Equifax Data Breach Details Released, More Google+ API Bugs, Supermicro Strikes Back – WB47

Watch this episode on our YouTube channel!

This is your Shared Security Weekly Blaze for December 17th 2018 with your host, Tom Eston. In this week’s episode: Equifax data breach details released, more Google+ API bugs and Supermicro strikes back.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

A report released last week from the U.S. House of Representatives Committee on Oversight and Government Reform about the Equifax data breach, known as the largest consumer data breach in US history, shows that the breach could have been entirely preventable. The 96-page report, which we’ve linked in the show notes for a very stimulating and exciting read, goes into great detail on how attackers were able to exploit an Apache Struts vulnerability on an application called the Automated Consumer Interview System (or known as ACIS). For 76 days Equifax failed to detect the breach even though massive amounts of data was being exfiltrated. The report said “Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times”. The breach went undetected because the device used to monitor ACIS network traffic was inactive for 19 months due to an expired SSL certificate on the data exfiltration monitoring system. Ironically, at the same time, Equifax had also allowed at least 324 other SSL certificates to expire and “including 79 certificates for monitoring business-critical domains”. Once the SSL certificate was renewed for the data exfiltration service, it was then immediately identified that a data breach was taking place.  One of the interesting highlights I noticed in the report was about how the attackers were able to deploy 30 “web shells” (which are essentially backdoors) across the Equifax network due to the Apache Struts vulnerability. Because of these web shells, they were able to find a file containing unencrypted credentials which gave them access to 48 databases outside of the ACIS environment. After that, the rest is history.

The other shocking, but not so shocking part of the report was the very passive and pretty much voluntary recommendations from the committee. Some of the recommendations include requiring credit agencies to offer a free summary of all data that they’ve collected about you, consider offering more than one year of pre-paid identity theft protection, and giving the Federal Trade Commission more power to monitor data security practices of credit agencies like Equifax. There was no mention of any federal law or government enforcement that would penalize credit agencies for maintaining poor cybersecurity.  In my opinion, this is unacceptable. How many more data breaches will it take for the government to take the security and privacy of our personal data seriously? Only time will tell and we have a brand new year coming up to find out.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.

Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:

• Visibility into workload communication pathways;
• Security policies built on the cryptographic fingerprint of the software;
• The ability to apply policies and segment your networks in one click; and
• A way to continuously monitor and assess risk.

Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Google announced this week that they are expediting the shutdown of Google+ from August 2019 to April and that the Google+ API will be retired in 90 days. Why the sudden change? Well, back in November a software update caused a vulnerability in the Google+ API that may have impacted 52.5 million users. This vulnerability was found through internal testing procedures and it was fixed within a week of it being found. The vulnerability caused apps that were using the Google+ API that requested permission to view certain profile information like name, email address and more, were granted permission to view profile information about a user, even when set to not-public. In addition, apps with access to a user’s Google+ profiles also had access to profile data that had been shared with approved users which happened to be not publicly shared. The good news is that Google says that there is no evidence that app developers had accessed or abused this information before Google fixed the issue.

You may remember that back in October Google announced another similar vulnerability in the Google+ API that exposed the private information of 500,000 Google+ users. That initial vulnerability led Google to decide to retire the struggling Google+ social network altogether.  I don’t think many of us are going to miss Google+, I know I never used it and I’ll bet you never did either. Hopefully, because of this issue with Google+, Google is testing other similar APIs in their infrastructure for vulnerabilities to prevent this same issue from happening in the future.

Supermicro, the company at the heart of the controversial Bloomberg report from this past October, which said tiny chips were installed into their boards by the Chinese government, released a letter and YouTube video this past week to customers stating that their own internal audit found no evidence of any tampering of the companies servers or supply chain. The letter states that a leading third-party investigations firm was hired for the audit and motherboard models mentioned in the Bloomberg article were tested including several recent products.

This letter follows other major tech companies like Apple and Amazon (who happen to be Supermicro customers) as well as representatives of the Department of Homeland Security, the director of National Intelligence, and the director of the FBI, which have all denied and questioned the truth about claims made by the Bloomberg report.  Bloomberg still sticks to its story even though details about their sources have been very sketchy. Even more so after a subsequent Bloomberg story saying that the Chinese government had implanted spy chips in Supermicro hardware inside a major telecommunications provider. The source of this story came from a company called Sepio Systems but due to non-disclosure agreements with Bloomberg, the telecommunications company has remained unnamed.

I think now, with this latest news, the Bloomberg story has even less credibility than when it was first announced. Sure, the Chinese may be capable of infiltrating a supply chain with tainted hardware. However, I think there is something fishy about this story and we should pay attention to the facts and not always trust media speculation without hard evidence.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/12/17/equifax-data-breach-details-released-more-google-api-bugs-supermicro-strikes-back-wb47/