Equifax note

September 12th, 2017

I share a tweaked version from the SANS Institute. In my opinion, steps 3, 4, and 5 are the most useful. #3 costs $5-10 per bureau and requires you to unfreeze each as needed - so be advised. I add that annualcreditreport.com is the only legitimate (by that I mean truly direct to the bureaus AND free of charge) way to check your credit once per year at the three main bureaus. Due to the volume of activity at the bureaus now, calling the phone numbers below may be the most effective way to act.

In addition to the options below for this incident, remember to stay wary, skeptical, and safe; do not click stuff that you do not trust.

Jim

Equifax is one of four credit rating services, called Credit Bureaus; the other three are ExperianTrans Union and Innovis. These companies harvest and sell your financial data and credit ratings, plus that of effectively every United States citizen. Equifax announced that they were hacked between mid-May through July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised, including names, Social Security Numbers, addresses and, in some instances, driver's license numbers. This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. This is not your fault. Companies collect a huge amount of data about people, data that you have no control over nor is there much you can do to protect it. This situation is Equifax's fault. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. Here are some steps that you might consider.

  1. Equifax Website: Equifax has created a website where you can learn more about the incident. One of the options they offer is you can check to see if your data is believed to be compromised. While this is a nice feature, operate under the assumption that your data has been hacked as Equifax could be wrong and/or is still trying to figure out what happened.
  2. Credit Monitoring: You can sign up for free for Equifax's TrustedID credit monitoring service (Note: you may be asked to come back later to set it up, it appears that Equifax is scrambling to get the free registration service functional. In addition, if you sign-up for the free service, you may limit certain legal recourse which you might have otherwise had.). Credit monitoring does NOT protect you from credit card fraud, this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent write-up by Brian Krebs on the limitations of Credit Monitoring.
  3. Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. A security freeze locks your credit scores so no one can access them. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you!) a loan or credit card. The challenge is that you have to manually setup and pay for a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. But then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details where you can submit for a credit freeze with each of the four credit bureaus.
  4. Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service where they notify you (via text or email) if a bank withdrawal or credit card charge is over a certain limit, or they can send you daily reports of your activity. We highly recommend that you enable at least one of these.
  5. Social Engineering Attacks: Be warned, in the coming days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. This is why we have an active security awareness program, to help you understand and defend against attacks like these.

If you do get hit with Identity Fraud, the FTC has created a site to help you recover. The Equifax situation will be fluid, so expect frequent new updates and findings. However, the behaviors above apply regardless of how the situation changes, so we recommend that you focus on those.

FREEZING UPDATE, from a commenter named Mike on Krebs' blog

SPECIFIC PHONE MENU OPTIONS TO SELECT:

Equifax: 866-349-5191 choose option 3 for a "Security Freeze"

Experian: 888-397-3742
- Press 2 "To learn about fraud or ADD A SECURITY FREEZE"
- Press 2 "for security freeze options"
- Press 1 "to place a security freeze"
- Press 2 "…for all others"
- Enter your info when prompted

Transunion: 888-909-8872
- Choose option 3, you'll be prompted to enter your zip code, SSN, and so on

Innovis: 800-540-2505
- Press 1 for English
- Press 3 "to place or manage an active duty alert or a SECURITY FREEZE"
- Press 2 "to place or manage a SECURITY FREEZE"
- Enter your info when prompted

Each automated system will try to push you to the company's website, ignore that! Some even make it sound as if you must go to their website to set up a credit freeze. But be patient, and you will soon hear an option to set up a credit freeze.

 

Posted by Jim Sherrill | Topic: News  | Category: Security

Subject Line - IT'S A TRAP!

October 20th, 2016

"Business E-mail Compromise," or BEC, is the name for malicious attempts to use a fake Reply-to field or a fake Display Name to compromise humans' money or information. For example, an attacker sends an e-mail with the Display Name set as that of the CEO. Employees without alert skepticism may respond to the implied trusted request, not noticing that the money or data is actually going to the attacker.

Here are the top ten recent BEC Subject Lines, in descending frequency:

  • Request
  • Payment
  • Urgent
  • hello
  • hi
  • Follow up
  • NO DATA
  • Quick One
  • Urgent Request
  • [blank]


The first five make up over 20% of the imposter e-mails.

In contrast, please review a list from one month of one address at MSA - one of our defensive layers blocks these messages from ever arriving in an Inbox. These messages have malicious content that encrypts files and forces you to pay a ransom or restore from a safe backup. Notice the variety in Subject Lines as well as the improbable From names & e-mail addresses. 

email block list


If you are not blocking these messages, please use caution and common sense before opening or previewing anything like these samples!



Posted by Jim Sherrill | Topic: News  | Category: Security

Maintain composure, do not click

September 20th, 2016

There are many versions now of the encrypting "ransomware" programs. Some not only encrypt your business documents but also delete critical files from your server and stop your operations entirely! The only sound way out after infection is to restore from backup - paying the ransom is almost never recommended.

How to reduce risk

  • As always, never open ANY suspicious attachments (e.g. zipped .js, .wsf or .vbs files)
  • Keep recent backup copies of important data in a secure place either online or offline
  • Ensure that your system and applications are fully updated and patched

 

Posted by Jim Sherrill | Topic: Tips  | Category: Security

I updated our list of safe software to use and safe places to get that software.

The paranoid among you will not trust any of these links (well done!) but will search for the tool or site name in a trustworthy search site. Yes it is cumbersome to get squared away but is your work and home information worth it?

Posted by Jim Sherrill | Topic: Tips  | Category: Security

STOP CLICKING

October 24th, 2014

We have helped a few sites where staff have infected their computer *and* server files. This behavior MUST stop and you have the power.

Delete the message. If you are thoughtless enough to open the message, then do not click any links.

This behavior works to prevent issues, every time, no matter how evil and virulent the malware is.

Do you ever get messages with any of these subject lines? You know what to not do. Do not trust anything in your inbox, do not open these. Ignore them all, delete them all. If it is legitimate, someone will contact you in another way. This list is only a sample, Bad Guys use similar and clever techniques.

  • USPS - Your package is available for pickup ( Parcel 173145820507 )  
    USPS - Missed package delivery ("USPS Express Services" <[email protected]>)
    USPS - Missed package delivery  
    FW: Invoice
    ADP payroll: Account Charge Alert  
    ACH Notification ("ADP Payroll" <*@adp.com>)
    ADP Reference #09903824430  
    Payroll Received by Intuit
    Important - attached form  
    FW: Last Month Remit
    McAfee Always On Protection Reactivation  
    Scanned Image from a Xerox WorkCentre
    Scan from a Xerox WorkCentre  
    scanned from Xerox
    Annual Form - Authorization to Use Privately Owned Vehicle on State Business  
    Fwd: IMG01041_6706015_m.zip
    My resume  
    New Voicemail Message
    Voice Message from Unknown (675-685-3476)  
    Voice Message from Unknown Caller (344-846-4458)
    Important - New Outlook Settings  
    Scan Data
    FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]  
    Payment Advice - Advice Ref:[GB2198767]
    New contract agreement.  
    Important Notice - Incoming Money Transfer
    Notice of underreported income  Notice of unreported income - Last months reports
    Payment Overdue - Please respond  
    FW: Check copy
    Payroll Invoice  
    USBANK
    Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages)  
    past due invoices
    FW: Case FH74D23GST58NQS  
    Symantec Endpoint Protection: Important System Update - requires immediate action

 

 

Posted by Jim Sherrill | Topic: Tips  | Category: Security

Save yourself!

January 11th, 2014

A quick note, it is important to be more paranoid of all attachments and links to web sites. This one is a authentic, serious  risk of permanently losing work or home files. Notice that it scans for files on network shares as well.

In addition to paranoia, I recommend downloading and installing this program with the default settings. I have done this on my work laptop and on my home computer.
http://www.foolishit.com/download/cryptoprevent-installer/



Read as much as you want about this nasty extortion process:
http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-26#entry3165383


From SANS:

--New Hampshire Town Lost Files to CryptoLocker
(January 7, 2014)
A New Hampshire town has lost eight years worth of computer files to the CryptoLocker ransomware. An employee at the Greenland, NH, town hall opened an attachment accompanying an email purporting to be from AT&T on December 26. The system administrator did not learn about the issue until four days later, after the deadline for paying the ransom had expired.
http://www.computerworld.com.my/resource/security/cryptolocker-scrambles-eight-years-of-data-belonging-to-us-town-hall/


Posted by Jim Sherrill | Topic: Tips  | Category: Security

Short story: On April 8, 2014, after you call to wish me a divine natal celebration, Microsoft stops patching XP. Before this amazing day, you should have replaced all your XP machines, or have them so severely disabled that they are nearly useless.

Longer story: There are many web pages advising about this issue, try https://startpage.com/do/search Because the long line of Microsoft operating systems (NT, 2000, XP, Vista, 7, 8, ...) share components --even today-- once a juicy exploit is discovered in say Windows 7, Bad Guys will use that exploit knowledge to create malicious code that will compromise XP.

XP that is connected to the internet or your network possibly exposes you to violation(s) of HIPAA requirements. This is because XP by April, 2014, will receive no security updates from Microsoft. You might say, "But we have anti-virus and anti-malware that is still updating!" Yes, but these new exploits may precede the detection and fix process in those protection softwares. The best plan is to replace XP as soon as you can. Reduce risk and be safe. Right. Now.

 

Windows Server 2003 has a similar fate in July 2015.

 

Postscript: Here are some of the relevant HIPAA regulations.

§164.306 Security standards: General rules.

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

 

§164.308 Administrative safeguards.

(a)

    (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

...

    (6)    (i) Standard: Security incident procedures.  Implement policies and procedures to address security incidents.

    (ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

 

 

 

Posted by Jim Sherrill | Topic: News  | Category: Security

Learn, think, be more cautious

October 11th, 2013

You had to learn your software tools to provide healthcare, the same skills and efforts are required to stay safe at work and at home.There are many ways to improve your knowledge and behaviors, here is a useful source: SANS tip of the day

Plus, did you read HIPAA §164.312 Technical safeguards yet? "Assign a unique name and/or number for identifying and tracking user identity." For your medical software products, each human must have their own name and password.

 

 

Posted by Jim Sherrill | Topic: Tips  | Category: Security

Medical Software Associates. 1021 McCallie Avenue. Chattanooga, TN 37403