This article presents more evidence about EquiFax Inc., and the threat they, and others, still pose to our private data. It demonstrates that none will enhance cyber security, until it costs more to not protect our data via fines and penalties implemented in law. As a cyber security professional, I am naturally judgmental and biased towards organizations like EquiFax Inc. when they bumble a breach and continue to have poor cyber security practices. Thus, I'm afraid when our information is handled by any entity related by them. I highly encourage ANY corporation using EquiFax or their subsidiaries to avoid this company until they demonstrably prove they are committed to protecting personal data. A company’s reputation and data is tied to their ineptitude. Without further digressions, I present a case of EquiHack, holding Tax data and asking for more! This investigation started when I received an electronic W-2 is ready email notification. Great I can start the heinous process of doing my taxes now. But in order to obtain said W-2 (oh boy did I ever forget what I was dealing with) I had to go through certain steps with a certain company. "Please visit this website:" https://www.mytaxform.com. "Okay, no problem" until I see the following footer at the bottom of the web site: Damn. Equifax. I have a personal bias and loathing for them. They didn't handle their MONUMENTAL breach well and I don't trust them. So I scrutinize this company/subsidiary of theirs, TALX Inc. which holds my data. See my list of what I found disturbing about this subsidiary of Equifax Inc. followed by varying degrees why each item is disturbing.
1. Their Privacy Policy ...dates to 2013. After Equifax Inc. just had an egregious cyber security breach. It also states they will sell to 3rd party affiliates. This is not okay to me. This is my tax information. I do not want ANY of my tax information sold to 3rd party affiliates. My Tax information is not for sale, at least I thought it wasn't. 2. The Security Policy... ...sounds good to a lay person. But it demonstrates a marketing or inexperienced person wrote it by boasting that "portions of our site make extensive use of Secure Socket Layer (SSL) encryption...password-like identifying information" though there's no reason to not use SSL for all of the data (cost or otherwise) and the term password-like does not mean anything. It's made up? What is a password-like password? A known-word? Anyway, they also boast they take "great care to safeguard all information that is transmitted to us and stored by us...using network intrusion prevention and detection technology as well as other industry accepted security practices...independent auditing firm KPMG completes their SAS 70 Type II audit" which is not true. If they did they'd SSL encrypt the entire site. They would not ask for MORE information, and they would not throw out a large name company who also suffered from an embarrassing cyber security breach, as shared by cyber security professional Graham Cluley, to instill confidence. 3. Uses easily obtained information as a username (SSN) The username for this company is your SSN (Social Security Number), even though Equifax Inc. lost ~154 million of these, and it contradicts their security policy claim as it is not an "industry accepted security practice" at all; it is Personally Identifiable Information not to be used as a username. Higher education had to go through the process of removing SSN as Student Identifiers already. But apparently it's okay for Private companies; there's no law. Why not. 4. and 5. Weak Password policy and process I remember when I originally signed up for an electronic W-2 that I had to do an all numeric 4-16 character password. This is not an industry best practice. So I hoped, when I reset the password recently, it would allow a secure one. But nope, see screenshot below. So, let me try some easy passwords to change it too, such as 1234, or 0000. Both were accepted. One good practice, they did not allow me to reuse old passwords. So they're retaining the passwords used already (hopefully encrypted). They use SMS text messaging for a 2nd factor to login. Our own government states this is a bad idea (June 2017) and why in laymen terms is reported by Wired Inc. here. 6. Requests Additional Personal Information
Upon login with my SSN/Username and Numeric only password, the site then requests additional information to store, for my safety. They want, a personal email address, though I received an email already telling me my W-2 was ready, personal phone number, last 4 of my social (which I already used to login), and my Date of Birth, which umm they already lost via the EquiFax breach and is easily obtainable. This is not extra security. A motivated teenager can hack me at this point. Also, if they're requesting additional information, this means they do not have it, and they are storing it in yet another database/location, which means additional copies of my information are spread around and poses more security risks. 7. Attempts to use Adobe Flash Upon signing in I notice the site attempts to utilize Adobe Flash Player to display information before failing over to alternative methods. Adobe Flash Player is being retired and most security aware companies have already migrated off of it as it has proven it is no longer secure. Yet this site shows additional risk by using it, and another method to display my information and interact with the site. The more complicated a site is, the harder it is secure, and we've already demonstrated cyber security is not this companies forte. 8. Using Symantec SSL Certificate While not inherently bad, in the cyber security realm Symantec SSL certificates have shown a serious lack of integrity. Symantec has some good products, but it's SSL business was not among them. Google and other major web browsers are no longer going to trust them, meaning your site is considered not secure while using SSL technology with Symantec Certificates because of a lack of integrity. An SSL Certificate is the 3rd party responsible for being the trusted entity that assures us our data is secure. Unfortunately, Symantec lost the community trust in 2016/2017 and thus continuing to use their certificates shows a lack of security awareness. Am I being overly hard on EquiFax and it's owned companies. Yes. Do I have a reason to be? Yes. This is yet another reason why we need Federal Regulations enforcing good cybersecurity practices. Organizations WILL NOT do this on their own. Humans have a tendancy to not want to do things until it's painful to them. This seems like the perfect case-study for why we need to create similar laws to that of Europe to protect our personal data, and penalize companies who do not care about it as much as we do. EquiFax has yet to demonstrate they care about me, you, or our data, and property. To that I plead.... Help us US-LEGISLATURE-KENOBI, you're our only hope.
3 Comments
Below I present my report on the 2017 Holiday Hack Challenge. It's in PDF, because, well I put a lot of effort into the report to make it pretty and readable for the SANS folks. The challenge was a lot of fun, and I highly encourage anyone even remotely interested to give it a crack, it will always keep you learning. Happy Hacking and best wishes! Few information security experts will argue that personal privacy rights have slowly eroded over the last few hundred years in the United States. In the past two decades, following the terrorist attacks of 9/11/01 in the United States, they eroded exponentially. That attack plucked a note of fear the likes which many Americans had never experienced, but which are almost the norm in other countries. But it happened to us, the US, and as a beacon of freedom, democracy, opportunity, and liberty the world watched in horror, mourned, raged, and vowed support. We held a position of great responsibility, and our approach to such an egregious sucker punch was swift, and we toppled nations, fought wars, and passed laws. Laws driven by emotions rather than logic and reason. The legislative response was to militarize data gathering, and to hack everything, monitor everywhere, and justified by statements like the one in the title of this blog entry, "If you have nothing to hide, then you have nothing to fear." This argument is fallacy. Privacy is not evil, it is a piece of our humanity. It was included in our Bill of Rights for this reason and I would pit any of the writers of the United States Constitution and the Bill of Rights against our current legislatures in a debate over privacy, and I assure you they would crush modern politicians in the debate. The Bill of Rights Amendment 4 (Article IV) is clear about what can and cannot be done when it comes to my Government searching and seizing us or our stuff. The article is timeless, it's a basic human right to have privacy in our persons, during procreation for example, or when changing clothes. It's fair that my home where I feel comfortable and safe, or should feel this way, be private. I do not want or need everyone knowing what merchandise I have, or where I keep valuables. It makes sense that my spoken words, letters, emails, pictures, digital or physical, are secure. They are personal, private, and if I want them out in the public, I post them myself. This article states these are secure against unreasonable searches and seizures, and shall not be violated, and no Warrants shall issue, BUT upon probable cause with supported testimony and describing what will be searched and where. Article [IV] (Amendment 4 - Search and Seizure) The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Did 9/11/01 change everything? Yes. We cannot ignore growing terrorist threats in other nations who threaten our security. We must rethink our approach allowing military applications of unwarranted spying and collection of information against civilians and ensure they are targeted. We must rethink our laws and actions and not let fear dictate our laws and actions. We let the only real tool terrorists have, beat us, fear. Fear eroded our sense of freedom and safety. We responded by violating our sacred principles, our rights. Terrorists know they cannot win against our economy, our military, our police. They know they can only strip away all of our freedom, liberty, and privacy incrementally by inciting fear. Our elected officials should not be afraid to fix this, and we can fix this. It took a lot of bright people, debating civilly, a long time to come up with a Bill of Rights. They didn't rush it, they were meticulous. There's no valid reason to throw it away because we're afraid; especially given that I don't recall hearing about any massive terrorist attacks being stopped in the 17 years since 9/11 here in the US. Even though there remains egregious violations of civilian privacy; and I assure you that any thwarted attack would be touted publicly if it were the case. Do I feel our military intelligence, police forces, and country's offensive and defensive agencies should be the best at violating privacy? When WARRANTED, hell yes! NSA/CIA/FBI I want you to do what you do best, and I will help you do it wherever I can when warranted. Spy the hell out of other nations, go ahead, get your spy on. We know you're the best, and I'm proud about it. It is a standard national practice, and always has been. Spying on our enemies balances the scales, because everyone does it. Hell spying on our allies even makes sense, in some circumstances, when warranted. FBI, you better be good at spying on criminals and suspected terrorists, that's your job and you've done pretty well at it. Please don't drown yourselves in unnecessary data and additional investigations when you don't have the people to investigate it all. Right now companies and corporations are gathering so much data that they can't analyze it, but they're keeping it. How the hell are we supposed to find the real threats against us through all that data? A great example, borrowed from Bruce Schneier's book Data and Goliath highlights the failures as a result of all this data gathering; specifically the Boston Marathon bombing, which by the way is AFTER we have a plethora of privacy violating activities happening. But spying on me and my wife getting frisky in the bedroom, or my children watching you tube on an iPad? I'm afraid I don't see the value. The Boston Marathon bombing was possible, because there is TOO much information out there being gathered, and real threats are lost in the ocean of data. The answer isn't more data gathering, it's more targeted data gathering, like we used to do, which Bruce Schneier nailed in his book again, I mean, really he is an expert. We need to trust experts when we don't know things, unless they violate that trust. George Orwell called, he wants to sue the US for infringing on his copyright for his plot in his book 1984...... I'm weary after hearing about more and more of my personal and private data getting leaked by whistle blowers and idiot employees, or stolen by Governments and hackers in cyber security breaches. OPM breach? Yup that was my data, I was a Federal worker and served in the Armed Forces. EquiFax? Yup that's my data, dammit. All these military-grade cyber attack payloads and personal data get leaked and utilized against us civilians and result in attacks such as the Wannacry ransomware attacks, Tax fraud, and bank accounts being drained.
Whenever we intentionally weaken our security in products and in technologies by embedding back-doors and weak security it destroys the world's faith in our ability to sell secure, safe computing equipment. The standards our Internet and digital security are based on are suspect. Not because of a whistle blower, but because it was done in the first place. There is no secret that can be kept, but for the one not spoken. Eventually, the secret gets out, or is independently discovered, and exploited. The worst part is we don't know who is exploiting it then; we are just wishin' and prayin' it's not found out by our enemies or criminals. Back doors, and weak cryptograhy will only harm our business further. Secretly coercing companies to share data without divulging the facts will only further diminish faith, and profits, in those companies. The really smart bad guys aren't going to use those businesses or services anyway, so adding them to your repertoire of leads is going to only aid in drowning yourselves in data, or as I experienced and shared with my team in my security operations while trying to analyze an overwhelming amount of network traffic logs, we were drinking from the fire hose of information. We can do better. Let's regroup. It's not working. Privacy IS important. If it weren't then the very people (the Mark Zuckerberg's and Eric Schmidt's) who claim it's gone wouldn't be buying isolated homes and trying increase the buffer zone between their home and the world. It's only gone if we let it be gone. I don't want to live in a world where I or my children can't use the restroom without fear of being recorded. The next time someone says, "If you have nothing to hide, then you have nothing to worry about" just nod and smile, and maybe give them a copy of Data and Goliath. Please. Stay safe, I'll do my part to help where I can, and God Bless America, and all of us. For what it is worth, the opinions expressed here are mine. I'm an American, I do what I can to help our country remain strong, militarily and on the civilian side too. I believe in loyalty to country, practicing kindness, tolerance, apologizing when wrong, and love. I am fallible, and make mistakes, like ALL of us. In some ways I am broken. Yet, I remain a loving father, husband, brother, son, and I'm most certainly still proud to be an American, and a human being. |
AuthorI am a Doctoral Scholar at Colorado Technical University and a graduate of the Cyber Security Operations and Leadership program from the University of San Diego. I work in cybersecurity, and have accumulated twenty years in the IT industry. There are few IT roles I have not performed, which gives me great insights into making sense of all the IT confusion. Archives
February 2022
Categories
All
|