September 2017 – MEI Security

MEI Security (Stoughton, MA) will support a Cyber “Capture The Flag” Workshop at the Boston Application Security Conference in Burlington, MA, October 14th. The conference is free of charge.

MEI’s Arena workshop is an Attack/Defend Information Security challenge where teams of competitors defend their own services (web services and others) and launch attacks against competing teams. Teams may choose to attack or defend (or both). Additional challenges include recovering after attacks, handling common InfoSec tasks like investigations, advisories, requirements to spin up new services, and gaining control of IoT devices which may be available on the network. It’s like running your own IT Security team (in a relatively safe and relatively isolated, fictional network environment) but – you CAN’T get fired for a breach and you CAN attack your adversaries!!

Capture the Flag exercises are useful tools to help individuals and organizations harden their information security postures, reduce attack surfaces, and burnish penetration testing skills, to decrease risk to organizations and individuals in our ever-changing threatscape.

The Boston Application Security Conference is held courtesy of OWASP Boston. October is National Cyber Security Awareness Month coordinated and led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). MEI Security is pleased be an NCSAM Champion and to partner with these organizations and programs. @OWASPBOSTON @BASConf @StaySafeOnline #NCSAM #CyberAware

Conference tickets and tickets to the workshop are found here. Workshop participants must first have a conference ticket and present ID to gain access to the host facility, then an additional ticket for the workshop. All tickets are free of charge. A participant briefing describing the arena and rules of engagement will be held at 9am. The challenge will commence at 10am, scoring will conclude at 4pm. As Defender seats and resources are limited, please do not register for a Defender ticket if your team is not committed to defending provided resources throughout the challenge.

For more information contact MEI Security at 617-544-7233, info@meisecurity.com, @meisecurity

Yesterday, Equifax admitted publicly that they were breached, and that personal information was exposed for 143,000,000 U.S. Consumers. While this is not the largest data breach in number of records exposed, it is arguably the worst data breach ever due to the type of data that criminals accessed. Whether or not you believe that your information was exposed there are steps you can take to protect yourself.

Why This Breach is Historic

This breach involved personal information, not just credit card numbers. If a criminal gets hold of your credit card information you can cancel the card, and if they are able to make any charges you can dispute those with the credit card company. It’s slightly worse if a criminal gets your debit card information. In that case you can get a new card, but you may have to fight with the bank to get your cash back into your bank account.

In this breach identity information was stolen. If a criminal gets hold of your identity information it’s much harder for you to change that, and the criminal can continue to use it for years. Even if you are able to change your social security number (which may require proof of criminal activity) many companies will continue to have your previous number, and may grant access to your information based on that.

According to the information available today criminals gained access to names, social security numbers, addresses, and other information for more than one hundred million people in the U.S. In some, or perhaps most, of these cases the people who are now at risk never had any dealings directly with Equifax. Even so, the failure of Equifax to protect consumers’ data now costs time and money of millions of people. Time and money which will be required to protect people and/or to react to criminal activity committed in their name.

Even worse is the fact that Equifax has been breached before!

April 2013 through January 2014: Provided credit reports to unauthorized entity
May 2016: Leaked 430,000 names, addresses, social security numbers, …
April 2016 through March 2017: Allowed Criminals to Steal W2 Data for an Undisclosed Number of People
January 2017: Exposed information of a “small number” of customers at partner Lifelock

And they’re not alone. Experian has been in the news for its own share of issues.

Because of the number of people who are now subject to identity theft, this is quite possibly the worst data breach in history.

What You Can Do

Even if you haven’t been breached yet, there are at least two things you can do to protect yourself and to prevent criminals from using your information. Note: option 1 is more expensive and is optional if you complete all of option 2; however option 1 is the easiest over the long term.

Option 1: Sign up for credit monitoring. You may choose to do this via Equifax for free, or you may choose not to place your trust in the company that has lost control of consumer data 5 times in 5 years. There are alternatives. (e.g. Lifelock, Transunion, Fast3CreditScores, Experian Identity Works, Privacy Guard ) Numerous sites are available for evaluating these.

Pro:
- You will receive alerts when anyone attempts to open a new credit account in your name.
- Some of these credit monitoring companies will help you if your identity is compromised. Choose carefully.
Con:
- This is more expensive than the $15 per year for a freeze. (assuming you only apply for one new credit account per year)

Option 2: Contact each of the four consumer credit bureaus (Equifax, Experian, Innovis, Trans Union), and request a Credit Freeze. This may cost up to $15 per bureau, depending on your state of residency.

Pro:
- If a criminal attempts to open a credit account in your name they will be refused.
Con:
- When you wish to open a new credit account you will have to do the following.
  - Ask the company from which you are requesting credit to tell you which credit bureau they use, Equifax, Experian, Innovis, or Trans Union.
  - Contact that credit bureau and release the freeze.
  - Apply for the new credit account or loan.
  - Contact that credit bureau and request the freeze again – this will likely cost an additional $15. If you do this less than once per season then this is much less than you will likely pay for credit monitoring. It is of course less convenient.

Conclusion

Because of the large number of identities stolen (143,000,000) this is likely the worst data breach ever. Whether or not your personal information was breached in this incident, there are steps you can take to prevent criminals from using your identity to commit crimes.

Monthly Archives: September 2017

CTF Event @ BASC 2017

The Equifax Breach: Why it’s big, and how to stay safe.