
Equifax: What Happened and What You Can Do

Part One: Technical

Feel free to skip this section if you are not interested in how Equifax was hacked. I’m not going into extreme detail, just enough for the average person to have some idea of what happened.

The reported source of the breach, a bug in Apache Struts (CVE-2017-5638), was publicly disclosed in March 2017, and fixed releases were available on the day of disclosure. Since the unauthorized access to Equifax’s systems ran from mid-May through July, well after the patch was available, the root cause is not in doubt: Equifax failed to deploy the patch. The bug sits in the framework’s Jakarta Multipart parser, the component that handles file uploads. When that parser rejects a malformed Content-Type header, the error message it builds is passed through the evaluator for OGNL (the expression language Struts uses internally), so an attacker who puts an OGNL expression in the Content-Type header of a request gets arbitrary commands executed on the server, with no authentication required.
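As an added example (not code from the original post, and not Equifax’s or Apache’s), here are two checks a defender could run for this bug: a version triage against the fixed Struts releases (2.3.32 and 2.5.10.1, per the Apache S2-045 advisory), and a scan of web-server log lines for the OGNL expression markers that attempts on this bug carry in the Content-Type header. The key=value log format, the IP addresses and the sample header are constructed for the example, and the marker list is a starting point rather than a complete signature.

```python
"""Added example: patch-status triage and request-log detection for
CVE-2017-5638 (Apache Struts S2-045). Not code from the original post."""
import re
from typing import Dict, List, Tuple

# Fixed releases per the Apache S2-045 advisory: 2.3.32 and 2.5.10.1.
# Affected ranges: 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable_struts(version: str) -> bool:
    """True if a Struts 2 version string falls in an affected range."""
    v = parse_version(version)
    return (2, 3, 5) <= v < (2, 3, 32) or (2, 5) <= v < (2, 5, 10, 1)

# Markers an OGNL injection in Content-Type needs or commonly uses: an
# expression opener plus the objects used to escape the Struts sandbox or
# reach the JVM runtime. A legitimate Content-Type never contains these,
# so treat any hit as a high-severity alert.
OGNL_MARKERS: Dict[str, re.Pattern] = {
    "ognl-expression-open": re.compile(r"%\{|\$\{"),
    "member-access-override": re.compile(r"#_memberAccess"),
    "ognl-context-static-ref": re.compile(r"@ognl\.OgnlContext@"),
    "jvm-runtime-reach": re.compile(r"getRuntime\(\)|ProcessBuilder"),
}

def content_type_indicators(header: str) -> List[str]:
    """Names of the markers present in one Content-Type header value."""
    return [name for name, rx in OGNL_MARKERS.items() if rx.search(header)]

# Constructed log format for this example: key=value fields, one request
# per line, quoted values may contain spaces. Adapt LOG_FIELD to the
# format your proxy or application server actually writes.
LOG_FIELD = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')

def parse_log_line(line: str) -> Dict[str, str]:
    fields = {}
    for key, value in LOG_FIELD.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def scan_content_type_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per request whose Content-Type carries OGNL markers."""
    findings = []
    for line in lines:
        fields = parse_log_line(line)
        indicators = content_type_indicators(fields.get("content_type", ""))
        if indicators:
            findings.append({"src": fields.get("src"),
                             "path": fields.get("path"),
                             "indicators": indicators})
    return findings

# Constructed sample: two legitimate requests and one probe whose
# Content-Type is an OGNL expression (inert here: it only assigns a string).
SAMPLE_LOG = [
    '2017-05-13T10:02:11Z src=203.0.113.7 method=POST path=/upload.action '
    'content_type="multipart/form-data; boundary=----Boundary7MA4YWxk"',
    '2017-05-13T10:02:13Z src=203.0.113.7 method=GET path=/index.action '
    'content_type="-"',
    '2017-05-13T10:02:19Z src=198.51.100.23 method=POST path=/upload.action '
    'content_type="%{(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#x=\'sample\')}"',
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "VULNERABLE" if is_vulnerable_struts(ver) else "fixed")
    for finding in scan_content_type_log(SAMPLE_LOG):
        print("ALERT", finding)
```

The version check is the one that matters most for this story: an inventory of deployed Struts versions, run against it, would have flagged the unpatched instance in March. The log scan is what you run afterwards to find out whether anyone tried.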

Another bug, CVE-2017-9805 (a deserialization flaw in the Struts REST plugin, disclosed the same week the breach was announced), was initially claimed to be responsible, but that was before Equifax itself confirmed that CVE-2017-5638 was the bug in question. CVE-2017-9805 was likely an incorrect guess because it is another severe bug that allows remote code execution by an unauthenticated user, and its disclosure happened to coincide with the announcement.

In the aftermath, other security professionals identified numerous further issues with Equifax’s systems. These include administration web panels open to the public internet, extremely weak authentication (one panel reportedly accepted “admin” as both username and password), and confidential data, both on those web portals and in the data the attackers took, stored as unencrypted plaintext.

For any non-technical readers still with me at this point: a default username/password on a web panel, like admin/admin, is a security horror. Publicly accessible administration sites are sometimes necessary, and where they are, good IT practice is to harden them as far as possible (strong, unique credentials and multi-factor authentication at a minimum). A much better option is to keep such sites inside the corporate network, i.e., not reachable from the internet, and have remote employees access them over a VPN. But the worst of this is that confidential information was stored in plain text in a database. Information of that kind should be encrypted at rest, with the keys held outside the database, so that a copy of the data alone is useless to whoever takes it.
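As an added example (not code from the original post), here is how the two controls just described can be enforced in an application’s own request handling rather than left to operator discipline: requests for the administration path are accepted only from the VPN address range, and administrator passwords are stored as salted PBKDF2 hashes and compared in constant time, with known default credentials refused at enrollment so that admin/admin can never become a valid login. The VPN subnet, the path prefix and the default-credential list are assumptions made for the example.

```python
"""Added example: network and credential gates for an admin panel.
Not code from the original post; subnet, path prefix and defaults are assumed."""
import hashlib
import hmac
import ipaddress
import os
from typing import Optional

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")   # assumed VPN client range
ADMIN_PREFIX = "/admin"                            # assumed admin panel path
PBKDF2_ITERATIONS = 600_000                        # OWASP 2023 guidance for SHA-256

# Vendor/default pairs that must never become a valid administrator login.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("administrator", "administrator"), ("root", "root"), ("root", "toor"),
}

def admin_path_allowed(path: str, client_ip: str) -> bool:
    """Network gate: deny any request for the admin panel from outside the VPN.
    Non-admin paths are untouched; an unparsable client address is denied."""
    if not path.startswith(ADMIN_PREFIX):
        return True
    try:
        return ipaddress.ip_address(client_ip) in VPN_SUBNET
    except ValueError:
        return False

def credential_acceptable(username: str, password: str, min_length: int = 16) -> bool:
    """Enrollment gate: refuse known default pairs and short passwords."""
    if (username.strip().lower(), password) in DEFAULT_CREDENTIALS:
        return False
    return len(password) >= min_length

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored with its parameters so the
    iteration count can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Malformed stored values fail closed."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False

def enroll_admin(username: str, password: str) -> str:
    """Return the hash to store, or raise if the credential is a default or too weak."""
    if not credential_acceptable(username, password):
        raise ValueError("refusing default or weak administrator credential")
    return hash_password(password)

if __name__ == "__main__":
    stored = enroll_admin("alice", "correct-horse-battery-staple-2017")
    print(admin_path_allowed("/admin/users", "10.8.0.5"))      # True: inside the VPN
    print(admin_path_allowed("/admin/users", "203.0.113.7"))   # False: public internet
    print(verify_password("admin", stored))                     # False
    try:
        enroll_admin("admin", "admin")
    except ValueError as err:
        print("rejected:", err)
```

The network gate belongs in front of the application as well (a firewall or reverse-proxy rule on the same subnet), but enforcing it in code too means a misconfigured edge does not silently expose the panel.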

Part 1 TLDR: Equifax’s poor security is to blame for this hack, and for the potential impact of the data exposed.

Part Two: What Was In The Breach?

Short answer: enough to easily commit identity fraud against roughly 143 million Americans.

Long answer, per Equifax’s own notice: names, Social Security numbers, birth dates and addresses, and in some instances driver’s license numbers, for approximately 143 million US consumers; credit card numbers for about 209,000 consumers; and dispute documents containing personal information for about 182,000 consumers. Equifax also reported unauthorized access to limited personal information for certain UK and Canadian residents. Equifax denies that its core consumer or commercial credit reporting databases were accessed, but given the nature of the data exposed and the poor security practices, it’s hard to be confident of this claim.

Part Three: What Can I Do Now?

FREEZE YOUR CREDIT

Freeze your credit, and perhaps use some credit monitoring so you hear about anything else that happens. A freeze prevents new creditors from pulling your credit report, which stops most attempts to open accounts in your name (your existing creditors, and you yourself, can still see it). You can lift the freeze permanently, lift it temporarily for a set period, or, with some agencies, issue a one-time code that a specific creditor can use to access your report.

Bad news and good news: the credit reporting agencies charge for this service, but how much they can charge is limited by state law, and in some states it is free. The ValuePenguin link in the Sources lists the total cost to freeze your credit by state. Equifax has temporarily waived its fee, and some US Senators have introduced a bill that would make credit freezes free everywhere.

Additionally, there are two smaller credit reporting agencies with which you may also want to initiate a freeze. Each agency will give you a PIN (or let you choose one) that you will need to unfreeze or temporarily lift the freeze; be sure to keep it somewhere safe, such as a password manager.

Links to security freeze online:

WAS YOUR DATA EXPOSED?

Please follow these steps precisely, as Equifax’s site is a bit awkwardly designed.

  1. Visit https://www.equifaxsecurity2017.com/enroll/
  2. Click the “Begin Enrollment” link
  3. Enter your last name and the last six digits of your SSN.
  4. Click the “I am not a robot” checkbox and follow the instructions to complete the anti-bot check.
  5. Click “Continue”
  6. If the following message says “Based on the information provided, we believe that your personal information may have been impacted by this incident.”, everything detailed in Part Two here is now likely as good as public information.
  7. If not, thank goodness, but I still recommend freezing your credit.
  8. Equifax is offering credit monitoring for free. The sign-up agreement originally included a binding arbitration clause (meaning you agreed not to sue them and instead to resolve disputes through arbitration, a private process with a third-party arbitrator). That clause has since been removed, so signing up may be safe, but if legal advice is readily available to you, it may be prudent to seek it before you do.

Part Four: What *Else* Can I Do?

First, bringing your own lawsuit against Equifax is not likely to work out well. A class action suit is probably already under way, and the total liability probably greatly exceeds the company’s actual value. There is good reason to suspect that Equifax may be put out of business, in which case the cost of pursuing monetary compensation may well exceed what you could realistically collect.

Additionally, and I must preface this with the fact that I am not a lawyer, it is likely that consumers whose data was taken could not successfully bring a suit unless their data was actually used. This would provide actual dollar values for damages on which the value of a suit could be calculated. It may also be that a successful suit in small claims court might prevent further suits when a consumer’s data is actually used later on. That is to say, suing now could feasibly make it harder or impossible to sue later when your stolen data is actually used to harm you. But as I said, I am not a lawyer, and seeking the advice of a lawyer is always preferable to guesswork.

You can and should write your Senators and your Representative in the House. You can look them up at senate.gov and house.gov. Perhaps needless to say, there's already been quite a bit of motion on this issue in Congress, but your input in the political process is always valuable. It is no small problem that these credit reporting agencies hold significant and confidential data on you, and you have never specifically agreed to do business with them. They make money off of data they have basically laid claim to with no real public assent.

Further, if you are in a position in your own organization to push for better security policies with user data, or even to implement such policies, please do so. Network security, and data security generally, are paramount issues that few organizations take as seriously as they should. Public education on electronic security is insufficient to the cause, and consumer services and devices are riddled with security flaws that in many cases could have been adequately addressed by available software patches or basic security procedures. Where you can, push for software to be updated, patched, and security audited.

Personally, you can begin by changing all of your online passwords to long, unique (do not re-use passwords) and hard-to-guess passphrases (do not use personal information). A password manager like LastPass, Dashlane, KeePass, or 1Password will help.

Sources

Equifax Official Statement: https://www.equifaxsecurity2017.com/consumer-notice/

Apache Statement: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

Apache Follow-Up: https://blogs.apache.org/foundation/entry/media-alert-the-apache-software

NIST CVE-2017-5638 Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-5638

NIST CVE-2017-9805 Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-9805

ValuePenguin Freeze Costs: https://www.valuepenguin.com/states-where-freezing-your-credit-will-cost-you-most

Lifehacker Password Managers: https://lifehacker.com/5529133/five-best-password-managers
