Equifax note

September 12th, 2017

I share a tweaked version from the SANS Institute. In my opinion, steps 3, 4, and 5 are the most useful. #3 costs $5-10 per bureau and requires you to unfreeze each as needed - so be advised. I add that annualcreditreport.com is the only legitimate (by that I mean truly direct to the bureaus AND free of charge) way to check your credit once per year at the three main bureaus. Due to the volume of activity at the bureaus now, calling the phone numbers below may be the most effective way to act.

In addition to the options below for this incident, remember to stay wary, skeptical, and safe; do not click stuff that you do not trust.

Jim

Equifax is one of four credit rating services, called Credit Bureaus; the other three are ExperianTrans Union and Innovis. These companies harvest and sell your financial data and credit ratings, plus that of effectively every United States citizen. Equifax announced that they were hacked between mid-May through July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised, including names, Social Security Numbers, addresses and, in some instances, driver's license numbers. This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. This is not your fault. Companies collect a huge amount of data about people, data that you have no control over nor is there much you can do to protect it. This situation is Equifax's fault. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. Here are some steps that you might consider.

  1. Equifax Website: Equifax has created a website where you can learn more about the incident. One of the options they offer is you can check to see if your data is believed to be compromised. While this is a nice feature, operate under the assumption that your data has been hacked as Equifax could be wrong and/or is still trying to figure out what happened.
  2. Credit Monitoring: You can sign up for free for Equifax's TrustedID credit monitoring service (Note: you may be asked to come back later to set it up, it appears that Equifax is scrambling to get the free registration service functional. In addition, if you sign-up for the free service, you may limit certain legal recourse which you might have otherwise had.). Credit monitoring does NOT protect you from credit card fraud, this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent write-up by Brian Krebs on the limitations of Credit Monitoring.
  3. Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. A security freeze locks your credit scores so no one can access them. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you!) a loan or credit card. The challenge is that you have to manually setup and pay for a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. But then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details where you can submit for a credit freeze with each of the four credit bureaus.
  4. Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service where they notify you (via text or email) if a bank withdrawal or credit card charge is over a certain limit, or they can send you daily reports of your activity. We highly recommend that you enable at least one of these.
  5. Social Engineering Attacks: Be warned, in the coming days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. This is why we have an active security awareness program, to help you understand and defend against attacks like these.

If you do get hit with Identity Fraud, the FTC has created a site to help you recover. The Equifax situation will be fluid, so expect frequent new updates and findings. However, the behaviors above apply regardless of how the situation changes, so we recommend that you focus on those.

FREEZING UPDATE, from a commenter named Mike on Krebs' blog

SPECIFIC PHONE MENU OPTIONS TO SELECT:

Equifax: 866-349-5191 choose option 3 for a "Security Freeze"

Experian: 888-397-3742
- Press 2 "To learn about fraud or ADD A SECURITY FREEZE"
- Press 2 "for security freeze options"
- Press 1 "to place a security freeze"
- Press 2 "…for all others"
- Enter your info when prompted

Transunion: 888-909-8872
- Choose option 3, you'll be prompted to enter your zip code, SSN, and so on

Innovis: 800-540-2505
- Press 1 for English
- Press 3 "to place or manage an active duty alert or a SECURITY FREEZE"
- Press 2 "to place or manage a SECURITY FREEZE"
- Enter your info when prompted

Each automated system will try to push you to the company's website, ignore that! Some even make it sound as if you must go to their website to set up a credit freeze. But be patient, and you will soon hear an option to set up a credit freeze.

 

Posted by Jim Sherrill | Topic: News  | Category: Security

Subject Line - IT'S A TRAP!

October 20th, 2016

"Business E-mail Compromise," or BEC, is the name for malicious attempts to use a fake Reply-to field or a fake Display Name to compromise humans' money or information. For example, an attacker sends an e-mail with the Display Name set as that of the CEO. Employees without alert skepticism may respond to the implied trusted request, not noticing that the money or data is actually going to the attacker.

Here are the top ten recent BEC Subject Lines, in descending frequency:

  • Request
  • Payment
  • Urgent
  • hello
  • hi
  • Follow up
  • NO DATA
  • Quick One
  • Urgent Request
  • [blank]


The first five make up over 20% of the imposter e-mails.

In contrast, please review a list from one month of one address at MSA - one of our defensive layers blocks these messages from ever arriving in an Inbox. These messages have malicious content that encrypts files and forces you to pay a ransom or restore from a safe backup. Notice the variety in Subject Lines as well as the improbable From names & e-mail addresses. 

email block list


If you are not blocking these messages, please use caution and common sense before opening or previewing anything like these samples!



Posted by Jim Sherrill | Topic: News  | Category: Security

Maintain composure, do not click

September 20th, 2016

There are many versions now of the encrypting "ransomware" programs. Some not only encrypt your business documents but also delete critical files from your server and stop your operations entirely! The only sound way out after infection is to restore from backup - paying the ransom is almost never recommended.

How to reduce risk

  • As always, never open ANY suspicious attachments (e.g. zipped .js, .wsf or .vbs files)
  • Keep recent backup copies of important data in a secure place either online or offline
  • Ensure that your system and applications are fully updated and patched

 

Posted by Jim Sherrill | Topic: Tips  | Category: Security

I updated our list of safe software to use and safe places to get that software.

The paranoid among you will not trust any of these links (well done!) but will search for the tool or site name in a trustworthy search site. Yes it is cumbersome to get squared away but is your work and home information worth it?

Posted by Jim Sherrill | Topic: Tips  | Category: Security

STOP CLICKING

October 24th, 2014

We have helped a few sites where staff have infected their computer *and* server files. This behavior MUST stop and you have the power.

Delete the message. If you are thoughtless enough to open the message, then do not click any links.

This behavior works to prevent issues, every time, no matter how evil and virulent the malware is.

Do you ever get messages with any of these subject lines? You know what to not do. Do not trust anything in your inbox, do not open these. Ignore them all, delete them all. If it is legitimate, someone will contact you in another way. This list is only a sample, Bad Guys use similar and clever techniques.

  • USPS - Your package is available for pickup ( Parcel 173145820507 )  
    USPS - Missed package delivery ("USPS Express Services" <[email protected]>)
    USPS - Missed package delivery  
    FW: Invoice
    ADP payroll: Account Charge Alert  
    ACH Notification ("ADP Payroll" <*@adp.com>)
    ADP Reference #09903824430  
    Payroll Received by Intuit
    Important - attached form  
    FW: Last Month Remit
    McAfee Always On Protection Reactivation  
    Scanned Image from a Xerox WorkCentre
    Scan from a Xerox WorkCentre  
    scanned from Xerox
    Annual Form - Authorization to Use Privately Owned Vehicle on State Business  
    Fwd: IMG01041_6706015_m.zip
    My resume  
    New Voicemail Message
    Voice Message from Unknown (675-685-3476)  
    Voice Message from Unknown Caller (344-846-4458)
    Important - New Outlook Settings  
    Scan Data
    FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]  
    Payment Advice - Advice Ref:[GB2198767]
    New contract agreement.  
    Important Notice - Incoming Money Transfer
    Notice of underreported income  Notice of unreported income - Last months reports
    Payment Overdue - Please respond  
    FW: Check copy
    Payroll Invoice  
    USBANK
    Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages)  
    past due invoices
    FW: Case FH74D23GST58NQS  
    Symantec Endpoint Protection: Important System Update - requires immediate action

 

 

Posted by Jim Sherrill | Topic: Tips  | Category: Security

Medical Software Associates. 1021 McCallie Avenue. Chattanooga, TN 37403