
EQUIFAX BREACH

INFORMATION SECURITY PRESENTATION

By: Satyanarayana Gokavarapu
UTA ID: 1001537960
POINTS TO TALK
• What is Equifax? What is the Equifax breach?
• What information was jeopardized in the breach?
• Who is affected? How can an individual find out whether he or she was affected by this breach?
• How to protect yourself from this breach?
• Cause of this breach
• Resources
EQUIFAX BREACH
• Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.
• In this breach the data at risk includes:
  • Social Security numbers
  • Birth dates
  • Addresses
  • Driver license numbers (some)
  • Credit card numbers (209,000 U.S. consumers)
  • Certain dispute documents with personal identifying information (around 182,000 U.S. consumers)
  • Card numbers, expiry date and cardholder's name
• Fraudsters can use this information to conduct e-commerce fraud at online merchants.
WHO IS AFFECTED BY THIS BREACH
• 143 million Americans
• UK residents (some)
• Canada residents (some)
HOW TO CHECK WHETHER YOU ARE AFFECTED BY THE BREACH
• Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — www.equifaxsecurity2017.com — that tried to let people determine whether they were affected.
• Credit monitoring does not prevent thieves from using your identity; it only alerts you soon after an ID thief steals your identity and helps you recover from it.
• In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.
HOW TO PROTECT YOURSELF FROM THIS BREACH?
• File a security freeze — also known as a credit freeze — with the four major credit bureaus.
• A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).
• Freezing your credit involves notifying each of the major credit bureaus (Equifax, Experian, Innovis and Trans Union) that you wish to place a freeze on your credit file.
• A freeze can be requested online, by phone or in writing.
• The bureau provides a unique personal identification number (PIN) to unfreeze.
• It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.
CAUSE FOR BREACH
• The breach at Equifax reportedly dates back to November 2016, and perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax’s Web sites.
• Equifax stated that hacker(s) downloaded the data in one fell swoop in mid-May 2017. The attacker accessed a storage table that contained historical credit card transaction related information before mid-May 2017.
• On July 29, 2017, Equifax said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.
• Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called Apache Struts (CVE-2017-5638).
• The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a “zero-day” vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.
• By March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online — making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.
• Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on annualcreditreport.com — the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.
• The Apache Struts flaw also was present in Experian’s Web properties.
• It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn’t discovered until July 29, 2017.
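An added example, not part of the original presentation or of any Equifax or Apache tooling: a Python inventory check that walks a directory tree for struts2-core jars, including those bundled inside .war/.ear archives, and flags versions in the affected ranges this deck quotes for CVE-2017-5638 (2.3.x before 2.3.32, 2.5.x before 2.5.10.1). The jar file-name pattern and the scan root are assumptions.

```python
import os
import re
import sys
import zipfile

# First fixed release per branch, from the ranges quoted in this deck.
# Branches the deck does not mention are reported as not affected.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
# Assumed naming: the Maven artifact name struts2-core-<version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def _pad(parts, width):
    """Right-pad a version tuple with zeros so 2.5.10 compares as 2.5.10.0."""
    return parts + (0,) * (width - len(parts))


def is_affected(version):
    """True if a dotted version string is below the fixed release of its branch."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return False
    width = max(len(parts), len(fixed))
    return _pad(parts, width) < _pad(fixed, width)


def find_struts(root):
    """Return sorted (location, version, affected) for every struts2-core jar
    under root, looking inside .war/.ear archives as well as loose files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            candidates = [name]
            if name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    candidates = [f"{name}!{entry}" for entry in zf.namelist()]
            for cand in candidates:
                m = JAR_RE.search(cand)
                if m:
                    loc = os.path.join(dirpath, cand)
                    hits.append((loc, m.group(1), is_affected(m.group(1))))
    return sorted(hits)


if __name__ == "__main__":
    for loc, ver, bad in find_struts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED" if bad else "ok", ver, loc)
```

Jars nested more than one archive deep, or renamed without the version in the file name, are not found by this check.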
CVE-2017-5638, annualcreditreport.com, Unpatched, PoC, Example
TL;DR: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as shown above.
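One way to detect the crafted Content-Type header described above, as an added example rather than code from the original deck or from Apache: validate the header value against the media-type grammar and flag the #cmd= marker. The %{ and ${ markers, the 256-character ceiling and the sample records are assumptions constructed for illustration.

```python
import re

# RFC 7230 "token" characters; a media type is token "/" token plus parameters.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*$"
)
# "#cmd=" is the marker named in the CVE summary on this page; "%{" and "${"
# are OGNL expression delimiters, added here as an assumption.
MARKERS = ("#cmd=", "%{", "${")
MAX_LEN = 256  # assumed ceiling; legitimate Content-Type values are short


def inspect_content_type(value):
    """Return the reasons a header value is suspicious (empty list = clean)."""
    reasons = []
    if len(value) > MAX_LEN:
        reasons.append("oversized")
    if not MEDIA_TYPE.match(value):
        reasons.append("not-a-media-type")
    reasons += [f"marker:{m}" for m in MARKERS if m in value]
    return reasons


def scan(records):
    """records: iterable of (client, content_type); return the flagged ones."""
    return [(c, ct, r) for c, ct in records if (r := inspect_content_type(ct))]


# Constructed sample records; the flagged values are inert placeholders.
SAMPLE = [
    ("198.51.100.7", "multipart/form-data; boundary=----WebKitFormBoundaryAbC123"),
    ("198.51.100.8", "application/json; charset=utf-8"),
    ("203.0.113.9", "%{PLACEHOLDER #cmd=PLACEHOLDER}.multipart/form-data"),
    # Parses as a valid media type, so only the marker check catches it.
    ("203.0.113.10", 'multipart/form-data; boundary="${PLACEHOLDER}"'),
]

if __name__ == "__main__":
    for client, ct, reasons in scan(SAMPLE):
        print(client, reasons, ct[:60])
```

Rejecting any request whose Content-Type fails the grammar check at a reverse proxy or WAF limits exposure while patched Struts versions are rolled out; it does not replace the upgrade.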
RESOURCES
• https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/#more-40773
• https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/
• http://xss.cx/2017/03/12/txt/cve-2017-5638-annualcreditreportcom-exploit-poc-content-type-http-header-example.html
• https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
