This entire response has been comically bad to watch unfold. The type of data and scope of breach were bad enough but add in the bumbling response that reinforced a message of "these guys don't get it" across the industry and press...and it quickly became epic. But I'm inside the industry and have an understanding of how bad it is. What about those friends and family we have outside of industry, who might only find out about this through some apocalyptic local news story? 

I spend a lot of professional time communicating risks to non-technical audiences (C-suite, boards, etc). I felt it important to do the same for friends and family with this breach. Below is an email I have tapped out and sent to a number of people, proactively and after fielding some phone calls. Feel free to copy and use it yourself.

---
Hi All,

I assume you've seen the news regarding the Equifax breach, but I wanted to emphasize that this is a big deal in terms of the amount and type of information lost. It is very likely that your personal information has been compromised including: name, date of birth, social security number, drivers license number, and potentially more. This is all the critical information people need for identity theft and fraud. Below are some of my recommendations for preventative and detective controls you can put in place to help protect yourself or get alerted quickly when (not if) something bad happens.


There are three things you should do immediately:
  • Check if your information was compromised at https://www.equifaxsecurity2017.com/
    • Do not enroll in Equifax's credit monitoring program until you read below
  • Enable Two Factor Authentication (2FA) on all financial account websites that offer it
    • 2FA generally involves receiving a unique code (via SMS/email/phone call) that is used as part of a login process for added security
  • Place a 90-day fraud alert on your credit report at one of the four credit reporting agencies: Equifax, Experian, Trans Union, and Innovis. They will communicate it to the others on your behalf. This should be relatively painless and give you some time to implement some of the actions below, which may take more time.


PREVENT:
If your information has been compromised, I would recommend placing a freeze on your credit reports at Equifax, Experian, Trans Union, and Innovis.

A freeze locks your credit report and will block any inquiry/pull attempts unless you unfreeze the report. This is the strongest preventative control you can put in place to protect your credit and identity. There is a $0 - $15 max cost for placing a freeze on your credit reports depending on state laws. You can find state specific fees here: http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection

Before placing a freeze on your file I highly recommend reading the following article to understand the ins-and-outs: https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

DETECT:
In addition to the freeze, you can put detective controls in place. Detective controls mean you will be alerted if something suspicious happens. These include:
  • Establishing alerts on your bank accounts and credit cards for transactions over a certain threshold. These alerts can be email or SMS.
  • Credit Monitoring*
*I am not a strong believer in credit monitoring, based on the cost to subscribe over the course of many years, especially if you have a credit freeze in effect, and it does not prevent anything.

GENERAL TIPS:
Lastly, some general tips for good security hygiene:
  • Update/patch your computers, mobile phones, and apps as soon as you are notified of updates.
  • Use strong and unique passwords for each website you sign up for
    • Consider using a password manager like KeePass (professional edition, http://keepass.info/download.html) - Happy to give people a tutorial of the software if needed.
    • Never store your usernames and passwords in a file on your computer (exception for managers above, which are encrypted)
    • Writing them down is perfectly fine for home use...just keep in a safe place
  • Vary the usernames you use on websites - if you can see a pattern in your usage so can an attacker

Please don't hesitate to reach out with questions and please feel free to forward this along to family/friends.

Stay Safe,
...

---

Comments on the site are disabled. If you have any edits or concerns drop me an email or contact me on twitter!


UPDATE: 2017-09-14

It appears TransUnion is purposefully obfuscating their process for freezing your credit on their service and instead promoting their own ID Protection service. Reddit user equisux posted a thread detailing changes to the website, using Archive.org's Wayback Machine to show changes made around Sept. 11th that bury the freeze option. The post details the new click-throughs on the TransUnion website that you need to do and can be found here: https://www.reddit.com/r/personalfinance/comments/6zur5h/transunion_burying_their_credit_freeze_to_sell

Direct phone numbers for all credit institutions are below. Expect massive hold times:
TransUnion Freeze hotline 888.909.8872
Equifax: 800.685.1111 (NY residents 1-800-349-9960 / Canadians 1-800-465-7166) 
Experian: 888.397.3742

China's social credit and surveillance system

Great post by Stanley Lubman (Senior Fellow, Institute of East Asian Studies at Berkeley) that provides a consolidated view of reporting and insight on China's social credit platform compiled over the past year. 

To ignore or not?

Updated 11/16/2016, 11:15AM

Merrimack College's Assistant Professor of Communication and Media, Melissa "Mish" Zimdars created a list of False, Misleading, and Clickbait websites (Google Doc) as a resource for her students who are learning about the media landscape. This list has been making the rounds on social media and it intrigued me for its potential operational uses. For me, this meant loading the sites into a "blacklist" I maintain on a proxy server that all of my internet traffic goes through. The proxy would prevent any content hosted on the domain names from even being loaded. However, most people don't have access to this type of infrastructure, so I started looking at browser plugins like uBlock Origin, which allows for the total blocking of websites based on domains. Using Melissa's list as a source and uBlock's scripting, I can now easily block 80% of the bullshit I see on a daily basis flowing through social media. Success!

I love technology and the quick wins that can impact your life, but too often we don't step back to consider if the win is real or false. Is blocking these sites the best idea? When many people digest memes as fact or get their "news" from bullshit sites, is ignoring the source all together the right thing to do? "Oh, I can't read this. I blocked the domain for bullshittery," is not a convincing counter argument. Especially to someone who would believe a meme as fact or who dabbles in light conspiracy theory. If you don't know what is being said, how can you refute? I was ruminating on this when another article passed in front of my eyes, detailing a solution put together by a Princeton Hack-a-thon Team. Their solution is to simply overlay a button that says "UNVERIFIED" next to any story shared on the Facebook platform that does not meet a list of criteria they set. Perhaps there could be a natural integration of this list with the Princeton team's solution. This prevents wholesale blocking of sites and allows people to proceed with caution. 

Larger questions of information consumption and curation still remain. The Princeton team claims they rely on "AI" to understand if the site engages in bullshittery or not. How much can we trust that process? Mish's list was hand curated, but what qualifications does she have in judging bullshit? I suspect very good ones, but that question needs to be asked of her and every "news" source that crosses your path. What qualifications do I have to write this post? Do I have an authoritative voice for this subject? Not really, but I love asking questions.

The internet has provided the world such an amazing platform. The platform has been monetized by advertising, giving rise to the idea of click-bait. Inflammatory headlines, purposefully skewed facts, memes, and more are all designed to lure people to sites. As people click on those links, money is made by serving ad impressions. Driving traffic to sites is the #1 business case for the internet. So site owners are now incentivized to make headlines wilder and wilder. To play fast and loose with facts. To call their site satire somewhere buried in legalese while every other outward appearance is that of a legitimate site. Beyond that we also have outfits that are purpose-built for peddling influence around the globe. A 2015 article detailed Russian Web Brigades, whose sole purpose was to flood the internet with pro-Russian propaganda. Their method was to create multiple sources that seemed to confirm information independently, providing journalists with enough source material to feel comfortable publishing on real platforms. This format was then turned toward US communities, detailed in another 2015 article about the Russian Trolls. There is even circumstantial evidence that these same trolls were pimping for the Trump campaign.

This puts everyone at a disadvantage for finding truth. Does increasing the signal to noise ratio make self-censorship acceptable? Is this action "censorship" when it ultimately results in the removal of half-truths, lies, and manipulation from your information sources? Is there an acceptable level of bullshittery that we can deal with? For example, I removed all satire sites from Mish's list because I can cognitively identify satire...others may not be able to. Do we lose humor to deal with edge case idiocy?

The scale of this issue is beyond memory capacity for humans and new sites could be added to Mish's list every day. Bullshit at internet scale is beyond human comprehension. The Princeton team's solution absolutely helps but how else can we increase the signal to noise ratio? Are blocking tools acceptable? I can barely remember where I've left my keys every day much less remember if some random website is real, fake, partially fake, clickbait, satire, or pure evil. Certainly context of the site and tuning our perception can help filter things out naturally but, again, the scale of the issue is already large and will continue to grow.
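One concrete way to turn a curated list into the uBlock Origin block list described above, while honoring the choice to keep satire sites readable, is to generate static filter rules from it. This is an added example, not code from the post or from uBlock Origin; the tab-separated "domain, category" input format and the sample entries (reserved .example domains) are constructed for illustration, since Mish's actual Google Doc has its own columns.

```sh
#!/bin/sh
# Build uBlock Origin "My filters" rules from a curated site list.
# Input lines look like "domain<TAB>category" (categories such as fake,
# clickbait, satire). The format is hypothetical: adapt the awk field
# numbers to whatever columns your own list uses.

# Constructed sample list using the reserved .example TLD, not real sites.
SAMPLE_LIST=$(printf 'news-today.example\tfake\nClickbait-Daily.example\tclickbait\nthe-daily-gag.example\tsatire\nnews-today.example\tfake\nnot a domain\tfake\n# a comment line\n')

# ublock_rules CATEGORY: read the list on stdin, print one "||domain^" rule
# per kept domain. uBlock reads "||domain^" as "block every request to this
# domain and all of its subdomains". Blank lines, comments, malformed
# hostnames, duplicates and rows in CATEGORY are dropped; passing "satire"
# mirrors the post's decision to leave satire sites reachable.
ublock_rules() {
    awk -F'\t' -v skip="$1" '
        /^[ \t]*$/ || /^#/ { next }
        {
            dom = tolower($1)
            if ($2 == skip) next
            # hostname sanity check: dot-separated labels of [a-z0-9-],
            # ending in an alphabetic TLD of two or more letters
            if (dom !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z]+$/) next
            if (seen[dom]++) next
            print "||" dom "^"
        }'
}

# Usage: paste the output into uBlock Origin > Dashboard > My filters.
printf '%s\n' "$SAMPLE_LIST" | ublock_rules satire
```

Regenerating the rules whenever the source list changes is the whole maintenance burden; the sanity check matters because one malformed line in a pasted filter list silently fails to block anything.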


Great long-form product from CRS detailing U.S. - EU privacy and data protection history, updates with Privacy Shield and GDPR, as well as forward looking considerations published on May 19, 2016.


Dancing madly on the lip of a volcano



John Oliver spent 18 minutes discussing the latest iteration of the crypto wars sparked by the recent Apple v. FBI case. In his summation, he provided a fantastic metaphor for cybersecurity, "dancing madly on the lip of a volcano". I think this metaphor is especially pointed as we see increasing regulatory intervention by bodies with very limited insight into, or education in, security. There is no global consensus on cyber security, and the house has been on fire as of late.

Security researcher Matt Blaze (@mattblaze), who was featured in Oliver's piece, tweeted the following:


Verizon Supercookies



The Federal Communications Commission has settled its Verizon Wireless "supercookie" probe, resulting in better consumer controls and transparency between the provider and its customers. The FCC's investigation found that the company had inserted unique, undeletable identifiers into web traffic and used these to identify customers in order to deliver targeted ads from Verizon and other third parties. As a result of this settlement and the FCC investigation, Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers' opt-in consent before sharing UIDH with third parties, and will obtain customers' opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family. The company will also pay a fine.


PrivacyWonk moves to TLS (finally...)

After waiting for what seemed like an eternity, the site finally has a Let's Encrypt certificate!

I took some time to set up TLS properly this evening (total project time: 2 hours), following fantastic guides from Mozilla and other sources (WeakDH.org, Qualys SSL Server Test, and Scott Helme's SecurityHeaders) to ensure a secure and modern implementation. See reports below.

Was this necessary for a site that simply serves up my idle thoughts on privacy and security? Absolutely.

Why?

Because if I can do it for my little blog serving an annual readership of 20k (most of which are SEO spammers), you can do it for your web app that collects, uses, and disseminates data. 

It's 2015, it's time for this level of encryption and site protection to become the new normal. Invest in AppSec, invest in Security Engineering, and invest in the trust of your customer or reader.

--------------------- 

Qualys Report: Yahtzee!

SecurityHeader Report: Content-Security Policy and Public-Key-Pins will be future projects for the site
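The SecurityHeaders scan mentioned above can be reproduced offline against a saved response, which is handy for checking a staging server before it is public. The following is an added example, not the blog's own tooling or Scott Helme's scanner: it reads a header block (the kind `curl -sI` prints) and reports which of the headers the post discusses are present, plus the HSTS max-age, since a short max-age gives little protection. The header block is constructed, not captured from this site. HPKP is deliberately not on the list: browsers have since dropped support for it, so Content-Security-Policy is the one remaining "future project".

```sh
#!/bin/sh
# Offline check of an HTTP response header block for the headers that a
# SecurityHeaders-style scan looks for. Added example; not the blog's code.

# Constructed header block, the kind `curl -sI https://example.invalid/`
# prints; not captured from privacywonk or any real site.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Tue, 06 Oct 2015 01:00:00 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8'

# Headers to look for (lower-case; HTTP header names are case-insensitive).
WANTED='strict-transport-security content-security-policy x-frame-options x-content-type-options'

# header_report: read headers on stdin, print "present <name>" or
# "MISSING <name>" for each wanted header. CR characters are stripped so
# a raw curl capture with CRLF line endings works as well.
header_report() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    for h in $WANTED; do
        if printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            printf 'present %s\n' "$h"
        else
            printf 'MISSING %s\n' "$h"
        fi
    done
}

# hsts_max_age: print the max-age value from Strict-Transport-Security,
# or nothing if the header is absent. Mozilla's server-side TLS guide has
# recommended six months or more; a value of a few hours only protects
# visitors who return within that window.
hsts_max_age() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
    sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Usage against a live site would be:  curl -sI https://yoursite/ | header_report
printf '%s\n' "$SAMPLE_HEADERS" | header_report
printf 'HSTS max-age: %s\n' "$(printf '%s\n' "$SAMPLE_HEADERS" | hsts_max_age)"
```

Run on the sample, the report flags Content-Security-Policy and X-Content-Type-Options as missing and shows a one-year HSTS max-age; wiring `header_report` into a deploy script turns the scan from an after-the-fact check into a gate.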


IP analysis shell function

Brian Warehime of nullsecure.org published a new threat intel piece, walking his readers through his analysis of incidents captured by his honeypot. The entire post, http://nullsecure.org/threat-intel-web-crew/, is fantastic and I encourage you to read it top to bottom. One snippet I found incredibly useful was a simple bash shell function that saves a great deal of time when performing IP-based analysis.


function ipgrab() {
  # Print every dotted-quad (IPv4-looking) string found on stdin, one per line.
  local line
  while read -r line; do
    echo "$line" | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
  done
  # read fails on a final line with no trailing newline but still fills $line,
  # so grep it once more rather than silently drop it.
  echo "$line" | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
}


Drop this into your .bashrc file and invoke it when analyzing files for IP addresses. For example:
cat /var/log/httpd.log | ipgrab > ips.txt
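The bare regex in ipgrab happily returns strings such as 999.1.1.1 and version numbers embedded in URLs, so the next things an analyst usually wants are octet validation and a frequency table. The following companions are an added example, not part of Brian's post; the access-log excerpt is constructed, using RFC 5737 documentation addresses plus two deliberate false positives.

```sh
#!/bin/sh
# Companions to ipgrab, added as an example; not from the nullsecure post.

# Constructed access-log excerpt. The addresses come from the RFC 5737
# documentation ranges; 999.1.1.1 and the version string 1.2.3.4 are there
# because a bare dotted-quad regex matches both.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.23 - - [10/Oct/2015:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.5 - - [10/Oct/2015:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.77 - - [10/Oct/2015:13:57:12 +0000] "GET /?ver=1.2.3.4 HTTP/1.1" 200 1024
999.1.1.1 is not an address, but the regex in ipgrab still returns it
203.0.113.5 - - [10/Oct/2015:13:58:00 +0000] "GET /robots.txt HTTP/1.1" 200 67'

# ipgrab_valid: same extraction as ipgrab, then drop any match whose four
# octets are not all in 0-255. A syntactically valid version string such
# as 1.2.3.4 survives this check; only context (or the first-field variant
# below) can rule it out.
ipgrab_valid() {
    grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
    awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# ipgrab_client: for Apache/nginx combined logs, take only the first field
# (the client address), which avoids matching addresses quoted in URLs or
# user-agent strings.
ipgrab_client() {
    awk '{ print $1 }' | ipgrab_valid
}

# ipgrab_top: frequency table, busiest address first, the usual first cut
# when triaging honeypot or web-server logs.
ipgrab_top() {
    ipgrab_valid | sort | uniq -c | sort -rn
}

# Usage on a real log: ipgrab_client < /var/log/httpd.log | sort | uniq -c | sort -rn
printf '%s\n' "$SAMPLE_LOG" | ipgrab_top
```

On the sample, ipgrab_valid discards 999.1.1.1 but keeps 1.2.3.4, while ipgrab_client keeps only the six client addresses minus the bogus one; the frequency table puts 203.0.113.5 at the top with three hits.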


Breach response for the jaded

I heard about the breach at [$COMPANY_NAME$] and the [$BREACH_QUANTITY$] [$DATA_TYPE$ one of "credit card", "patient record", "social security number", "user login", "hashed passwords", "national security secrets", "Hollywood star's 'selfies'"] compromised. Of course this is a serious matter and is the largest since [$YESTERDAY_DATE$].

The people at [$COMPANY_NAME$] have not yet released details, which is appropriate given an incident response of this magnitude. I understand that they have the [$RESPONDER_NAME$ multiple of "FBI", "NSA", "CIA", "Mandiant", "army of consultants", "Keystone Kops"] involved and have issued a press release.

My guess is that the attackers were able to initially breach the target using a [$ATTACK_TYPE$ one of "phishing attack", "brilliantly clever targeted phishing attack", "piece of custom malware", "cat with a WiFi interface implanted in its head", "SQL injection attack", "basic website vulnerability", "army of ninjas", "variant of Stuxnet"] which is [$UNEXPECTED$ one of "totally unexpected", "the way it usually happens", "innovative", "obscure as hell", "bloody typical"] form of attack that is often used by [$USUAL_SUSPECTS$ multiple of "China", "North Korea", "CIA", "NSA", "Anonymous", "brotherhood of blades", "Bavarian Illuminati", "Trilateral commission", "hackers who have read 'Hacking Exposed'", "any complete newbie"]. Until I know more about it, I can't really guess about the details.

However, this illustrates the basic issues in information security, which is that organizations don't appear to have effective responses to basic malware and/or phishing attacks, and have aggregated critical data into central locations on their networks where it is accessible. Once an attacker gets inside, it is pretty easy for them to escalate privileges, find out where the data is, and exfiltrate it. Organizations with critical data should segregate it off their network, perform regular vulnerability audits and remediation, maintain detailed system logs, and use two factor authentication for administrator access. If it's a large organization, Big Data also helps, but I am not sure how.
