By now we’re all probably very aware of the massive Equifax hack that exposed 143 million Americans’ Social Security numbers, birth dates, addresses and driver’s licenses. A small subset of credit cards and personal identifying documents was also accessed, along with limited personal information belonging to an uncertain number of Canadian and UK citizens. According to a statement released by Equifax, the breach occurred from mid-May through July 2017. They discovered the breach on July 29th, which means attackers were actively working for well over a month, if not more, at exfiltrating this treasure trove of data. Equifax also stated that criminals exploited a vulnerability in their web application to gain access to sensitive data.
This wasn’t the first time Equifax has been in the news regarding weak application security on one of their sites. Last May criminals were able to gain access to Equifax’s W-2Express site, where weak authentication allowed them to access customers’ W-2s. This security incident was only a precursor to what the company was in store for in the next 12 months.
Over the next couple of days and weeks we’ll learn more about the breadth and scope of the Equifax hack, but it’s being reported that attackers took advantage of a vulnerability in the open-source software Apache Struts to compromise their application. With that said, let’s try to shed some light on exactly what this means based on the timeline of events Equifax has given us. A new Struts vulnerability (CVE-2017-9805) was released on 9/4/2017, and many people have incorrectly correlated these two events, since Equifax announced they noticed the attacks occurring in July. Based on this timeline, it sounds as though there was either an unpatched vulnerability that wasn’t dealt with or the attackers were using a zero-day exploit to gain access. We surmise this from the breach being detected on July 29th and the new Struts exploit appearing after the detection.
As CBS2’s Carolyn Gusoff reported, the personal information of nearly 150 million Americans was stolen. Experts are offering advice on what consumers can do to protect their identities.
It’s extremely important to gain proper insight into your application’s security. We don’t know if this hack was achieved through an old vulnerability or via a zero day, but either way we as a community need to get better at application security in general. I personally see a greater lean in the security community towards network and endpoint security, and I hope that after this wake-up call we as an industry will start taking more notice of the importance of application security. A few things we should do in light of this hack from an application security standpoint:
- Let’s grab hold of the work being given to us by OWASP on a silver platter and start implementing it in our applications. The OWASP group has done some amazing work that’s free and at your fingertips. Get to know their work and determine how you can incorporate their recommendations into your application security process today.
- Perform continuous vulnerability scanning (static and dynamic) with prioritized risk findings to guide your efforts. It’s not enough to scan for vulnerabilities on a schedule. There needs to be a continuous effort to hunt down weaknesses in your code and stop them before someone else exploits them. Doing this continually and making it part of your security DNA will help limit your exposure to risk.
- Establish processes for incorporating security in your SDLC and releases to find flaws earlier. The earlier in the development process you find flaws, the less expensive they are to fix and the less likely you are to open yourself up to exposure.
- Get serious about patching and config management! Yeah, this is easier said than done, but patching for known risks in your code and applications needs to be better as a whole. We’ve seen this happen too many times and using a WAF doesn’t mean you’re free to leave vulnerable systems on the internet. Understand how applications are configured and validate they’re up to proper security standards before being released, otherwise pull them down.
- Incorporate layers into your application defense (e.g., WAF, scanners, monitoring, frameworks, threat intel, etc.). As we mentioned earlier, don’t rely on one layer to protect your application. There are tools that should be implemented to defend and monitor against attacks, and processes that should be followed to develop secure code. Together these build your program.
- Tokenization should be used as a substitute for sensitive data (e.g., Social Security numbers) as frequently as possible. We’re not sure of the actual details of the Equifax hack or whether this would have protected against it, but it goes without saying that you should add features to protect your sensitive data and your customers’ privacy at all costs.
- Start seeing the benefits of how bug bounties can harden your applications. This is still a controversial idea, but starting a private bug bounty program and possibly graduating to a public program could be a good way to determine your application’s security risks in the real world.
- Aim towards adopting frameworks (e.g., BSIMM and OWASP) that will push your security posture forward. With these and similar frameworks your program has rails, guidance and milestones to achieve and work towards. You’re no longer doing only what you consider secure, but are following a time-proven standard written by the community. These frameworks help guide the AppSec program you develop for your unique business objectives.
How a company responds to a breach is a sign of how prepared they were before it happened. There were some stumbling blocks early on for Equifax, which seemed odd since they hired Mandiant to assist with the incident after they determined they were breached. Mandiant is normally brought in after large breaches occur and has done a fantastic job in assisting with the world’s largest data breaches to date. A few things that made me feel Equifax was a little rushed with their responses or not completely prepared were:
- They decided to use a website, equifaxsecurity2017.com, that’s hosted on WordPress and doesn’t include the actual domain name of their company. This was very confusing to people when it first came out and was initially flagged by many web and spam filters as a malicious domain name. Instead of hosting the incident response notification page as a vanity URL or linking back to their current domain, they created another site, which caused unneeded confusion in an already stressful time. Communication is key during an incident and this started the process off wrong.
- Equifax announced that in order to determine if your personal information, including your SSN, was compromised you needed to enter not only 4 digits of your Social Security number, but 6. First of all, that’s never done and you’re giving too much information away to begin with, but second, the wound was still raw and asking for your Social Security number after a breach of the same data was taken as a slap in the face. Many people didn’t trust this site and those that did submit their information were told it was for credit monitoring. This page also gave different answers depending on whether you entered this information on your mobile phone. To make matters worse, there was confusing language after entering your information that said that by submitting this information customers weren’t able to take legal action against Equifax (which Equifax has said is not the case). The irony of asking customers to sign up for identity monitoring from a site that was breached, by giving the same information that was stolen, didn’t go over well with the public.
- During the breach it was found that multiple Equifax executives had sold stock before the notice was made public. This could have been a coincidence as it was only a small subset of the stock they owned, but the timing has caused unneeded suspicion and there’s currently an investigation occurring regarding it.
- On September 8th there was an update to their equifaxsecurity2017.com site that mentioned they were having issues with their call centers and with customers looking to get hold of them for answers. It’s surprising to me that this wasn’t thought of first, seeing the sheer amount of data and people that were affected by the breach. Much of this seemed to have been done without a clear plan in mind, but during a breach many things don’t always go as planned.
- Having a written incident response plan is much different than having a tested incident response plan. Everyone has a plan, but when an incident actually happens, will this plan be battle ready? Utilizing tabletop sessions in all areas of the organization (e.g., management, engineers, call centers, etc.) will increase your odds of handling the breach well in public.
Now that the data’s been compromised where is it? Who’s done this and why? Well, these are questions everyone’s wondering and speculating about right now. The data that was stolen and the sheer vast quantity of it is very valuable to hackers. Right now I can think of two possible scenarios:
- This data in the underground is considered “Fullz” since it has name, address, Social Security number and in some cases credit card numbers. This is like hitting the lottery for a cyber-criminal. Normally you’d see criminals package up this data in particular formats and start shopping around pieces of it to shops to show the quality and value of their new stolen product. Depending on how they’re looking to have it hosted there might be a vetting period with the site. This site will most definitely be hosted on the dark web and would probably be known for purchasing stolen identities. It’s interesting though that the data hasn’t been seen on the dark web as of this writing. Normally, after exfiltrating data of this kind, hackers are quick to turn it over for sale to make a profit on their stolen goods. It’s possible that the dataset is still being packaged or that those responsible are considering what type of consequences they’ll face if found. In my opinion there’s a more nefarious possibility, which we’ll discuss next.
- In 2014 the Office of Personnel Management was hacked, leaking 21.5 million government employees’ information that included their applicants, spouses, and relatives. This data also included SSNs, fingerprint data, and bank account information. Also, in 2015 the Anthem data breach occurred, with 80 million records pilfered that included the health records of their members. The combined 100 million records of these hacks have not been found for sale on the dark web. It’s very common for companies to realize they’ve been hacked only after the data’s been released and is being sold on the black market, yet neither of these previous examples has made its way up for purchase, and both have been attributed to the Chinese. The Equifax hack was determined to have occurred on July 29th and as of yet we haven’t seen any valid data on the black market for these records. If we don’t see anything soon, it leads me to think a nation-state is behind this attack and is building profiles on American citizens. With these three hacks combined, this includes addresses, Social Security numbers, healthcare, and government workers. It allows adversaries to create profiles on targets for future hacks and look for weaknesses to exploit. I find this a lot more dangerous than a hacker group looking to make money.
What does the future hold after the Equifax hack? Well, for starters you’ve probably heard people talk about freezing your credit to protect yourself and I couldn’t agree more. This works way better than a credit monitoring service and will lock down your identity from having others, including yourself, open additional inquiries into your credit. If you’re not opening a credit card, getting a loan, etc. in the near future you might have to unfreeze your credit, but I’d recommend doing this in the near future. There’s a cost of around $10 per credit bureau (for a total of around $30), but it’s worth it to protect yourself from potential scammers using the stolen Equifax data. You’ll still be able to use your current credit cards with a credit freeze; you just won’t be able to open anything new while it’s frozen.
Also, expect phishing. I mean a lot of phishing. There are phishers out there looking to ride the coattails of the Equifax hack, and they have been sending out emails and making phone calls that use the fear of stolen identities to trigger victims into answering or clicking on their malicious schemes. A large breach is a phisher’s dream, so be careful when opening attachments, texts or links from people you don’t know regarding the hack. Also, if you receive an email regarding similar information from any of the credit bureaus, it would be wise to visit their site or call their customer support number to validate it came from an authoritative source.
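As an added illustration (not code from the author or from Equifax), the sketch below shows the host-ownership check a mail filter or a careful reader applies to a link that claims to come from a credit bureau. The allowlist of bureau domains and all sample links are assumptions constructed for the example, except equifaxsecurity2017.com, which is the notification site named above; it fails the check, which is consistent with the filtering problem described earlier.

```python
import re
from urllib.parse import urlsplit

# Assumption: allowlist maintained by the defender; not taken from the article.
OFFICIAL_DOMAINS = ("equifax.com", "experian.com", "transunion.com")
BRANDS = ("equifax", "experian", "transunion")


def classify_link(url):
    """Classify a link from a message as 'official', 'lookalike' or 'unrelated'."""
    # Give scheme-less links ("www.example.com/x") a netloc so they parse as hosts.
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "unrelated"  # malformed authority, nothing to match
    # Official only when the host is an allowlisted domain or a subdomain of
    # one, compared on a label boundary rather than by substring.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "official"
    # A brand name anywhere in the authority (userinfo included) that is not
    # under an official domain is what filters and readers should distrust.
    if any(brand in parts.netloc.lower() for brand in BRANDS):
        return "lookalike"
    return "unrelated"


# Constructed sample links, except the notification site named in the article.
SAMPLE_LINKS = [
    "https://www.equifax.com/personal/",
    "www.transunion.com/credit-freeze",
    "https://www.equifaxsecurity2017.com/",
    "https://equifax.com.account-verify.example/login",
    "https://equifax.com@login.example/reset",
    "https://news.example/credit-bureau-breach",
]


def triage(links):
    """Map each link to its classification."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

A "lookalike" verdict means the link cannot be tied to the bureau by its domain alone, so it needs out-of-band confirmation, such as typing the bureau's known address or calling its support number.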
Lastly, I wouldn’t be surprised if additional legislation spawned due to this breach. I’d also hope that Experian and TransUnion are watching and hardening their systems during this time. If the attackers hit Equifax, the odds are they attempted similar reconnaissance against the other two bureaus. It would also be interesting to hear if they’ve assisted with the breach response by offering threat intelligence based on IoCs from the attack. If anything comes out of this breach as an industry standard, similar to how PCI was born, it’s that the credit bureaus need to work together. I don’t always feel that creating more regulation is the answer, but when you have information of this sensitivity and really only three organizations performing the function, they should at the very least be creating their own mini ISAC to share threat intel (if they aren’t already doing so).
In closing, we’re not looking to rub salt in the wounds of Equifax in any way. Everything posted here was public information and we attempted to shed additional light on the current situation. This is one of the largest, most devastating breaches on record and it’s put millions of people in jeopardy. After this breach the Social Security number is no longer private and half the country’s had their identity stolen in one fell swoop. The attackers will continue to press on and we must do the same. I won’t lie to you, this one hurt pretty bad, and all we can do is continue being diligent in the future, learn from our shortcomings and move on.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate, Security Blogger, and is the Cybersecurity Practice Manager at CCSI. He holds multiple information security certificates and has had the opportunity to write and speak about cybersecurity for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email mpascucci@ccsinet.com