Subscriber Discussion

Hacker Attack On Equifax: Personal Data Of 143 MILLION American And Canadian Citizens Stolen

Giancarlo Favero
Sep 08, 2017

One of the biggest hacker attacks of all time has been carried out against Equifax, one of the biggest credit management agencies, based in Atlanta.

In the attack, personal and sensitive data of some 143 million American, Canadian and English citizens has been stolen, admits Richard Smith, president of Equifax.

The attack has been carried out exploiting a vulnerability in the information system.


This is what I mean when I say that we are largely overestimating the importance of security in video surveillance. In this case, we are not speaking of events that could happen: in this case the fact has happened, and has involved MILLIONS of citizens, causing tremendous damage, thousands of times bigger than the damage that could have been caused by exploiting a vulnerability in a video camera.

In this case no Chinese technology: we have an American firm, using American technology, an American president and an American CSO (Chief Security Officer), who by the way should be fired immediately with the obligation to reimburse the damage they caused because of their negligence/ignorance/incapacity.

This story shows once again that the Americans had better fix their IMMENSE security problems before barking at others.

Sincerely,

Giancarlo Favero

Joseph Hirasawa
Sep 08, 2017
IPVMU Certified

Ugh...Brutal. 

Being at the level of "hobbyist" when it comes to Infosec (I'm mesmerized by this industry! So interesting.) I'm in no way a subject matter expert, but it seems a bit brutal to endorse that the CSO be fired & front damages (which can sadly be in the billions of $).

I agree that we, in the physical security industry, haven't scratched the surface of solid cyber security yet while pointing the harsh finger. But it doesn't mean that we should just disregard the efforts of manufacturers to pony up and deliver secure systems. We need to care and put it to the makers of the present & future to do every & any means to harden their hardware & software products to further mitigate cyber crime.

With that said, the truth is that the rate/rise of cyber crime is mind boggling & to defend against it is almost a near impossibility. With enough motivation & resources, anything/anyone can be hacked. It's just a sad reality of our present world. In the end, it's a result of our collective dependence & blind trust in systems and/or organizations whose first & only goal is to monetize our every action. 2nd to that MAY be our security. (Unlikely...count further down.)

I don't want to be the "Dooms Day" preacher other than to state: Be aware of the truth & anticipate, prepare, & expect it to get worse. Never settle for "good enough" in security.

I highly recommend everyone read "Future Crimes" by Marc Goodman. Akin to entering the matrix of cyber crime.

Undisclosed Integrator #2
Sep 08, 2017

You hit the nail on the head. As someone who could very well be affected by this breach I am not going to condemn the CSO until an after action report has been posted.

For all we know Sally May in accounting had the bright idea to plug a flash drive she found in the parking lot into the network and that was the cause of the breach. There are still way too many variables to even begin to find who is at fault.

Joseph Hirasawa
Sep 11, 2017
IPVMU Certified

Totally agree & good point about poor Sally May. ;) 

There are too many ways one can impregnate a network. A smart man is quick to assume but slow to condemn.

Undisclosed Integrator #2
Sep 13, 2017

Okay. Now I am starting to condemn the CSO. 

http://www.msn.com/en-us/money/companies/how-did-the-equifax-data-breach-happen/ar-AArQkDt?li=BBmkt5R&ocid=ientp

Joseph Hirasawa
Sep 13, 2017
IPVMU Certified

I know eh....

Still, only once there is a completed audit & the breach incidents become truly transparent (which may never be), then, & only then, can we point fingers.

Hindsight is always 20/20. Case in point: if Cisco has launched an Apache Struts investigation due to this news (http://thehackernews.com/2017/09/apache-struts-flaws-cisco.html), then who are we to state the CSO was negligent?

Don't get me wrong. It's a painful truth that such a stronghold of critical information be breached in such a manner (To be honest, it's disgusting & impressive!) & the CSO might be 100% to blame....

Might be....

Giancarlo Favero
Sep 14, 2017

I would add that, even if it was an Apache Struts vulnerability, this would have compromised only the web server, that is the front end of the Information System, and not the database engine, where the data reside.

If they had set up a DMZ (Demilitarized Zone), which is a very basic and common configuration in Information Security, the database would not have been compromised and the data could not have been stolen.

If further investigations prove that they had not set up a DMZ, that would be a SCANDAL, and the CSO should not only be fired, but condemned to pay all the damage and loss deriving from such severe incapacity and incompetence.

Taking into account only the damages in terms of image and credibility of Equifax, the damage could be quantifiable in the order of several MILLION dollars, and somebody should pay for that.

Undisclosed #1
Sep 08, 2017

So your defense of Hikvision's woeful cyber security record is to point out that 'it's not that bad' when compared to other successfully employed hacks?

That's not a defense - it is a deflection.

Undisclosed End User #3
Sep 08, 2017

As a Cyber Security Professional these should be the first reads daily before you even look at emails. Be AWARE and know before the customer informs you.

https://nvd.nist.gov/general/nvd-dashboard

https://ics-cert.us-cert.gov/

http://cve.mitre.org/

Undisclosed Manufacturer #4
Sep 08, 2017

You can see that there are a few individuals who are tired of having to defend their pro-Hikvision stance and are starting to post anything they can to deflect people. They are using things like this to try to combat against the anti-Hik.

Of course it is a backfire, since this just highlights the importance of cyber security, showing how crucial it is that Hik or whomever has an issue respond and take corrective measures.

Instead the supporters have just been saying that cyber isn't that important, no one cares, their products are the same quality as others, and you can make more money.

Giancarlo Favero
Sep 09, 2017

In life, both personal and professional, it's important to be fair, precise and not write complete false statements.

I never wrote that cybersecurity in general is not important, and I challenge you to post/quote where I would supposedly have said that.

Having been the founder and owner of a security firm for 30 years, I know that cybersecurity is of paramount importance, for example in banking, financial transaction processing, healthcare, and so on.

What I said, and repeat now, is that we tend to over-estimate the importance of security IN VIDEOSURVEILLANCE, which is a completely different statement.

The concept is so simple that even a child would understand it: the amount of time, money, effort, security measures and devices that we should put in place, must be proportional to the value of the information that is to be protected, the likelihood of an attack and, besides other things, the number of end users that can be affected.

And of course credit card numbers, checking accounts, medical data, data about investigations, for example, are thousands of times more valuable compared to images, that in general nobody cares about.

And of course the evaluation of risk and the approach to security must be completely different in the two scenarios. This is what I mean when I say that sometimes the importance of security in videosurveillance is over-estimated.

But I never said that cybersecurity in general is not important.

Giancarlo Favero

Undisclosed Integrator #2
Sep 09, 2017

So what is your option when a hacker takes over an IP Camera, uploads a custom firmware onto BusyBox, and then uses that IP Camera as a point of entry onto the network?

Most of the installers I know still don't use a VPN and they port forward for each individual device. This opens up multiple attack vectors and potentially compromises the entire network. 

Undisclosed #1
Sep 09, 2017

Just because you never said the words 'cybersecurity is not important' doesn't change the fact that you are clearly arguing degrees of importance.

Your primary position appears to be that because there are other hacks happening on different platforms that have nothing to do with video surveillance, that we in the physical security industry are paying too much attention to the cybersecurity of video surveillance equipment?

Undisclosed Integrator #5
Sep 10, 2017

Has anyone else noticed the trend of Hikvision proponents noting how long they have been in the industry?

Joseph Hirasawa
Sep 11, 2017
IPVMU Certified

I'm going to humbly disagree. The importance of cyber security in anything, even if it be CCTV, smart home controllers, EAC, intrusion systems, light bulbs, printers, speakers, etc, should never be under-estimated.

It's that mindset alone that has led to integrators & service providers being breached due to security holes being left open & easily compromised, thinking its level of importance as = low.

I don't care if I'm securing a client's visa credentials or their storage room pin. Any system on the network (Regardless of what it is.) adds square footage to the surface area of possible attack. It is our job as layer one security solution providers to ALWAYS ensure that the systems or solutions we provide (regardless of importance) do not add to the surface area mentioned.

Undisclosed Integrator #2
Sep 11, 2017

Rules for Hacker Club:

Rule Number 1: Don't talk about Hacker Club (see rule 3)

Rule Number 2: There is ALWAYS someone smarter/better than you.

Rule Number 3: Don't conform to the rules.

Joseph Hirasawa
Sep 11, 2017
IPVMU Certified

Lol! Well done Sir!
