
Equifax hack

beero1000

https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.
...
“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

This is bad. Affects basically every adult in the US and the credit reporting companies have so much important data...
 
They are not handling this well.

https://techcrunch.com/2017/09/07/equifax-data-breach-help-site-leaves-consumers-with-more-questions-than-answers
The company established a website to allow consumers to see if their data was stolen. But it’s broken and sets the user up for TrustedID, a credit monitoring service owned by, wait for it, Equifax.

Equifax says that this site will “indicate whether your personal information may have been impacted by this incident.” That is false as of this post’s publication. The company also says it will provide the checker with an “option” to enroll in TrustedID Premier. That’s also false. When a user inputs their data into the system, a message appears that the user can be enrolled in TrustedID Premier at a later date. Mine was 9/11/2017.

This is completely irresponsible by Equifax.

The site’s terms of service seem to state that by agreeing to use this service, the user is waiving their rights to bring a class action lawsuit against Equifax.

https://www.bloomberg.com/news/arti...utives-sold-stock-before-revealing-cyber-hack
The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
 
This is disturbing on so many levels.

First off is of course the hack itself. The only solace I can find is that maybe there's so many identities to be stolen that it'll take a while for the hackers to find mine and exploit it (for whatever it is worth).

Second is the fact that this happened at the end of July and this is the first we're hearing about it. How many people have been ripped off in the last six weeks while Equifax took the time to build their "we fucked up, sorry 'bout that" website/service?

About that service...getting Equifax to fix something incorrect on your credit report is about as easy as landing a top secret security clearance. They've got a misspelled street name on my report from a place I haven't lived in 20 years, but it would be too much of a hassle to fix that. What if their monitoring service does find a problem? Will I have to send them a registered letter to a PO box in Terre Haute and wait six months for a response before anything is done? And while I didn't scour the site completely, I couldn't find anything on there about how long the "free" part lasts.

If it operates like half of every other service in the world, you'll get a few months free and then one day (unless you read the fine print and clicked the hard-to-find box on the web page) they'll start charging your credit card every month AND make it especially difficult to stop the credit monitoring.

And while we're at it, why does a company whose only purpose is to monitor credit reports need to create a separate company whose sole purpose is to monitor credit reports? That strikes me as some bullshit right there.
 

Never had any trouble like this.

When I first checked my credit reports the biographic stuff was riddled with garbage, most of it pretty obvious fat-fingers of legitimate information. (For example, we used to live at 7851 <street>. I found 751 and 7051 addresses.) One letter got rid of all but one bit of garbage. A second letter pointing out that the remaining piece of garbage was impossible (the street didn't exist at that address, extrapolation put it inside a Target store) and it also went away.

I've also gotten free monitoring from data breaches. They've never had a credit card to charge, when the time's up it simply goes away. It doesn't really matter anymore, there are services like Credit Karma and Credit Sesame that will notify you of changes in your credit report for free.
 
But at least 3 top executives were able to sell a bunch of the company stock before they dropped the news bomb...whew! And you can also sign up for their premier protection services, just in case some stupid company has a data breach...
 
Google fires James Damore for saying you should hire based on merit, not sex; meanwhile Equifax info security is headed by a female music major.
 
https://www.cnbc.com/2017/09/08/sus...-might-have-generated-millions-in-profit.html
Unusual trading in Equifax options in mid-August suggests millions of dollars in profit were generated after Thursday's disclosure of a massive data breach at the credit reporting company affecting 143 million consumers and their personal information. Shares of Equifax tumbled nearly 14 percent on Friday in the wake of the disclosure of the breach. Until Thursday, they had been up about 20 percent for the year.

Jon Najarian, a trader and CNBC contributor, said Equifax options trade infrequently. As an example, in the entire month of July, Equifax put options traded just under 260 contracts, or about 13 contracts a day. But Aug. 21 was different. Najarian pointed to activity in Equifax puts that day, when 10 times as many were bought than in the entire preceding month. Specifically, Najarian said, 2,600 contracts, giving the owner the right to sell 260,000 shares of Equifax at $135 in September, were purchased for 60 to 70 cents each. Put options, which give the holder the right to sell an asset at a certain price at a point in the future, are essentially bets the underlying shares will fall. Najarian, also a co-founder of Investitute.com, calculates it was an investment of at least $156,000.

When Thursday's news broke, Equifax shares tanked from $142.72 to an after-hours low of $118. At that low level, the right to sell those shares at $135 would be worth $17 each, which means the profit on them would be $16.30 to $16.40 because they were purchased for 60 to 70 cents each, according to Najarian's math. The trade's total profit would have been about $4.2 million.
Nothing to see here...
 
https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/ said:
Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
...
A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.

But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.
...
According to Equifax’s own literature, the company has operations and consumer “customers” in several other South American nations, including Brazil, Chile, Ecuador, Paraguay, Peru and Uruguay. It is unclear whether the complete lack of security at Equifax’s Veraz unit in Argentina was indicative of a larger problem for the company’s online employee portals across the region, but it’s difficult to imagine they could be any worse.

“To me, this is just negligence,” Holden said. “In this case, their approach to security was just abysmal, and it’s hard to believe the rest of their operations are much better.”

:picardfacepalm:
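As an added example (not code from the thread, from Krebs or from Hold Security), this is the kind of password-policy check an employee portal could apply at provisioning time to refuse exactly the patterns the article describes: a default admin/admin pair, a password equal to the username, and usernames that are just a last name or first initial plus last name. The minimum length and the sample accounts are constructed assumptions.

```python
"""Password-policy check for an employee dispute portal (added example)."""

DEFAULT_PAIRS = {("admin", "admin")}   # the pair named in the Krebs article
MIN_LENGTH = 12                         # assumed policy minimum, not from the page


def name_tokens(username: str, full_name: str = "") -> set:
    """Name-derived strings a password must not contain: the username, the last
    name, and first initial + last name (the username scheme the article describes)."""
    tokens = {username.lower()}
    parts = full_name.lower().split()
    if parts:
        last = parts[-1]
        tokens.update({last, parts[0][0] + last})
    return {t for t in tokens if len(t) >= 3}  # ignore tiny tokens such as 'jp'


def check_password(username: str, password: str, full_name: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    u, p = username.lower(), password.lower()
    if (u, p) in DEFAULT_PAIRS:
        problems.append("default credential pair")
    for token in sorted(name_tokens(username, full_name)):
        if token in p:
            problems.append(f"contains name-derived token {token!r}")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def audit(accounts) -> dict:
    """Map each username to its violations. `accounts` is an iterable of
    (username, full_name, proposed_password) tuples checked at provisioning."""
    return {u: check_password(u, pw, name) for u, name, pw in accounts}


if __name__ == "__main__":
    # Constructed sample accounts mirroring the pattern the article describes; not real data.
    SAMPLE = [("admin", "", "admin"),
              ("jperez", "Juan Perez", "jperez"),
              ("gomez", "Ana Gomez", "Gomez2017"),
              ("mrossi", "Marta Rossi", "kite-harbour-velvet-42")]
    for user, issues in audit(SAMPLE).items():
        print(f"{user:8} {'OK' if not issues else '; '.join(issues)}")
```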
 

Everyone responsible should be in jail. Just following orders isn't an excuse for something like this.
 
Good thing for tight software deadlines, or else we'd get some pretty shoddy technical products out there.
 
https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug said:
"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," company officials wrote in an update posted online. "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available. Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.

They are trying to blame a bug that was patched 2 months before the hack began and 5 months before they discovered it. No statement that that was the only vulnerability though, no doubt the other stuff makes them look even worse. admin/admin and so on. :mad:
 

Between the "admin/admin" login page, the two executives selling off their stock right before the company tanked and now this, it's pretty clear that the Equifax story is one of either willful or deliberate incompetence.
 

Hard to know what happened for sure, but usually it goes something like this:

C-Level (to middle manager): We gotta get this shit done asap
Middle Manager (to developer): We gotta get this shit done asap
Developer (to middle manager): But I can't fix this enormous security vulnerability in two days
Middle Manager: .......

Basically, execs rarely take responsibility for security because it means actually investing time and money in it, or they're just politically savvy but actually pretty dumb and don't realise how big of a mistake they're making.
 
Equifax really needs to be sued into bankruptcy and shut down. Need some corporate blood to keep them on their toes.
 
https://www.bloomberg.com/news/arti...suffer-a-hack-earlier-than-the-date-disclosed

Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation.

In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders.

WTF. And they left the Struts vulnerability unpatched for months after that?!
 
https://arstechnica.com/information...cts-breach-victims-to-fake-notification-site/

In a tweet on Tuesday afternoon, an Equifax representative using the name Tim wrote: "Hi! For more information about the product and enrollment, please visit: securityequifax2017.com." The message came in response to a question about free credit monitoring Equifax is offering victims. The site is a knock-off of the official Equifax breach notification site, equifaxsecurity2017.com. A security researcher created the imposter site to demonstrate how easy it is to confuse a legitimate name with a bogus one. The Equifax tweet suggests that even company representatives can be easily fooled. The tweet was deleted late Wednesday morning, more than 18 hours after it went live.

It turns out Equifax has linked to the same fake domain since at least September 9, as evidenced by tweets here, here, and here. Unlike Tuesday's tweet, the September 9 tweets remained live when this post was going live, but were taken down shortly after that.

...

It would have been much better to host the notification pages on the equifax.com domain, which people instinctively know is the official domain for the credit reporting service. The decision to use equifaxsecurity2017.com instead only desensitizes people to the large number of look-alike domains that attackers use.

Because of course they did...
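As an added example (not code from the thread or from the Ars Technica piece it quotes), this is a pre-publication link check a support team could run before tweeting a URL: it accepts only the allowlisted hosts and flags labels that rearrange or nearly match them. The hosts equifax.com, equifaxsecurity2017.com and securityequifax2017.com are the ones named in the quote; the similarity threshold and the other inputs are constructed.

```python
"""Look-alike domain check for outbound support links (added example)."""
import re
from difflib import SequenceMatcher

OFFICIAL = ("equifax.com", "equifaxsecurity2017.com")  # allowlist taken from the quote
BRAND = "equifax"
NEAR_MISS = 0.85  # assumed threshold: similarity at or above this counts as a typo-squat


def host_of(url: str) -> str:
    """Lowercase host with scheme, port, path and a leading 'www.' removed."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    host = host.split("/")[0].split(":")[0]
    return host[4:] if host.startswith("www.") else host


def second_level(host: str) -> str:
    """'help.equifax.com' -> 'equifax'. Assumes a one-label public suffix such as .com."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(url: str) -> str:
    """Return 'official', 'unrelated', or a 'lookalike: ...' reason string."""
    host = host_of(url)
    if host in OFFICIAL or any(host.endswith("." + o) for o in OFFICIAL):
        return "official"
    label = second_level(host)
    for official in OFFICIAL:
        off_label = second_level(official)
        # Same letters in a different order (securityequifax2017 vs
        # equifaxsecurity2017): the swap the deleted tweet fell for.
        if label != off_label and sorted(label) == sorted(off_label):
            return f"lookalike: rearranges {official}"
        # A character or two off, e.g. equifaxsecurlty2017 (typo-squat).
        if SequenceMatcher(None, label, off_label).ratio() >= NEAR_MISS:
            return f"lookalike: near miss of {official}"
    if BRAND in label:
        return "lookalike: brand name inside an unlisted domain"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.equifaxsecurity2017.com/enroll",
              "https://securityequifax2017.com",   # the domain the Equifax tweet linked to
              "https://equifaxsecurlty2017.com",   # constructed typo-squat
              "https://equifax-help.com",          # constructed
              "https://example.com"):              # constructed
        print(f"{u:45} {classify(u)}")
```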
 