Welcome to The Dashlane Tech Check for September 15, 2017! I’ll help you catch up on Dashlane news and the biggest headlines in the tech and information security industry. And, just for fun, I’ll include a useful life hack that will keep your personal and work-related data secure all year long.

The Equifax Data Breach Saga

Last week, up to 143 million Americans were affected by the massive Equifax data breach. Days after the announcement, the company struggles to recuperate from security mishaps and customer backlash.

Learn more about the massive Equifax data breach

We now know how hackers managed to compromise 143 million customer records

Last week, Equifax announced that hackers were able to exploit a U.S. website application vulnerability to compromise Social Security numbers, names, home addresses, some credit card numbers, and more data for nearly 143 million people. According to Gizmodo, we now know the vulnerability was “Apache Struts CVE-2017-5638”. The National Vulnerability Database offers the following information about the vulnerability: “The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.”

According to Gizmodo, a patch for the vulnerability was available on March 6, 2017, yet Equifax claimed that the attack began in May 2017. Why Equifax failed to apply the security update is still a mystery.
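The NVD description above places the malicious input in the Content-Type header, which gives defenders something concrete to look for. The following is an added example, not code from Equifax, Apache, or the original post: it scans constructed log lines for Content-Type values that carry OGNL-style markers or do not parse as a media type. The `ct="..."` log field and the sample lines are assumptions.

```python
import re

# Constructed sample lines. The ct="..." field assumes a log format that
# records the request's Content-Type header (an assumption, not a default).
SAMPLE_LOG = """\
203.0.113.7 "POST /upload.action HTTP/1.1" 200 ct="multipart/form-data; boundary=----abc123"
198.51.100.9 "POST /login.action HTTP/1.1" 500 ct="%{(#cmd='<redacted>')}"
203.0.113.7 "POST /api/save.action HTTP/1.1" 200 ct="application/json; charset=utf-8"
198.51.100.9 "GET /index.action HTTP/1.1" 200 ct="text/plain garbage"
"""

LINE = re.compile(r'^(?P<src>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) ct="(?P<ct>.*)"$')

# A legitimate value is "type/subtype" plus optional ;name=value parameters.
TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MEDIA_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=("[^"]*"|[^;\s"]+))*\s*$'
)

# Expression delimiters plus the "#cmd" string named in the NVD entry.
OGNL_MARKERS = ("%{", "${", "#cmd")


def classify(content_type: str) -> str:
    """Return 'ognl-marker', 'malformed' or 'ok' for one header value."""
    if any(marker in content_type for marker in OGNL_MARKERS):
        return "ognl-marker"
    if not MEDIA_TYPE.match(content_type):
        return "malformed"
    return "ok"


def scan(log_text: str):
    """Return (line number, source address, verdict) for suspicious lines."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = LINE.match(line)
        if not match:
            continue
        verdict = classify(match["ct"])
        if verdict != "ok":
            findings.append((number, match["src"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit from this check is a lead for triage, not proof of compromise; patching Struts remains the fix.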

Equifax walks back a controversial arbitration clause that would’ve forced victims to surrender their right to sue

In its initial response to the breach, Equifax announced that it would offer a free credit file monitoring service and identity theft protection for 143 million affected customers. However, swift backlash ensued after a controversial arbitration clause and class action waiver were discovered in the company’s Terms of Use for its TrustedID program. According to Forbes, the clause would’ve forced victims to sign away their rights to sue Equifax for the data breach before signing up for Equifax’s TrustedID Premier service.

After several consumer, legal, and community organizations lambasted the clause, the company updated its website saying they have removed the clause from their Terms of Use: “We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.”

Equifax used “admin” as both the username and password for an employee web portal in Argentina

In an unrelated security incident, cybersecurity researcher Brian Krebs discovered Equifax’s Argentinian site was secured with a predictable username and password: admin. According to CNET, the site was an employee web portal used to protect thousands of customers and employees who’ve submitted credit disputes stored in plain text.

The company responded to the incident with the following statement: “We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cybersecurity event that occurred in the United States last week. We immediately acted to remediate the situation, which affected a limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions. We have no evidence at this time that any consumers, customers, or information in our commercial and credit databases were negatively affected, and we will continue to test and improve all security measures in the region.”

Equifax issued brute-forcible PINs to customers with security freezes on their credit reports

On Monday, Equifax announced that it will waive fees for any affected consumers who’d like to put a freeze on their credit reports up until November 21, reports The Verge. However, some consumers who took the company up on its offer were in for a rude awakening. According to Ars Technica, consumers who registered to freeze their credit reports found that the PINs Equifax issued were simply based on the date and time stamps of their enrollment, making them susceptible to brute-force attempts. In response, a company spokesperson sent a statement to Ars Technica saying they were going to “provide consumers a randomly generated PIN” within 24 hours.
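To see why a timestamp-derived PIN is weak and how an issuer could audit for it, here is an added example that is not from Equifax or the original post. The 10-digit MMDDYYHHMM layout, the one-week enrollment window, and the sample PINs are assumptions made for illustration.

```python
import secrets
from datetime import datetime, timedelta

PIN_FORMAT = "%m%d%y%H%M"  # assumed layout: MMDDYYHHMM, minute resolution


def timestamp_pin(enrolled_at: datetime) -> str:
    """The weak scheme: the PIN is just the enrollment time."""
    return enrolled_at.strftime(PIN_FORMAT)


def random_pin(digits: int = 10) -> str:
    """The fix: a uniformly random PIN from a CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def candidates_in_window(start: datetime, end: datetime) -> int:
    """Distinct timestamp PINs possible if enrollment fell in [start, end)."""
    return int((end - start) / timedelta(minutes=1))


def looks_timestamp_derived(pin: str, start: datetime, end: datetime) -> bool:
    """True if the PIN decodes to a valid time inside the issuing window."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        decoded = datetime.strptime(pin, PIN_FORMAT)
    except ValueError:
        return False
    return start <= decoded < end


def audit(pins, start: datetime, end: datetime) -> float:
    """Fraction of issued PINs that decode to a time in the window."""
    hits = sum(looks_timestamp_derived(p, start, end) for p in pins)
    return hits / len(pins)


if __name__ == "__main__":
    # Constructed window and batch, for illustration only.
    start, end = datetime(2017, 9, 8), datetime(2017, 9, 15)
    batch = [timestamp_pin(start + timedelta(hours=h)) for h in (5, 40, 90)]
    batch.append("1234567890")
    print("timestamp candidates:", candidates_in_window(start, end))
    print("random candidates:   ", 10 ** 10)
    print("share that decodes to the window:", audit(batch, start, end))
```

With truly random PINs, the audited share should be close to zero; a high share means the generator is leaking the enrollment time.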

The US Federal Trade Commission and the US Senate Finance Committee demand answers from Equifax

US Senators and the US Federal Trade Commission are now investigating all of Equifax’s mishaps around the data breach affecting about 143 million Americans. “The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” an FTC spokesperson said in a statement shared by Gizmodo on Thursday.

On Monday, Sen. Orrin Hatch and Sen. Ron Wyden of the Senate Finance Committee sent a letter to Equifax’s CEO Rick Smith, demanding more information on how the security breach unfolded and when the company became aware of it, CNET reports. They’re also particularly interested in learning when company executives learned of the breach, after news that three executives sold some of their shares just days after the hack was discovered.

Sen. Mark Warner, vice chair of the Senate Intelligence Committee, said the Equifax breach was “profoundly troubling” and suggested congressional action to push for stronger consumer data protections. In a speech on the Senate floor on Thursday, Senate Minority Leader Chuck Schumer also said Equifax “stunningly and epically” failed to protect consumers’ sensitive data.

In addition, Sen. Elizabeth Warren and Sen. Brian Schatz said they will introduce legislation today that would require Equifax and other credit-reporting agencies to freeze consumers’ credit reports for free and allow consumers to access their credit reports for free, according to Bloomberg.

What in the (Security) world?

Here’s what made headlines this week in the world of digital identity, security, and privacy:

US government agencies ban Kaspersky security software

The Department of Homeland Security (DHS) issued a directive to all federal departments and agencies, requiring the identification and removal of Kaspersky software within 90 days. The statement, shared by CNET, says the DHS is “concerned about the ties between Kaspersky officials and Russian intelligence and other government agencies.” The statement continues, “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”

Kaspersky has since called the allegations false and claims “no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company.”

Yet another dark web marketplace is taken offline

According to Motherboard, dark web drug marketplace Dream Market went down for a few hours, which originally led users to believe the site was subject to an exit scam or law enforcement takeover.

However, when the site came back online, many people complained that their Bitcoin wallets were emptied. Operators claimed a “hard drive crash and a wallet file corrupted” that led to the outage and wiped Bitcoin wallets. It’s currently unclear exactly what caused the outage and what happened to the missing Bitcoin funds.

North Korea blamed for attacks against South Korean Bitcoin exchanges

According to InfoSecurity Magazine, North Korean state hackers are likely conducting spear-phishing attacks against South Korean Bitcoin exchanges to fund the regime and circumvent tightening sanctions. By targeting exchanges, North Korean hackers can steal cryptocurrency from online wallets, and either swap them for more anonymous forms of cryptocurrency, or send them to another wallet altogether on a different exchange to circumvent anti-money laundering rules in some countries.

Have any thoughts on any of the news I shared? Leave me a comment below and make sure to visit our blog next week for another edition of The Dashlane Tech Check. Also, don’t forget to follow us on Twitter to always be in the know!