A Notice to Dark Cubed Customers on the Equifax Data Breach

By now, you have likely heard about the cyber breach announced by Equifax today, September 7th, 2017.  You can read the full release from Equifax here: https://www.equifaxsecurity2017.com.

This blog posting summarizes our initial thoughts on this incident and what it means to you, our customers.  In summary, this breach resulted in a massive loss of personal information potentially for 143 million people in the United States.  It is more likely than not that your information was included.  You should consider if you are prepared personally for the effects of this breach and if your company is prepared for a breach to your sensitive data.  Our team at Dark Cubed is watching vigilantly for signs of such attacks amongst our customers and take our role in being your partner seriously.  For more information on this data breach, read on!

First, it is clear that this was a breach that provided an outside party with access to a significant data set held by Equifax.  In the public press release, Equifax states that this was an incident “potentially impacting approximately 143 million U.S. consumers.”  If that sounds like an incredibly large number, it is.  Considering that in 2016 the United States had a population of approximately 323 million people this estimation means that three out of every four adults in the US are potentially impacted by this breach.  

Second, the data breach contains sensitive information.  According to the release, the data to which the attackers gained access “includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”  Probably less interesting to most readers, but something significant is this line in their notification, “Equifax also is in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.”  This sounds like boring, legal jargon, but the United States is a country that does not have a national data breach law.  This means that 48 states – that is every state except for South Dakota and Alabama – each has their own law and requirements for a company when a data breach affects residents of that state.  Think about the scale and complexity of the effort faced by Equifax working with every individual state to follow the letter of the law in each and every location.  In addition, many of these states have provisions that allow residents to sue companies when such an event occurs.  Let me be clear, we are only seeing the tip of the iceberg on this incident and it is going to be a significant event for the future of cyber security in the United States.

Third, to date there has been very little data released about the details of the breach, this is to be expected.  According to the press release, the breach occurred in Mid-May and was discovered on July 29th.  Most readers will probably be surprised that notification of the general public occurred today, over 30 days later, but they shouldn’t be.  Following the discovery of the breach, an outside firm was likely brought in to perform forensics.  This process was not a short one and likely took a minimum of a week or two.  Once a breach is confirmed, many states require a notification within 30 days.  This indicates that this breach was likely confirmed internally on or around August 8th, 10 days after it was discovered.  The data accessed, according to the press release, was “certain files,” while CEO of Equifax states in his video message it was “data files.”  These files were accessed through a method broadly defined as “a U.S. website application vulnerability.”  In addition they are claiming that they “found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”  This final statement likely means one of two things.  Either (A) the attackers were able to exploit something such as a SQL Injection to pull data from servers and didn’t gain access to the systems themselves or (B) Equifax may not have been storing the data necessary to “find” evidence of such activities and therefore can make this claim.

Finally, it is important to note the actions being taken by Equifax following a breach.  They are following the textbook on what to do following a breach and it is clear they have learned the lessons from those companies that have gone down this road before them.  Their activities have included:

  • Engaging a firm to perform a forensics review
  • Establishing a website to provide monitoring services to their customers
  • Establishing a call center to support concerned customers
  • Sending written notifications to all affected
  • Working with law enforcement
  • Notifying U.S. state and federal regulators
  • Notifying all U.S. state attorneys general

It is clear that the scope and scale of the actions required by Equifax following this incident are staggering and the costs associated with this response are going to be enormous.  For perspective, the Home Depot breach in 2014 likely cost the company around $179M and that breach only affected 50 million credit card numbers and around 53 million e-mail addresses[1].

So the real question is what does this breach mean to you?

First, it is more likely than not that your personal information was included in this breach.  If attackers use this information, they could attempt identity theft or other scams.  You should make sure that you are monitoring your credit files at the credit bureaus and monitor your credit cards and bank accounts for suspicious activities.  Fortunately, Equifax will provide this for free for a year to all affected. (it is the least they can do)

Second, it is very highly likely that other scammers will exploit this event to try to capture your information.  Never give your personal information to anyone over the phone or to a website that you have not verified as being legitimate.  If you are told to visit a website in response to a breach (such as Equifax’s own website for this incident: www.equifaxsecurity2017.com) never click on a link in an e-mail to that website.  It is better to cut and paste the domain name or manually type the domain name in the browser.  We have already seen indications that spammers have shown interest in this event.  For example, the domain name released by Equifax was registered on the 22nd of August, however many variants of that domain name were registered today by a different service, likely on behalf of Equifax.  This delay is likely the result of some form of an oversight by the company in not considering the fact that a good attacker could use the domain name “equifaxsecuvity2017.com” to trick unwitting customers; notice the “v” instead of the “r” in security.  Our assumption was that Equifax’s mass registration of these variants was in response to an individual registering the name “equifoxsecurity2017.com.”  Interestingly enough, visiting that url brings up a website that tells the user “You're probably looking for https://www.equifaxsecurity2017.com/” and then asks the question “Why was I able to register this after the Equifax breach announcement??”

equifox.png

Finally, you should certainly be considering if your own infrastructure is exposed to an attack and if you have adequate protections in place.  Of course, being a Dark Cubed customer is a great start!  You should also consider if you are prepared to respond in the event a data breach occurs within your company or organization.  A good way to evaluate your preparedness is to get into a room with your leadership team and to walk through what would happen if you discovered a data breach.  Here are some key questions to consider:

  1.     Who would be responsible for managing the incident?
  2.     Who would support the forensics and analysis?
  3.     What data are you collecting that could help determine the breadth of the attack?
  4.     Is your law firm prepared to support you?
  5.     Do you know who to contact in law enforcement?

If you have any questions related to this incident, don’t hesitate to reach out to our team at info@darkcubed.com and we will help you out.  Thanks for being a great customer; we are honored to have the opportunity to continue to serve you!

Swimming Upstream at Black Hat

Recently I was one of the many tens of thousands of attendees converging on Las Vegas at Black Hat, the massive annual cyber security conference.  One morning of the event I found myself walking down a long venue hallway while thousands, and this is no exaggeration, I mean thousands of attendees were walking the opposite direction.  

The whole corridor was filled with people heading to the expo floor to see the new cyber security technologies on display and learn how AI, machine learning, magical mystery boxes, and other toys would help them finally secure their network.

How Do You Sniff Out Cyber Threats?

I read recently that the nose isn’t very good at maintaining awareness of the smells around us constantly, however it excels at detecting changes in smells.  Kind of strange to think about, but it explains how someone can live in a house with a deadly natural gas leak for hours or days and not realize it.  This may be a strange thought to start out a blog on cyber security, but thinking about how we relate to the world around us can help to develop new ways to improve the speed, scale, cost, and accessible of security. So how do you sniff out cyber threats?

The Cyber Security Context Challenge

In my last blog posting, I spoke about the importance of thinking about cyber security as a resource problem rather than a technology problem. I challenged readers to think about speed and scale as a solution for the resource problem. This posting expands on that discussion by considering the importance, or lack thereof, of “Context.” My assertion is that while context may matter in some situations, it is one of the biggest impediments to implementing effective cyber security today.  

The cyber security community is primarily made up of geeks, technologists, and nerds that typically can’t help themselves from going down a rabbit hole when it comes to digging into a problem. This growing community of men and women are on the front lines of protecting our payment systems, preserving our privacy, and keeping the valuable intellectual property from getting sucked out of the servers of companies of all sizes.  

Rethinking The Approach to Cyber Security

Everyone knows that cyber security is a big problem and most of what we hear about in the media is just how big of a problem it truly is: the average cost of a breach is $4M (http://fortune.com/2016/06/15/data-breach-cost-study-ibm); the global economic impact of cyber crime is $450B (http://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html); there were 4B data records stolen in 2016 alone (http://www.nbcnews.com/storyline/hacking-in-america/more-4-billion-data-records-were-stolen-globally-2016-n714066). Those are definitely some big numbers! Now, rather than wringing our hands over the size of the problems and challenges, let’s spend a little time thinking about a solution.

Expanded Threat Information is Almost Live!!

Friday is a big day for Dark Cubed!  We are preparing to launch a new feature that has been in the works for quite a while, and I couldn’t be more excited!  As I approach my one-year anniversary at Dark Cubed, I have enjoyed taking a few minutes to look back over time and see the incredible progress we have made.  From the rapid growth of customers, the new features implemented in the product, to the features requested by our amazing customers such as automated notifications, one-click blocking, and multi-level reporting.

SMBS and Cyber Security: A Real Challenge

Make no mistake: a proper cyber security strategy is essential for all companies that deal with intellectual property, customer data, financial information, and other sensitive materials. However, all too often small and mid-sized companies can feel lost in the marketplace since the majority of mainstream cyber security companies only offer services with a hefty price tag attached.

Yes, cyber security solutions can be expensive. But so are cyber attacks.

What is Grizzly Steppe? Dark Cubed Explains Russian Hackers, Elections, and Data-Driven Analytics

Two days before New Years, something interesting happened in the world of cyber security. The Department of Homeland Security released a report on hacking activities by Russian Intelligence Services related to activities against the U.S. Government. The report was somewhat interesting, however DHS also released a set of indicators in a .csv file with 956 lines of data. As the CEO of a new cyber security startup focused on using data in smarter, more interesting ways, this data tugged and pulled at me in a way that I did not expect. Over the next two days, in between (and through) family events, football games, and dogs grabbing food off of the counters, I sat on a stool in my in-law’s kitchen and tuned out the world. There was something about this analysis that I could not ignore.

How An Information Sharing Environment Can Better Predict Cyber Threat Trends

With sophisticated hacking schemes gaining velocity, maintaining an organization's cyber security can feel demanding. Few know that reality better than the federal government. In response to the events of September 11, 2001, the Department of Homeland Security, together with Congress, began to develop methods by which to gather crucial information on illicit cyber activity and disseminate it to other government agencies within the national security enterprise and private networks considered as critical infrastructure. Known as the Information Sharing Environment (ISE), DHS endeavored to boost inter-agency cooperation and reduce attitudes clinging to parochial interests in order to better protect the country from future cyber peril.

Cyber Security Monitoring In 15 Minutes? Really???

If you've read anything about Dark Cubed, you know that we pride ourselves on being different. We have built a powerful cyber security platform that is easy to install and use.

"no way." It's too simple.

Most people hear claims like that and think, “no way.” It's too simple. They are jaded. I don’t blame them. Most people discount those claims as marketing hype… if it is powerful, it cannot be easy to install or use. It has to be hard and expensive.

I have a Firewall, so I am protected, right??

Mike owns a financial advisory firm. He helps people save for life’s big events like college and retirement and knows each one of his clients personally. His team consists of 15 employees with a range of responsibilities, from providing investment advice to making trades and other administrative activities. As a result, Mike's company collects some really important personal information like social security numbers, bank account numbers, balances and transaction instructions. 

The Value of Shared Data Analytics

Here at Dark Cubed, we are focused on a new approach to cyber security that works for companies of all sizes. A key part of our mission is to use elegant engineering to simplify the deployment and use of sophisticated security capabilities. One key component behind Dark Cubed is our ability to provide enhanced protection for our customers through near real-time data analytics and predictive algorithms. As we continue to deploy Dark Cubed to more customers, we are ramping out our data science and analytics capabilities, both in-house and through partnerships. Two of the partnerships we are excited about are with the University of New Haven (focusing on IoT and Mobile Malware applications, www.unhcfreg.com) and George Mason University (focusing on data analytics and visualization, https://ece.gmu.edu).

Reflections on Last Week

I was on the road last week and had plenty of airplane time to catch-up on some overdue reading and reflection.  The conclusion of the week was marked by a rather interesting event that caused a relatively significant event on the Internet with the DDoS attack against the Dyn’s architecture.  Now, just to warn you, this isn’t a posting about how we could have fixed it and how we are the magic bullet for cyber security…we aren’t that obtuse (although many other cyber security companies are seizing this as a marketing opportunity).  Anyway, while at home this weekend and in between baseball games and kid birthday parties, I had a chance to reflect on the week and our vision at Dark Cubed, I was struck by the impact of three events from the week.

Lessons Learned From Protecting the 2016 Republican Convention

Last month I spent the week in Cleveland, Ohio – the home of the Rock and Roll Hall of Fame, Great Lakes Brewing Company, and LeBron James.  I wasn’t there to enjoy the sights, rather, Dark Cubed had been provided the opportunity to demonstrate our technology at the Republican National Convention as a member of the Cyber Security Operations Center.  Here are some of my thoughts resulting from supporting this historic event, regardless of your political leanings.

Great Press For Dark Cubed!!

We want to send a  huge thank you to a number media outlets for highlighting the hardworking team behind the scenes at the Republican National Convention (RNC) this past week. Rarely do we hear a success story woven into media coverage around cyber security. Instead, we read about data breaches, millions of dollars lost and encroaching Russian hackers. Advancements to the security measures at the RNC this year allowed the collective team to weave a story of success into the more common cyber security narrative.