Equifax left their shit vulnerable, executives make millions

From Krebs on Security:

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system.

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.
However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

Their employee database, including login details, all in plaintext. That’s basically giving any amateur blackhat the keys to the kingdom.
They’re certainly not going to protect regular people’s data any better. Regular people aren’t employees or customers after all; they’re merely the product.

Well, their little admin panel is crap, but the question is about back-end database encryption.

Having access to admin, and to the database itself, doesn’t give you unencrypted SSNs/passwords of customers. Some admin panel is another story.


I really don’t have any faith in their having hashed and salted passwords anywhere.

I think they do. If they didn’t, they wouldn’t be able to store credit card information.
(That’s why they wanted to sell it, and haven’t used it yet: cracking it will take time, especially if you don’t have the resources of a country or agency behind you.)
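The two password-storage approaches argued over above (the plaintext-in-HTML portal from the Krebs quote versus salted, hashed passwords), as an added example that is not from the article or the thread. Names, the in-memory table and the sample accounts are constructed for illustration; the “vulnerable” renderer reproduces the view-source leak, the hardened one stores a PBKDF2 hash and never sends a secret to the browser.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# Constructed in-memory employee table standing in for the portal's backend.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")

def pbkdf2_record(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as one self-describing string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"pbkdf2_sha256$600000${salt.hex()}${digest.hex()}"

def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt; constant-time compare."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def add_employee(username: str, password: str, hashed: bool = True) -> None:
    secret = pbkdf2_record(password) if hashed else password
    db.execute("INSERT INTO employees (username, secret) VALUES (?, ?)", (username, secret))

def stored_secret(username: str) -> str:
    return db.execute("SELECT secret FROM employees WHERE username=?", (username,)).fetchone()[0]

def render_profile_vulnerable(username: str) -> str:
    # The pattern Krebs describes: the browser shows dots, but the value
    # attribute carries the real password, so "view source" reveals it.
    row = db.execute("SELECT username, secret FROM employees WHERE username=?",
                     (username,)).fetchone()
    return (f"<p>User: {html.escape(row[0])}</p>"
            f'<input type="password" value="{html.escape(row[1])}">')

def render_profile_hardened(username: str) -> str:
    # No secret leaves the server: the stored value is a salted hash and the
    # change-password field is empty; a new password is checked server-side.
    row = db.execute("SELECT username FROM employees WHERE username=?", (username,)).fetchone()
    return (f"<p>User: {html.escape(row[0])}</p>"
            '<input type="password" name="new_password" value="">')
```

Anyone with read access to the hardened table (an admin panel, a DBA, a backup) sees only the hash string, which is the property the thread is asking about.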

http://www.tomshardware.com/news/equifax-tweets-links-mock-website,35511.html#xtor=RSS-181

It’s pretty funny

“Well that’s embarrassing. Equifax mistakenly sent people looking for more information about its recent data breach, which compromised the private data of 143 million Americans, to a mock website that could have stolen the last six digits of their Social Security numbers and other sensitive info.”


I heard that their username was admin and password was admin. Yeah, totally going to trust them with a SSN.
/s
Like, that’s terrible if this was true.

It’s true alright. @catsay already linked to the article in post 49 (top link there), so I’ll just quote Brian Krebs from said article:

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”


Richard Smith has stepped down as CEO, effective immediately. The board has named Paulino do Rego Barros Jr., a seven-year veteran of the company who most recently served as its Asia Pacific region president, as interim CEO. Smith will still receive 18 million US dollars in pension, while lawmakers say that high-profile employees of Equifax should not receive a “big payday” on their way out of the company.

Equifax stock has tumbled 27% since the data breach was announced.

Let’s talk about PCI compliance and encryption real quick. The key phrase everyone focuses on is “Data at rest must be encrypted.”

What does that mean? How do you have your employees efficiently access encrypted data? Turns out whole disk encryption is the path of least resistance here. Your data, at rest, is encrypted, and the encryption/decryption process is completely transparent to your employees, which means no additional work! Hooray!

The problem with the WDE solution is that once the computer is booted, the data is encrypted/decrypted completely transparently, so it’s up to your other security measures to make sure that whoever is accessing the data is authorized to do so. And that’s exactly what failed here.

Now I don’t know one way or the other if WDE is the route Equifax went. Based on Krebs on Security’s quote, it sounds like it very well may have been. Or the portal user (the user that drives the portal service, not the user the baddies logged in as) may have had access to the keys. Or it may be that the keys lay with the user that the baddies logged in as. I don’t know.*

What I do know is that you absolutely should never trust a company when they say their data is encrypted, and leave it at that. The process is key, so to speak. :slight_smile:

Edit:
* Clarification: any of the encryption solutions here represent transparent encryption/decryption, and are good examples of terrible solutions.

Interesting take…


Interesting indeed. Fr. Ballecer is right though, that info is time-sensitive and if none of it is for sale yet, there’s more going on than an opportunistic hacker trying to make a few bucks.

Haven’t watched the rest of this week’s show yet, but I have a feeling it’s going to be a good one. Leo is good and all, but Padre always takes it to a whole other level.

“security community believes it’s China”

Why? I get it, time-sensitive information is held back and not for sale… or it may be encrypted. Or the guy who stole it saw what it is and shat his pants and doesn’t know what to do with it. And even if it’s “state-sponsored”, why China? Why not Russia, Korea, Iran, Syria, Canada, Poland, Madagascar or fucking Limpopo? This finger-pointing is kinda infuriating.

Disks are rarely encrypted, as they do not provide any security at all (in reality, especially Windows).
When a system like Windows Server etc. boots up, the encryption key is loaded into memory, and it can be decrypted easily from that point.
(If you cool RAM down to freezing temperatures, it can be transported to another machine without losing the data in it, so you can read it; it will not lose it right away in sub-zero temps.)

The connection strings, users, and certain data fields in SQL tables are encrypted. Basically, content is encrypted. This forces a hacker/cracker to reverse engineer either the site code (which can be really hard, since most of the time PCI-compliant companies use DLLs located in the system directories; a person needs to know what they are looking for, instead of just reverse engineering site code, which will lead to registry keys, which lead to a new system DLL), making the whole thing take longer and be much harder for said hacker; he will be spotted before he finishes, as there are daemon checks that will drop an email to servers if certain registry keys are opened/exported.

Your typical employees like programmers, account managers, and your typical server admins won’t be able to see decrypted information, as there are processes for decrypting the passwords which are not known to them. Only senior administrators and certain lead programmers would know how, but then again there are checks and balances, so neither could do it on their own. There are clear procedures on how to do those, including logging who requested the other party to decrypt a record (not the whole thing), just one encrypted string.

When there’s a redesign of the site, or updates etc. to be made, the copy of the site is made without consumer data. The database is cleaned of encrypted data, and new encryption is set up for that database.

I work for a PCI-compliant company, so I know a few things. :slight_smile:

Correction. You work for a PCI-compliant company that did PCI compliance correctly. I’ve implemented PCI compliance in accordance with the wishes of the SAs of a few different companies. Just to clear things up, you and I are in complete agreement about the usefulness (or lack thereof) of whole disk encryption. I’m not saying it’s a great way to become PCI compliant; it’s just one of the horrors I’ve seen fly.

There’s a guy coming over every year to check up on it; he failed to identify it. Either way, Equifax got another couple of compliances they needed (had, and have).

FedRAMP, CC SRG; if nothing else, it was the govt that failed to enforce/check, not the company.
(+ people accessing the data, admins etc. need another bunch of certs)

@ryan @wendell

IRS pays Equifax for fraud prevention:

gets popcorn


Ahh, the gift that keeps on giving …

The incompetence here just defies belief.


The hole they are digging is passing the earth’s mantle and heading straight for the core.


Maybe they will reach China here soon.