More on The Equifax Hack

I am still hopping mad about this, but there is more that needs to be said.

Equifax has been the focus of researchers since they admitted to the hack. One new thing has come to light which sort of highlights the casual disregard for security that the company has. Equifax used the word ‘admin’ for the login and password of a database. That’s right, the security login and password for a web server (in Argentina) used a Userid of “admin” and a password of “admin.” If there is a better indication that security was a joke at Equifax, I can’t think what it might be.
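The admin/admin case above is the kind of thing an organisation can catch itself before anyone else does. The following is an added example, not code from the original post or from Equifax: a small audit that walks an application's own user table (assumed here to hold salted PBKDF2 hashes) and flags accounts whose password is a well-known vendor default for that username or simply equals the username. The default list and the sample accounts are constructed for the demo.

```python
"""Audit a user store for default or username-equals-password credentials.

Added example, not from the original post. It assumes the application stores
(username, salt, pbkdf2_sha256_hash) rows; the auditor holds those rows and
checks them against a short, constructed list of vendor defaults.
"""
import hashlib
import hmac
import os

# Constructed list of credential pairs that should never survive deployment.
KNOWN_DEFAULTS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("guest", "guest"),
]

ITERATIONS = 100_000  # assumed PBKDF2 work factor of the application


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, the assumed storage scheme for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(username: str, password: str):
    """Build one user-table row with a fresh random salt (demo helper)."""
    salt = os.urandom(16)
    return (username, salt, hash_password(password, salt))


def build_sample_accounts():
    """Constructed sample user table: two weak accounts, two acceptable ones."""
    return [
        make_account("admin", "admin"),
        make_account("root", "9f!Qx-long-random-secret"),
        make_account("svc_backup", "svc_backup"),
        make_account("alice", "correct horse battery staple"),
    ]


def find_default_credentials(accounts):
    """Return (username, matched_password) for every account whose stored hash
    matches a known default for that username or the username itself."""
    findings = []
    for username, salt, stored_hash in accounts:
        # Candidates: vendor defaults registered for this username, plus the
        # username itself (the admin/admin pattern).
        candidates = {pw for user, pw in KNOWN_DEFAULTS if user == username}
        candidates.add(username)
        for candidate in sorted(candidates):
            # Constant-time compare so the audit itself is not a timing oracle.
            if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
                findings.append((username, candidate))
                break
    return findings


if __name__ == "__main__":
    for user, pw in find_default_credentials(build_sample_accounts()):
        print(f"WEAK: account {user!r} still uses default/username password {pw!r}")
```

Because the audit only needs the stored salt and hash, it can run as a scheduled job against the production user table without ever handling plaintext passwords; in practice the candidate list would be the vendor's documented defaults for each product in the estate.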

Massachusetts announced plans Wednesday to file a lawsuit, which will maintain that the company failed to adopt appropriate safeguards to protect the sensitive data. New York, Illinois, Pennsylvania and Connecticut and other states are also investigating, while nearly two dozen class-action lawsuits have already been filed.

Aside from the Argentina fiasco – they shut down the website, but are tap dancing around the issue – as I said earlier, this is an unmitigated disaster. I think it means we need to stop using the Social Security number for bank accounts, brokerage, credit scores, etc. I don’t know what we should use, but Equifax has effectively destroyed it as a unique ID.

Equifax had a responsibility to safeguard data. And they fucked up. Big time. This isn’t fixed by a year or 2 of credit monitoring. Or even a passive approach to monitoring credit. 143 million people have had their Social Security Numbers compromised. That is criminal negligence as far as I am concerned. I’m sure the courts will see it differently and the managers/executives who couldn’t be bothered to spend money on security (and then sold shares in the company before this was made public) will suffer NO effects. Well their stock options will be worth less, but no one will go to jail, and if anyone loses their job it will be the guy who was trying to justify a bigger security budget. (Because obviously he didn’t perform miracles on a shoestring budget.)


The Equifax Hack

I’ve been trying to write something about this all day, but it has me so wound up…

This isn’t like when my credit card got stolen as part of the Target, Home Depot or Chipotle hacks. I had to get a new credit card. Inconvenient, but easy enough.

143 million Social Security Numbers have been compromised. This isn’t fixed with a year or 2 of credit monitoring. (Whether or not Equifax attaches a bunch of strings – as it looks like they are trying to do.) For as long as any of those 143 million people are alive, they have to live with the fact that their SSN has been stolen by some bad actors. And not just the SSN, but a lot of other info that makes using the SSN as any kind of “secure” ID a joke for banking/whatever. And even after they pass, estates will have to deal with it for some time as well.

This well and truly sucks.

The folks at Equifax (and everywhere else) who put their heads in the sand and ignored the issues of application security, should be held criminally liable for negligent behavior. And financially liable for all the future headaches this will cause. But of course, they won’t be. (Whenever Congress thinks about security, they just seem to want to outlaw cryptography – and the math that is behind it.)

You’re Keeping “Private” Photos on Instagram?

No, that will never get hacked, or will it? Instagram hack: Company advises high profile users to be careful after breach

Just to review, Instagram is owned by Facebook, the company that basically says privacy is an outdated concept.

And they got hacked. What a shock.

Bosses at the technology firm, owned by Facebook, confirmed the hackers were also able to access stars’ email addresses and phone numbers as a result of a glitch in their software.

What, you expect Facebook to spend time and money writing software that is secure? Why? Privacy is SO 20th Century!

Selena Gomez had her account hacked, and nude photos of Justin Bieber were posted. Apparently hers is merely the first account to get this treatment.

Celebs are hastily deleting nude private photos in the hopes that “It’s not too late.” Whatever.

Security Cameras Are Supposed to ENHANCE Security

Too bad the companies that produce them never thought about security of the devices themselves. App streams private webcams online | WTSP.com

On the app, we found a security camera in Bradenton. It shows you a clear shot of the driveway, so you can see when the homeowner leaves his home.

Home ready to be burglarized.

The app supports viewing of MILLIONS of webcams. MILLIONS.

This is beyond stupid. And I blame the engineers, programmers, product managers, company executives. No one should produce a product this stupid.

Social Security Admin: Enabling Identity Theft at Every Opportunity

So what happens when you put a .gov bureaucracy in charge of sensitive data? They completely ignore the issues of security. Because security isn’t their job. And thinking outside the box in a bureaucracy gets you pounded down, not rewarded.

Let’s start with the low-tech problems. Social Security Administration Correspondence Containing Full Social Security Numbers. That’s right. They were sending out letters through the US Mail that contained everything needed to screw up your life. Name, address and FULL social security number. Because no one’s mail would ever get stolen by someone hoping to steal an identity. And besides, security isn’t my job.

That is beyond stupid, and sending out that kind of info hasn’t been a good idea EVER.

So if they have that little regard for your sensitive data in snail mail, how do you think they handle stuff in the online realms? Not much better.

Remember how government was going to get more efficient by doing more things online? Yeah, they got more efficient at allowing fraud. Unauthorized my Social Security Direct Deposit Changes in Calendar Years 2014 Through 2016.

In May 2012, the Social Security Administration (SSA) introduced my Social Security, an Internet services portal that allows individuals to create a personal online account to access their own information. In January 2013, the Agency enhanced my Social Security to allow individuals to change their direct deposit bank information. Shortly after SSA made this change, the Agency and the Office of the Inspector General began receiving fraud allegations related to unauthorized direct deposit changes.

It seems that they weren’t doing very much to ensure that these changes – to where Social Security payments were being made – were legitimate. 20 million dollars were stolen, of which about 9 million were recovered. That leaves the .gov on the hook for $11 million that wasn’t recovered. All because online security wasn’t an issue with Social Security. (So does that qualify as ironic? Given it is .gov, probably not.)
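What "ensuring the change is legitimate" can look like in code, as an added example that is not SSA's process and not from the original post: a payment-destination change is recorded as pending, must be confirmed through a channel that was already on file before the request (assumed here to be a phone number), only takes effect after a hold period, and leaves a notification trail the account holder can see. Time is passed in as a day counter so the flow runs offline.

```python
"""Guard a direct-deposit destination change with out-of-band confirmation
and a hold period. Added example; the Profile fields, HOLD_DAYS and the
send_code callback are assumptions for the demo, not a real agency API."""
from dataclasses import dataclass, field
import hmac
import secrets

HOLD_DAYS = 7  # assumed cooling-off period before a new destination is used


@dataclass
class Profile:
    holder_id: str
    phone_on_file: str          # registered before any change request; never
                                # changeable in the same request as the account
    deposit_account: str
    pending: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)


def request_change(profile: Profile, new_account: str, now_day: int, send_code) -> bool:
    """Record a pending change and send a one-time code to the phone on file.
    send_code(phone, code) is the caller's delivery channel (assumed)."""
    if new_account == profile.deposit_account or profile.pending:
        return False  # nothing to do, or a change is already in flight
    code = secrets.token_hex(3)
    profile.pending = {
        "account": new_account,
        "code": code,
        "requested": now_day,
        "confirmed": False,
    }
    send_code(profile.phone_on_file, code)
    profile.notifications.append(
        f"day {now_day}: deposit change to {new_account} requested; "
        f"code sent to phone on file")
    return True


def confirm_change(profile: Profile, code: str) -> bool:
    """Accept the code that came back through the pre-registered channel."""
    if not profile.pending:
        return False
    if not hmac.compare_digest(code, profile.pending["code"]):
        profile.notifications.append("confirmation attempt with wrong code")
        return False
    profile.pending["confirmed"] = True
    profile.notifications.append("deposit change confirmed; hold period running")
    return True


def apply_pending(profile: Profile, now_day: int) -> bool:
    """Make the change effective only if confirmed and the hold has elapsed."""
    p = profile.pending
    if not p or not p["confirmed"]:
        return False
    if now_day - p["requested"] < HOLD_DAYS:
        return False
    old = profile.deposit_account
    profile.deposit_account = p["account"]
    profile.pending = {}
    profile.notifications.append(
        f"day {now_day}: deposit destination changed from {old} to {profile.deposit_account}")
    return True


if __name__ == "__main__":
    delivered = []
    prof = Profile("H-0001", "+1-555-0100", "acct-old")
    request_change(prof, "acct-new", 0, lambda phone, c: delivered.append((phone, c)))
    confirm_change(prof, delivered[0][1])
    print("applied on day 3:", apply_pending(prof, 3))   # still in hold
    print("applied on day 7:", apply_pending(prof, 7))   # effective
    print("\n".join(prof.notifications))
```

The two properties that matter are that the confirmation channel predates the request, so a freshly created account cannot confirm its own change, and that the hold gives the real account holder a window in which the notification can reach them before any payment is redirected.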

Hat tip to the Ink Well.

No Security In Home Robots? What Could Go Wrong?

The tag line for this article: “An early taste of the robot uprising.” Watch Hackers Hijack Three Robots for Spying and Sabotage | WIRED

They are walking (or moving anyway) cameras and microphones. With no security they are more like mobile spy devices. But that isn’t the surprising thing really.

The “Chucky” video is either frightening or enlightening, depending on what you expect these things to do.

Because why should I be worried about security on a toy robot? What could go wrong?

Someday executives will wake up to the fact that their products are worse than crap. And maybe someday one of them will be held accountable for the damage they do. But I doubt it will be anytime soon.

NHS Patient Data Hacked

Because in 2017 companies and organizations still haven’t figured out how to implement security. Hacker claims to have stolen data on 1.2 million NHS patients | V3

But not to worry, the company that got hacked, SwiftQueue, says they didn’t have that much data. OK then. So only all the data you had got hacked. What a relief. Here, let’s give you more data. NOT.

SwiftQueue operates an appointment booking service for eight NHS Trusts; it also operates patient-operated check-in terminals in waiting rooms. After it discovered the breach, the company got in touch with the Metropolitan Police’s Cyber Crime unit.

It sure is a good thing that patient data is online and available for doctors and nurses and other hospital staff. Too bad that seems to mean it is also available to hackers.

If I had to guess… none of the data in question is encrypted, because that is hard. Sort of. There is no info on how the breach occurred. I wonder if the standard procedure in the UK is to offer those whose data was hacked 2 years of credit monitoring services, as usually happens in this country. (Though I didn’t see anything about Chipotle Mexican Grill offering credit monitoring services after they got hacked.) My next guess is that this will have no impact on anyone at NHS or their contractor. Because bureaucracies look after their own.