Late last week, Equifax – one of the four largest credit reporting bureaus in the United States – disclosed that in July, they experienced a massive data breach that cloud very well represent the largest compromise of significant personally-identifiable information (PII) ever. As reported by the company, data on over 143 million people was compromised, and the scope of that data included some of the most sensitive data that exists regarding individuals: names, addresses, birth dates, and Social Security numbers were captured, along with credit card numbers and other PII for a subset of those persons whose data was breached. Equifax disclosed that the compromised data included residents not only of the United States, but also Canada and the UK.
As regular readers of the EiQ blog know, we’re suspicious of the Internet of Things (IoT), the massive collection of Internet-connected devices that don’t fall into the traditional “computer” category. From “smart” energy meters, to in-car technology, to Internet-connected home appliances, the IoT is an incredibly broad spectrum of technologies that can gain value – in some cases, significant value, in other cases, more dubious – by connecting to other devices and networks.
In our previous post, we discussed the Black Hat conference in Las Vegas, and some of the key trends we saw at that event. However, this time we’d like to talk about Defcon – the older, dressed-down brother of Black Hat that’s now in its 25th year, and really draws out a lot of the hardcore hacking (in the good sense of the term) community.
This week marked the annual descent of thousands of security professionals, hackers, security product vendors and journalists into 100-degree-plus weather in Las Vegas for the venerable Black Hat conference. This week in Vegas always includes three significant security events: the community-minded B-Sides security conference early in the week, the deeply technical DefCon conference later in the week, and the most mainstream event – Black Hat – wedged in the middle. All three events provide a forum for those involved in the security industry to get together and share exotic vulnerabilities and attack vectors, talk about the politics related to security (such as privacy and government monitoring), and in the case of Black Hat, see what tools and technologies vendors are coming up with to improve the security posture of organizations.
Not too many years ago, Microsoft Corporation was viewed somewhat suspiciously in the information security community for what was perceived to be a lackadaisical approach to patching their software and (in particular) their Windows operating systems. Fast-forward to today, and Microsoft is recognized almost universally as having one of the most effective and timely security patching programs in the industry. Of course, Microsoft isn’t the only OS vendor to experience known vulnerabilities; although Apple for many years boasted that it’s software “doesn’t have security holes”, the fact is that the venerable OSX operating system, while a very mature BSD UNIX variant, still encounters periodic security issues which – to their credit – Apple addresses through frequent patch deployments. Even Linux, which runs so much of the Internet’s infrastructure, periodically has major security issues discovered in its supporting software, including a major vulnerability discovered just last week within systemd, a critical piece of software that provides name resolution services.
Picture this: you walk up to an ATM that’s the same brand as your bank. The ATM itself is in a well-lit area, there are lots of families walking around, and there’s even a police officer right on the corner. Everything seems safe, right? You slide your card into the ATM, conduct your transaction, and conclude your business as normal.
22 years ago, Irish actor Pierce Brosnan took his first turn as MI-6’s perennial agent James Bond. In that particularly great outing, everyone’s favorite international spy took out a satellite network known as GoldenEye, spearheaded by two satellites named Mischa and Petya. While the fictional GoldenEye satellites delivered an electro-magnetic field (EMF) of radiation that took out all electronics within a 30-mile radius, this week the world was hit with a real Petya: the “GoldenEye” strain of the ransomware that was at the root of last month’s massive WannaCry outbreak.
It’s been a busy week among software companies and OEM’s, as both Microsoft and Adobe have released a flurry of patches. Microsoft’s current “Patch Tuesday” bundle features fixes for almost one hundred flaws in Windows and other Microsoft software. Adobe’s updates continue to patch their Flash and Shockwave technologies, both of which are unfortunate poster children for insecure software.
In early March, the State of New York’s Department of Financial Services (DFS) adopted a new set of rules in support of the state’s Financial Services Law. Normally, this is not something that would be particularly news-worthy, as the DFS is chartered to implement rules of governance and management for financial services companies all the time; over the past few years, the DFS has issues rules regarding financial dispute resolution, debt collection, and even the use of Bitcoin and other virtual currencies. What makes the March resolution – titled “23 NYCRR 500” – so interesting is that, for the first time, it defines specific cybersecurity governance requirements for all financial services companies operating in the state. As you might expect, as New York City is one of the top three financial centers of the world, this ruling has a substantial impact.
The old adage goes, “there are only two certain things in life: death and taxes”. Increasingly, however, it looks like identity theft needs to get added to that list. Earlier this week, security blogger Brian Krebs reported that TALX, a division of Equifax (one of the “Big Three” credit bureaus), experienced a significant data breach of personally identifiable information (PII). As is often the case in mass data theft scenarios, TALX was unable to identify the exact number of records or the scope of PII compromised.