I wish the GAO would do this more often. Makes an interesting case for
my Computer Security class.
US government releases post-mortem report on Equifax hack
The Government Accountability Office (GAO) has
published a report to detail how the Equifax hack went down and how
the credit reporting company answered during and after the incident.
The report comes a day before the one-year anniversary of the
public announcement of the Equifax breach that exposed the
personal details of 145.5 million Americans, but also of millions
of British and Canadian citizens.
… Equifax IT administrators circulate this
advisory on an internal mailing list. Unbeknownst to its IT
administrators, the mailing
list was out-of-date and did not include all its systems
administrators, indirectly leading to an incomplete patch
of Equifax's servers.
… A week after the US-CERT advisory, Equifax
staff scans its own systems for the presence of the Struts
vulnerability, but the dispute portal does not show up as vulnerable.
… During this second intrusion, Equifax says
attackers issued queries from the online dispute portal systems to
other databases in search of personal data.
"This search led to a data repository
containing PII, as well as unencrypted usernames and passwords that
could provide the attackers access to several other Equifax
databases," the report says.
This data helped attackers to expand their initial
access from three databases to 48. Logs showed attackers then ran
approximately 9,000 queries to gather Equifax customer info.
The GAO report says this happened because Equifax
failed to segment its databases into smaller networks. This, in
turn, allowed the attacker direct and easy access to all of its
customers' data.
… Equifax said that the reason hackers were
not detected for 76 days was because a device meant to inspect
network traffic had been misconfigured and didn't check encrypted
traffic for signs of malicious activity.
Interesting. A Russian in Georgia.
A Russian man accused of launching a major hacking
campaign against U.S. financial institutions was extradited to the
United States on Monday, the U.S. Attorney’s Office for the
Southern District of New York announced
Friday.
Andrei Tyurin was extradited from the country of
Georgia and arrived in the U.S. on Friday.
… “Tyurin’s alleged hacking activities
were so prolific, they lay claim to the largest theft of U.S.
customer data from a single financial institution in history,
accounting for a staggering 80 million-plus victims,” U.S. Attorney
for Manhattan Geoffrey Berman said in a statement.