Sunday, October 01, 2017
The Privacy Foundation at University of Denver Sturm College of Law will host a seminar on October 27th, from 10:00am-1:00pm (with lunch to follow) at the Ricketson Law Building.
Privacy and Cyber Security – Equifax
The seminar will examine the history and current status of interactions between Privacy and Computer Security, with particular emphasis on the recent Equifax data breach.
For more information or to register, contact the Privacy Foundation Event Coordinator at firstname.lastname@example.org
Speaking of Equifax… However, there is so much information about the techniques of nation-state hackers that any reasonably competent hacker can understand and use the techniques. Something we try to discourage our students from doing.
The Equifax Hack Has the Hallmarks of State-Sponsored Pros
In the corridors and break rooms of Equifax Inc.'s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren't being disparaging, just darkly honest
… Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.
The average American had no reason to notice Apache's post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.
… By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax's computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.
… In one of the most telling revelations, Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company's network. That rift, which appears to have squelched a broader look at weaknesses in the company's security posture, looks to have given the intruders room to operate freely within the company's network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax's software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company's grasp through the summer. In an e-mailed statement, an Equifax spokesperson said: “We have had a professional, highly valuable relationship with Mandiant. We have no comment on the Mandiant investigation at this time.”
The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company's challenges may go still deeper. One U.S. government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company. “We have no evidence of malicious inside activity,” the Equifax spokesperson said. “We understand that law enforcement has an ongoing investigation.”
… “Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security.”
… Although the hackers inside Equifax were able to evade detection for months, once the hack was discovered on July 29, investigators quickly reconstructed their movements down to the individual commands they used. The company's suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network's internal communications and data traffic. Using Moloch, investigators reconstructed every step.
What’s that saying about mountains and Mohammad?
Apple’s Global Web of R&D Labs Doubles as Poaching Operation
In recent years, Apple Inc. has quietly put together a global network of small research and development labs, from the French Alps to New Zealand.
Nothing unusual about that for a company that spends $11 billion a year on R&D. Look a little closer, however, and you'll notice that many of these labs are located near companies with a strong record in mapping, augmented reality and other areas Apple is pushing into. In several cases, these companies lost employees to Apple not long after the iPhone maker came to town. Apple spokeswoman Trudy Muller declined to comment.
Just last week, Apple posted a job listing for a software engineer in Denver specializing in mapping. Back in May, local media reported the company was close to securing office space in a building that just happens to be two blocks from the headquarters of Verizon Communications Inc.'s Mapquest unit.
For my Computer Security students.
How to stop your devices from listening to (and saving) everything you say