Equifax: WTF

Sorry. I waited to weigh in on the “dumpster fire” (credit to Brian Krebs) that is the Equifax breach because I wanted to see if those impacted expand beyond the US. They do.  If it was Apache Struts. It was. And if things got worse. Don’t cry for me Argentina but they just did.

How do you say I’m sorry for losing the confidential data of 143 million people who are your customers? You don’t. Certainly not if you are Equifax, one of the three largest bureaus for credit reports on consumers globally. You make them wait. And then, you sell them a half-baked service to fix the problem you made.  The site known as equifaxsecurity2017.com (sorry – not linking it here) is, in the words of Brian Krebs, “completely broken at best, and little more than a stalling tactic or sham at worst”.  It was flagged as a phishing site, and provided inconsistent responses.

And help comes with big strings. The offer for a year of free credit monitoring by the same firm that f*cked up in the first place has some dual-edged fine print to absolve Equifax of their responsibilities, originally stating that those who consent forfeit their rights to participate or launch a class action suit, or receive any benefits from a suit. They have since amended the injurious clause (see – I can speak legal too!) to say it “does not apply to this cybersecurity incident.” Insult to injury is that victims would have to pay for all the subsequent years of credit monitoring.  Freezing your credit is far cheaper, and effective.

We should be worried. Over 200K Visa and Mastercard holders are at risk of fraudulent purchases at the least because attackers have their account numbers, expiration dates and cardholder names.

Now, let’s talk about “Apache Struts”, which has been flagged three times this year. Struts is hard to patch because it requires more migration and a lot more testing, which is impact and cost to business, but it happens to be used in over 60% of corporations on their major web server applications. There was a massive critical patch alert issued back around March for a zero day being actively exploited. Zero day means you’re not ready to fix it but attackers are ready to move. Guess what? The Struts flaw was still unpatched back in May, when the attackers hit.

Jeff Williams is the co-founder and CTO of Contrast Security and explained the severity of this flaw which allows attackers to take over a Web host with just one HTTP request.

“This vulnerability was scored CVSS 10/10 – the highest rating. Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing…Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack.”

And then there is what happened in Argentina. Earlier this week, it was reported by investigators who were looking into the risk to Argentina that “an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’” I can’t even. The good news is that they took the portal down after Krebs gave them a call.

Do I sound bitter? Sorry not sorry. And so far, I am not one of the confirmed compromised. But oh, I am waiting for that shoe to drop. It has taken a ridiculous length of time for anyone in authority in Canada to address this. I get that we are polite to the point of complacency but come on! Thursday our privacy commissioner, Daniel Therrien, finally stepped in, claiming he had learned via complaints and the press, not from the source. The US has more regulations on credit reporting agencies than we have in Canada, where they are regulated by individual provinces and territories. According to Tamir Israel, who is a staff lawyer with the Canadian Internet Policy and Public Interest Clinic in Ottawa, “because of that mismatch, it falls through the cracks a little”. Per an article by Nestor Arellano in IT Canada Online:

“We have advised Equifax to provide information to affected Canadians as soon as possible and we expect the company to adopt measures to help affected Canadians,” Therrien said. “…Our office is urging Equifax to find a solution to permit Canadians to find out if they are affected as soon as possible.”

Now there is full on call for investigation. Meanwhile, the Canadian Automobile Association has informed 10,000 of its members they are at risk. Per Ian Jack, CAA managing director of communications and government relations, the information of those Canadian members who signed up for the identity protection program was stored with – wait for it – Equifax USA. That would be the sound of the other shoe dropping.

But wait – there is a happy-ish ending. News is just being released that both the CIO, David Webb, and CSO, Susan Mauldin, of Equifax are retiring. Immediately. That’s the first good news we’ve had.

1 Billion Accounts Breached: Are YOU in here?

If you haven’t heard, there are currently about 1 billion accounts caught in two massive breaches: Exploit.in and AntiPublic. I’m one of that billion, and so was a family member. So are work colleagues. So that’s why I’m writing this – for the people I want to protect.

Security researcher Troy Hunt has been actively working on these breaches and getting notifications out. Among the key concerns raised was credential stuffing.

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

As Troy lays out – and we need to be reminded of – this matters to us because:

  • It’s enormously effective due to the password reuse problem
  • It’s hard for organisations to defend against because a successful “attack” is someone logging on with legitimate credentials
  • It’s very easily automatable; you simply need software which will reproduce the logon process against a target website
  • There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing
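As an added example (not from the original post, and not Troy Hunt’s code), the following Python sketch shows what a defender can look for in their own login logs: a replayed leaked list shows up as one source trying many different usernames about once each, which looks different from classic brute force against a single account, and the successes in that burst are the accounts to reset. The log format, thresholds and sample lines are constructed assumptions.

```python
"""Toy credential-stuffing detector over constructed login-audit lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <ok|fail>"
SAMPLE_LOG = """\
2017-05-10T09:00:00 203.0.113.7 alice fail
2017-05-10T09:00:01 203.0.113.7 bob fail
2017-05-10T09:00:01 203.0.113.7 carol ok
2017-05-10T09:00:02 203.0.113.7 dave fail
2017-05-10T09:00:02 203.0.113.7 erin fail
2017-05-10T09:00:03 203.0.113.7 frank fail
2017-05-10T09:00:03 203.0.113.7 grace ok
2017-05-10T09:00:04 203.0.113.7 heidi fail
2017-05-10T09:05:00 198.51.100.9 alice fail
2017-05-10T09:05:01 198.51.100.9 alice fail
2017-05-10T09:05:02 198.51.100.9 alice fail
2017-05-10T09:05:03 198.51.100.9 alice fail
2017-05-10T09:05:04 198.51.100.9 alice fail
2017-05-10T09:05:05 198.51.100.9 alice fail
2017-05-10T09:10:00 192.0.2.5 carol ok
2017-05-10T09:30:00 192.0.2.5 carol fail
2017-05-10T09:30:05 192.0.2.5 carol ok
"""

def parse(log_text):
    """Turn each line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events

def classify_sources(events, window=timedelta(minutes=10), min_attempts=5, min_users=5):
    """Per source IP, look at its densest burst inside `window` (thresholds assumed).
    'stuffing'    = many distinct usernames, roughly one try each (leaked list replay)
    'brute_force' = many tries against a handful of usernames
    Successful logins inside a flagged burst are listed as likely hijacked accounts."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        best = []
        for i, start in enumerate(evs):          # densest window starting at each event
            chunk = [e for e in evs[i:] if e[0] - start[0] <= window]
            if len(chunk) > len(best):
                best = chunk
        attempts, users = len(best), {e[2] for e in best}
        successes = sorted({e[2] for e in best if e[3]})
        if attempts < min_attempts:
            verdict = "normal"
        elif len(users) >= min_users and attempts / len(users) < 2:
            verdict = "stuffing"
        elif len(users) < min_users:
            verdict = "brute_force"
        else:
            verdict = "suspicious"
        verdicts[ip] = {"verdict": verdict, "attempts": attempts,
                        "distinct_users": len(users), "compromised": successes}
    return verdicts

def detect(log_text=SAMPLE_LOG):
    return classify_sources(parse(log_text))
```

Note that 192.0.2.5 is a real user who fat-fingered a password once, so the rate limits alone would not catch the stuffing source; the distinct-username shape does.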

You can read his site to see more. So what that leads to is stuff like this:

Exploit.in is 111 text files totalling 24 GB, a mountain of email addresses paired with passwords. Given Troy’s research so far, of the 593,427,119 unique email addresses it contains, there are accurate, i.e. valid, creds and data that isn’t already compromised, so fresh kill. There are only 222 million duplicates between the lists, which means 63% of the accounts in Exploit.in are different from the 457,962,538 addresses in AntiPublic.

The numbers are staggering, but what we need to be “impressed” by is what led to this. It’s the same root causes, known failings and weaknesses and bad habits that have accumulated as data has accumulated. We all know how much easier it is to fix a problem in the early stages.

So the AntiPublic tool verifies how legitimate hacked credentials are, and there are data breach services that pop up to buy and sell these credentials. I have contacts who tell me that every time these dumps happen they find a significant number of compromises in their regions, regardless of how many recycled creds are in there. Troy gathered some explanations on how this works:

  • the tool itself is for sale here [redacted]
  • it’s pretty cheap
  • it’s mostly used in Russia, but he does sell an English version
  • most common use-case: someone buys a dump on x forum, uses the tool to verify which ones are legit
  • similar to SentryMBA and Account Hitman
  • you will often see a uniqueness score associated with the sale based on output

I really appreciate the work done by security researcher Troy Hunt and his site HaveIBeenPwned. This is a quick and easy way for anyone to check the status of their email or username, as well as to receive notifications of when they may be caught up in a breach. Because the sooner you can change your passwords, the better.


Always Watch for the Dark Horse: Brazil Enters the Cybercrime Ring

We’ve seen it happen in horse races and elections.  Two well-known hot contenders go neck and neck. Everyone is so completely focused on the two leads that no one sees the dark horse come charging up the middle. Until it’s already there.

In the murky waters of deepweb cybercrime, that dark horse is Brazil.  China and Russia may be attribution’s favourite poster twins but we cannot afford to lose sight of other, future contenders. “Nobody saw it coming” are the wrong words to hear when dealing with cybersecurity. And over the past year, breach after massive breach has shown that, despite our best efforts, we can’t seem to stay ahead of the curve. It isn’t just about the threats and attacks, but about who and why. We really need to know our adversaries. Brazil is the new kid on the block, and he’s big.


As early as 2011, InsightCrime was reporting a surge in cybercrime out of Latin America. What country did they identify at the epicenter? Brazil. Both Norton’s Cybercrime Report and Symantec’s Intelligence Reports for 2011 put Brazil in that same top spot. Fast forward to July 2014. A cybercrime op discovered by RSA Security was reported as possibly the largest electronic theft ever: approximately $3.9 billion was stolen through “Boleto Bancario”. That catapulted Brazil into the headlines, establishing what had been building steadily yet unnoticed and unchecked for three years, since 2011.

The unnerving truth about cybercrime is that a lot can happen in just a very short time.  Which is why Brazil should have registered earlier on threat radar. The country is a perfect storm for cybercrime. The stats speak volumes. Per Kaspersky, Internet users in Brazil are the most targeted by cybercriminals in Latin America. Out of 400 million incidents logged over a period in 2015, 31% affected Brazil versus 21% in Mexico, Peru, Colombia and Venezuela.  There has been a drastic increase in new users corresponding with an increase in malicious activity of 197% between 2014-2015. This relates directly to the fact that users have no idea of what they should be doing to stay safe.  Avast reports that 65% of wireless network routers still used the default ID and password.  Symantec showed that in 2013 61% of adults connected to unsecured and public wireless.  And what about the fact that Brazil has the highest internet penetration for the region?  Or that Brazil is going through some economic turmoil, which means cuts, and that includes cuts to security.

How does that play out in a country where there is no requirement to disclose any information about breaches? Apparently, not well. At least 75% of those who use the internet in Brazil have been victims of online crime. Brazil passed its first cybercrime law in 2012, but that proved to be ineffective and inefficient.  Penalties are little more than a slap on the wrist, with house arrests or fines being levied. The lack of staff and lack of funding further limit any real action.  And here’s the kicker:  there is no law currently in place to protect personal information. That means – wait for it – that this info, this PII we fight so hard to protect, can be sold or given to anyone in Brazil, legitimate or criminal, with no repercussions.

PandaLabs Report Q1 2015 Infection rates

According to Juan Andres Guerrero, senior security researcher with Kaspersky Labs:

“As far as global fraud is concerned Brazil is almost exclusively at the top …They are fantastically creative …Brazil actually takes an inordinate amount of time [to monitor] because of the amount of malware, the amount of schemes. They are constantly creating these phishing campaigns. They are incredibly elaborate.”

Brazil is a nation plugged in and online banking reigns supreme, at 41% of all transactions, according to Trend Micro’s white paper from 2014 “The Brazilian Underground Market: The Market for Cybercriminal Wannabes.” One of Brazil’s better-known exports is banking trojans, perfected for the “Boleto” payment system there. Malware changes the bar codes on the boletos to redirect payments to attackers. DNS poisoning is also employed to redirect users. Fake browser windows scoop credentials that are keyed in. Malicious browser extensions capture personal data and send it off to attackers. That bestowed upon Brazil the dubious ranking of second worldwide for online banking malware infections, and almost 9% of global malware infected systems.


From Trend Micro white paper “The Brazilian Underground Market” 2014

William Beer, Managing Director of Cybersecurity at Alvarez & Marsal, told ZDNet:

“There is a lack of focus on cybersecurity both in the public and private sector. Senior executives at organizations don’t really see that as a priority.”

High internet penetration rate, high credit card penetration rate, a large user base unaware of good security practices, and a unique banking payment system based on “boletos” have set Brazil apart by creating a cybercrime training ground that’s open for business. For the entry level fee of $579 US, wannabe cybercriminals can get fraud training, FUD crypter programming and trojan coding. Brazil offers the same range of choices as its peers China and Russia. And in the true spirit of staying competitive, the price of crimeware and service offerings in Brazil has steadily gone down since 2011. But wait – there’s more! They’ve been very good at evading security researchers and law enforcement.

It doesn’t bode well when the criminals openly use social media to flaunt and advertise their business.  Whereas cybercrime tends to opt for obscure channels to remain untraceable, the Brazilians are all over Facebook, YouTube, Twitter and WhatsApp to communicate and organize their lives and their business.  And why shouldn’t they, in a country where the gains far outweigh the risks. All of which makes Brazil very appealing, and very much the dark horse threat we should have been watching for.

My Top 10 List: So What Did We Learn in 2014


There is no question that 2014 has been a most eventful year for InfoSec – and that’s not necessarily a good thing.  Data breaches, malware attacks, compromised Point-of-Sales systems, more data breaches. And of course – the Sony hack. A lot of painful lessons have been learned, many at high cost. So as the year draws to a close, let me present my Top 10 List of what I hope we learned from this year of events we wish we could forget.

1. PATCH IT. Patch it good! System software patches are an integral part of keeping your business, and yourself, safe. Windows, Linux, Adobe, Oracle to name a few, all offer regular patches to cover those vulnerabilities that leave them exposed to hackers looking for a way in. Ideally, you should have a regular, i.e. monthly, schedule where patches are checked and updated. Another thing to remember: test patches before you apply them. Microsoft has had two terrible months in a row issuing then recalling bad patches, but not before inflicting some major headaches on those who already applied them. http://www.darkreading.com/application-security/time-to-rethink-patching-strategies/a/d-id/1318256?_mc=RSS_DR_EDT&utm_source=dlvr.it&utm_medium=twitter

2. THINK before you click that link. Phishing and malvertising have reached prolific levels, and are designed so well it’s easy for everyone to fall for the bait. The onus is on us to be certain we know and trust the sender before we open attachments or click on links. Visiting popular websites or social media hopping is an open invitation to a nasty case of malware because many of these destinations have now become choice phishing holes. Don’t get lured in. http://www.esecurityplanet.com/malware/dridex-and-email-a-nasty-social-engineering-team.html

3. Pass on that Password. This is your first and your best defence to secure anything of value.  Here is how to do it right. Ideally a length of 16 characters, with a mix of upper and lower cases, including numbers and special characters. Oh – and take a tip from Sony. Don’t file under “Passwords”. http://www.wired.com/2014/09/dont-get-hacked/?linkId=9521469

4. AntiVirus Protection. There are a range of options, and many good SOHO programs are even free, though I would strongly encourage paying more to invest in additional protection against cyber threats. And yes – you definitely need to have this on your phone & tablet. Mobile devices are targets of choice. Given how much of our lives we keep on our phones, why would you put that at risk? Finally, don’t rely on out-dated or lapsed programs. In the constantly evolving world of malware and viruses, yesterday’s solutions won’t cut it. Always keep your AV updated.

5. Breach Protocol 101. If you get breached, handle the situation correctly and professionally. Your customers deserve the decency of being informed as soon as possible to protect themselves and take appropriate action. As in the case of Home Depot, don’t make customers wait for the bad news. Because you can’t put a price on trust and reputation. http://www.theglobeandmail.com/report-on-business/international-business/us-business/home-depot-shares-drop-after-chain-investigates-data-breach/article20308768/?cmpid=rss1&click=sf_rob

6. Secure your SOHO tech. Especially routers. Update, upgrade.

7. Wi-Fi Hotspots: Use with extreme caution! In this holiday season of travel and shopping, convenience may be king but letting your guard down isn’t worth it. Secure your tech first – ‘Free’ comes with a price. http://www.onguardonline.gov/articles/0014-tips-using-public-wi-fi-networks

8. Things aren’t so fantastic when you pay in plastic. This year has proven repeatedly that credit cards are not secure. But given that so much of our retail and online world runs on plastic, what can you do to stay safe? For starters, Always Check Your Statements. Be in charge of your accounts and know everything coming or going. Secondly, cover the keypad when you enter a PIN anywhere. Because there really are “eyes in the skies” that are waiting for you to enter the magic number.

9. You get what you paid for. When you buy pirated software and 3rd party apps, you often get a free gift-with-purchase, but trust me, it’s one you don’t want. Malware, browser hijackers etc. It’s a headache to hunt down and then remove these nuisance products. You’re better off paying for the real deal. http://www.scmagazine.com/pirated-joomla-wordpress-drupal-themes-and-plugins-contain-cryptophp-backdoor/article/385552/

10. Best for Last. HAVE A PLAN. When it happens – and it will – have a real Disaster Recovery/Business Continuity plan in place. According to expert Dejan Kosutic, “It is the combination of people and technology that keeps a business running, not computers only, and this is exactly why the concept of business continuity has prevailed in the last couple of years.” According to Cisco, “60% of Canadian businesses either don’t have a security strategy in place, or don’t know if their current one accounts sufficiently for change and evolution to effectively meet threats.” http://www.itworldcanada.com/article/majority-of-canadian-firms-not-prepared-for-cyber-threats-cisco/100226

And on that cheery note, let me wish you all a safe and successful 2015!