Could be worse
Remember, it always can be worse, it could be PriceWaterhouseCoopers, the "audit" company responsible for "audits" of each of the hacked CAs (including Diginotar).
Back in March, remote desktop specialist Citrix admitted hackers had romped through its core systems, and had purloined internal business documents. Now we're finding out the intrusion was much worse than first thought. A letter [PDF] to the California Attorney General this week, required by law following a hack of this nature …
Password spraying is the new euphemism for companies that don't like to say they were brute-forced. However, the addition of "spraying" does make it more evocative, rather likening the quality of numerous Citrix employees' passwords to what a sick tomcat sprays around the house.
Password spraying is the new euphemism for companies that don't like to say they were brute-forced
"Brute-forced" is a general term. "Password spraying" refers to one particular type of brute-force attack: brute-forcing by iterating user IDs against each of a set of commonly-used passwords.
It's true the technique is considerably older than the term. Google Ngram Viewer doesn't find any instance of the phrase in its corpus, which extends to 2008, so it seems to have been coined within the past decade (and in fact I don't recall hearing it for more than the past year or two). On the other hand, I recall a paper proposing this sort of attack against online banking systems that used short PINs and account numbers for authentication; that was around 2000. I imagine there are earlier examples, and of course there are analogues in physical security such as the use of dates for combination-lock numbers.
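The distinction drawn in the comment above, seen from the defender's side, as an added example that is not part of the original thread: a spray shows up in authentication logs as one source failing once or twice against many accounts, while classic brute force is many failures against one account. The log format, thresholds and addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, source IP, user, result.
SAMPLE_LOG = """\
2019-03-01T02:00:01 198.51.100.7 alice FAIL
2019-03-01T02:00:02 198.51.100.7 bob FAIL
2019-03-01T02:00:03 198.51.100.7 carol FAIL
2019-03-01T02:00:04 198.51.100.7 dave FAIL
2019-03-01T02:00:05 198.51.100.7 erin FAIL
2019-03-01T02:20:03 198.51.100.7 carol OK
2019-03-01T03:00:01 203.0.113.9 admin FAIL
2019-03-01T03:00:02 203.0.113.9 admin FAIL
2019-03-01T03:00:03 203.0.113.9 admin FAIL
2019-03-01T03:00:04 203.0.113.9 admin FAIL
2019-03-01T03:00:05 203.0.113.9 admin FAIL
2019-03-01T09:00:01 192.0.2.20 gina FAIL
2019-03-01T09:00:09 192.0.2.20 gina OK
"""

def parse(log):
    rows = (line.split() for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), src, user, res == "OK")
                  for ts, src, user, res in rows)

def classify_sources(events, window=timedelta(minutes=30), min_users=5, min_tries=5):
    """Label each source by the shape of its failed logins in a sliding window."""
    fails = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            fails[src].append((ts, user))
    verdicts = {}
    for src, rows in fails.items():
        verdicts[src], start = "normal", 0
        for end, (ts, _) in enumerate(rows):
            while ts - rows[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in rows[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= 2:
                verdicts[src] = "spray"        # many accounts, few guesses each
                break
            if max(per_user.values()) >= min_tries:
                verdicts[src] = "brute-force"  # one account, many guesses
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts with a successful login from a source labelled as spraying."""
    return sorted({user for _, src, user, ok in events
                   if ok and verdicts.get(src) == "spray"})
```

A per-account lockout counter never fires on the first source here, which is why the grouping is by source rather than by user. A spray paced slower than the window, or spread across many sources, needs a longer window or grouping by another attribute.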
I think this is an Inverse Hanlon: at least as much malice as stupidity.
The credit-reporting agencies offer these "free credit monitoring" services cheaply to breach victims like Citrix, because the agencies can then try to sell their paid monitoring services to the recipients. Sometimes they just start billing after the free year to see how many people pay without checking what they're paying for.
It's a scam on both sides. The breached company uses it as a PR move, and the credit bureau gets a marketing opportunity. Presumably Equifax just offered Citrix the best deal.
Now that credit freezes are free everywhere in the US, the best bet is to ignore credit monitoring services (or if you take one of these free offers, be sure not to end up paying for it later) and freeze your accounts. Freeze with all the agencies, not just the big three; you can find comprehensive lists of them online. (Krebs' blog is one source.) If you have minor children, freeze their accounts too; children are a favorite target of some identity thieves because it's often years before anyone notices.
Some of the bureaus do a lousy job of handling freezes (shockingly, their security isn't any better here), and they all try to steer customers away from freezes to proprietary "credit protection" offerings that let the bureaus continue to make money off your account. But a real freeze is still your best bet.
If you missed an exploitable flaw in your software during QA, what makes you think that you're going to find it on a second look? Of course that assumes they even bothered with QA or security testing in the first place...
The average American has approximately 30 free offers of credit monitoring for one year available to them. How about offers of 1 year + of free housing for the people responsible in these companies (usually top management that didn't want to bother to spend the money) for failure to secure their networks, preferably at a Federal Super Max hotel. As for Equifax, do you know how much money they made due to their big data breach? A lot, since they used it to offer an extra level of security services to those people whose data they failed to protect in the first place.
Hey, this makes me think of something. There are basically 3 credit bureaus, at least in N America, right?
How about, instead of 1 year free monitoring on their system, the law is changed to require 1 year free on their competitor’s system? Might focus corporate attention on security somewhat.
But still like jail time for gross negligence. From peon to CEO, if warranted.
Yup, given their offerings Citrix falling for password spraying and mislaying 6TB of data transfer over 5 months is a bit like an accountant failing 3rd grade math. 8-/
That’s one domain AI/ML might help: spotting anomalous network usage patterns. Seems like a number of vendors are aiming for that.
There are basically 3 credit bureaus, at least in N America, right?
Nope. There are three big ones, and a handful of smaller, specialized ones, which are just as vulnerable. Trying to make sure you've frozen your accounts everywhere is fun.
In any case, "free" credit monitoring is mostly just marketing, venturing as close as possible to outright fraud. The bureaus make an effort to convince people that they should either extend or enhance their free monitoring with paid services.
We have found no indication that the threat actors discovered and exploited any vulnerabilities in our products or services to gain entry.
If I were said international cyber crims I would also ransack an area of the network that made it look like I'd got in a certain way and only made off with email addresses and social security details which would keep them occupied for a fair while worrying about ID theft (as well as providing potential income and future attack avenues). In the meantime I'd be rifling the shit out of the rest of the network because, let's face it, they don't seem as if they have a f*cking clue and it's likely that's what they were after all along. I would be nervous if I were using their kit on the perimeter.
It's like a burglary when you throw the contents of some drawers on the floor and make the place look a mess whilst taking some obvious jewellery but you've also taken copies of confidential business materials and made copies of keys and hard drives - the bit you actually came for. Everyone thinks it was "just junkies" etc.