The Privacy
Foundation at University of Denver Sturm College of Law will host a
seminar on October 27th,
from 10:00am-1:00pm (with lunch to follow) at the Ricketson Law
Building.
Privacy
and Cyber Security – Equifax
The seminar will examine the history and current
status of interactions between Privacy and Computer Security, with
particular emphasis on the recent Equifax data breach.
For
more information or to register contact Privacy Foundation Event
Coordinator at sbrunswick@law.du.edu
Speaking of Equifax… However, there is so much
information about the techniques of Nation State hackers, that any
reasonably competent hacker can understand and use the techniques.
Something we try to discourage our students from doing.
The Equifax
Hack Has the Hallmarks of State-Sponsored Pros
In the corridors and break rooms of Equifax
Inc.'s giant Atlanta headquarters, employees used to joke that
their enormously successful credit reporting company was just one
hack away from bankruptcy. They weren't being disparaging, just
darkly honest
… Nike Zheng, a Chinese cybersecurity
researcher from a bustling industrial center near Shanghai, probably
knew little about Equifax or the value of the data pulsing through
its servers when he exposed a flaw in popular backend software for
web applications called Apache Struts. Information he provided to
Apache, which published it along
with a fix on March 6, showed how the flaw could be used
to steal data from any company using the software.
The average American had no reason to notice
Apache's post but it caught the attention of the global hacking
community. Within 24 hours, the information was posted to
FreeBuf.com, a Chinese security website, and showed up the same day
in Metasploit, a popular free hacking tool. On March 10, hackers
scanning the internet for computer systems vulnerable to the attack
got a hit on an Equifax server in Atlanta, according to people
familiar with the investigation.
… By the time they were done, the attackers
had accessed dozens of sensitive databases and created more than 30
separate entry points into Equifax's computer systems. The hackers
were finally discovered on July 29, but were so deeply embedded that
the company was forced to take a consumer complaint portal offline
for 11 days while the security team found and closed the backdoors
the intruders had set up.
… In one of the most telling revelations,
Equifax and Mandiant got into a dispute just as the hackers were
gaining a foothold in the company's network. That rift, which
appears to have squelched a broader look at weaknesses in the
company's security posture, looks to have given the intruders room to
operate freely within the company's network for months. According to
an internal analysis of the attack, the hackers had time to customize
their tools to more efficiently exploit Equifax's software, and to
query and analyze dozens of databases to decide which held the most
valuable data. The trove they collected was so large it had to be
broken up into smaller pieces to try to avoid tripping alarms as data
slipped from the company's grasp through the summer. In an e-mailed
statement, an Equifax spokesperson said: “We have had a
professional, highly valuable relationship with Mandiant. We have no
comment on the Mandiant investigation at this time.”
The massive breach occurred even though Equifax
had invested millions in sophisticated security measures, ran a
dedicated operations center and deployed a suite of expensive
anti-intrusion software. The effectiveness of that armory appears to
have been compromised by poor
implementation and the departure of key personnel in recent years.
But the company's challenges may go still deeper. One U.S.
government official said leads being pursued by investigators include
the possibility that the hackers had help from someone inside the
company. “We have no evidence of malicious inside activity,” the
Equifax spokesperson said. “We understand that law enforcement has
an ongoing investigation.”
… “Internally, security was viewed as a
bottleneck,” one person said. “There was a lot of pressure to
get things done. Anything related to IT was supposed to go through
security."
… Although the hackers inside Equifax were
able to evade detection for months, once the hack was discovered on
July 29, investigators quickly reconstructed their movements down to
the individual commands they used. The company's suite of tools
included Moloch, which works much like a black box after an airliner
crash by keeping a record of a network's internal communications and
data traffic. Using Moloch, investigators reconstructed every step.
What’s that saying about mountains and Mohammad?
Apple’s
Global Web of R&D Labs Doubles as Poaching Operation
In recent years, Apple Inc. has quietly put
together a global network of small research and development labs,
from the French Alps to New Zealand.
Nothing unusual about that for a company that
spends $11 billion a year on R&D. Look a little closer, however,
and you'll notice that many of these labs are located near companies
with a strong record in mapping, augmented reality and other areas
Apple is pushing into. In several cases, these companies lost
employees to Apple not long after the iPhone maker came to town.
Apple spokeswoman Trudy Muller declined to comment.
… Denver
Just last week, Apple posted a job listing for a
software engineer in Denver specializing in mapping. Back in May,
local media reported the company was close to securing office space
in a building that just happens to be two blocks from the
headquarters of Verizon Communications Inc.'s Mapquest unit.
For my Computer Security students.
How to stop
your devices from listening to (and saving) everything you say
No comments:
Post a Comment