The Equifax Hack Has the Hallmarks of State-Sponsored Pros

The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.

Source: The Equifax Hack Has the Hallmarks of State-Sponsored Pros – Bloomberg

The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company’s challenges may go still deeper. One U.S. government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company. “We have no evidence of malicious inside activity,” the Equifax spokesperson said. “We understand that law enforcement has an ongoing investigation.”

Equifax Breach Response Turns Dumpster Fire

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.

Source: Equifax Breach Response Turns Dumpster Fire — Krebs on Security

Configure Windows telemetry in your organization (Windows 10)

Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user’s device. If we determine that sensitive information has been inadvertently received, we delete the information.

Source: Configure Windows telemetry in your organization (Windows 10)

Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks

Security experts counter that such arguments ignore the fact that even end-to-end encrypted technology leaves a trail of metadata behind that can be used to parse who is talking to whom, when and where. “Encryption is really good at making it difficult to hide the content of communications, but not good at hiding the presence of communications,” said Matt Blaze, a computer security expert at the University of Pennsylvania.

Source: Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks

South Korea-backed app puts children at risk

In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software, a first-of-its-kind move, according to Korea University law professor Park Kyung-sin. The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app, which is free.

Source: APNewsBreak: South Korea-backed app puts children at risk – Houston Chronicle

Children’s phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app’s 380,000 users could be compromised at once.

Almost None of the Women in the Ashley Madison Database Ever Used the Site

When you look at the evidence, it’s hard to deny that the overwhelming majority of men using Ashley Madison weren’t having affairs. They were paying for a fantasy.

Source: Almost None of the Women in the Ashley Madison Database Ever Used the Site

The question is, how do you find fakes in a sea of data? Answering that becomes more difficult when you consider that even real users of Ashley Madison were probably giving fake information at least some of the time. But wholesale fakery still leaves its traces in the profile data. I spoke with a data scientist who studies populations, who told me to compare the male and female profiles in aggregate, and look for anomalous patterns.

Online Cheating Site AshleyMadison Hacked

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

Source: Online Cheating Site AshleyMadison Hacked — Krebs on Security

Encryption “would not have helped” at OPM, says DHS official

But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

Source: Encryption “would not have helped” at OPM, says DHS official | Ars Technica

A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root.”

Chinese hack compromised security-clearance database

Last week, the OPM announced that a database containing the personal information of about 4 million current and former federal employees was hacked. Privately, U.S. officials said the Chinese government was behind the breach. The administration has not publicly pointed a finger at Beijing.

Source: Chinese hack compromised security-clearance database – The Washington Post

I’m surprised the Washington Post continues with this Chinese narrative as there has been no official condemnation of China over this and determining the true source of an intrusion is extremely difficult if not impossible in many cases. They still haven’t caught the culprits in the Target and Home Depot data breaches. The list of suspects with motive to obtain this kind of data is probably quite long so it’s irresponsible to assume a guilty party before any evidence has been leaked. No doubt consultants are working furiously tracing log records but at least wait until there is something concrete. The Washington Post is an institution with top-notch journalists so they should know better.

And here’s the blurb that made me laugh.

Offensive actions might include directing a U.S. agency to locate the servers holding the stolen data and deleting or altering the data, the former official said.

Haha. Like whoever did this wouldn’t have backups 6 ways to Sunday of every bit gathered. There’s no way to delete anything digital once it’s out in the ether. Why would anyone publish a statement like that? The only thing an offensive cyber attack can accomplish is making the US government behave like the criminals who they denounce.

TrueCrypt doesn’t contain NSA backdoors

A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group for Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised.

via TrueCrypt doesn’t contain NSA backdoors.