Equifax compromise and their insecure response

Today it was announced that someone infiltrated Equifax earlier this year and stole 143,000,000 identities. These identities include names, birthdates, and addresses, at a minimum. Details are available at your favorite news site.
What I want to talk about is the website they’ve put up to address the issue. This website is Yet Another Example of how the financial services industry trains users to be phishing victims.
Equifax set up a website for people concerned about the possibility of identity theft after this major data leak. The URL, as distributed by the press and linked to from Equifax’s own website is https://www.equifaxsecurity2017.com.
When I was first sent to the site, I thought it was a phishing site because there is absolutely no way to confirm this site is owned and managed by Equifax. Zero. In fact, there’s a lot of evidence that the site isn’t owned by Equifax. And most of the rest of the evidence relies on trusting that the hackers still don’t have some level of access to Equifax systems.

Visiting the Website

The site does have SSL, but the certificate is issued to “ssl511860.cloudflaressl.com”. Cloudlfare has a somewhat sketchy history and I would not put it past them to host and protect a phishing site. So the SSL certificate doesn’t give me any faith this is Equifax.

There’s a link back to Equifax’s pages, but that’s SOP for phishing, so no help there. Yes, I can get to the website from Equifax’s home page, but this URL is being given out in various press articles.
When we check the whois. The registrar is MarkMonitor but the registrant is some random company called DNStinations.

Registrant Name: Domain Administrator
Registrant Organization: DNStination Inc.
Registrant Street: 3450 Sacramento Street, Suite 405
Registrant City: San Francisco
Registrant State/Province: CA
Registrant Postal Code: 94118
Registrant Country: US
Registrant Phone: +1.4155319335
Registrant Phone Ext:
Registrant Fax: +1.4155319336
Registrant Fax Ext:
Registrant Email: admin@dnstinations.com
Registry Admin ID:

When I visit http://dnstinations.com/ I get an error message:
The domain owner has no website. That doesn’t reassure me.
Now, when I drop the physical address into Google I get an address that’s listed as a Proxy Partner on the MarkMonitor website. At this point, I start to wonder if my faith in MarkMonitor is misplaced.
Of the things we can check on the website, the best assurance we have here is that MarkMonitor is a service that big companies use to protect their domains. Not that reassuring overall, but we’ll go with it.

ID Protection Services

We’ll assume the press has done some level of fact checking and this website is  valid. We click on the link that says “enroll in ID protection” which takes us to a different website: https://trustedidpremier.com. The first thing it asks me for is my name and the last 6 digits of my social security number.
What evidence do I have that this website is valid? It has a SSL cert issued by Amazon. It’s hosted on EC2. The whois data is all behind privacy protection. The bare domain serves up an error message.

This is the website that they want me to trust to protect my identity?

It will work

The thing that really gets me is that most people are going to drop their information into this website. They’re going to go through whatever process is going on.
This is training for people to be phished. I’ve actually seen better phishing websites than this one. In fact, I’m more inclined to believe this is legitimate because phishing sites are done better!
Now, I’ve long believed that all my information is compromised and is out there for sale. I know some of it is. Two universities that had my info have lost it. I’ve had my credit card company send me new cards “for security purposes”. I shopped at Home Depot during their compromise. None of that is any of my fault, which is why I’m careful but not obsessively careful with personal info. I can’t control if it stays private. That’s clear.
But acknowledging that I can’t control my personal info doesn’t mean I am going to go around and drop my name and most digits of my SS number into some website as horribly set up as this one.
Equifax dropped the ball here, not just by their lax security but also by their insecure response to the compromise. (And that’s before we get to the fact that 3 senior Equifax executives sold 1.8 million dollars worth of stock after they found the compromise but before they announced it.) This isn’t unique to Equifax, Target dropped the ball, too, when they were compromised.
I was on a call today discussing DMARC. It’s great that email folks are stepping up to make email more trustworthy. But when a company pulls such a boneheaded move, in response to a major leak of data, I know that DMARC and email isn’t enough. We need to work towards a safer internet and that means companies have to step up and stop being stupid about cybersecurity.

Related Posts

Electronic records outside US not covered by US warrants

The 2nd Circuit Court of Appeals ruled against the Government today in US Government vs. Microsoft. The government is investigating a drug dealer and want access to records held by Microsoft. Microsoft turned over metadata stored on US machines. But they refused to turn over the specific emails stored on machines in Dublin. The company’s position is that the federal government needs to follow the rules of the Mutual Legal Assistance Treaty between the US and Ireland.
This has been winding its way through the appeals court.
The court’s ruling today states “§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”
An interesting ruling, and I see pros and cons to the ruling. It does complicate anti-spam enforcement a bit and make it easier for criminals to hide their data overseas while they might be in the US. But it’s already easy for them to do that. Many arrests of spam gangs and others for crimes committed on the Internet over email involve multiple law enforcement agencies across the world.
Full text of the ruling (.pdf link)

Read More

Target "acquires data"

It was our priority to inform as many guests as quickly as possible. Relevant emails were pulled from a variety of sources.
@AskTarget

Read More

Poor delivery at Gmail but no where else

I’ve mentioned before that I can often tell what ISP is making filter changes by what my calls are about. The last few weeks it’s been Gmail where folks are struggling to get to the inbox. One of the things most clients and potential clients have mentioned is that they’re not having any problems at the other major ISPs.

Read More