Articles Posted in Cybersecurity

Published on:

As the Equifax breach continues to become a complicated issue, certain lessons can be learned for other businesses handling personal information. Namely, what not to do in their business operations?  In the wake of the cybersecurity breach, it had been reported that Equifax was aware of the security gaps, and did nothing to remedy them. So, where exactly did Equifax go wrong in its data security plans? How was it informed about the open holes in its security infrastructure?  What can a business owner do to avoid becoming an encore of Equifax’s folly? Is there any way to determine gaps in security policies and procedures?

Where did Equifax go wrong?

Effectively, Equifax appears to have failed at multiple levels, resulting in this breach. This is best summarized into one large mistake. There were no updates implemented to the computer systems Equifax used on its networks.  This was due to a delayed response to a known vulnerability in the Apache Struts web application. This framework is well known, it is used in the business community, and is an open-source framework for developing Java applications. In short, the delay was exasperated by the company’s failure to detect the vulnerability during a security scan.

Published on:

As the Equifax breach has developed recently, another issue has come up, namely the arbitration provision within its website, which has caused consumer outrage and confusion. So, why does this provision matter? If consumers want to get their credit frozen, or check to see if they were affected, surely Equifax wouldn’t add insult to injury to the consumers who are suffering from its mistakes. Certainly, it would appear to be bad business to do so, or at least, unwanted attention. However, Equifax cannot be said to avoid adding insult to injury. Instead, Equifax has implemented that arbitration provision, and later removed it. So again, why would Equifax implement this provision? What impact might it have on the consumer? Why might this be important for businesses everywhere to observe?

What is the arbitration provision?

The arbitration provision that had insulted many consumers was attached to Equifax’s offer of free credit monitoring. In exchange for the service being performed (after the security breach) Equifax demanded that consumers settle any dispute with them through arbitration. In general, arbitration is a private and less costly way to settle disputes outside of the courtroom. While the results of the arbitration may be binding, it gives broader latitude to discovery, time, and may be faster and less formal than a formal trial.  While Equifax later clarified this provision would not apply to the current breach, however, nevertheless consumers were upset at the revelation.

Published on:

Let us move on to the ways to protect ourselves in the future by using a credit freeze or fraud alert.  These options can protect your personal, private, and confidential information after a security breach and effectively add extra protection against identity theft. We have discussed them briefly in the past, although now, it seems appropriate to dive into further analysis. What are credit freezes and fraud alerts? How do they add more protection against identity thieves? What other actions might someone take to create additional safeguards?

Credit Freeze

The first and most basic way to prevent harm from identity theft is through a credit freeze, also known as a security freeze. A credit freeze is more or less what it sounds like–i.e., it “freezes” your credit where no lender can get access to your credit unless the consumer decides to lift it. Even then, the freeze cannot be undone without a pin number issued at the time of the freeze.

Published on:

Equifax presents an interesting question to consumers. Somehow, an entity that no consumer may have had an actual interaction with has their information, and had leaked it out onto the world. For example, names, phone numbers, credit card numbers, social security numbers, addresses, e-mails were collected and released to unauthorized individuals. They may not have given consent, at least none they could remember. Yet, the information was with Equifax. How did the breach occur? What exactly is Equifax? How did it obtain your personal information? And perhaps most importantly, what comes next?

What is Equifax?

Equifax is a credit reporting agency. The purpose of entities like Equifax (as well as Experian and TransUnion) is to collect and share credit information on consumers. The credit reporting agency tells businesses which consumers are worthy of credit. Effectively, it is a way to outsource due diligence that may otherwise be more costly or time consuming for the business to perform on its own.

Published on:

Now that we’ve discussed Catfishing as a scam, let’s go into further detail regarding the motives.  Like any scam, there must be some benefit to the scammer. This benefit is the primary motive for anyone to commit a catfishing scam.  Previously, we mentioned that among other things, the perpetrator may ask for photographs, or for some information to “verify” a person’s age, or to enable their transportation to be “closer” to their target. So, what are the major risks to these actions? What exactly does a catfishing perpetrator want to get from a victim? How might the information provided be used against you?

For Financial Information

The more dangerous elements of catfishing tend to prompt for, as we discussed before, a financial component. This would include asking for money–to get transportation to the person’s location, clothing, or whatever reason the scammer may present–or for credit card information. In the case of the latter, this is usually done in conjunction with asking the individual to sign up through a different, new dating site compared to what the potential victim may be using, and generally to “verify” the age or identity of the person involved.

Published on:

In March 2017, the WannaCry ransomware attack occurred which was believed to be one of the largest ransomware attacks in history. Discussions of this past attack and who should take the blame has been previously discussed in our blog and newsletter. Now, just a few months later there has been another major cyberattack. At the end of June 2017, another large ransomware attack occurred, which has been called Petya. This ransomware attack is similar to WannaCry in that it locks up the computer files using encryption and demands a ransom in order to unlock the files. This ransomware also takes advantage of the vulnerability within the Microsoft Windows computers that have not yet updated to the latest software.

This attack began in Europe and spread to the United States. The North American Treaty Organization (NATO) says that a “state actor” was behind the Petya ransomware attack. NATO also stated that there is a possibility that the attack was not done by a state actor, but that it would have been done by a non-state actor who had the approval and support from another state. They believe this because Petya was very complex and expensive to run.  According to NATO, if it is found that Petya was done by a state actor, then it would mean that this cyberattack could potentially be viewed as an act of war.

The Petya attack has hit over 12,000 different devices in 65 countries. More than 30% of the institutions that were affected by this attack were financial organizations.  Industrial organizations, such as, utilities, oil and gas, transportation, and other companies were also targeted and it is believed that they made up half of the targets.

Published on:

Identity theft is an epidemic impacting people across America. During 2016, an estimated 15.4 million consumers experienced some kind of identity theft. This is an increase from 13.1 million in 2015. Another staggering statistic is that 1 in every 16 adults in the United States is a victim of identity theft.

This increase in identity theft notwithstanding the fact that 2016 was the first year that retailers were forced to accept EMV chip cards. The belief was that by switching to these EMV chip cards it would almost entirely eliminate card cloning, which is a major type of identity theft.  Instead of lessening the amount of credit card fraud this switch has made criminals move away from card cloning and into different types of fraud. More criminals are starting to make online purchases where swiping or inserting a physical card is no longer necessary.

Over the past few years, we have seen numerous data breaches. Data breaches have been hitting financial, health, commercial, government, and education institutions. These breaches have ranged from password management services like LastPass, the OneLogin security breach, and Target security breach.  All of these different breaches compromise our data and our identity. The above companies are just a few that have been hit by a security breach.

Published on:

OneLogin recently suffered from a major security breach. This breach has compromised private and confidential information, which is managed by its datacenter. OneLogin provides a service that is used by organizations to secure their data. It is basically a password manager for corporations. It allows employees, customers, and partners to gain secure access to the company’s cloud and applications on any device.  It allows its customers to integrate other websites and services like Microsoft Office 365, Slack, Amazon Web Services, Cisco, Webex, LinkedIn, and Google Analytics. The OneLogin website says that it currently has over 2,000 enterprise customers across 44 different countries. This includes well-known companies like Indeed, Pinterest, Midas, and Yelp.

How did this breach occur?

The breach occurred because the intruders were able gain unauthorized access to the OneLogin datacenter. Alvaro Hoyos, who leads the company’s risk management, security, and compliance efforts posted a blog about the risks. He wrote that a threat actor used one of our AWS keys to gain access to the AWS platform via API from an intermediate host with another, smaller service provider in the United States.  He said his company’s staff was able to detect and stop the intrusion very quickly.

Published on:

President Donald Trump has signed an executive order on cybersecurity as a response to the WannaCry ransomware attack. This executive order is entitled as “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The executive order contains three main sections and a fourth category that includes some definitions of terms that are contained in the order.

The first section of the executive order is regarding Cybersecurity of Federal Networks. This section states that the United States Information Technology (IT) should have the data secured responsibly by the United States Government. The President said that he will also be holding the heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprises. One of the findings included in this first section is that the executive branch has been too accepting of IT in that it is antiquated and difficult to defend. To manage these risks, the first section includes a risk management section, which includes ideas of how to reduce future cybersecurity risk.  For example, the head of each agency must provide a risk report to the Secretary of Homeland Security and Director of Office of Management and Budget.

The second section of the executive order is regarding Cybersecurity of Critical Infrastructure. This section states that support must be provided to the critical infrastructure that faces the greatest risk. It also describes how the Secretary of Commerce and Secretary of Homeland Security will both go through an open process to try and improve how resilient the internet is, so they can reduce threats of automated attacks.

Published on:

On May 12, 2017, what is believed to be the largest ransomware attack in history occurred on the internet.

A global search is heating up trying to locate those who are responsible for the attack.

While this search is occurring, there is also a question of how much blame for the attack should be placed on Microsoft. This is because the WannaCry attack took advantage of a weakness that was already existing in the Microsoft operating systems.