At the time of this posting, there hasn’t been a statement on the specific nature of the hack – no information on the attack vector or even how many people have truly been affected. I will not concentrate on those juicy details.
Instead, let’s talk about what this hack means for us in the InfoSec field and what it means for those we protect.
I remember the Target hacks of 2013. I was just cutting my teeth as a network engineer studying to get my security certifications. This hack could not have happened at a more coincidental time for me.
Though the hack wasn’t incredibly sophisticated, it was incredibly effective. Malware was installed on a secure payment processing system, credentials were compromised via an insecure third-party HVAC vendor. The malware likely entered a worm-like phase and delegated itself to payment terminals across Target’s 1700+ stores. It was able to pull customer credit card numbers out of RAM before the CPNI was encrypted and sent across the wires. This data was stored on a Target server that had become commandeered by the hackers. It was a considerable amount of time before the security guys within the organization were aware of the attack, and even longer before the details of the hack went public. The hack potentially hit 70 million customers.
Arby’s had been hit by a similar hack in early 2017. Malware had spread to point-of-sale systems across America and 350,000 accounts potentially had been compromised – a mere 0.5% of the amount of people effected by the Target hack a few years before. Arby’s had their information together and was ready to inform the public in about three weeks.
Fast-forward to September 2017. The Equifax hack hits the news like a sack of bricks. An estimate of 143 million Americans have the most confidential of their data, protected by one of the three behemoths of credit reporting, compromised by hackers.
This should be absolutely appalling to anyone – inside or outside of the field of Information Security.
It doesn’t end there folks! Not long after, it came to light that the tool was pretty bogus, returning random results on whether or not your confidential information had been compromised.
Let’s outline this madness.
- Equifax gets hacked.
- 143 million people compromised.
- Equifax creates a tool to check if your information was lost.
- Using said tool waives your right to a class-action lawsuit against them.
- The tool turns out to spit out garbage results, a farce to buy more time and give a false sense of security.
There are too many failures to count here. Negligence, deception, and world-class ass-covering.
I won’t take time to point fingers or accuse anyone on that corporate ladder at ol’ Equifax. But it seems that they did not have the best talent, the best alerting software, or even the best tactics to undo the damage they let happen. The facts stand – this hack has the potential to be the most damaging ever. Your information may already be on the black market and in use if you haven’t frozen your credit through all three credit reporting agencies.
Why haven’t corporations learned from mistakes of the other giants? Why is security still considered a secondary thought in our ever-connected world? Why is more money spent on the graphic design of our application and software infrastructure than securing it? That goes from the developer to the administrators keeping the systems safe.
We live in the age of information. The pirates of our era can reach into your home from across the world (or from inside the same open WiFi SSID at your local coffee shop) and take your data, which represents the real YOU, and steer your ship into the ground.
Corporations cannot think of these hacks as a cost of doing business. We citizens cannot let those whom we trust with our most pertinent and confidential data get off the hook for this as we have in the past. Many companies have done the right thing and tried as best they can to repay the damage they let fall upon their customers.
- Citizens: don’t let Equifax off the hook.
- Corporations: be responsible and hire the best minds that you can.
- InfoSec Pros: keep getting better. The nature of our work never stops changing.
I could keep ranting, but will not. I have a Blue Apron to make and wine to drink. After dinner, I will do more research to try and understand how I can be better. If I do not, I could one day be a cog in the machine that allows millions of people to be at risk.