

Original story:

To understand how bad the data breach at Equifax is, consider this: the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.

The company said in a statement that cybercriminals “exploited a US website application vulnerability” to access certain files:

Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

What kinds of customer data did the culprits access? Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to Equifax chairman and CEO Richard Smith. In addition, he said, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.

And there’s more. Smith said:

As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.

Many questions

There are a lot of questions surrounding this breach. Bloomberg reports that three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach – but before Thursday’s disclosure. That’s bound to fuel anger from customers who will want to know why.

Equifax will also have to explain what it means by a “website application vulnerability.” Were the hackers exploiting a 0-day vulnerability in server software or one which was known, and for which there was a patch? Or was it perhaps something as simple as a SQL injection vulnerability in the website — the same type of vulnerability that compromised TalkTalk.

Speculation also abounds that the compromised data was stored in plain text, though at the time of writing it remained unclear if that was the case.

Defensive measures

Details of what exactly happened will become clearer in the coming days and weeks. For now, customers need to know what they can do to protect themselves. Naked Security’s Paul Ducklin and Mark Stockley conducted a Facebook Live session this afternoon to offer guidance. You can watch a replay here:

(Can’t see the video directly above this line? Watch on Facebook instead.)

We’ll update this article as more details become available.