This is your Shared Security Weekly Blaze for December 17th, 2018 with your host, Tom Eston. In this week’s episode: Equifax data breach details released, more Google+ API bugs and Supermicro strikes back.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
A report released last week from the U.S. House of Representatives Committee on Oversight and Government Reform about the Equifax data breach, known as the largest consumer data breach in US history, shows that the breach could have been entirely preventable. The 96-page report, which we’ve linked in the show notes for a very stimulating and exciting read, goes into great detail on how attackers were able to exploit an Apache Struts vulnerability on an application called the Automated Consumer Interview System (also known as ACIS). For 76 days Equifax failed to detect the breach even though massive amounts of data were being exfiltrated. The report said “Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times”. The breach went undetected because the device used to monitor ACIS network traffic was inactive for 19 months due to an expired SSL certificate on the data exfiltration monitoring system. Ironically, at the same time, Equifax had also allowed at least 324 other SSL certificates to expire, “including 79 certificates for monitoring business-critical domains”. Once the SSL certificate was renewed for the data exfiltration service, it was then immediately identified that a data breach was taking place. One of the interesting highlights I noticed in the report was about how the attackers were able to deploy 30 “web shells” (which are essentially backdoors) across the Equifax network due to the Apache Struts vulnerability. Because of these web shells, they were able to find a file containing unencrypted credentials which gave them access to 48 databases outside of the ACIS environment. After that, the rest is history.
The other shocking, but not so shocking part of the report was the very passive and pretty much voluntary recommendations from the committee. Some of the recommendations include requiring credit agencies to offer a free summary of all data that they’ve collected about you, consider offering more than one year of pre-paid identity theft protection, and giving the Federal Trade Commission more power to monitor data security practices of credit agencies like Equifax. There was no mention of any federal law or government enforcement that would penalize credit agencies for maintaining poor cybersecurity. In my opinion, this is unacceptable. How many more data breaches will it take for the government to take the security and privacy of our personal data seriously? Only time will tell and we have a b
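As an added example tied to the expired-certificate point above (not code from the podcast or from the House report), here is a small certificate-inventory audit in Python that ranks expired and near-expiry certificates and treats an expired certificate on a monitoring device as the most severe finding, since that is the failure that left ACIS traffic uninspected. The hostnames, roles, expiry dates and audit date are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory (hypothetical hosts; not data from the House report).
# Each record: (hostname, role, certificate notAfter date).
INVENTORY = [
    ("acis-traffic-monitor.example", "monitoring", date(2016, 1, 31)),
    ("acis-web.example", "application", date(2017, 11, 30)),
    ("ids-sensor-2.example", "monitoring", date(2017, 8, 10)),
    ("intranet.example", "internal", date(2018, 2, 1)),
]
AUDIT_DATE = date(2017, 7, 29)  # constructed audit date

@dataclass
class Finding:
    host: str
    role: str
    status: str     # "expired", "expiring" or "ok"
    days: int       # days until expiry; negative once expired
    severity: str   # "critical", "high", "medium" or "info"

def classify(role, days_left, warn_days):
    """Rank a certificate. An expired cert on a monitoring device is the
    worst case: inspection silently stops while everything else keeps
    running, which is the blind spot the Equifax report describes."""
    if days_left < 0:
        return "expired", "critical" if role == "monitoring" else "high"
    if days_left <= warn_days:
        return "expiring", "high" if role == "monitoring" else "medium"
    return "ok", "info"

def audit(inventory, today, warn_days=30):
    """Return one Finding per certificate, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    findings = []
    for host, role, not_after in inventory:
        days_left = (not_after - today).days
        status, severity = classify(role, days_left, warn_days)
        findings.append(Finding(host, role, status, days_left, severity))
    return sorted(findings, key=lambda f: (rank[f.severity], f.days))

def monitoring_blind_days(findings):
    """Longest time, in days, that a monitoring device has run with an
    expired certificate, i.e. how long the network has been blind."""
    expired = [-f.days for f in findings
               if f.role == "monitoring" and f.status == "expired"]
    return max(expired, default=0)

if __name__ == "__main__":
    results = audit(INVENTORY, AUDIT_DATE)
    for f in results:
        print(f"{f.severity:8} {f.status:8} {f.days:5d}d  {f.host} ({f.role})")
    print("monitoring blind for", monitoring_blind_days(results), "days")
```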