Equifax CEO Richard Smith

Equifax's May Mega-Breach Might Trace to March Hack

Mathew J. Schwartz • September 21, 2017

Hackers behind the mega-breach at Equifax stole data in May, but they - or other attackers - penetrated the credit bureau's systems in March, exploiting a vulnerability for which Apache Struts had issued a patch, just four days prior.

Anti-Malware

US Sanctions Iranian Nationals Over DDoS Bank Attacks

Latest

Governance

HHS Incident Response Will Be Scrutinized

Marianne Kolbasuk McGee • September 20, 2017

A federal watchdog agency has announced it will scrutinize HHS's incident response capabilities as well as Obamacare's security controls. The agency has also issued a new report finding security gaps in Alabama's Medicaid information systems security.

Breach Notification

Equifax Disputes Report of Undisclosed Breach From March

Jeremy Kirk • September 19, 2017

Equifax is disputing Bloomberg's report that it suffered an undisclosed data breach, discovered in March, that predates the massive breach that began in May. Instead, Equifax says the March incident involved its payroll service and that it notified all victims and required regulators.

Anti-Malware

Avast Distributed Trojanized CCleaner Windows Utility

Mathew J. Schwartz • September 18, 2017

For one month, the installer for a widely used, free Windows utility called CCleaner also installed a malicious payload that was designed to allow attackers to push additional malware onto infected PCs, warns Cisco Talos. Developer Piriform, owned by Avast, has released updates that expunge the malware.

Anti-Malware

CDDC: One Secure Screen for Classified, Secret and Public Networks

Jeremy Kirk • September 15, 2017

Researchers in Australia says they've conquered a thorny problem: how to view information stored on multiple air-gapped networks at the same time without security or usability concerns. They've created a device, called the Cross Domain Desktop Compositor, that's been tested by the Australian Department of Defense.

Breach Preparedness

Gauging Equifax's Future in Wake of Massive Breach

Eric Chabrow • September 15, 2017

Top IT security and information risk experts, including former RSA Executive Chairman Art Coviello, analyze the struggles Equifax faces in the wake of a massive data breach in the latest edition of the ISMG Security Report.

Breach Notification

Equifax's Colossal Error: Not Patching Apache Struts Flaw

Jeremy Kirk • September 14, 2017

Equifax made an error that led to one of the largest and most sensitive data breaches of all time, and the mistake was elementary: The credit bureau failed to patch a vulnerability in Apache Struts - a web application development framework - in a timely manner.

Anti-Malware

Report: North Korea Seeks Bitcoins to Bypass Sanctions

Mathew J. Schwartz • September 14, 2017

In cryptocurrency we trust: The government of North Korea has been turning to bitcoin exchange heists and cryptocurrency mining - potentially using malware installed on other countries' systems - to evade sanctions and fund the regime, security experts say.

Anti-Malware

Kaspersky Software Ordered Removed From US Gov't Computers

Eric Chabrow • September 13, 2017

The Trump administration is directing U.S. federal executive branch agencies to remove anti-virus software from Russian-owned Kaspersky Lab from their computers within 90 days. Kaspersky denies "inappropriate" ties to Russian government.

Breach Notification

Equifax's Latest Data Breach: Argentina

Jeremy Kirk • September 13, 2017

Equifax has a new problem on its hands: Argentina. Investigators with security consultancy Hold Security discovered that Equifax's Argentina website exposed national identity numbers for at least 14,000 citizens. But the information exposure may be far more extensive.

Breach Notification

Equifax CEO: 'We Will Make Changes'

Mathew J. Schwartz • September 13, 2017

What do you do if you're the CEO of a credit bureau that's suffered a massive breach, leading to Congressional probes, dozens of lawsuits, formal investigations by state attorneys general and calls for your resignation? Answer: Issue an apology via USA Today.

Cybersecurity

Don't Delay: Replace Symantec TLS/SSL Certs Now

Jeremy Kirk • September 12, 2017

A major operation to cleanse websites of digital certificates created under questionable circumstances is underway. Google has issued the orders: Purge digital certificates that were issued by Symantec before June 1, 2016.

Compliance

NY Cyber Regulations: Who Must Comply?

Tracy Kitten • September 12, 2017

The new cyber regulations from the New York Department of Financial Services apply to far more than just major New York-based banks, explains Paul Bowen of Arbor Networks.