How organizations can prevent vulnerability after the Equifax data breach
By Jeff Lizerbram, Solutions Architect, Systems Integration
When the recent news stories broke across the nation on the data breach at Equifax, one of the three main credit reporting companies (the other two being Experian and TransUnion), the damage had already been done almost 3 months earlier. According to the top news sources, over 143 million people in the United States, Canada and the United Kingdom had their credit data accessible to attackers from as early as May 2017. This data includes Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other private financial data. One of the major sources of the vulnerability was the main public Equifax website itself, which was running with un-hardened web application security configurations in place.
The root cause may go deeper into the organization, to weak enforcement of IT security policy. Can this happen to any organization? Of course. As a Managed Services Provider, we see enormous volumes of attack attempts hitting public-facing firewalls all the time. And we are constantly reminded that our data is at the mercy of the ever-changing best practices in Information Technology security. Can an organization work to prevent such a massive vulnerability? Absolutely, and here’s one way to accomplish this:
From my own experience in working with best-in-class cloud security solutions, there is a strong need for other factors, including human factors, to be in place in addition to the security solution itself. A great security product protecting a company’s assets is just one small part of preventing attacks. A strong and secure organization should hold an internal policy foundation built on 3 important pillars: Security, Auditability, and Accountability. For Security, upgrading to best-of-breed security products will definitely help. And while most security products on the market include auditing features, quite often the auditing portion is left disabled and unused. It is crucial to enable auditing so that sensitive data leaving the organization, as well as data coming in, is visible and alerted on. Finally, security and auditing must result in holding people accountable for correcting the configuration issues that auditing flags. All in all, a good organizational IT policy should have a foundation based on these principles to stay ahead of the bad guys.
Two things people can do right now to protect themselves after the Equifax hack
By Richard Swaisgood, Server Engineer, Systems Integration
Unfortunately, Equifax has been extremely tight-lipped about any technical information. We know that the personal information of at least 143 million Americans was stolen by an unknown group and that Equifax is offering credit protection services for about 1 year to affected users.
The current rumor is that they were using an older version of Apache Struts, a Java web framework, to handle (serialize and deserialize) requests between their user-facing Java applications and their core database, allowing the attackers to inject code into the user-facing Java application and gain access to the core database and the sensitive information in it. This is of course all rumor at this point; once more data gets released we’ll have a better understanding.
There are two things people can do right now to protect themselves: sign up for credit monitoring services (preferably not with Equifax) and, if you do not plan on opening any new credit accounts, freeze your credit. Keeping a close eye on who has been requesting your credit reports and what accounts have been opened can save you a lot of time, as you can issue a credit freeze or dispute new accounts relatively quickly. Preemptively freezing your credit is the best protection, but it can cause issues if you are in the process of buying a home or a car or applying for any kind of credit. Unfortunately, with the kind of information leaked, you will need to do this for a very long time: attackers can simply wait until the free 1 year of credit monitoring expires, and given the frequency of these attacks it may be better to keep credit monitoring going indefinitely.
As for Equifax itself, it’s hard for me to see a way they survive this breach. The effects will be long-lasting for nearly half of all Americans, and there is already one class action lawsuit filed against them for $70 billion, with much more coming their way as people start being directly affected by this breach. Hopefully this breach helps companies understand how a single breach can completely change their business, or even end it outright if enough information is lost, and the importance of securing your data in today’s world of constant data breaches.
Recently confirmed Myspace hack could be the largest yet
By Sarah Perez as written on techcrunch.com
You might not have thought of – much less visited – Myspace in years. (Yes, it’s still around. Time, Inc. acquired it and other properties when it bought Viant earlier this year.) But user data never really dies, unfortunately. For Myspace’s new owner, that’s bad news, as the company confirmed just ahead of the Memorial Day holiday weekend in the U.S. that it has been alerted to a large set of stolen Myspace username and password combinations being made available for sale on an online hacker forum.
The data is several years old, however. It appears to be limited to a portion of the overall user base from the old Myspace platform prior to June 11, 2013, at which point the site was relaunched with added security.
Time, Inc. didn’t confirm how many user accounts were included in this data set, but a report from LeakedSource.com says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale.
Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack.
That estimation seems to hold up – while there are a number of other large-scale data breaches, even some of the biggest were not of this size. The U.S. voter database breach included 191 million records, Anthem’s was 80 million, eBay was 145 million, Target was 70 million, Experian 200 million, Heartland 130 million, and so on.
The issue with these older data breaches is that they’re from an era when security measures were not as strong as today, which means these passwords are easily cracked. LeakedSource notes that the top 50 passwords among those cracked account for over 6 million passwords – about 1.5 percent of the total, to give you a sense of scale.
The passwords were stored as unsalted SHA-1 hashes, as LinkedIn’s were, too. Without a salt, every account that used the same password produced the same hash, so a single precomputed table of hashes for common passwords recovers all of those accounts at once.
That allowed Time, Inc. to date the data breach to some extent, as the site was relaunched in June 2013 with strengthened account security, including double-salted hashes to store passwords. It also confirmed that the breach has no effect on any of its other systems, subscriber information, or other media properties, nor did the leaked data include any financial information.
Myspace is notifying users and has already invalidated the passwords of known affected accounts.
The company is also using automated tools to attempt to identify and block any suspicious activity that might occur on Myspace accounts, it says.
“We take the security and privacy of customer data and information extremely seriously—especially in an age when malicious hackers are increasingly sophisticated and breaches across all industries have become all too common,” said Myspace’s CFO Jeff Bairstow, in a statement. “Our information security and privacy teams are doing everything we can to support the Myspace team.”
However, while the hack itself and the resulting data set may be old, there could still be repercussions. Because so many online users simply reuse the same passwords on multiple sites, an attacker who is able to associate a given username or email with a password can try that pair against users’ current accounts on other sites.
Of course, it’s not likely users even remember what password they used on Myspace years ago, which makes protecting your current accounts more difficult. A better option is to always use strong passwords that are unique to each site, reset them periodically, and take advantage of password management tools like Dashlane or LastPass to help you keep track of your logins.
Myspace also confirmed that the hack is being attributed to the Russian hacker who goes by the name “Peace.” This is the same person responsible for the LinkedIn and Tumblr attacks, too. In Tumblr’s case, some 65 million plus accounts were affected. But those passwords were “salted,” meaning each hash has to be attacked separately, which makes them harder to crack.
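The difference between the unsalted SHA-1 hashes in the Myspace set and the salted hashes in the Tumblr set, worked through as an added example (this is not code from the article or from either company). It builds a constructed set of four accounts, two of which share a password, stores them first as bare SHA-1 and then with a random per-user salt under a slow key-derivation function, and cracks both with the same small wordlist. The exact KDF Myspace adopted in 2013 is not stated in the article; PBKDF2-HMAC-SHA256 is used here as an assumption, and the accounts and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example (not records from the leak).
# Two users share a password, the reuse case the article warns about.
SAMPLE_USERS = {
    "alice@example.com": "password1",
    "bob@example.com": "abc123",
    "carol@example.com": "password1",
    "dave@example.com": "blink182",
}

# A constructed cracking wordlist; real ones hold billions of entries.
WORDLIST = ["123456", "password1", "abc123", "qwerty", "blink182", "letmein"]


def store_unsalted_sha1(users):
    """Pre-2013 Myspace scheme per the article: SHA-1 of the bare password."""
    return {email: hashlib.sha1(pw.encode()).hexdigest()
            for email, pw in users.items()}


def crack_unsalted(stored, wordlist):
    """Hash the wordlist once, then recover every account by table lookup.
    Returns (email -> password, number of hash computations). The work is
    proportional to the wordlist, not to the number of leaked accounts."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    found = {email: table[h] for email, h in stored.items() if h in table}
    return found, len(wordlist)


def store_salted(users, iterations=200_000):
    """Hardened scheme: random 16-byte salt per user plus a slow KDF.
    PBKDF2-HMAC-SHA256 is an assumption of this example; the article does
    not say which KDF Myspace or Tumblr used."""
    out = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        out[email] = (salt, iterations, dk)
    return out


def verify_salted(stored, email, candidate):
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, iterations, dk = stored[email]
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(test, dk)


def crack_salted(stored, wordlist):
    """No shared table is possible: every candidate must be re-derived for
    every account, and each derivation costs `iterations` HMAC rounds.
    Returns (email -> password, number of KDF computations)."""
    found, work = {}, 0
    for email, (salt, iterations, dk) in stored.items():
        for w in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(guess, dk):
                found[email] = w
                break
    return found, work


if __name__ == "__main__":
    unsalted = store_unsalted_sha1(SAMPLE_USERS)
    found, work = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted SHA-1: cracked {len(found)}/{len(SAMPLE_USERS)} "
          f"accounts with {work} hash computations")
    print("alice and carol share a hash:",
          unsalted["alice@example.com"] == unsalted["carol@example.com"])

    rounds = 50_000
    salted = store_salted(SAMPLE_USERS, iterations=rounds)
    found, work = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: cracked {len(found)}/{len(SAMPLE_USERS)} "
          f"accounts with {work} derivations of {rounds} rounds each")
    print("alice and carol share a hash:",
          salted["alice@example.com"][2] == salted["carol@example.com"][2])
```

Both schemes fall to a wordlist of common passwords, so salting alone does not rescue weak passwords; what it removes is the shared table, so each of the 427 million hashes would have to be attacked on its own, and the slow KDF multiplies the cost of every one of those attempts. The identical hashes for alice and carol in the unsalted store are also what lets an attacker spot password reuse across the dump before cracking anything.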
Myspace is working with law enforcement as this case is still under investigation, the company says.