*** The Security News Thread ***

[Neo]

Hackers Steal Personal Information of 143 Million Americans in One Attack
By Kate Conger on 08 Sep 2017 at 12:30PM

Equifax, one of the largest credit reporting agencies in the US, revealed today that it has suffered a massive data breach at the hand of hackers. The stolen data includes names, Social Security numbers, birthdates, and other personal information for 143 million Americans.

The data was accessed via a web application vulnerability, Equifax said in a statement. The company’s investigation found that hackers first accessed the data in mid-May of this year and maintained their access over the summer, ending on July 29. Equifax is working with a forensic firm to investigate the breach, and says its investigation is ongoing.

Credit card numbers belonging to roughly 209,000 consumers were also stolen, along with what Equifax calls “dispute documents with personal identifying information” for 182,000 more people.

“The company has found no evidence of unauthorised activity on Equifax’s core consumer or commercial credit reporting databases,” the company said in a statement.

Equifax says that data belonging to people in Canada and the United Kingdom may also have been accessed, and it is working with regulators in those countries to disclose the breach.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax CEO Richard F. Smith said in a statement.

Social Security numbers and other personal information can be used in identity theft schemes. Credit card numbers, of course, can be used to make fraudulent purchases. Equifax is offering identity theft protection and credit monitoring to affected consumers.

The Equifax breach affects many more people than the 2013 Target hack that exposed the financial information of more than 41 million customers. Target paid a $18.5 million settlement in response to lawsuits over the hack.

Hackers Steal Personal Information of 143 Million Americans in One Attack | Gizmodo UK

[raycarey]

two points on the above:

1. equifax set up a webpage if you think your data was stolen....you need to give your last name and the last 6 digits of your social security number....and they don't actually tell you whether or not you're in jeopardy. errr...no thanks.
http://www.marketwatch.com/story/aft...ted-2017-09-07

2. after the breach was discovered (and before informing the public), executives unloaded a lot of stock...i'd guess some of these people are going to need to lawyer up.
http://www.marketwatch.com/story/equ...lic-2017-09-07

[Dragonfly]

The data was accessed via a web application vulnerability, Equifax said in a statement. The company’s investigation found that hackers first accessed the data in mid-May of this year and maintained their access over the summer, ending on July 29. Equifax is working with a forensic firm to investigate the breach, and says its investigation is ongoing.

this what happens when you let fuckwit Indians take over your IT infrastructure and webapp development.

Unfortunately this is quite common, there are tons of S&P 500 companies that have been infiltrated deeply and still are, and yet don't know it. They either couldn't care less or simply too incompetent to do anything about it.

[jabir]

two points on the above:

1. equifax set up a webpage if you think your data was stolen....you need to give your last name and the last 6 digits of your social security number....and they don't actually tell you whether or not you're in jeopardy. errr...no thanks.
After huge data breach, Equifax not telling all customers whether they are affected - MarketWatch

2. after the breach was discovered (and before informing the public), executives unloaded a lot of stock...i'd guess some of these people are going to need to lawyer up.
Equifax executives sold stock after data breach, before informing public - MarketWatch

These sites are ultra secure, they don't even ask for mother's maiden name or secret password.

[Grampa]

2. after the breach was discovered (and before informing the public), executives unloaded a lot of stock...i'd guess some of these people are going to need to lawyer up.

Yes, and reports say the execs unloaded their stock holdings before the news was released to the public.

[harrybarracuda]

2. after the breach was discovered (and before informing the public), executives unloaded a lot of stock...i'd guess some of these people are going to need to lawyer up.

Yes, and reports say the execs unloaded their stock holdings before the news was released to the public.

They claim they didn't know.



Fucking hell, they are asking you to "enroll" to find out if you're impacted.

Yeah, right.

[raycarey]

Fucking hell, they are asking you to "enroll" to find out if you're impacted.

it gets worse....if you enroll, you have to put a check mark next to a lot of small print.....part of that small print states that you waive any rights to join a class action suit against equifax.

[harrybarracuda]

Fucking hell, they are asking you to "enroll" to find out if you're impacted.

it gets worse....if you enroll, you have to put a check mark next to a lot of small print.....part of that small print states that you waive any rights to join a class action suit against equifax.

You have to admire the lawyers that put that one together so quickly.

Lots of people will be ticking away in their haste to find out if Equifax have fucked them over.

One hopes there is a massive fine coming their way.

[David48atTD]

I'm not a computer sort of guy, but I read this ...

BlueBorne: Bluetooth bug could expose billions of devices to attack, cyber experts warn

Internet security experts are urging people to update their software to protect against a serious vulnerability,
which if exploited could spread uncontrollably via the common wireless technology bluetooth.

The so-called 'BlueBorne vulnerability' could allow hackers to spread from device to device over bluetooth without the owner's knowledge.
Ty Miller, managing director of international cyber security firm Threat Intelligence, said this could be one of the most dangerous security flaws that has come out to date.

The vulnerability is considered serious, as the researchers who found it say an exploit could spread without people clicking on a link or being on the internet.

The guts of the story is here

[harrybarracuda]

Microsoft fixed it on Tuesday.

The rest are playing catch up.

I bet Buttplug won't be happy about that.

[harrybarracuda]

It's the sort of thing I could imagine happening if you let Buttplug run your computers.

As we close in on a week since Equifax announced the massive hack that could potentially have exposed the financial information of 143 million consumers in the U.S., we have been left with many questions. How could a firm entrusted with our most sensitive financial data allow this to happen? Well, security researcher, Brian Krebs (who broke the Target breach story in 2014), reports today that the company still has some shocking vulnerabilities on its website in Argentina.
According to information supplied to Krebs by security researcher Alex Holden of Hold Security, the company is still leaving user data vulnerable to attacks. This firm began researching Equifax sites in South America and found almost immediately that it was simple, pimple to get into an employee portal that had been designed for Equifax Argentina employees to manage credit disputes in the country. Unbelievably, it was “protected” with the user name admin and the password admin. It obviously didn’t take a hacking genius to get inside.

[harrybarracuda]

You can't explain shit like this to the likes of Buttplug, because he's too stupid, but essentially Equifax got hit because they didn't do their updates.

Apache released a patch for a serious vulnerability - which was being exploited in the wild - in Mid-March; they hadn't bothered applying it. Som num na.

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," company officials wrote in an update posted online. "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

https://arstechnica.com/information-...month-old-bug/

[Dragonfly]

sounds like they were managed by Indians, something you seem to know about Harry

I wonder if they were using one of your legendary password managers to store all their login info

[baldrick]

make some more sh1t up butterfly , it makes you look like you know what you are talking about

Dave Webb -
chief information officer for Equifax, where he is responsible for leading a global team of IT professionals in delivering the technology strategy as well as support for the company's innovative solutions.

Corporate Leadership | About Us | Equifax

[harrybarracuda]

sounds like they were managed by Indians, something you seem to know about Harry

I wonder if they were using one of your legendary password managers to store all their login info

Of course not Buttplug, they were doing the same as you do, can't you read?

Username Admin Password Admin.

[Dragonfly]

Of course not Buttplug, they were doing the same as you do, can't you read?

Username Admin Password Admin.

ah again you are wrong, harry

I always use "password" for my admin passwords

[Dragonfly]

make some more sh1t up butterfly , it makes you look like you know what you are talking about



Corporate Leadership | About Us | Equifax

you don't know how these things work, Mr Plumber

Their CTO is simply a buyer, he is buying all those IT services from Indian providers like INFOSYS

but you wouldn't know that since you are a clueless little amateur

[baldrick]

he is buying all those IT services from Indian providers like INFOSYS

and a simple google search shows where their data centres are located

and guess what - https://www.glassdoor.com/Jobs/Equif..._IC1155641.htm

buttplug is shown to be a sh1tspeaking idiot ...again ... and again ... and again

[Dragonfly]

and a simple google search shows where their data centres are located

and guess what - https://www.glassdoor.com/Jobs/Equif..._IC1155641.htm

buttplug is shown to be a sh1tspeaking idiot ...again ... and again ... and again

god, you are just too easy to expose as ignorant

2 job posts to prove your point ? how more stupid do you need to be ?

if you had any experience in the real world, you would know that all S&P 500 companies and MidCap companies are outsourcing their IT services to INFOSYS and their like

their datacenter can be in the US or fuck knows, they can still be operated by Indians or INFOSYS you dumbo

god, you and harry you quite make the pair of Indian call center boys

[harrybarracuda]

and a simple google search shows where their data centres are located

and guess what - https://www.glassdoor.com/Jobs/Equif..._IC1155641.htm

buttplug is shown to be a sh1tspeaking idiot ...again ... and again ... and again

He's not very bright you know.

[Dragonfly]

Harry tell Pumber boy how many Indians you are managing in your ITS

[harrybarracuda]

What is an "ITS"?

Is this some new word you made up because you don't know what the fuck you're on about?

[baldrick]

if you had any experience in the real world, you would know that all S&P 500 companies and MidCap companies are outsourcing their IT services to INFOSYS and their like

What is an "ITS"?

Indian typing services - buttplug relates data entry with IT services management

[Dragonfly]

dumber and dumber trying to figure out basic corporate lingo

[harrybarracuda]

Indian typing services - buttplug relates data entry with IT services management

Cool, Buttplug has found a job as a data entry clerk.