Equifax breach

The data breach at credit bureau Equifax has gotten a lot of attention in the last week. It seems that the company has been guilty of at least two significant blunders: unpatched software and default authentication credentials.

Unpatched software

Equifax has at least one web application built on Apache Struts, a category of software called a web application framework. Web developers use frameworks to build their applications, because the frameworks provide components common to many web applications, components that do things like handling input typed into a web form, generating HTML for web pages, etc. Frameworks allow web developers to skip over routine tasks and focus on the business logic specific to the application.

Like any software, frameworks have versions and updates. Equifax was using a version of Struts that had at least one serious and widely-known security vulnerability. When the Struts developers (not Equifax, but the people who make the Struts framework) became aware of the vulnerability, they released an update to the Struts framework. The Struts developers released this update months prior to the Equifax data breach. For whatever reason, Equifax didn’t update Struts on their site.

Default authentication credentials

Equifax hosts a web application that their Argentinian employees use to manage credit report data. That web application had a poor choice of authentication credentials: the username was admin, and the password was also admin. Logging in with those credentials allowed an attacker to retrieve the usernames and passwords of Equifax employees, which would in turn allow the attacker to retrieve Equifax customer information.

How does this happen?

Why didn’t Equifax apply the Struts update? A few possibilities come to mind:

  1. The didn’t know about the update. Equifax must have developers, system administrators, and security analysts. Maybe they were all blissfully ignorant of the update for over four months.
  2. Maybe the update was incompatible with the web application they built on the Struts framework. If that were the case, they should have identified and fixed the problem and then run the update. That might take days, but it shouldn’t take months.
  3. They probably have change control processes that delay an update. They wouldn’t immediately run the update on their live production servers. First they’d load it in a test environment, and then they’d test their application after applying the Struts update. But that should take at most days, and probably hours, especially with an update that addresses serious security vulnerabilities.

None of these is an excuse for waiting months to run the update, and there’s really no defending the admin/admin thing at all.

What this might mean to you

Brian Krebs has been a long-time advocate for security freezes, and I’m considering doing this. The only reason I haven’t done this yet is that it just seems like one more pain in the ass when my day job, the current political climate, and other stuff leave me wanting to do little more than read a book or sit in front of the TV binge-watching The Flash and Supergirl (which is why I haven’t been posting on this blog much lately).

The implications of the Equifax breach to a story-teller are obvious enough. If your character needs to break into a web site or computer network, she should look for out-of-date software or default authentication credentials. This sort of thing isn’t supposed to happen to a big company that should know better about how to protect the personal information of millions of people. But it does happen, which can make it a plausible plot device in your fiction. I see that nmap has a test to look specifically for the Struts vulnerability found on the Equifax site, and there are plenty of open-source tools to run brute-force password attacks.

The implications of the breach on a computer user are obvious, too. This is why it’s so important to run software updates on everything. Criminals are well aware of security vulnerabilities and are actively exploiting them. We all need to be running updates:

1. operating system and application software updates on our computers and mobile devices

2. firmware updates on the routers we use for our broadband internet connections

3. updates to self-hosted blogging software like wordpress (plugins, too)

And we need to be picking good passwords for everything. Did you ever change the password on your broadband router? Does “facebook” appear in your facebook password?

Advertisements

CrashPlan discontinuing home plans

I’ve used Crashplan as an offsite backup solution for several years and have really liked it. Today the company announced that they are transitioning to being an enterprise-only solution, and that they are ending support for personal and family plans.

This is pretty disappointing. It’s been a good product at an affordable price, and now I have to find something else. The company is going about this in a nice way: they’re giving their users 14 months’ notice. I’ll post about this again when I figure out what I’m going to do. And I’m certainly open to suggestions.

July 2016 updates from Apple

Apple has recently released updates to many of its products. These updates address problems that are believed to be remotely exploitable, so it’s time to run updates on your Macs, iPhones, iPads, and everything else with an Apple logo. Here are the security bulletins for OS X and iOS, but there are also updates for iTunes, Safari, Apple watch, and others.

Two-factor authentication

Many online services offer two-factor authentication (2fa) to protect users’ accounts. When you enable 2fa on an account, it means that you still log in with a username and password, but then you have to enter a one-time code before you can access your account. How you get the code (typically a six-digit number) depends on the implementation: twitter sends you the code in an SMS text message, while others (like google and facebook) have you look up the code in a mobile app. Either way, you generally get the code with your phone. The point of this is to make it harder for someone to break into your online account, because they’d have to know your password and have access to your phone.

So logging in with 2fa means taking an extra step which at times can feel like a nuisance. The way I look at it is that it’s a minor inconvenience for me, but it’s a significant inconvenience to someone who wants to steal my account.

2fa isn’t a new innovation. I knew someone in the late 1990s who worked for a government-funded research facility, and he carried around a little device in his pocket. When he needed to log in to one of the facility’s computers, he’d have to look at the code that appeared on the device’s screen and enter that code in order to complete his login process. It worked very much like modern 2fa implementations.

More and more online services are offering 2fa, and I encourage you to start using it wherever you can. The Two Factor Auth (2FA) web site provides of list of who does and who doesn’t offer 2fa login features. This can be a good place to see which of your accounts have 2fa available, and the 2fa site typically has a link to the documentation on how to set up 2fa for each service.

2fa makes it a lot harder for someone to take over an account, but it’s not perfect (and this is the part that might be useful to a writer who needs her main character to defeat a 2fa-protected account). Someone gained control of the twitter account of political activist DeRay Mckesson, an account that had 2fa enabled. The criminal contacted Verizon (Mckesson’s mobile provider) and convinced the billing department that Mckesson’s cell phone number had changed. So SMS messages that should have gone to Mckesson instead went to the criminal’s phone. The criminal then used twitter’s “forgot my password” feature and received an SMS message with the code the criminal needed to complete the account theft.

This is a good reminder of how effective social engineering can be. Some people will do anything to end a phone conversation with an angry-sounding customer. Sometimes the best hacks exploit people, not computers.

By the way, that Naked Security post (near the end) has some tips on how to enable security features on the accounts of several mobile providers, including Verizon. That might or might not have made a difference in DeRay Mckesson’s incident, but it might have made it easier for him to regain control of his Verizon account.