Equifax Security Breach & Credit Freezes

By now, you’ve heard of the Equifax security breach. There’s plenty of coverage on it so I won’t go into detail here.

However, a friend asked me what I felt they should do next and I figured I’d share my recommendation (which really goes for any security breach that affects your personally identifiable information.)

We might all as well do three things:

  1. Go to Equifax’s website to see if we might be victims of this latest breach: https://www.equifaxsecurity2017.com. They have a handy tool for you to check if you’re part of the breach.
  2. Sign up for the free credit monitoring that Equifax is providing (if available to you, on the same website)
  3. Consider signing up to freeze your credit report.

It’s this last one I want to discuss in more detail. The Identity Theft Resource Center has some great info on the pros and cons of credit freezes. There’s often a cost associated with freezing (and thawing) your credit report for long periods of time, and sometimes you have to be a victim of ID theft to start. Worse, the rules vary state to state. But it makes me wonder: why isn’t this the default setting for all consumers?

Why isn’t our credit frozen automatically and easy to thaw (by the consumer) with minimal hassle? Especially since these credit companies are collecting information about us without our explicit consent, it seems that consumers should have better defense against ID theft than simple credit monitoring, which is generally clunky and temporary. Criminals have great patience and they know the monitoring only lasts one to two years.

If thawing one’s report to sign up for new credit was easy, there’s really no reason from a consumer perspective why we wouldn’t want to enable this fundamental and powerful privacy feature.

Infragard Social Media and Public Safety Event

Recently the San Diego chapter of Infragard invited me to speak at our “Social Media and Public Safety” event on May 23rd. The event was held at the beautiful Irwin Jacobs auditorium at Qualcomm’s headquarters. It’s a fantastic facility for such events.

I gave a talk on “Social Media 101” to explain some of the basics of common social media and why emergency and incident responders should be using it. It’s not often that information security professionals talk up the importance of using social media, mostly because we’re so busy preaching why they are so bad for security and privacy. But they are valuable tools that emergency responders can ignore only at their peril. My premise is that if we don’t understand how to use such tools ourselves, how can we help others protect themselves online?

SDG&E arrived to demonstrate their new Incident Command Trailer. Very cool.

My conclusion? Get involved! Use the tools. Learn the culture. Pick a topic you care about and aren’t worried about from a privacy perspective (like fishing for example!) and post only about that. Anything is better than nothing and nothing is what the bad guys are hoping we will do.

While the event was going on, we used the Twitter hashtag #sdcssm, which was trending locally in San Diego until at least 9pm that night. Take that, #songstogetlaidby!

For those interested in a copy of my presentation, I’ve made it available here.

What happened to ‘normal’?

By now you may have heard that the Department of Homeland Security has changed its terror alert system from the old color-coding scheme to a much simpler one: Elevated and Imminent.

While most security professionals can agree the old system was vague and confusing, and that the new one should do much to clear that up, I wonder if anyone else has noticed the change in perspective.

As of now, America has only two states of security-being: “High alert,” and “Oh my god, we’re under attack!”

Is that it? Are we stuck forever in the mindset that we are under siege? There’s no chance things could ever return to “normal”, that is, a state of low alert?

I realize there are politics involved in a ‘low threat’ state. No one wants to be the one to change the terror threat state to ‘low’ and then suffer an attack that leaves people thinking the change was premature. And budgets are cut when things are in a low threat state.

But can’t we at least maintain the hope that there exists the possibility that our security status could someday be low threat? Or have we bought into the fact that we have lost this war and that credible threats somewhere in the world will always be plotting against us with a reasonable chance to cause us harm?

Why am I uncomfortable that in the best of times, our state of alert will be “elevated?” Is it just choice of words? Words, as they say, do have meaning. Is it out of the realm of our conventional wisdom anymore to simply be “vigilant?”

Mystic Rain Workshop

A few years ago I put together a blended threat incident response workshop for the San Diego chapter of Infragard with the help of the local chapter and some excellent volunteers.

Mystic Rain is an incident response workshop designed to highlight the relationship between physical and cyber security threats. I hosted the workshop for the San Diego chapter of Infragard in 2009.

You can run the same workshop! Here’s all the resources (550K, zipped) including instructions on how to run it.

This timed workshop is a great tool for a large group of people (10+) divided into teams and helped by table proctors to consider threats outside their daily roles as physical or cyber security professionals.

Forensic Paper

Years ago I had to write this extensive paper to earn a GIAC Certified Forensics Analyst title.

Christopher Vera – SANS GCFA Practical v.1.3
Analysis of Unknown Binary, Forensic Tool Validation, and Legal Issues of Incident Handling for GIAC Certified Forensic Analyst Certification, Version 1.3
Abstract: The investigator analyzes an unknown binary using several Linux and Windows forensic tools, revealing an ICMP Backdoor; tests Dependency Walker as a forensic tool for analyzing unknown Windows binaries; and explores the legal issues of a system administrator of an imaginary ISP sharing possible forensic evidence with a government agent acting under color of law.