Contact Us Today!   314.394.3001   |   info@andersontech.com

Posts

Byte-Size Tech: Recovering from a Hack Can Be Pricy

/in , , , /by

 

Libby Powers and Ben Fairbanks of Anderson Technologies dive into a recent new client’s story. This non-profit struggled to deal with a hack of their former server and needed a comprehensive IT solution in one vendor. Now, with a solid foundation, they know their data is protected.

 

Related Reading

Contact Us

 

Transcript

Libby Powers: Welcome to another edition of Byte-Size Tech. I’m Libby Powers, and today I am joined by one of our team members, Ben Fairbanks. Say hi, Ben.

Ben Fairbanks: Hello.

Libby Powers: He is one of our system administrators here at Anderson Technologies. I really appreciate you sitting down with me today, because I was hoping to talk about a new client we recently brought on that I heard some of the team talking about. It was a not-for-profit. Is that correct?

Ben Fairbanks: Yeah, that’s right. And when we first heard about them, they were calling us because they were struggling to get through the after effects of their server being hacked.

Libby Powers: Oh, the not-for-profit server was actually hacked?

Ben Fairbanks: That’s right. This client primarily relied on contractors and individual vendors do their jobs for them. It seemed that a previous IT vendor had gotten their networks onto a new server, and things seem to be working great. But that vendor failed to properly turn off or secure their old server, and that’s where the criminals got it.

Libby Powers: Oh, criminals? So we’re talking about cyber crime and organized crime.

Ben Fairbanks: Yeah, all the above pretty scary stuff. But thankfully, no personal information or PI was accessed. But this client still had to deal with the red tape of reporting the issue to the authorities, digging through all their systems to review what had been accessed, and ensuring that the new server wasn’t truly untouched.

Libby Powers: Wow. So luckily they didn’t put ransomware or anything on these on the server. But the hack was still a major pain, I’m guessing, right?

Ben Fairbanks: Of course, yeah. The cost and man hours is something that no client, let alone a nonprofit with a set budget, wants to suddenly have to deal with. In the process of reaching out to their members in the cleanup, they were recommended to call us. At first they weren’t sure. They were based in Pennsylvania, and we’re in St. Louis.

Libby Powers: Yeah, I could see how that would be a little scary if you’re multiple states away and your IT vendor is a flight away. Right?

Ben Fairbanks: Yeah, of course. And that’s definitely something that every organization is going to have to weigh. But a great part about doing IT is that 90 to 95% of the work can be done remotely. Once we got signed on with this client, we sent two of our expert team members down on location to get all the hardware, wires, and their network fully set up and documented. At the end of multiple days, it took about 50 hours total to get them up and going. From there, we’ve had smooth sailing just operating remotely.

Libby Powers: So it took you guys 50 hours to undo this hack?

Ben Fairbanks: Yeah, totally. And that’s why I went back before, even if it’s not something that where there was ransomware, or maybe their data got lost, even when the effects of the breach aren’t catastrophic, it’s still a lot of work just to get everything back up and going. So that great ground layer is something that a lot of organizations need.

Libby Powers: You know, that’s really interesting you say this, Ben, because I think that so many small businesses and nonprofits, they don’t believe that they’re targets, and this really just proves that they’re more vulnerable, and they pay more when they have to fix it.

Ben Fairbanks: Exactly. Everyone’s a target. It’s just how well you put up your defenses really.

Libby Powers: Super interesting. How are they doing now?

Ben Fairbanks: How are they doing now? They’re doing good. We’ve had a lot of tickets with them, just tiny, small stuff that are quick fixes. I haven’t heard about any big issues that this client has been facing. But from there, it’s been smooth sailing. We haven’t seen any large malicious activity. But we have set up a much stronger ground layer for them to operate on. I think all parties involved are pretty happy with the way that they’re continuing to work.

Libby Powers: I love it when we can be Batman. Like Batman is to Gotham, we are to St. Louis, and this new client out of state.

Ben Fairbanks: When things get quiet, you just know everything is going good. That’s the thing—if no one really knows they have IT people, I’m starting to think that’s a good thing.

Libby Powers: Yes, when they don’t know you’re there. Awesome. Well, I appreciate you taking time today for this episode of Byte-Size Tech. There’s actually a blog article written about this client as well, if you want to go check out our blog. Ben, I really appreciate you taking the time out of your day to help me with this one.

Ben Fairbanks: Yeah, of course, always good to hang out with you.

Libby Powers: Thanks Ben. Have a great day everyone. Bye!

Good Sports: Partnering with an MSP after a Disruptive Hack

/in , /by

Even if a hack doesn’t bring operations to a screeching halt, the impact has ripples that affect productivity, effort, and an organization’s approach to cyber security and IT. After suffering a breach of their legacy server, a sports nonprofit based in Pennsylvania reached halfway across the country for the right solution.

“At the end of the day in a nonprofit,” says Executive Director M. M., “I just want to look my board members in the eyes and say we’ve done everything a reasonable and prudent nonprofit can do to do right by its membership.”

Anderson Technologies sat down with M. M. to discuss the hack and how it—and partnering with a managed IT services provider—changed everything for his almost-100-year-old sport association.

Too Big to Be Small, Too Small to Be Big

AT: Thank you for taking the time to chat with us. Your organization serves approximately 10,000 members across middle school, high school, and colleges. Could you tell us a little about what you do?

MM: We have three core competencies, if you will. Coaching development is the cornerstone of what we do. We really focus on developing transformational coaches in the educational environment, so primarily middle school, high school, and college coaches.

Secondly, our focus is on student well-being. We have a large number of first-generation college-bound students in our sport. We spend a lot of time coaching our coaches on how to make sure they do well academically, how to make sure they stay in school and graduate. We do a lot with sports performance, and nutrition.

The third area would be advocacy. Lobbying governing bodies for legislation and policies that will help grow our sport. One of the things we’re most happy about in that world is we’ve helped to establish 274 new college programs since 1999. With our large percentage of first-generation college-bound students, it provides access for so many students to go to college that otherwise wouldn’t have the chance.

AT: What does your day-to-day look like as Executive Director of the Association?

MM: My primary focus would be business development, fundraising, sponsorships, and a focus on revenue generation. We do have a small staff here of four full-time people and about 10 subcontractors that are strategically located around the country who I oversee on a day-to-day basis to execute the nonprofit’s mission.

Hackers Exhibit Un-sportsman-like Behavior

AT: Could you tell me about the event that led you to Anderson Technologies? I know that your association experienced a hack.

MM: We did. We got hacked back in October of 2020. We’re a typical small nonprofit. In a lot of ways, we’re too big to be small and too small to be big. Sometimes as an organization this size you become vulnerable to these types of things.

We’re not big enough to have a full time IT director, and the consequences of not having a full time IT director are things like getting hacked. Since that happened, we made the decision to outsource everything that’s not core to our mission.

That way, we can focus our time and energy on the things that we have the expertise to do, and outsource those critical things that aren’t central to our core mission but are certainly essential to the long-term success of our organization.” — M. M., Executive Director

AT: What events led up to the breach?

MM: We had an old legacy server that some time ago we had transferred all the data off of it and onto the cloud-based platform that we currently have. But, of course, no one ever told us to unplug the old legacy server. That’s what the hackers got into.

It wasn’t so much that the information they got was critical to us being able to operate, but we needed to know and ensure that no sensitive data was obtained. That obviously determines what we need to communicate out to anybody that may have had personal data compromised.

It was very disruptive and labor intensive. Expensive. The old adage that an ounce of prevention is worth a pound of cure certainly would have been the case.

AT: How did you respond to the hack?

MM: We followed standard protocol. We immediately contacted local police, contacted the FBI. And immediately I reached out to a network of IT experts that we have in our membership, asking for advice, including one of our advisors who referred us to Anderson Technologies.

AT: What did you expect when reaching out to Anderson Technologies? Did you have any previous good or bad IT vendor experience?

MM: We actually had some previous bad experiences. We’ve dealt with a single consultant in the past. My experience is, sometimes single consultants will take on more than they can handle, and things slip through the cracks. In that case, we didn’t have a well-defined statement of work spelling out what the consultant was doing and what they weren’t doing. We were paying for it, but it was never spelled out.

When something like that happens, that conversation quickly turns to ‘I didn’t know you wanted me to do this and that and the other thing.’ That’s why it’s important to dot the I’s and cross the T’s and have a well-defined statement of work so both parties are well aware of what’s being done.

A Different Approach and a New Solution

AT: How would you say that your organization’s approach to IT changed after the hack and partnering with Anderson Technologies? It sounds, unlike before, that you now have things well-defined and have someone taking ownership over IT?

MM: Our approach was: we made the decision that we’re going to outsource everything that’s not central to our core mission. We are going to avoid single consultants and try to work with a small firm—the biggest firm that we could afford—to provide us with the managed services that we needed. And their services will really go beyond the cybersecurity. We’re looking for someone that would become familiar with our entire internet platform, and could provide ongoing advice for us. The cyber security was the first step.

AT: Would you share more about your relationship with Anderson Technologies?

MM: We’re looking for Anderson Technologies to provide us with ongoing advice, and they’ve already done a terrific job. When we need a specific consultant in a specific area, we lean on Anderson Technologies to find that best option for us, help us interview that consultant.

Generally speaking, one of the things that’s changed is we have access to a smaller firm where there’s multiple people, as opposed to a single consultant. The challenge with single consultants is that they have a tendency to come and go, and in the IT world every time they go, you’re paying the next one a large sum of money to do more discovery. You end up starting back at square one over and over and over again.

AT: It sounds like it’s especially beneficial for nonprofits to have multiple people working together to take ownership of their IT infrastructure, rather than relying on a single person.

MM: What happens a lot of times to small nonprofits is, when you have different IT people working on different projects, eventually you wind up with pipes that don’t fit into each other.

I’ve learned the importance of having one IT general contractor who is the point person for any decision that you make that’s related to IT. It’s very complex, and being small, we can go out and hire our own IT person, but you end up with a lot of institutional knowledge in one person. If that person ends up retiring or leaving, it’s very disruptive to the organization. Whereas if you have an IT firm that you’re outsourcing it to, you have much better continuity, and it’s much less disruptive.

AT: We’ve definitely seen with other clients where their entire network was managed by one person, and when he leaves, they’re left wondering, ‘where do we even start?’

MM: Exactly. But if you can have two IT people, you have some redundancy in what you’re doing. I think it’s a far better strategy to outsource it to a firm, rather than a single person. You outsource it to a single person, you’re right back to the same problem as with a single staff member.

AT: How would you describe your interactions with our team?

MM: It’s really, really good. One of our concerns in the beginning was not having someone that was local. We all know that technology can be done remotely, but when you talk about setting up hardware, there’s an argument to be made that using a local firm can be an advantage. But Anderson Technologies has been great. We had a couple situations where it required Anderson Technologies sending experts to our office to set things up, and they really did a great job. We’re still early in our relationship, but we’re off to a great start.

Disruption vs. A Good Night’s Sleep

AT: I have one more question about the hack that you experienced. You said that there was a lot of downtime and a lot of frustrations. What was that like?

MM: It was very, very disruptive. Very costly in terms of actual cost and in staff time to fix the problem. It was months of disruption.

Anybody who thinks they can’t afford to outsource IT to a third party to protect them, they’ll spend far more trying to do it themselves. ” — M. M., Executive Director

AT: It seems many organizations learn that the hard way. How does it make you feel to know that you have stronger security measures in place now?

MM: Much better, I’m much better. At the end of the day, in a nonprofit, I just want to look my board members in the eyes and say we’ve done everything a reasonable and prudent nonprofit can do to do right by its membership.

You can never eliminate bad things from happening. But, God forbid, if it happened again, I’d feel pretty good saying this is what we did to mitigate this risk. We know the bad guys are pretty good at what they do, and you’re never fully protected. But at least we’re doing everything within our resources that we can do, and that’s a pretty good feeling at the end of the day.

 

Your organization doesn’t have to live through a hack or the loss of a trusted vendor or IT staff member to know that cybersecurity and IT can feel tumultuous. Are you curious about how Anderson Technologies can help you sleep better at night? We’d love to talk about solutions tailored to your needs.

Contact Us

password breach category 1

Collection #1 Security Breach

/in , /by

Here at Anderson Technologies we like to keep our clients updated on the latest cyber security news. We’ve covered such breaches as KRACK and the Equifax hack in the past, and now we’re reporting on a breaking data breach called Collection #1, which affects nearly 2.7 billion emails and password combinations.

What Exactly Is the Collection #1 Breach?

The Collection #1 Breach was first reported January 17, 2019, by Troy Hunt, a cyber security researcher and operator of Have I Been Pwned (HIBP). Hunt named the breach after the root folder—containing over 87GB of data—that was uploaded to a hacking forum. Comprised of around 773 million unique email addresses and 21 million unique passwords, this information seems to have been gathered from databases of personal information from over 2000 breaches as far back as 2008.

“This number makes it the single largest breach ever to be loaded into HIBP,” Hunt states in his blog post explaining the breach.

While this personal information may not be much use to one-off hacking attempts, the real danger comes with a technique known as “credential stuffing.” Gizmodo explains:

Basically, credential stuffing is when breached username or email/password combos are used to hack into other user accounts. This could impact anyone who has used the same username and password combo across multiple sites. This is concerning as the Collection #1 breach contains almost 2.7 billion combos.

How Do I Know if I’ve Been Impacted?

Thankfully, the easiest way to see if any of your email addresses, usernames, or passwords have been affected by Collection #1 is to use Hunt’s HIBP. You may have even used this resource to know whether or not to change a password after past breaches like Equifax!

Hunt has painstakingly cleaned and entered all data from Collection #1 into HIBP’s (safe) search engine, allowing anyone to securely check if any individual user account information was compromised.

have i been pwnd

How Do I Keep My Accounts Safe from Future Breaches?

The nature of these data breaches indicate decoding of previously encrypted account information like email addresses and passwords. Anderson Technologies recommends protecting yourself with multi-factor authentication (MFA), as well as a password manager like LastPass or Dashlane.

“The only way to effectively deal with it is to use MFA,” says Joe Baker, Anderson Technologies Systems Administrator. “I like the MFA standard of something you know and something you have—you know your password, and you have your phone for authentication.

“Everyone should go to haveibeenpwned.com to check their email addresses. For me, after entering my email, I searched for and found my compromised email and old password in a matter of seconds. It’s shockingly easy to get this info once it’s out there in plain text. If it’s something that you care about, protect it with MFA. If you can’t protect the account with MFA, then don’t use that account.”

If you believe information vital to your business has been compromised (current administrator credentials, for example), immediate intervention can help mitigate further security threats. Senior Systems Administrator Eric Dischert suggests the following steps:

  • Update passwords for all affected accounts
  • Temporarily lock all systems until extent of the breach is known and appropriate steps have been taken
  • Ensure proper auditing and logging are running
  • Determine the root cause, impact, and necessary steps to fix
  • Deliver a public announcement (if industry regulations require it) and prepare for corresponding responses
  • Educate employees regarding breach details and lessons learned

As always, consult with your managed services provider to ensure all these steps are completed thoroughly enough to protect your business from further threat. For more information about Collection #1 and the consequences for your personal information, contact us here or at 314.394.3001.

Contact Us

Don’t Hold the Door Open for Cyber Criminals

/in , /by

Here in St. Louis, you’re likely to hear people saying they’re heading to Bread Co. for lunch, even if Panera is the sign above the restaurant. That’s because to St. Louisans, Panera will always be Saint Louis Bread Company. But recently, residents were relieved the St. Louis name wasn’t attached to Panera’s recent cyber security blunder.

On April 2, Brian Krebs of security news website KrebsOnSecurity broke the story that customer data from Panera’s loyalty program—including names, email and physical addresses, birthdays, and the last four digits of credit card numbers—was available through an insecure API on their website. Worse yet, Panera had been notified about the defect eight months prior in August 2017 and did nothing to resolve the problem.

Cyber security researcher Dylan Houlihan found the flaw in Panera’s API and, after confirming the extent of the problem, contacted Panera’s cyber security team. He notes that reaching out to Panera was difficult as there was no information available for who to contact if security holes were found. Panera’s response was less than stellar. In Houlihan’s detailed account of their communication, Panera’s director of information security, Mike Gustavison, was suspicious of him, and after receiving proof of the problem, took several days to reply that they would work to resolve it.

Except they didn’t.

Every month, Houlihan checked to see if the flaw was fixed, only to see that customer data was still unprotected. Finally, in April 2018, he contacted Krebs to make the matter public and force Panera to respond. They did. Within two hours Panera claimed they patched the problem.

Except they hadn’t.

Krebs continued to monitor the website and found that, while the information was no longer accessible to the public, if a member logged into their free Panera account, they could still exploit the flaw. He also discovered that it extended to other parts of Panera’s business, such as the catering website.

After the negative media coverage, Panera took down its website and patched the problem properly. In a tweet following the incident, Krebs estimates that up to 37 million accounts could have been made public because of this flaw. While there is no evidence yet that malicious agents accessed the data, this was still a terrible security breach.

How Often Does This Really Happen?

It’s easy to lose the details in light of Panera’s poor response and subsequent inaction, but accidental data breaches from misconfigured hardware or software happen far more often than you might imagine.

  • March 6, 2017: River City Media left more than a billion email accounts exposed to the public, some with personal information. Also exposed were detailed records of their own illegal spamming activities. The problem—no password protection on the backups.
  • June 19, 2017: Deep Root Analytics left millions of Americans’ addresses, birthdays, phone numbers, and political views on a variety of topics open to the public. The problem—misconfigured user permission settings.
  • October 3, 2017: A National Credit Federation cloud storage bucket was found to be open to public access, revealing personal, credit, and financial information of tens of thousands of its customers. The problem—misconfigured user permission settings.
  • October 6, 2017: An Alteryx cloud storage bucket was found to be accessible to anyone with a free Amazon Web Services account. It exposed personal data, Experian marketing data, and US Census data for more than 123 million American households. The problem—misconfigured user permission settings.
  • April 9, 2018: A flaw similar to Panera’s was discovered in P. F. Chang’s rewards website. The problem—an insecure API.
  • April 23, 2018: After rebuilding their website following a ransomware attack, MEDantex’s new customer portal contained abilities intended only for employees, including accessing confidential patient records without authentication. The problem—a bug on the website.
  • May 17, 2018: LocationSmart’s demo feature is found to be able to track the location of almost any cell phone without the user’s consent. The problem—an insecure API.

What Does This Mean for a Small Business Owner?

These examples of private, financial, and personal information leaked unintentionally serve as a warning to all business owners. While there’s a sense of poetic justice that River City Media revealed their own criminal activities by forgetting to add a password, the truth is, not all data you could reveal belongs to other people. You can be a cyber threat to your own business.

Few businesses can run day to day without some amount of personal, customer, or vendor data stored either on their network or in cloud storage. The technicalities of properly configuring security for these electronic databases can be daunting, but even when things appear to be simplified for you, all it takes is one open port, one missing password, or one unsecured application for the door to your data to be left wide open.

This is why it’s vital for businesses to have their systems set up by IT professionals and to perform network security audits routinely to ensure both the hardware and the software are configured correctly. It’s not enough to simply hire an IT consultant once and assume your system is secure. Files get moved, employees are hired, and new hardware is installed—all leaving room for new settings to supersede old ones, or worse, be forgotten all together. A network security audit performed at least annually gives you peace of mind that your cyber doors are tightly closed and locked.

What Should You Do to Protect Your Business?

While it’s crucial to know how to avoid opening the door to criminals, knowing how to respond to a breach is just as important. Here are a few simple steps you can take to avoid or address an accidental data breach.

  1. Hire IT professionals to set up all hardware and software. Your customers trust you to be the expert in your field, so trust the IT professionals to be the experts in theirs. Make sure all your hardware and software have been properly configured from the start.
  2. Perform annual network security audits. Just because you configured everything correctly, doesn’t mean it will stay that way. Your business changes all the time, so it’s best to check the doors and windows before someone else notices they’re open.
  3. Know your hardware. Many business owners don’t realize what’s in their hardware closet. Can you point to your hardware firewall with confidence? Are you certain it’s the correct type for your business? Ask an IT professional to review your hardware with you so you understand what you need and how it works. Doing so will improve your ability to spot potential problems.
  4. Have a way people can contact you about problems they find. One lesson learned from the Panera breach is how important it is that people can contact you with problems they’ve noticed. Many security researchers who find flaws due to misconfiguration just want you to know about the issue so it can be resolved. Make sure they can get in touch. Larger companies should have separate contact information specifically for security issues to keep them from being lost with other routine technical issues customers might have.
  5. Respond quickly to any problems found. Don’t wait eight months or for public embarrassment to sound the alarm before responding to an accidental data breach. If you act swiftly, your data may still be kept safe. In many accidental breaches, the problem was found not by criminals but cyber researchers.

No company wants to find themselves in a situation like Panera’s, so make sure your network security is done right. If you’d like to learn more about configuring your systems or to schedule a network security audit, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.

Contact Us

Equifax Hack Updates: What You Can Do NOW to Keep Your Credit Safe

/in , /by

It has been over six months since the massive hack of credit monitoring company Equifax, and over three since the attack was disclosed. We now know that 145 million Americans (and 15.2 million Europeans) have been affected.

Due to the data stolen—names, social security numbers, addresses—the victims  of the Equifax hack must be wary of their credit for the rest of their lives. Attackers can use leaked data to create profiles for spear phishing attacks or round out existing profiles, making identity theft even easier to perpetrate.

We covered the data breach in a previous blog post, “Equifax Hack 101: What You Need to Know to Keep Your Credit Safe,” but the news hasn’t stopped rolling in. In this post we address new developments, and additional actions you, as an individual or as a small business owner, can take to mitigate the hack.

Protecting Your Personal Data

Our initial post details credit monitoring and credit freezes. Some agencies recently introduced a “credit lock,” which they claim is easier and less expensive for the user while also more effective. The difference between a lock and a freeze is that a freeze is state-monitored, and a lock is controlled by the company only. “I take strong exception to the credit bureaus’ increasing use of the term ‘credit lock’ to steer people away from securing a freeze on their file,” says Brian Krebs of Krebs On Security. Don’t be fooled by credit lock offers.

You can also talk to lenders (mortgages, banks, etc.) about what steps they are taking to prevent someone from misusing leaked information. Challenge these organizations to take additional steps like providing internal credit monitoring alerts to keep customers safe.

Tax return filing fraud is one thing that credit freezes or monitoring cannot protect. File as early as possible to prevent your refund from going to a scammer. This is not a new problem. The IRS recently issued reminders and new alerts regarding tax fraud.

While most of the information obtained from the Equifax hack was actually already in the hands of tax fraudsters, remain vigilant because criminals are continuing to adjust their tactics. The IRS even reports instances of fraud targeting hurricane victims and tax professionals in addition to the average citizen.

The Troubling Behavior within Equifax

The hack itself isn’t the only problem with Equifax.

After a data breach, many companies are able to save face by being upfront with customers, providing adequate solutions, and cracking down on security. Unfortunately, Equifax missed these cues.

Even after fixing the questionable language in the Terms of Use initially included, in their TrustedID program Equifax continues to come under fire. Initially, the PIN numbers granted to customers seeking a security freeze consisted of the date and time the freeze was granted. This has since been corrected, but what an oversight! Many users have also had difficulty contacting the company to change their PIN.

The site Equifax set up for customers to check if they were affected by the hack continues to cause problems. Because Equifax failed to secure similar domains it was susceptible to phishing scams. Thankfully, the third-party sites (one actually directed to by Equifax itself) were benevolent—pointing out how easily scammers could use a similar domain to obtain your information. Then, in early October, Equifax temporarily took down a page about the hack because it, too, had been hacked. Criminals injected malicious code to trick users into downloading adware from fraudulent links.

As of November 3rd, Equifax’s internal investigation into allegations of suspicious trades made by top Equifax executives concluded that none of their employees were guilty of insider trading. These allegations are still under investigation by the House Financial Services Committee.

Moreover, Equifax was allegedly warned about the vulnerabilities to its systems one year ago in December by a security researcher. “These allegations, if accurate, reinforce indications that Equifax—which has a significant business selling data protection tools—was shockingly negligent and incompetent when it came to security,” says Jeff John Roberts of Fortune Magazine.

These problems have been a cause of concern for many consumers, however it is important to note that Equifax is continuing to offer credit freeze at no charge through January 31, 2018, and, through TrustedID, offers free credit monitoring and up to $1 million in identity theft insurance.

Can We Expect Any Changes to the Industry?

Beyond being proactive with your personal protection, customers must look to Congress and other government agencies to implement changes. Speak to your representatives about your concerns for the future. Many are already investigating reasons why the Equifax hack was possible and ways to prevent hacks like it in the future.

Laws also need to change regarding reporting compliance. Lawmakers and industry leaders agree that consumers should have been alerted to the Equifax hack far earlier.

In our initial article, we noted that several class-action lawsuits were being filed against Equifax; however, after an October 24 vote by Congress to disallow class-action suits against banks and credit companies, the future of these cases is unclear.

After initially trusting Equifax with a “bridge” contract for work on the IRS’s Secure Access program, the Government Accountability Office rescinded the contract, at least temporarily. They may work with another credit monitoring agency on the project, but some members of Congress are questioning the rationale behind trusting any credit bureau with so much data.

It’s possible we may be looking at the end of the social security number—or at least moving away from the strict reliance we now place on SSNs for identity. The best identity theft protection may be to stop using easily hacked information.

Tips for Small Businesses

Small businesses should look at the response from Equifax and at the controversy surrounding it and wonder what they can do differently when dealing with private information.

The first step for small businesses should be a thought experiment. Think about potential risk as well as known and unknown vulnerabilities in your internal network. Do you trust your current cyber security company to protect your data from a data breach? What are the consequences of a data breach like the Equifax hack in your company? What would the cost to your company be?

For many small businesses, investing in stronger cyber security protection is a clear solution. Your IT department or an outside cyber security company can help analyze your systems. If personnel are constantly putting out fires, as seems to be the case with Equifax, they may not be able to keep everything else up to standard.

Invest in security that provides monitoring, analysis, and dedicated attention. At Anderson Technologies, a St. Louis IT company, we often start with a full network audit, helping clients identify areas of concern and providing the path to a more secure network.

Beyond your network, take time to train and retrain employees on the technology used and best practices for staying safe, both online and off. The best identity theft protection is education. Get a free ebook from Anderson Technologies to teach your employees the foundations of cyber security safety now!

Anderson Technologies is a St. Louis cyber security company that specializes in protecting client data. For more information on our services, email info@andersontech.com or call 314.394.3001 today.

Contact Us

KRACKed: The Fissure in Wireless Security

/in , /by

Internet surfing on mobile devices has seemed relatively safe since the 2001 Wi-Fi security protocol update and the advent of wireless data encryption. The WPA2 encryption standard mostly shielded us from being hacked on our private networks. However, new research from Belgian cyber security expert Mathy Vanhoef exposes a threat that proves our false sense of security is coming to an end thanks to the Key Reinstallation Attack (KRACK) vulnerability.

What Is the KRACK WPA2 Hack and How Does It Work?

WPA2 (or Wi-Fi Protected Access 2) is one of the current wireless security standards. Unlike its predecessors, it securely encrypts web traffic by way of a “four-way handshake” process that randomly generates an encryption key every time a device with matching credentials accesses a wireless network. This handshake protects your private home and business networks different with four authentication exchanges, ensuring information you send back and forth over the network is safely encrypted.

The KRACK vulnerability interferes with the four-way handshake by way of the encryption key; KRACK records the key and reinstalls it to be used multiple times. This allows the attacker access to communications between your device and wireless access point, as well as any information that isn’t otherwise encrypted. Hackers could potentially view and steal your credit card information, passwords, shared files, and any other private information sent across the web.

One caveat of the KRACK vulnerability is that hackers need to be within the range of your Wi-Fi network. This means that your personal information is safe from hackers on the other side of the world, but anyone in close proximity could gain access to your network traffic if they have technical skills. And even though a hacker must be in range to exploit this vulnerability, it’s possible KRACK could be used for packet injection (explained here) or inserting malware or ransomware into websites.

How Can I Protect My Network Privacy?

 Though KRACK is disrupting our WPA2 sanctuary, there are many ways to ensure you’re safe—or as safe as you can be—until the WPA2 protocol is updated to prevent these attacks.

  1. Update Your Router

Most people don’t think about updating their router in the same way you update your phone or laptop software, but this is a vital step to protecting your wireless network from KRACK. You can find instructions to update some of the more common manufacturers’ router firmware here. If your router doesn’t belong to one of the companies that has released a firmware patch, you should contact your internet service provider.

  1. Update All Devices with Wi-Fi Connectivity

Thanks to Apple and Microsoft’s specific implementation of WPA2, they aren’t as vulnerable as other devices. However, that doesn’t mean your iPhone is safe. Mathy Vanhoef’s blog publicizing the vulnerability includes a demonstration of an attack on an Android device and links to examples of bypassing encryption in Apple operating systems, as well as other common encrypted applications. Any device with Wi-Fi capabilities needs to be updated as soon as patches are released. In the meantime, use Ethernet or cellular data on your mobile device if possible.

  1. Utilize Other Methods of Encryption

Even when this WPA2 vulnerability no longer exists, you should make sure you’re communicating with websites securely. Many websites use HTTPS, which you may have noticed during browsing sessions. Thankfully, most websites that handle sensitive personal information (banking and financial sites, etc.) already default to secure browsing, which encrypts private data. Browser extensions like HTTPS Everywhere will force sites to browse securely when the option is available. Communicating over a virtual private network (VPN) also encrypts all traffic, rendering it safe from KRACK. However, be aware that VPN providers may store your data in other ways, so make sure to research and select a trusted company.

  1. Take Stock of Your IoT Devices

The Internet of Things, while still new technology, is notorious for its inherent security weaknesses. Any IoT devices you have connected to your wireless network may need to be disconnected until patches are available. Information from most IoT devices is probably harmless even if hackers were able to gain access to it, but unless each device encrypts traffic, your privacy could still be compromised.

Thankfully, this vulnerability is getting much publicity. The US Computer Emergency Readiness Team continues to update its list of over 100 vendors and their software updates, and none of the indexed vulnerabilities are yet known to be used outside of research. It’s unlikely that an everyday WPA2 user has been affected by this breaking vulnerability, but it would be wise to exercise caution until more information and software updates are released. Be wary of any unfamiliar wireless networks, and keep an eye out for any notices from your hardware and internet service providers.

For more help keeping your network safe from KRACK and other threats, contact the experts at Anderson Technologies at 314.394.3001 or info@andersontech.com.

Contact Us

Equifax Hack 101: What You Need to Know to Keep Your Credit Safe

/in , /by

Credit plays a ubiquitous role in our lives. What can we do when the systems we trust fail us?

Corporate cyber security breaches are more common than many people realize. The recent headline-making Equifax data hack affects upwards of 143 million Americans, making it one of the largest risks to personal information to date. This breach is leading consumers to question their safety from identity theft and whether credit bureaus and ancillary companies have their best interests at heart.

 What happened?

Equifax is one of the three biggest credit reporting agencies that collect consumer credit information. You don’t have to submit any of your personal information to Equifax for them to have it—if you’ve applied for a car loan, mortgage, or credit card, Equifax likely has your data in their system.

A vulnerability in an Equifax web application framework, Apache Struts, was discovered and disclosed in March of 2017. At that time, patches were implemented, though these efforts did not completely solve the problem and in late July suspicious traffic was noted. According to their press release about the breach, Equifax’s security team then “investigated and blocked the suspicious traffic that was identified.” Three days later (August 2, 2017), Equifax hired Mandiant, an independent cyber security consulting firm, to evaluate the damage.

After analyzing the scope of the breach, Mandiant discovered that personal information of 143 million Americans had been exposed, along with credit card numbers of 209,000 Americans, dispute documents for 182,000 Americans, and various information of certain United Kingdom and Canadian residents. In direct response to this analysis, Equifax provided a site for consumers to check whether their information may have been compromised and subsequently sign up for a free year of credit monitoring.

How is Equifax handling the situation?

Some of Equifax’s actions haven’t been viewed optimistically. A public relations nightmare ensued after the discovery of an arbitration clause in Equifax’s Terms of Use.  The language apparently waived the rights of consumers who signed up for credit monitoring to sue Equifax in relation to the security breach. It took Equifax until September 13 to release a statement that they had removed the offending clause from their Terms of Use.

Executive personnel changes also followed in the days after the hack disclosure. However, allegations of insider trading that purportedly took place after the breach was discovered have not yet been publicly addressed.

On September 20, several sources reported that Equifax incorrectly linked customers to a fake website designed to look like the signup site for credit monitoring.  Fortunately, the person who set up the fake site did not have malicious intent, but the situation revealed how easily criminals could take advantage of Equifax’s oversights and gather even more personal information.

What’s the damage?

Unfortunately, unlike many previous cyber security incidents, the type of data gathered in this breach will have a serious impact for years to come.  Criminals now have their hands on Social Security numbers, records of open credit accounts, and other personal data from Equifax’s stockpile of consumer profiles.  Attackers can now build targeted spear phishing attacks that, if executed well, will seem extremely legitimate to many users.

Will credit monitoring prevent my information from being compromised?

In short, no. Credit monitoring does nothing to prevent thieves from accessing your personal information.  It only keeps an eye out for suspicious activity regarding your credit file. Many credit bureaus and agencies advertise the service for a fee. The free year of TrustedID Premier offered by Equifax in light of this most recent breach also provides identity theft insurance, which covers up to $1 million of certain expenses, such as legal fees, related to recovering your credit information in the event of theft.

There likely won’t be any negative effects from submitting your information to Equifax and enrolling in the free year of TrustedID Premier, but until a few days ago the site was infamously broken. Some users reported receiving different messages depending on the device used to submit their inquiry. Equifax claims it fixed the site on September 13.

If you are already fastidious about monitoring your lines of credit, there’s not much to be gained by sharing additional personal information and enrolling in free credit monitoring. The olive branch from Equifax is welcome but may not make a significant impact depending on the consumer.

What other steps can I take?

There are two big moves anyone can make at any time to protect their personal information—submitting a fraud alert or requesting a credit freeze. Both actions are effective in ensuring criminals don’t have easy access to your credit, though they work in different ways.

You can request a fraud alert by contacting the credit bureaus (Equifax, Experian, TransUnion, and a smaller but still significant bureau, Innovis), but you must provide varying amounts of paperwork and personal information before your application is complete. This must be done independently for each company.  Once your fraud alert is in place, lenders can still access your credit information but they can’t grant credit in your name without contacting you first.

If you don’t want your credit files to be viewed by anyone other than yourself, applying for a credit freeze is the way to go. Even though new lines of credit can still be applied for in your name, none can be opened unless you “unfreeze” your credit files to give access. Again, this process must be completed at each credit bureau.  Consumer Union offers a thorough how-to guide on placing a security freeze on your credit files and what fees you should expect depending on which state you live in. Unfortunately, many states require fees to lift a credit freeze as well; this means you might have to pay every time you want to move or apply for a car loan. However, the costs associated with this protection are much smaller compared to the time and trouble involved with being a victim of identity theft.

Those affected can also seek legal recourse. A firm in Oregon has already filed a class-action lawsuit against Equifax, claiming that the company failed “to maintain adequate electronic security safeguards as part of a corporate effort to save money.” At least 23 other lawsuits are in the works, filed in 14 states and the District of Columbia. A federal panel will review and likely combine these cases into a single lawsuit. If class-action status is granted, affected customers will be able to join.

Even if Equifax deems you unlikely to have been impacted by the hack, it would be wise to use this opportunity to evaluate the security of your credit information and keep a closer eye on your credit scores.

Anderson Technologies is a St. Louis cyber security company that specializes in protecting client data. For more information on our services, email info@andersontech.com or call 314.394.3001 today.

Contact Us