Forget the One-Day Exploit, Beware the One-Hour Exploit

A recent report by the United States Government Accountability Office (GAO) details how one of the largest personal information hacks in history unfolded: the breach of Equifax, a credit reporting agency (CRA), which exposed the PII (personally identifiable information) of more than half of all adult Americans. Why should you care? If you run a business or organization of any size, you could be vulnerable to the same type of attack that hit Equifax. It is an attack that could have been performed by anyone with a rudimentary knowledge of hacking.

The report explains how a few small oversights left the company vulnerable. These are mistakes that numerous firms and organizations make every day. Here’s how it happened.

When Cisco learned of a serious vulnerability in the Apache Struts web application framework, it warned its customers. In a blog post, it emphasized that “it is highly recommended that you upgrade immediately.” Almost as soon as the vulnerability was announced, it was being exploited in the wild. That meant any enterprise that did not update its servers at once was in danger of being attacked. An exploit for a vulnerability that has just been disclosed and patched, but not yet applied everywhere, is often termed a one-day exploit; in this case the window could have been measured in hours.

When Equifax received the news of the security flaw and the recommendation to update its systems, it sent out notices to all system server administrators, just as it was supposed to do. Unfortunately, the list of system administrators was out of date: it did not include the address of the administrator for its dispute portal servers. That administrator never got the notice, the update was not installed, and the servers for this department were left vulnerable to attack.

Two days later, “unidentified individuals” discovered the unpatched server. Using software designed to exploit this vulnerability, the attackers accessed the server and tested their tooling. No data was taken. It wasn’t until May that the actual attack on the server began. Perhaps the attackers needed time to develop an attack framework based on their initial reconnaissance. In any event, when they re-entered the system, they were able to hide their activities as they worked their way around the Equifax network, stole data, and methodically sent it back to their command-and-control (C&C) servers. By making their actions look like normal network traffic, they remained undetected for 76 days (May 13, 2017 to July 29, 2017). Here is a diagram of the breach from the report.

equifax diagram

Why didn’t Equifax discover this breach sooner? Its network had a device meant to inspect encrypted traffic for signs of data leaving the company. Such a device needs a valid certificate to decrypt the traffic it inspects, and that certificate had expired 10 months before the attack. Encrypted traffic, including the attackers’ exfiltration, therefore passed through uninspected, and the attackers were more or less free to do whatever they wanted without being detected. It is unclear whether they realized this before they began the attack. The dispute portal servers were taken offline as soon as the breach was discovered.

For enterprises that want to protect themselves from such attacks, two more lapses that made the attack so successful are worth mentioning. According to the report, the databases were not segmented from one another: once the attackers had access to one database, they could reach the others. Another blunder was that Equifax kept usernames and passwords for these databases in an unencrypted file. Imagine the excitement on the part of the hackers when they discovered this.

Equifax has since updated its security architecture in predictable ways. Some of its improvements seem more cosmetic than anything else; for example, creating a new position, Chief Information Security Officer, which will, purportedly, improve communication between IT and management. Yeah, ok.

It took a while for Equifax to figure out how many people were affected by the hack, but it finally settled on 145.5 million. It then set up a website where people could find out if they were among those affected. Those who want to know whether they were victims of the hack can go to this page and click the “Am I impacted” button.

equifax impact

You will need to give your last name and the last six digits of your Social Security number. If you live outside the U.S., you will need to use a VPN. Interestingly, Equifax accidentally directed people to the wrong site, a look-alike domain of the kind often associated with phishing attacks.

equifax phish

The repercussions of this breach went beyond Equifax. For example, both the IRS and the SSA had to take action to guard against a possible increase in identity fraud, since these and other government agencies used Equifax data to verify the identity of people performing certain transactions. Surprisingly, no government agency was made aware of the attack until it was publicly announced, leaving them exposed to a variety of attacks in the interim. Equifax refused any help from the Department of Homeland Security.

After the hack, the company’s share price fell 33%. It has since recovered most of these losses; in fact, the company is expected to post record profits next year. As of this writing, Equifax faced no penalties for the breach, although one lawsuit is pending. Some evidence of this hack has purportedly been found on the deep web. Most of the stolen data has probably been combined with other available personal information troves to make “fullz,” a term that refers to a full identity profile and, at a minimum, includes “the victim’s full name and billing address; credit card number, expiration date and card security code; as well as their Social Security number and birth date.” Fullz simply sell at a higher price on the deep web.

Although Equifax may seem to have escaped relatively unscathed, politicians are pushing for heavier penalties for companies that are breached through their own ineptitude. However, ineptitude is not easy to delineate. In a large organization, it is often very difficult to apply every update as soon as information on a vulnerability is released. Sometimes this is for practical reasons, such as the update interfering with normal workflow; at other times, updates simply take a long time because of the size of the network.

Hackers have been known to begin their attacks on holidays or weekends, when they believe most of the IT staff will be away. Can a company be called inept for not patching over a weekend? It’s not a question with an easy answer. With these points in mind, I would suggest that most small to medium-sized enterprises are more vulnerable on weekends and holidays, while large companies and organizations are more vulnerable during peak working hours, when updates must compete with normal operations.

So what can companies and organizations learn from the Equifax hack? First of all, don’t delay important security updates, because the hackers certainly won’t. Keep your list of system owners current, so that a vulnerability notice actually reaches the administrator of every affected server. Implement a certificate-checking program that alerts administrators when a certificate is about to expire, so that your inspection tools don’t silently go blind. Keep important databases segmented from one another, and never store usernames and passwords in plaintext.
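As an added example (not code from the original post or from Equifax), here is the kind of certificate-expiry check the paragraph above recommends. It walks a constructed inventory of certificate records, flags anything already expired or inside a warning window, and includes a live helper that pulls a server’s leaf certificate over TLS for use outside the offline demo. The inventory entries, system names and the demo date are all hypothetical; the notAfter strings use the format Python’s ssl module returns from getpeercert().

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory (hypothetical names and dates). Each record is the
# sort of thing a certificate-tracking system keeps for every TLS endpoint
# and inspection appliance in the estate.
INVENTORY = [
    {"name": "tls-inspection-appliance", "notAfter": "Jan 31 00:00:00 2017 GMT"},
    {"name": "dispute-portal-web",       "notAfter": "Nov 30 00:00:00 2017 GMT"},
    {"name": "internal-api-gateway",     "notAfter": "Dec 15 00:00:00 2018 GMT"},
]

# Fixed "current date" for the offline demo so results are reproducible.
DEMO_NOW = datetime(2017, 11, 15, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until the certificate's notAfter.

    Negative means the certificate has already expired. `not_after` is in the
    'Mon DD HH:MM:SS YYYY GMT' form used by ssl.getpeercert().
    """
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    )
    return (expires_at - now).days


def check_inventory(inventory, now: datetime, warn_days: int = 30):
    """Return (name, days_left, status) for each certificate that needs attention.

    status is 'EXPIRED' for certificates already past notAfter and 'EXPIRING'
    for those inside the warning window; healthy certificates are omitted.
    """
    findings = []
    for entry in inventory:
        days_left = days_until_expiry(entry["notAfter"], now)
        if days_left < 0:
            findings.append((entry["name"], days_left, "EXPIRED"))
        elif days_left <= warn_days:
            findings.append((entry["name"], days_left, "EXPIRING"))
    return findings


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live variant: fetch notAfter from a server's leaf certificate.

    Makes a network connection, so it is not exercised by the offline demo;
    use it to populate INVENTORY from real endpoints.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for name, days_left, status in check_inventory(INVENTORY, DEMO_NOW):
        print(f"{status:8} {name}: {days_left:+d} days")
```

Run on a schedule (daily is plenty) and route the EXPIRED and EXPIRING lines to whoever owns the system, not to a shared mailbox nobody reads; an appliance whose certificate has lapsed does not fail loudly, it just stops inspecting.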

Several executives, including CEO Richard Smith, ‘resigned’ after the breach. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said as he sadly pocketed a $90 million goodbye package. A number of states took action against Equifax, which resulted in Equifax promising to implement security measures it had already put in place. In the end, Equifax paid out about $250 million on security improvements it would have had to pay for anyway. In fact, the whole breach could be looked at as one giant, well-designed penetration test. As such, it was a bargain for everyone except those who lost all of their personal data.
