
Major Data Breach - Equifax


RV_


On 9/11/2017 at 8:06 PM, RV_ said:

I am just finished with my bank and insurance company which both are from the same company. They suggested I increase my security. In addition to my ID and password, then the pin, and then a security question, they will now cybertext me with a six digit additional random password generated with each transaction and they send it to me in text. Thankfully we are simple folks and all our credit cards, bank accounts, and checking savings accounts are all with them. So we both enabled three factor cyber text security and I feel confident that draining our accounts will be difficult.

I am going to enroll in the free Identity theft protection offered by Equifax. That and the additional security we just instituted for our accounts should be all we need.

Sorry Derek

 

That just tickled my funnybone.  LOL

 

Newt

2012 HitchHiker Discover America 345 LKSB

2009 Dodge/Cummins

 

LIVINGSTON TX

Link to comment
Share on other sites


Amen Dennis.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites

Newt,

LOL! I see it too, almost an oxymoron.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites

I hear ya Dennis.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites

7 hours ago, Newt said:

Sorry Derek

 

That just tickled my funnybone.  LOL

 

Newt

I have a hard time remembering 4 digit passwords. Don't believe 6 is going to work

2003 Teton Grand Freedom towed with 2006 Freightliner Century 120 across the beautiful USA welding pipe. https://photos.app.goo.gl/O32ZjgzSzgK7LAyt1

Link to comment
Share on other sites

3 hours ago, GlennWest said:

I have a hard time remembering 4 digit passwords. Don't believe 6 is going to work

If you search "Password safe" you will find a large choice of programs to encrypt your passwords that you can keep on a computer or smart phone, or on both and thus you would only need to remember 1 password. We keep a copy of PWsafe on each of our computers and our phones and that way we just copy & paste the passwords when needed. We also allow the program to generate our passwords for things financial or personal ID related and no two are the same. It took a bit of getting used to, but once you do so it really isn't a big deal. 

Good travelin !...............Kirk

Full-time 11+ years...... Now seasonal travelers.
Kirk & Pam's Great RV Adventure


 

Link to comment
Share on other sites

Kirk

The last place I am keeping a copy of all my passwords is on a smart phone or a computer that is ever hooked up to the internet.  I don't care what you have ever heard or read that encryption can and is broken every day.  The best way to get you to give it up is by convincing you that it cannot be done.  That is called disinformation and the world is full of it.  What you see is only what I want you to think that you see.

Dennis

 

USA Master Sergeant Ret.

Link to comment
Share on other sites

I keep most passwords on my hard drive in my PC. Know not safest place but I can't remember them. Debit card in my billfold. Again, I use it daily and sometimes forget it. My wife just as bad. She got to get new pin for debit card since she forgot hers and keeps no backup. 

2003 Teton Grand Freedom towed with 2006 Freightliner Century 120 across the beautiful USA welding pipe. https://photos.app.goo.gl/O32ZjgzSzgK7LAyt1

Link to comment
Share on other sites

3 hours ago, DJW said:

The best way to get you to give it up is by convincing you that it cannot be done.

None of those encryption programs make that sort of claim, so I'm not sure what makes you think that I believe it???  But passwords can also be broken and the more you use the same one the higher the probability that it will happen and especially so if it is something logical that is easily remembered. What you speak of is a degree of risk. The most secure that is possible is to have each password different from every other one and each one made up of random characters, changing all of them frequently.  Or you could keep all of your money in a box and sit close by while well armed to protect it so that there is no possibility of ever being hacked. 

You can't do much of anything without accepting some degree of risk. 

Good travelin !...............Kirk

Full-time 11+ years...... Now seasonal travelers.
Kirk & Pam's Great RV Adventure


 

Link to comment
Share on other sites

A possible cause is coming out. It seems their IT pros are not patching their software despite known vulnerabilities becoming public back in March on some of their main software systems. If indeed that was the fault of the IT department, that bodes ill for how the security of the rest of the software and hardware is maintained company wide:

Excerpt:

"Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack

The company said the March vulnerability was exploited by hackers.

Equifax has confirmed that a web server vulnerability in Apache Struts that it failed to patch months ago was to blame for the data breach that affected 143 million consumers.

In a brief statement, the credit rating giant said:

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted."

"We know that criminals exploited a U.S. website application vulnerability," the statement added.

"The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

For its part, Equifax still has not provided any evidence to support the claim.

The cited Apache Struts flaw dates back to March, according to a public vulnerability disclosure. Patches were released for the vulnerability, suggesting that Equifax did not install the security updates."

The full article is here: http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=19724681974700635514865380622813

Since the vulnerability to software they depend on was fixed and a patch made available last March, their not having patched their systems to date, if true, means that level of IT department laziness and sloppiness pervades all of their website, server, and data repositories. I'd fire and prosecute the IT department if indeed it were true, as well as the CEO, and the department head.

I did enroll in Equifax's ID protection a few minutes ago and giggled while thinking of the almost an oxymoron of getting the company that caused the breach of my info to protect my info as second. That was funny Dennis.

Dennis I agree about password managers. Why? Well all the criminal element needs is my master password, that is a different animal from hacking all of them offline on a USB flash drive, which I do. Has it happened?

Excerpts:

"June 2017: OneLogin Password Manager Hacked; Users’ Data Can be Decrypted

Do you use OneLogin password manager? If yes, then immediately change all your account passwords right now.

OneLogin, the cloud-based password management and identity management software company, has admitted that the company has suffered a data breach.

The company announced on Thursday that it had "detected unauthorised access" in its United States data region.

Although the company did not provide many details about the nature of the cyber attack, the statement released by the firm suggest that the data breach is extensive.

What Happened? OneLogin, which aims at offering a service that "secures connections across all users, all devices, and every application," has not yet revealed potential weaknesses in its service that may have exposed its users’ data in the first place.

"Today We detected unauthorised access to OneLogin data in our US data region," OneLogin chief information security officer Alvaro Hoyos said in a brief blog post-Wednesday night.

What type of Information? Although it is not clear exactly what data has been stolen in the hack, a detailed post on a support page that is accessible to customers only, apparently says that all customers served by the company's US data centre are affected, whose data has been compromised.

The stolen data also includes "the ability to decrypt encrypted data."

Source: The Hacker news June 2017:  http://thehackernews.com/2017/06/onelogin-password-manager.html

Here's another from 2015:

"Password manager LastPass said Monday that email addresses and encrypted master passwords were compromised in a breach. LastPass CEO Joe Siegrist wrote in a blog post that the company does not believe user accounts were accessed in the attack, but the company recommended that users change the master password they use to access their account." Source Forbes: https://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#12d4e9e7728f

How can they do that? Here's how - This next article shows you what tools to download, and how to use them with videos, so you can hack passwords too.

Excerpt:

"Step 1 Cracking MD5 on Windows

On Windows, we're going to need to download and install Cain & Abel. Cain is part of the software suite, and is a AIO (All-In-One) Windows hacking tool. We will be using its bruteforce function to crack MD5 hashes.

Hash a Word

Let's hash the word "cowsay" using Miracle Salad's MD5 hash generator. We get the following as a result:

0f606505ce5a8e34d306f707067786ef

Bruteforce with Cain

I'm going to show you in a vTutorial how to crack the hash of the word "cowsay". Follow closely!

Step 2 Cracking MD5 on Linux

On Linux, cracking hashes is a bit different. We will be using JTR (John the Ripper). Linux is a bit faster at cracking hashes, as you will see in the video a bit later.

Installation

  1. First, download JTR from here.
  2. Extract with tar zxvf john-1.7.8.tar.gz
  3. Navigate to the john directory
  4. Install with ./configure && make && sudo make install

Bruteforce with John

I'm going to crack the hash of the word "cowsay" again, but this time with JTR. Commands will be listed below, if you miss any. Watch the video.

Step 3 Protect Yourself from Password Cracking"

In step 3 there is a link to his article on being as strong with your password protection.

That article is here: https://null-byte.wonderhowto.com/how-to/hackers-take-your-encrypted-passwords-crack-them-0130638/

 

 

Edited by RV_

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites
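
Added example, not part of any post in this thread or of the linked articles: the excerpt quoted in the post above works because a single unsalted MD5 pass is fast and deterministic. The sketch below contrasts that storage scheme with a salted, iterated one (PBKDF2 from Python's standard library); the user names, the iteration count and the record format are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 200_000   # demo work factor (assumption); tune to your hardware
SALT_BYTES = 16

# Constructed sample data: two accounts that happen to share one password.
SAMPLE_USERS = {"alice": "cowsay", "bob": "cowsay"}


def md5_unsalted(password: str) -> str:
    """The weak scheme in the excerpt: a single fast, unsalted MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as scheme$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(users: dict) -> dict:
    """Show which scheme leaks that two accounts share a password."""
    md5_rows = {u: md5_unsalted(p) for u, p in users.items()}
    kdf_rows = {u: hash_password(p) for u, p in users.items()}
    return {
        "md5_identical": len(set(md5_rows.values())) == 1,
        "salted_identical": len(set(kdf_rows.values())) == 1,
    }


def cost_ratio(password: str = "cowsay", md5_rounds: int = 20_000) -> float:
    """How many MD5 computations fit in the time of one PBKDF2 verification."""
    start = time.perf_counter()
    for _ in range(md5_rounds):
        md5_unsalted(password)
    md5_each = (time.perf_counter() - start) / md5_rounds
    start = time.perf_counter()
    hash_password(password)
    return (time.perf_counter() - start) / md5_each


if __name__ == "__main__":
    print(compare_schemes(SAMPLE_USERS))
    print(f"one salted verification costs about {cost_ratio():,.0f} MD5 passes")
```

With unsalted MD5 the two rows are identical, so one lookup table serves every account; with a per-user salt and a work factor each stored record has to be attacked separately and slowly.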

Thanks Pat,

I hadn't seen that new info. It seems my guesses were in line with the reality. I would like to see the insider traders, the three I think it was top level folks who sold shares three days after the breach was discovered and now claim they did not know of the breach at that time.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites

16 hours ago, Pat & Pete said:

Just seems kinda strange that they would choose that exact time to dump a load of shares

I hope that nobody thought that I was defending that fact! That timing might have been accidental if it were one person, less believable when two people and three is exceedingly difficult to believe was a coincidence. I do not buy it. 

Good travelin !...............Kirk

Full-time 11+ years...... Now seasonal travelers.
Kirk & Pam's Great RV Adventure


 

Link to comment
Share on other sites

7 hours ago, Kirk Wood said:

I hope that nobody thought that I was defending that fact! That timing might have been accidental if it were one person, less believable when two people and three is exceedingly difficult to believe was a coincidence. I do not buy it. 

And, anyone care to bet that anyone of those 3 had their personal information breached?

Goes around, comes around.

Link to comment
Share on other sites

Duplicate, now in Veteran's forum here.

Edited by RV_

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites

On 9/8/2017 at 8:44 PM, rynosback said:

Read the fine print on signing up for the one free year.  It automatically re-enrolls you.  But the big kicker is that by signing up, you agree not to sue them in the future.

 

On 9/11/2017 at 8:44 AM, LindaH said:

You will not automatically be re-enrolled.  From the link RV gave in his original post:

[snip]

From reading the Los Angeles Times article linked above, it appears that Equifax did in fact originally re-enroll you and did include an arbitration clause in their "free" one-year monitoring service, but they took a lot of heat for it and changed it.  The link RV Derek gave is continually updated with new information, and by the time LindaH replied, Equifax's website had the new provisions, without mentioning that they were new. 

So links are nice, but if content changes without any reference to the change, it can be misleading. 

Edited by Blues
Link to comment
Share on other sites

7 hours ago, Blues said:

 

From reading the Los Angeles Times article linked above, it appears that Equifax did in fact originally re-enroll you and did include an arbitration clause in their "free" one-year monitoring service, but they took a lot of heat for it and changed it.  The link RV Derek gave is continually updated with new information, and by the time LindaH replied, Equifax's website had the new provisions, without mentioning that they were new. 

So links are nice, but if content changes without any reference to the change, it can be misleading. 

Yes it has been changed.  But when I posted that 8 days ago that is what the fine print stated.

2015 Ram 3500 RC DRW CTD AISIN 410 rear

2016 Mobile Suites 38RSB3

Link to comment
Share on other sites

Here is a good FTC web page about this breach. I never realized that our habit of doing our taxes as soon as the earnings statements were in was a security step. We have always filed in January, a few times early February because a government or civilian employer was late.

Blues,

Are you saying my supplying the first news link was misleading? If not who are you saying is misleading? Giving the link allowed the others here to follow the story immediately, AND as it evolved from the source. It is not misleading to provide the source link. It gives the right link to follow it. If one chooses not to follow the story that is their prerogative.

Yep Rynosback,

It will continue to change as well. That's why instead of quoting second hand sources like a news outlet, Faux or otherwise, I always use primary sources. I checked it today and it looks like the folks who sold shares are both retiring but no mention of charges for insider trading.

It IS an evolving story and in the meantime, since it is free here for us as Louisiana law makes credit freezes/unfreezings free for victims of ID Theft, or anyone over 62 years young. Since I'm 65 and my Significant Harassment is 63, we are just going to freeze our credit reporting from all three main agencies. We don't foresee any loans made by us, just deposits, and USAA doesn't need those with us. We also signed up for free added security to have texts sent to us as part of logging in, everywhere we could. With the breach of one of the major password programs I am still a bit leery of LastPass and the like. So I will stick with my methods until I find one that has enough value added.

Freezing seems best to me as that tells anyone trying to use our ID that they aren't us. I have changed my main passwords for online biz and banking, as well as adding text verification for all that can do it.

Here's another great webpage for security after the breach:  From US news and World Report:

https://money.usnews.com/money/personal-finance/banking-and-credit/articles/2017-09-15/how-to-protect-your-credit-in-the-wake-of-the-equifax-breach

 

Edited by RV_

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites

I got signed up on 9/12 for the year of FREE monitoring. I'm pretty sure they already knew the other 3 numbers of my SS number. :)

The sign up site is a https:// site. No different than any of my several bank account sites I go to.

I get a text within 15 minutes or less of any charges/withdraws/deposits to my 3 CC, 2 Debit cards, 4 CK & MM accounts.
Or any changes done to any of my CD's.

I forgot to add. I have been putting a "Fraud Alert" on all 3 credit bureaus every 90 days for almost 2 years now.
Started that after someone tried to get a couple CC in my name. 1st one they screwed up and had it sent to my home address. :rolleyes:

Edited by Biker56

Full Time since Oct. 1999
99 Discovery 34Q DP | ISB
Datastorm | VMSpc | Co-Pilot Live | Pressure Pro
2014 MKS Twin Turbo V6 365 HP Toad

Link to comment
Share on other sites

News today is that Equifax had another major breach in March that they never disclosed. Among other embarrassments, they have yet to email us back the activation email promised. It has been several days.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

Link to comment
Share on other sites
