Equifax breach.... WTF

I'm linking here an article from the New York Times: Equifax’s Instructions Are Confusing. Here’s What to Do Now.

It’s time for all of us to play defense, because Equifax clearly did not.

In the wake of the epic breach of as many as 143 million of our Social Security numbers, names and addresses from the company’s credit files, the company put up a website that attempted to make sense of things for consumers.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

Why am I pointing to this article (which you should go and read)? Because this is getting ridiculous. Credit companies have so much personal information, information we DO NOT want them to have, but we are forced to give it to them by the way the BS credit system works in this country.
It's time for the credit companies and the whole financial industry to get its act together with security. We are the ones suffering from their lack of basic security - yes, at that level basic security also means red teaming, pentesting, and a whole lot more things, not just the stupid PCI checklist or the cover your ass checklist.



Here's a great article from Arstechnica that points to some really bad things.

For starters, the page they have set up: www.equifaxsecurity2017.com
It does look like a phishing domain, righr? On top of that, quoting Arstechnica:

It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.

And then...

Screen Shot 2017-09-10 at 5.52.32 AM.png

I tried to see if my info was stolen, so of course I entered my real name and my real last 6 of my SSN:

Name: Bubufuck
Kast 6 of SSN: 123456

But then I tried all my friends' information. I entered 21 random strings of text and 21 random last 6 SSN, they were ALL compromised! Man, these hackers were good!

The best is when Equifax leaves debugging info for security purposes:

Yes, go read the whole article, but it's not surprising that 3 high level execs sold their stock right before announcing the (several weeks old) breach.


From The Verge's article

Screen Shot 2017-09-11 at 5.55.24 AM.png

Quote of the day

“I really try to put myself in uncomfortable situations. Complacency is my enemy.”

— Trent Reznor

Quote of the day

“The goal of training for alpine climbing can be summed up in one phrase: to make yourself as indestructible as possible. The harder you are to kill, the longer you will last in the mountains.”

— Mark Twight

Apply this mindset to security. Become resilient! By training to be harder to kill you are making your organization more prepared and more resilient to real-world attacks.

(via The Angry Red Teamer)

Quote of the day

“There’s always a degree of randomness involved.”

— Alex Honnold

Strategic Red Teaming: The Job Description

Our friends at the Red Team Journal posted a notional job descrition for a "Strategic Red Team Director". This provides a good list of what's needed on a Red Team, an what a Red Team should be on an organization. Yes, it's not pentesting.
Go read it.

This is an excellent opportunity for an experienced, forward-looking red teamer to build a world-class red teaming capability at a prominent global organization. The successful Strategic Red Team Director will lead the enterprise’s efforts in adopting and maintaining a system-wide view of threat-driven risks, with the goal of working with senior management to control these risks.

Situational Awareness

When you stop looking at your phone while you're walking. When you lift your head and just look around, paying attention to sounds, smells, movement. When you observe the world around you.
Things change. You notice things. You realize there are lots of little details everywhere.

You don't need training for this.

Situational awareness allows for a better plan at the end. Recon your target, research online about the weather, patterns of life, terrain, streets, landmark features, history, crine. Then, if possible, go there, spend a day getting a feel for the play, how it works. Maybe talk to people.


Access codes

Thank you all so much for the support!

We just sent out the access code for the forumn and private area of the blog. Please check your inboxes. The forum will be up and running in a few weeks. So keep an eye on the blog.

In several cases, Paypal didn't attach an email address, so if you haven't received the code, please use the contact form to let us know, and we will send it right out to you.

Again, thank you.

Assess the situation

First ask:

What is the most likely threat to occur? And the worst threat? How likely is the worst case scenario to occur?


Are you prepared for the most likely threat? Do you have a plan? Have you Red Teamed the plan?

Do you have a PACE ready?

Visualize the various parts of the plan, what you need and how you will use what you have. Communicate that plan to all those involved and drill it. Stress test it. Red team it. Give anyone involved in the planning and selection of actions, a chance to poke holes into it.

Sometimes you have time to fully assess the situation. Other times, you assess threats are they are presented and select the best way to act based on the information at hand.

Act, don’t react. Always try to be several steps ahead.

(first appeared here)