Updates as of 2017-09-14:
Sophos CISO Norm Laudermilch has put together four simple steps that you can take to make sure your family gets through this with identities and finances intact.
***
Equifax has quietly updated its FAQ, clarifying that it was breached using a vulnerability in Apache Struts:
We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.
We first wrote about CVE-2017-5638, a critical RCE (Remote Code Execution) flaw in the Apache Struts framework, in March. The bug was widely reported and patches have been available since March, two months before Equifax was breached in “mid-May”.
Updates as of 2017-09-12:
ZDNet’s Zack Whittaker reports that an XSS (Cross-site scripting) vulnerability exists in the Equifax fraud alerts website.
Reflected XSS vulnerabilities allow criminal hackers to create specially crafted links that make websites do things they aren’t supposed to do, such as giving you malware or stealing your cookies.
If you stick to legitimate links you cannot be harmed by an XSS vulnerability. Unfortunately the only legitimate links exist on sites ending in .equifax.com and at this point it seems foolish to make assumptions about the security of those sites.
If you want to visit the fraud alerts website you should type https://www.alerts.equifax.com directly into your browser’s address bar.
https://twitter.com/zackwhittaker/status/907404250371813376
Updates as of 2017-09-11:
Equifax has told the New York Times that it is fixing the flawed PINs that it issues when people freeze their credit files. We’ve updated our article woeful PINs put frozen credit files at risk with what we know.
Updates as of 2017-09-10:
Since Friday our advice to people affected by the Equifax breach has been to freeze your credit files (see the “Updates as of 2017-09-08” section below). Frozen credit files can’t be accessed by creditors, which should stop thieves who stole your identity during the breach from taking out a line of credit in your name.
It has emerged since then that the PINs used to secure frozen credit files aren’t the randomly created, all-but-unguessable secrets you might expect them to be: they are simply the date and time of your freeze.
This is a terrible way to generate PINs but we still think you should freeze your credit files, and those files will still enjoy a degree of protection, but you should know that they are not nearly as well protected as they can and should be.
For more on this issue read our explanation of why Equifax’s woeful PINs put frozen credit files at risk.
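To make the PIN problem concrete, here is an added example (not code from the article or from Equifax) that sets the weak scheme beside a hardened one and counts how many PINs are actually possible. The article only says the PIN is “the date and time of your freeze”, so the exact layout (MMDDYYhhmm, minute precision) is an assumption made for illustration.

```python
"""Added example: a PIN derived from the freeze timestamp versus a PIN drawn
from the operating system's CSPRNG.

Assumption (the article gives no format): the weak PIN is the freeze time laid
out as MMDDYYhhmm, i.e. ten digits at minute precision.
"""
from datetime import datetime, timedelta
import math
import secrets

PIN_DIGITS = 10


def timestamp_pin(when: datetime) -> str:
    """The weak scheme, as assumed: PIN = MMDDYYhhmm of the freeze time."""
    return when.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Hardened replacement: each digit drawn uniformly from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def candidate_count(window_start: datetime, window_end: datetime) -> int:
    """Distinct timestamp-derived PINs for a freeze placed anywhere in the
    inclusive window, at minute granularity."""
    minutes = int((window_end - window_start).total_seconds() // 60)
    return minutes + 1


def entropy_bits(space_size: int) -> float:
    """Bits of entropy if every value in a space of this size is equally likely."""
    return math.log2(space_size)


def compare(window_days: int) -> dict:
    """Compare the two schemes for a freeze known to have been placed within
    window_days of 2017-09-08 (a constructed date for the example)."""
    start = datetime(2017, 9, 8, 0, 0)
    end = start + timedelta(days=window_days)
    weak = candidate_count(start, end)
    strong = 10 ** PIN_DIGITS  # every ten-digit string is possible
    return {
        "weak_candidates": weak,
        "weak_bits": entropy_bits(weak),
        "strong_bits": entropy_bits(strong),
        "strong_to_weak_ratio": strong // weak,
    }


if __name__ == "__main__":
    freeze_time = datetime(2017, 9, 8, 14, 5)  # constructed freeze time
    print("weak PIN for that freeze:", timestamp_pin(freeze_time))
    print("CSPRNG PIN of same length:", random_pin())
    for days in (1, 7, 30):
        print(f"freeze known to within {days} day(s):", compare(days))
```

The ten digits look the same on screen in both schemes; only the size of the space they are drawn from differs, and that size is what determines how well a PIN protects a frozen file.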
Updates as of 2017-09-09:
Struts confusion
A report by William Baird & Co claims that Equifax was breached by criminals exploiting a flaw in Apache Struts, a software framework for creating web applications. The report only mentions Struts in passing and offers no detail beyond this statement:
Our understanding is data retained by [Equifax] primarily generated through consumer interactions was breached via the Apache Struts flaw
An analyst at the company has repeated the claim to the New York Post but provided no further details.
We’ve reported on two very serious Struts vulnerabilities this year: CVE-2017-5638 in March and CVE-2017-9805 on 4 September 2017.
If, as some have speculated, Equifax was breached in mid-May by an attack against CVE-2017-9805 then the breach would predate widespread knowledge of the vulnerability by four months. That would make it a 0-day vulnerability – a flaw that Equifax wouldn’t know about and couldn’t patch – at the time it was exploited.
The Apache Software Foundation has now released a long statement of its own that points out this unlikely (but not completely impossible) scenario and corrects some other inaccuracies in the reporting of the latest Struts vulnerability. It does not address the central question of whether Equifax was breached by a Struts flaw, which means that thus far neither Equifax nor the Apache Software Foundation has indicated that Struts played a part in this breach.
ICO tries to find out who’s affected in the UK
So far the information and advice coming out of Equifax has focussed on potential victims in the USA. Anyone in the UK and Canada who might be affected is still largely in the dark. The Information Commissioner’s Office in the UK has now released a statement about the Equifax breach that suggests it’s in the dark too, but trying to shed some light on the situation.
The full statement reads:
Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.
We will be advising Equifax to alert affected UK customers at the earliest opportunity.
In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.
Updates as of 2017-09-08:
Various security experts have advised people to place a security freeze on their credit files with Equifax. Sophos CTO Joe Levy agrees. In fact, he believes reporting agencies should make the process easier:
After this incident, it’s time for the reporting agencies to step up and make freezing and thawing effortless. How about an app that operates like today’s easy-to-use push notification multi-factor authentication systems? I’d forgo my participation in the coming class-action suit if they would instead agree to that.
The general thinking is that a freeze is better than the typical credit monitoring companies offer after a breach. As Brian Krebs of KrebsOnSecurity has noted in the past, credit monitoring services do little if anything to stop thieves from stealing your identity. A security freeze, on the other hand, blocks creditors from looking at your file in order to, as Krebs put it, “grant that phony new line of credit to ID thieves.”
It’s a case of prevention being better than the cure. Levy put it this way:
Credit monitoring is useful in the way an intrusion detection system is useful, but their evolutionary descendants, intrusion prevention systems, provide more practical value. It’s time the monitoring agencies evolve in similar fashion.
There is a site for those who want to initiate a freeze with Equifax.
***
Original story:
To understand how bad the data breach at Equifax is, consider this: the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.
The company said in a statement that cybercriminals “exploited a US website application vulnerability” to access certain files:
Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
What kinds of customer data did the culprits access? Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to Equifax chairman and CEO Richard Smith. In addition, he said, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.
And there’s more. Smith said:
As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.
Many questions
There are a lot of questions surrounding this breach. Bloomberg reports that three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach – but before Thursday’s disclosure. That’s bound to fuel anger from customers who will want to know why.
Equifax will also have to explain what it means by a “website application vulnerability.” Were the hackers exploiting a 0-day vulnerability in server software or one which was known, and for which there was a patch? Or was it perhaps something as simple as a SQL injection vulnerability in the website — the same type of vulnerability that compromised TalkTalk.
Speculation also abounds that the compromised data was stored in plain text, though at the time of writing it remained unclear if that was the case.
Defensive measures
Details of what exactly happened will become clearer in the coming days and weeks. For now, customers need to know what they can do to protect themselves. Naked Security’s Paul Ducklin and Mark Stockley conducted a Facebook Live session this afternoon to offer guidance; a replay is available on Facebook.
We’ll update this article as more details become available.
I grow tired of being told to make my passwords more difficult, when it is the companies giving away my data!!! What good will my complicated P4$$w0rd!! Be then???!!!
I immediately changed mine to
iS0LemnlySw3arThat*EquifaXisUP2n0GooD!
…which should remain un-crackable for at least another twenty minutes.
Wait. crap.
Is Australia affected?
Equifax have only mentioned the USA, UK and Canada.
Most high profile breaches have nothing to do with bad passwords, but rather corporate responsibility. Stored passwords in plain text? Really? Are you kidding me? If this is the case here, the CEO should go to jail. This is pure negligence.
Equifax have not said that passwords were included in the breached data so the speculation about data being stored in plain text mentioned in the article relates to SSNs, credit card numbers etc. You might encrypt those things (although that actually doesn’t help for the most common type of breaches) but the kind of hashing you’d do with passwords isn’t suitable for that data.
I live in the Washington State. This nation is wholly owned by parasitic business scumbags, who NEVER go to jail for robbing the masses. 9 times out of 10, at the WORST the criminals pay a fine massively less than their stolen “proceeds”. NO individual is charged, or at most, The Boss dumps it all on some low level functionary to take the fall. Great deterrent, eh? And most of The Herd is too brain dead to realize it. Frankly, I blame my fellow citizens more than the tie-wearing sociopaths. If it ain’t news about the Kardashians, or the latest Pokemon app, they pay ZERO attention. Sociopaths robbing idiots.
I love it that Equifax is giving us a date to enroll in free ID theft protection and credit monitoring services. I’m sure the ID thieves will wait a week or so to go on their sprees. 😉 In the meantime, Brian Krebs has a helpful tip that’s also recommended by the U.S. Public Interest Research Group (US-PIRG): take out a credit freeze on all three major data brokers (Equifax, Experian, TransUnion), and the lesser-known (to consumers) Innovis — a credit bureau that’s often used by businesses.
As of Thursday evening, some of the sites to do so online were locking up (getting a bit of traffic, I’m sure!), but you can get to them by phone if necessary. Equifax: 800-685-1111. Good luck, Godspeed!
What Jane Said ^^
It’s 10 p.m., not 4 a.m.!
Sophos (and NS) isn’t likely hosted in your hometown. However even if so, administrators usually define cloud server times in a local context for their authors. I’m guessing you’re on PST (not PDT)? Your date may be wrong as well if you post after 16:00 your time.
Sophos Headquarters: Abingdon, United Kingdom (so they use UTC)
Why on earth did Equifax set up a special domain for this, solicit you to enter SSN and last name and yet not have a high-end certificate that provides ownership information? There’s already a breach, and I’m going to some web site I’ve never heard of, giving personally identifiable information, and it doesn’t even provide ownership information?
I thought the same thing. I entered fake info and the website said my details had not been compromised. Then I entered my real info (with skepticism) and it told me my details “may” have been compromised.
After looking a little closer, it appears the TrustedID service is actually a part of Equifax – not an independent company. Why would I trust Equifax to protect my identity if they cannot protect my data? Am I missing something here?
Check out the NYTimes piece on this. Quoting, “On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand. By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.”
“… an offer for free credit monitoring.” After which, let me guess, you’ll automatically be charged $$$$ a month for this “monitoring”. Surprise, surprise, the criminals have already worked out a way to milk THEIR ERROR into a money making scheme to ROB YOU and ENRICH THEMSELVES. The problem here is a global economic system that assures the most sociopathic will have the greatest power. A system which fabulously, insanely enriches VIRTUALLY NO ONE, at the expense of VIRTUALLY EVERYONE. And what are we in the US doing in response? Electing leaders whose primary goal is to eliminate “Burdensome regulations” on greed (I’m sorry, I meant BUSINESS). Utterly insane.
And then you have people suggesting tying access to encryption to verified ID… (See last Monday’s article)
With hacks like this, it sounds like an even worse joke…
“the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.”
The other half of the population are children, so virtually everyone who has established credit has been compromised.
25% of the US population is under 18. Not “the other half.”
My review of these credit bureau web sites indicates they gather data on all consumers whether you have a Social Security Number or not.
All I want from Equifax is a simple YES/NO answer as to whether or not my data has been compromised! When I click the “See if you were impacted” button on the Equifax website, it tells me NOTHING…and invites me back to enroll in their cheese-wizz credit monitoring in a few days. WTF does that mean?!? Does that mean I was DEFINITELY impacted?!? My God who is running that company and what are they still doing in business?!?
It’s been over 30 business days since Equifax found out about this and all they can manage to do is sell off some of their whale’s stock.
Why haven’t they placed a Fraud Alert on the affected accounts? And why haven’t I received the written notice within 30 days as required by law? That’s the least they could do.
Freezing our accounts is the best option for the time being. We need legislative action to eliminate the annual fee and re-application process each credit agency requires for this!
Personally, I would like to see all these agencies shut down and the function taken over by the government under a single organization. The potential economic and privacy consequences make this a matter of national security.
I had the same initial reaction, as in, What, is Equifax competing with Yahoo for sluggish data breach notification? But realistically, if they called in the FBI immediately (which I would hope they did), law enforcement could have told them to keep quiet about it, perhaps in the hopes of not tipping off the intruders and thus maybe collecting more information on them while they were in the act. That’s an optimistic take that I hope, and presume, is perhaps more likely than my initial cynical take.
“Personally, I would like to see all these agencies shut down and the function taken over by the government under a single organization.”
You can’t be serious. If you think things are bad now with the existing credit bureaus (and yes, they ARE bad), stop and consider how it would be with government bureaucrats in their place.
Nothing is perfect, I’ll give you that. However, one organization vice four and counting is an improvement for having such power over my data. It’s about shrinking the attack surface since it seems these computer breaches will continue indefinitely. Besides, the government created the identity data in the first place. Plus the government has no profit motive and they are bound to serve our national security interests.
The comments above about checking if your name has been compromised are correct, but the problem is even worse than we could imagine:
Equifax is using a standard browser username/password combination interface to check our data. Internet Explorer asked me if I wanted to save my password for the site. So, that “last six-digits of your social security number” is being stored (in their servers) as a simple password.
Considering they couldn’t protect their (and my) data in the first place, why are they now adding browser-vendors’ security into the mix?
This just goes from bad to worse.
It doesn’t quite work that way. Internet Explorer doesn’t know, and can’t work out, how or if the data will be stored on the server, and it does this based on its own rules, not because the website asked it to or not.
It’s like a random person stood at the door watching people walking into a nightclub. That person can look at how the people going in are dressed and make assumptions about what kind of things might be going on inside, but they aren’t actually looking inside and have no idea if they’re correct or not.
Yes, but my point is that they used a form interface that mimics (or uses) a standard password box. Now, I trust Internet Explorer (a heck of a lot more than I trust Equifax), but using that form text box now requires three layers of security all work flawlessly: Equifax’s internal security, SSL/TLS, and IE’s password storage mechanism. If ANY of those are compromised, then the compromising agent now has the last 6 digits of my SSN.
It’s not storing anything on their site. They set it as a password field so that your SSN information isn’t displayed on screen when you type it in. Internet Explorer is asking if you want to save the “password” only because that is what the field is set to on the page. If you click yes, it’s only stored on your PC. You don’t have to save it, and if you do, you can delete it later. It’s not really being used as a password.
“then the compromising agent now has the last 6 digits of my SSN.”
I thought the breach itself means they already have all nine.
This is all well and good but the form is for Americans. It doesn’t accept a SIN format. Please advise Sophos!
This breach only affects Americans. The 3 credit reporting bureaus (Equifax, Experian, and TransUnion) monitor Americans for American companies. So if you are not American and do not have an SSN, you’re not impacted.
So I’m confused. I never had an online account made on the Equifax site before. Do I still need to do this security freeze? What is it freezing up exactly, and if the breach happened to Equifax, then isn’t going back onto the Equifax site not helping?
The people affected by this breach are people that Equifax have data on – people who have applied for loans, credit cards and the like – not just people with an account on the Equifax website.
Prior to entering your data on the Equifax site to see if you’ve been affected, please read the “terms of service” so you know what you’re agreeing to. They included an arbitration clause that may limit your possibilities if you have serious damages from this.
For years we have been saying Executives do not take security seriously.
For years we have seen supposedly impenetrable fortresses of network components being taken down by adolescents.
For years we have allowed ourselves to bear the brunt of incompetence, greed, and poor decision making.
For years we have been waiting for this to happen, indeed, we did it to ourselves.
For fifteen years I have been a professional auditor, both on the business and IT side of things. I can’t tell you how many audit issues I have reported out to several Boards in America and seen absolutely nothing done.
There is no legal mandate, there is no understanding, there is only greed and the idiotic idea of running a business from the budget. Combine that with the fact that the overwhelming number of IT professionals are social misfits who can’t think outside of a line of (compromised) code, a significant number of whom can only pull objects from libraries, and there is no reasonable reason to think that any other result is possible.
IT security has always been a joke. It’s time the profession stopped coddling “management” and took the fight to government.
Not that that would help considering how utterly corrupt they are, they’d probably just set up a separate credit service for Congress critters. And why the hell is there no requirement for Equifax to place a credit freeze on everyone’s account as a matter of course?
Why is SSN still used as a primary identifier?
etc.
There is no solution as long as people shy away from the fact that criminals lead companies for personal gain. Every last CEO in a global company is a criminal, and as long as you believe otherwise, you will keep getting screwed.
This is what regulation is for.
“The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.”
Given that 74 million Americans are children (and won’t be registered with Equifax), the percentage of adults is much higher than 50%.
As I understand it, when you place a freeze on your account at one of the credit bureaus, you lose the ability to monitor your credit report until you “unfreeze” it. And you pay $10 each time, both ways. So if you use, say Credit Karma to monitor your credit reports (free monthly reports), I assume a freeze will prevent them from getting your info.
Equifax’s crack IT team strikes again:
If you go to their special anti-breach website, the check page asks you to input your last name and the last six digits of your SSN. Here’s the problem: if you correctly enter your SSN, the website displays a green checkmark. If you enter an incorrect six digits, it displays a red checkmark. In other words, Equifax’s anti-breach website has provided a nice, easy tool for any crook who wants to confirm or crack someone’s SSN.
Essentially, the breach check site itself openly has this insecure loophole that would allow anyone running a program to easily check or crack the real six final digits of a person’s SSN. If it guesses wrong, Equifax spits out a red checkmark. If it guesses right, Equifax displays a green checkmark, letting the attacker know he’s hit the target. Finding the first three digits with public records based on location of birth, it is then trivial to discover someone’s real SSN.
Seriously, the Equifax Board of Directors needs to fire every single officer and executive and rebuild this company from scratch. And if they don’t, the shareholders should toss out every member of the Board and elect a new one who will take care of business.
Three weeks and counting since the breach was announced and still nothing done. No congressional inquiry, no written notice in the mail, basically no more than a great big public yawn. I guess the market is happy with the CEO’s retirement announcement too since the stock price is bouncing back up on the news. So no meaningful change here.