For most people, the internet is a magical place, full of possibilities and the occasional troll. People browse the news, check their social media, chat with their friends, shop online, then fall asleep while watching a movie. Dig a little deeper, however, and you will find a chaotic void of vulnerabilities, traps, viruses, and data theft that grows with every day that passes. It’s a hacker’s paradise where anyone can just fire up the cannons and shoot ransomware indiscriminately at an unsuspecting public that still believes, to a large extent, that all of its problems are solved by installing a security suite. It’s a world where your Personally Identifiable Information (PII) is a honeypot for hackers. The technological revolution has led us to a new resource beneath the virtual sea of data we like to call the internet: PII, which includes the social security number, address, bank account information, credit card details, and every other intimate bit of juicy info you could find about a person, all of it lying somewhere underneath the veil of a company’s website.
There are, of course, situations that are at least somewhat in the control of the potential victim. One could simply exercise prudence to get out of these situations. On the other hand, there are situations in which a massive attack happens to a company that stores millions of people’s PII. Once this data is stolen, it is sometimes very difficult to fathom how the victims of the attack could have prevented it on their own. On the 10th of September, Equifax, an agency that provides credit reports to both individuals and businesses across the United States, was hit with an attack that compromised its database and exposed the data of 143 million users.
It may not have been the largest attack in history (although it without a doubt earns a spot somewhere around the top 10), but it can certainly be considered the most damaging because of the enormous amount of highly sensitive customer data that was exposed. This includes social security numbers, credit card information, and addresses. It’s a treasure trove of data that will give any identity thief a large selection of John Does to steal from.
The gravity of this attack is what made us find it necessary to explain a few things (as well as dispel a few myths) about this particular subject.
There are dangers in relying on narrow industries.
Equifax is part of a narrow industry involving only three companies: itself, TransUnion, and Experian. These are the only major credit reporting agencies in the United States that have the broad capabilities necessary to provide reports on individuals. This means that whenever someone has their credit checked, the entity asking for the report chooses one of these companies to provide it.
These companies have earned a very secure position in their industries because they have had the trust of the public and comply with a series of highly strict regulations. It all worked very well until a hacker decided to plow through Equifax’s database and grab every single bit of information that he could get his hands on.
The attack was actually not that sophisticated.
You would expect hackers attacking one of the world’s largest repositories of U.S. individuals’ financial information would need to go through a significant amount of trouble, perhaps even experiencing a little bit of frustration. It doesn’t seem to have been the case, since the website that Equifax created to explain the breach said, “Criminals exploited a U.S. website application vulnerability to gain access to certain files.” The language of this part of the statement seems to suggest that the hackers just used a simple exploit (like an SQL injection) to gain access to files and perhaps even some of the database.
Details of the attack couldn’t entirely be confirmed until Equifax posted a new statement revealing that hackers exploited a flaw in Apache Struts, a model-view-controller framework that allows for the creation of Java web applications. The specific flaw is cataloged as Apache Struts CVE-2017-5638. According to a report of the vulnerability, it mishandles the file upload procedure, allowing hackers to execute arbitrary commands. The exploit was discovered in March 2017, yet Equifax discovered its breach in July. This suggests that the hacker may have compromised their site even after Apache Struts was patched, although there is no concrete proof of this aside from the gap between the incident and Equifax publicly announcing the discovery of the breach. What we do know is that exploits like these are quite common and don’t require an incredible amount of ingenuity to execute.
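As an added example (not from the original article or from Equifax), here is a minimal log check for the publicly documented request pattern of CVE-2017-5638, in which an OGNL expression is carried in the Content-Type header of a request. The tab-separated log format, the sample lines, and the function names are constructed for illustration; real access logs only support this check if they record the Content-Type request header.

```python
import re
from urllib.parse import unquote

# Constructed sample log (assumed tab-separated format):
# timestamp, client IP, method, path, status, Content-Type request header
SAMPLE_LOG = "\n".join([
    "2017-03-08T10:01:02Z\t198.51.100.7\tPOST\t/upload.action\t200\tmultipart/form-data; boundary=----abc123",
    "2017-03-08T10:01:09Z\t203.0.113.9\tPOST\t/upload.action\t200\t%{1+1}.multipart/form-data",
    "2017-03-08T10:02:30Z\t203.0.113.9\tGET\t/index.action\t200\t${1+1}",
    "2017-03-08T10:03:11Z\t198.51.100.7\tGET\t/index.action\t200\t-",
    "2017-03-08T10:04:00Z\t192.0.2.44\tPOST\t/api/items\t200\tapplication/json; charset=utf-8",
    "2017-03-08T10:05:00Z\t203.0.113.9\tPOST\t/upload.action\t500\t%25%7B1%2B1%7D",
    "2017-03-08T10:06:00Z\t192.0.2.80\tPOST\t/upload.action\t400\t(multipart/form-data)",
])

# Denylist: OGNL expression delimiters have no place in a Content-Type header.
OGNL_MARKER = re.compile(r"[%$]\{")
# Allowlist: type/subtype followed by optional ;name=value parameters.
MEDIA_TYPE = re.compile(
    r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+'
    r'(\s*;\s*[A-Za-z0-9_.-]+=("[^"]*"|[^;\s"]+))*\s*$'
)

def classify(content_type):
    """Return a reason string for a suspicious header value, else None."""
    value = unquote(content_type).strip()  # decode once in case the log pipeline percent-encoded it
    if value in ("", "-"):                 # header absent
        return None
    if OGNL_MARKER.search(value):
        return "ognl-marker"
    if not MEDIA_TYPE.match(value):
        return "malformed"
    return None

def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue                       # skip lines that do not fit the assumed format
        ts, ip, _method, path, status, ctype = fields
        reason = classify(ctype)
        if reason:
            findings.append((ts, ip, path, status, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The allowlist pattern catches header values the denylist misses, such as the last sample line, which contains no expression delimiter but is still not a valid media type.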
And then we have a look at the website we just linked to above, which not only notifies people of the attack, but also provides a platform with which they can verify if they were affected by the breach. According to an investigation into the new site:
- It’s asking for six digits of your 10-digit social security number, all while running the entire system on a stock version of WordPress.
- Because it was running on a stock version of WordPress, one could easily access the username of the administrator by looking through the “wp-json” directory. All a hacker would need to do is type in the default URL for this and it’ll just pop up.
- The domain name wasn’t initially even registered to Equifax, which led to OpenDNS blocking access to the domain because it posed a risk for phishing.
- The TLS certificate didn’t check for revocation, which is necessary for moments in which a certificate authority needs to invalidate a certificate because it was improperly issued.
All of this does not necessarily make the website an easy target for hackers, but it does demonstrate that it was not managed with the security considerations you might expect coming from a credit reporting agency that just suffered a breach. The same report has been updated to show that Equifax has taken some steps to correct these problems before they led to another incident.
Freeze your credit… Now…
If you’re reading this and haven’t done so already, place every call you need to put a freeze on your credit. It might stunt you a bit, but it will prevent attackers from creating new accounts in your name. They can still make transactions from your existing accounts, but this is more manageable than the possibility that someone opens new accounts everywhere the sun is shining. So, in addition to doing this, you should also carefully monitor your bank transactions to sniff out any strange purchases before they become a serious issue.
Personal data is becoming a valuable resource.
A long time ago, people would find this strange black liquid lying on the ground, which would catch fire under the right conditions. Little did they know that it would prove to be one of the most sought-after and valuable resources in the world, eventually providing mankind with the fuel it needed to travel long distances and the precursor to plastic products that we now take for granted.
We eventually found more under the ground, and so began an unprecedented technological revolution. Identity is the new petroleum. And there are thousands upon thousands of hackers willing to venture as far as they could to attain it.
It’s time we put our heads together and do our best to protect a resource that—as it stands right now—is the most valuable in the world to each individual that owns it. We have to do everything we can to protect our identities. It is for this very reason that we started PerfectCloud.