In the wake of the Equifax act of corporate malfeasance (Read: this was not a breach. It was a terrible and continuing mistake by a company that exists solely to guard and protect sensitive financial data), let me ask you a question: when was the last time you actively patched your software or updated your firmware?
If your answer is “never” or “I have no idea what a patch or firmware is”, the ongoing Equifax scandal (Read: Equifax is a legitimate societal scandal worthy of complete and swift corporate elimination) is all the information you need as to why paying attention to digital security is of dire importance.
For those of you who haven’t been following the ongoing Equifax dereliction of duty, here is your timeline:
February 2nd — March 7th, 2017
Over the course of about a month, Apache is notified of the security vulnerability, develops a patch for it, and publishes the update.
March 10th, 2017
Alleged Equifax breach takes place.
March 10th — March 14th, 2017
Over the course of four days, MITRE (National Security Engineering Center) and the NVD (the U.S. government repository of standards-based vulnerability management data) add the vulnerability and its resolution to their databases. On the 14th, US-CERT (United States Computer Emergency Readiness Team) releases a public advisory for the vulnerability. Also on the 14th, Equifax says they are aware of the issue.
May 13th, 2017
Initial and verified Equifax breach occurs.
July 29th, 2017
Equifax, nearly three months after the initial verified breach, first detects the intrusion.
July 30th, 2017
Equifax patches the vulnerability.
August 1st and 2nd, 2017
Three senior leadership members of the Equifax team sell roughly $2 million worth of company stock. According to the U.S. Securities and Exchange Commission, Equifax CFO John Gamble Jr., workforce solutions president Rodolfo Ploder, and U.S. information solutions president Joseph Loughran all sold company shares days after the July 29th discovery of the breach.
August 2nd, 2017
Equifax contacts Mandiant to help with what they must internally know will be a perilous incident response.
August 10th, 2017
Understanding that their internal security protocols aren’t stringent enough, Equifax acquires ID Watchdog, an identity theft protection service provider.
September 7, 2017
Equifax, trying to get ahead of what they know will eventually blow up in their faces, announces a systemic failure of responsibility. The now darkly hilarious and devious lead of the announcement is:
No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases. Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers
“Unauthorized access” is an incredible phrase here because it honestly tells the truth: hackers entered the Equifax system with direct access to admin credentials which, no joke, amounted to:
September 8, 2017
Equifax stock shares take a steep nose dive of 13.7% in the first day of trading since the breach announcement.
September 12, 2017
Equifax apologizes in a public op-ed in USA Today.
September 15th, 2017
Equifax CSO & CIO resign.
September 26th, 2017
Equifax CEO Richard Smith resigns.
- Equifax time to patch: 138 Days
- Equifax time to notice compromise: 78 Days
- Equifax time to notify public: 117 Days
Take a step back for a moment and think about this. Equifax, which holds and “secures” 143 million user accounts, knew about their failings for more than three months before making any public statement. Moreover, anticipating the coming stock plunge, three Equifax executives sold roughly $2 million in company stock, and the company hired two firms to help clean up their self-created mess.
For a company that exists on the premise of the public, knowingly or unknowingly, trusting them with sensitive financial data, their lapses in judgement in terms of public disclosure, stock sell-off, and childish server protection protocols loom large.
And that’s the point: if a company like Equifax exists on the premise of data security and screwed the pooch as hard as they did, what makes you think not understanding or following Internet and IoT security updates is a good idea?
Three Reasons Why You Need to Pay Attention
- On October 23rd, 2017, KRACK had the security community scrambling to resolve an endemic vulnerability in WPA2, the ubiquitous secure Wi-Fi network standard.
- In August 2017, the FBI, without warning, purged all Kaspersky Lab code from its networks. Having done so, the FBI immediately began urging private-sector companies to do the same.
- On October 20th, 2017, it was reported that the IoT botnet known as Reaper had evolved the Mirai botnet strategy, exploiting software vulnerabilities to break directly into connected physical devices like cameras and routers. Reaper does this by leveraging known security flaws in the code of insecure devices. Once inside, it spreads itself further, like a tumor, to other devices within the connected network. The rub: researchers believe the botnet is already installed across a million networks and counting.
Put it this way: if the aforementioned events are taking place on a near-daily basis and one of the largest supposedly secure companies in the United States is protecting its servers with passwords built by the cast of Spaceballs, you should have all the motivation you need to patch your devices, update your firmware, and yes, change your password on a routine basis to something that isn’t easy to guess.
Brad can be reached for comment at firstname.lastname@example.org. He currently changes his passwords every thirty days using a round robin code generator, Nest Wi-Fi connection included.