Further evidence has emerged regarding the insecurity of Equifax's web setup: independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax's security header configuration. The finding comes as a date was confirmed for the Equifax CEO to appear before Congress next month, and the FTC said it was investigating the credit reference agency.
Equifax's security header configuration
"Many of the headers are more about addressing the basics, but as a site that serves over HTTPS they should really have features like HSTS and CSP enabled to offer their visitors a higher level of protection," Helme told El Reg. "The current misconfiguration that is present on the site with duplicated headers and conflicting values just raises questions about why the basics aren't being done properly."
Earlier this week, Equifax admitted that hackers exploited an Apache Struts vulnerability (CVE-2017-5638) to break into its systems. A fix had been available since March 7, but Equifax failed to patch promptly, and the intrusion was only detected more than two months later.
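The two failure modes Helme describes, missing hardening headers and the same header sent twice with conflicting values, are easy to check mechanically. The following script is an added example and not Helme's tooling or anything Equifax published; the response headers it inspects are constructed for illustration, not Equifax's actual responses, and the one-year HSTS threshold is an assumed policy value. It parses a raw header block of the kind `curl -sI https://host/` prints, reports missing HSTS/CSP/X-Content-Type-Options/X-Frame-Options, flags duplicated and conflicting headers, and checks that HSTS `max-age` is meaningful rather than the `max-age=0` that silently switches HSTS off.

```python
"""Audit an HTTP response header block for the basics: HSTS and CSP
present, no header repeated with conflicting values, sane HSTS max-age.
Added example; the sample headers below are constructed, not captured."""
from collections import defaultdict

# Constructed "weak" response: duplicated/conflicting headers, HSTS disabled
# via max-age=0, and no CSP at all.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=0
Content-Type: text/html; charset=UTF-8
"""

# Constructed "corrected" response for the same site.
GOOD_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html; charset=UTF-8
"""

# Headers an HTTPS site should send, with the reason each matters.
RECOMMENDED = {
    "strict-transport-security": "HSTS: keeps returning browsers on HTTPS",
    "content-security-policy": "CSP: restricts where scripts/resources load from",
    "x-content-type-options": "stops MIME sniffing",
    "x-frame-options": "clickjacking defence (or CSP frame-ancestors)",
}


def parse_headers(raw):
    """Parse a raw header block into {lowercase name: [values...]}.
    Duplicates are kept in order so conflicts can be detected."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if ":" not in line:  # status line or blank line
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def hsts_max_age(value):
    """Return the max-age directive of an HSTS value as int, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(raw, min_hsts_age=31536000):
    """Return a list of human-readable findings for a header block.
    min_hsts_age defaults to one year (assumed policy; adjust to taste)."""
    headers = parse_headers(raw)
    findings = []
    for name, why in RECOMMENDED.items():
        if name not in headers:
            findings.append(f"missing {name} ({why})")
    for name, values in headers.items():
        if len(values) > 1:
            distinct = sorted(set(values))
            if len(distinct) > 1:
                # Browsers must pick one; behaviour is not what you intended.
                findings.append(f"conflicting {name}: {distinct}")
            else:
                findings.append(f"duplicated {name} (same value sent {len(values)}x)")
    for value in headers.get("strict-transport-security", []):
        age = hsts_max_age(value)
        if age is None or age < min_hsts_age:
            findings.append(f"weak hsts max-age: {value!r} (max-age=0 disables HSTS)")
    return findings


if __name__ == "__main__":
    for label, block in (("weak", SAMPLE_HEADERS), ("corrected", GOOD_HEADERS)):
        print(f"== {label} ==")
        for finding in audit(block) or ["no findings"]:
            print(" -", finding)
```

To run it against a live site, replace `SAMPLE_HEADERS` with the output of `curl -sI https://example.com/` (piped in or read from a file); the parser only needs the `Name: value` lines. Note that `curl -I` sends HEAD, and some origins return different headers for GET, so check both when results look odd.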
Criminals gained access to names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of millions of Americans, as well as the credit card numbers of 209,000 US consumers. The whole sorry mess raises a number of important questions. Three top Equifax executives, including its chief financial officer, sold a combined $1.8m worth of stock in the consumer credit reporting agency after the breach was detected but before it was made public.
Equifax said that the executives had no knowledge that an intrusion had occurred at the time they sold their shares. US data privacy watchdogs at the Federal Trade Commission have taken the unusual step of confirming they have launched an investigation into the Equifax breach. Equifax chief exec Richard Smith has been called to testify before congressional lawmakers at the beginning of October.
Smith is due to appear before the House Energy and Commerce Committee on October 3.
Another security researcher reported that he'd begun receiving spam at a single-use email address he'd used only to register with Equifax years earlier, but we've not seen widespread evidence that the data has escaped into the wild yet.
Disbanding your security team may not be an entirely dumb idea, because plenty of other people in your organisation already overlap with its responsibilities, or could usefully do its jobs. That's an idea advanced by analyst firm Gartner's vice president and research fellow Tom Scholtz, who has raised it as a deliberately provocative gesture to get people thinking about how best to secure their organisations. Scholtz's hypothesis is that when organisations perceive more risk, they create a dedicated team to address it. That team, he said, grows as the scope of risk grows. With businesses quickly expanding their online activities, that means lots more risk and lots more people in the central team.
That might do the job, but it also reminded Scholtz that big teams are seldom noted for efficiency. He also says plenty of businesses see centralised security as a roadblock. "I met one chief security officer who said his team is known as the 'business prevention department'," Scholtz told Gartner's Security and Risk Management Summit in Sydney today. He therefore looked at how security teams might become less obstructive and hit on the idea of pushing responsibility for security into other teams. One area where this could work, he said, is endpoint security, a field in which many organisations already have dedicated and skilled teams tending desktops and/or servers.
Data security is another area ripe for potential devolution: Scholtz said security teams often have responsibility for determining the value of data and how it can be used, as do the teams that use that data. Yet both teams exist in their own silos and duplicate elements of each other's work. Giving the job to one team could therefore be useful. He also pointed out that security teams' natural proclivities mean they are often not the best educators inside a business, yet other teams are dedicated to that task and are therefore excellent candidates for the job of explaining how to control risk. Scholtz's research led him to believe that organisations will still need central security teams, but that devolution is unlikely to hurt if done well.
Indeed, he said he's met CIOs who are already making the idea happen, by always looking for other parts of the organisation to take responsibility for tasks they don't think belong in a central technology office. Making the move will also require a culture in which people are willing to learn fast and take on new responsibilities. Organisations considering such devolution will also need strong cross-team co-ordination structures, plus the ability to integrate security requirements into an overall security solution design.
Even those organisations that ultimately see such devolution as too risky, Scholtz said, can still take something away from the theory, by using it to ensure that business unit or team leaders feel accountable for securing their own tools.
Devolving security can also help organisations identify which security functions have been commoditised and are therefore suitable for outsourcing.
Rapidly pressing the sleep/wake button five times brings up an Emergency SOS screen, which can alert your emergency contacts to your whereabouts. This much we knew. However, bringing up the SOS screen also disables Touch ID until the user's passcode is entered (via AppleInsider). The so-called "cop button" arrives amid lingering controversy over law enforcement pressing citizens to unlock their phones using the fingerprint sensor.
Last December, Scotland Yard officers snatched a smartphone from a suspect while it was unlocked in order to bypass its security. Police in Michigan even 3D-printed a murder victim's fingerprint in order to unlock a smart device. Passcodes, by contrast, are something a suspect knows rather than something on their body, and have generally remained off limits to law enforcement, which is what makes the new "cop button" all the more powerful.
If iPhone users believe they may be asked to unlock their phone with a fingerprint, they can simply press the sleep/wake button five times in succession to disable Touch ID until the passcode is entered.
iOS 11 is nearly here
iOS 11 is approaching completion, with the full release expected around a month from now. Given that the latest rumours point towards an iPhone 8 without a Touch ID sensor, it'll be interesting to see whether this new feature will also apply to the expected Face ID feature. The new OS will bring a redesigned Control Centre, the new Files app, peer-to-peer Apple Pay payments, improved Siri and a Do Not Disturb While Driving mode.