Security Newsletter

17 February 2020

Learn From How Others Get Breached: Equifax Edition

The goal here is not blame, but rather to highlight specific missteps by an organization so that others can avoid making the same mistakes, hopefully making them less likely to fall victim to attacks. On to Equifax, which suffered a breach in 2017 that U.S. prosecutors say resulted in the theft of personally identifiable information for 145 million Americans. On Monday, the Justice Department unsealed an indictment charging four officers of the Chinese People's Liberation

The short version of what went wrong is that beginning in March 2017, hackers found and then exploited an unpatched, critical Apache Struts flaw, using it to gain a beachhead inside Equifax's network. Along the way, they found plaintext credentials being stored in text files, giving them administrator-level access to numerous databases. Over the course of 76 days, attackers ran 9,000 queries against 51 databases, using encrypted communications to exfiltrate data, as well as their own remote desktop protocol and web shell software, together with leased Swiss servers as a staging area so that IP addresses didn't trace back to China.

Before the breach began, Equifax had allowed eight SSL certificates to expire, meaning that a tool it had for analyzing encrypted communications was not working. Once the security team renewed the certificates in August 2017, alarms began sounding, highlighting the malicious activity. If there's one thing that every organization should learn from the Equifax breach, it's about patching.

Continuous vulnerability assessment and remediation is one of the cornerstones of the top 20 critical security control areas identified by the SANS Institute. "And for good reason, as unpatched critical flaws often offer a malicious actor a trivial route to gain a foothold," Stubley tells me. "Without assurance activity focused on ensuring that patches have been applied in a timely manner, organizations are leaving themselves open and increasing the likelihood of a successful breach."

 

Apple joins FIDO Alliance, commits to getting rid of passwords

We all use passwords. We also all suck at using them. 81% of all hacking-based security breaches can be traced back to poor passwords. So, it is that the FIDO Alliance has been seeking to replace password-only logins with secure and fast login experiences across websites and apps using the emerging standard WebAuthn Their efforts have been supported by nearly all major technology and e-commerce companies with one major exception: Apple. Now, Apple has joined FIDO.

Currently, there is full FIDO support in three major platforms: Google Android and Chrome, Microsoft Windows and Edge, and Mozilla Firefox." While third-party security and authentication programs, such as the Nok Nok S3 Suite, supported WebAuthn logins on mobile Apps on iOS and Apple Watch Apps, "some organizations have been hesitant to deploy FIDO because there was no [major] public commitment from Apple to FIDO. Now with the addition of Apple, all major platform vendors in the FIDO Alliance prove that the world is finally ready for this technology.

Hopefully, now that Apple, a major player in the mobile space, has committed publicly to supporting FIDO and WebAuthn, we can finally start taking a step forward in putting passwords into the grave. Their day as a serious way of securing your information is long done.

 

More #News

 

#Patch Time!

 

#Tech and #Tools

Kindred Group is growing, so does the Group Security team! We're looking for new talented professionals to come join us. You can find all our open vacancies on our career page.

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with a diverse team of 1,600 people serving over 26 million customers across Europe, Australia and the US. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and is an innovation driven company that builds on trust.