Equifax: Pearl Harbor for SSNs (and it's Cybersecurity Awareness Month already)

Could there be a silver lining to the awful Equifax story? How about eliminating the social-security number as a personal identifier?

That's the hope of White House (ahem) “cybersecurity coordinator” Rob Joyce.

Not only that, but October is (ahem) Cybersecurity Awareness Month—Hurrah! In this week’s Security Blogwatch, we dare to be aware.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Outside



Dare to be aware

What’s the craic? As Nafeesa Syeed and Elizabeth Dexheimer report, Social Security Numbers Should Go:

The Trump administration is exploring ways to replace the use of Social Security numbers … in the wake of consumer credit agency Equifax Inc.’s massive data breach … according to Rob Joyce, special assistant to the president and White House cybersecurity coordinator.

Joyce’s comments came as former Equifax CEO Richard Smith testified before the House Energy and Commerce Committee. [He] said the rising number of hacks involving Social Security numbers have eroded its security value. … “The concept of a Social Security number … being private and secure -- I think it’s time … to think beyond that. … What is a better way to identify consumers?”

Joyce said officials are looking into “what would be a better system” that [uses] a “modern cryptographic identifier,” such as public and private keys.

While lawmakers were unanimous in criticizing Equifax’s response to a breach that compromised information on 145.5 million U.S. consumers, they were divided on how to fix the underlying issue. Democrats on the panel have reintroduced legislation imposing requirements for when companies have to report data breaches, while Oregon Republican Greg Walden noted … “you can’t fix stupid.”

Um, couldn’t we at least try? Laura Hautala has more on Joyce’s immodest proposal—Let's replace Social Security numbers:

It would be fair to ask what your Social Security number is even good for anymore. It's no longer really a secret form of identification, so let's think of something else.

Major data breaches often spur complaints that [it] was never intended to be a universal form of identification. … If we phase out Social Security numbers, though, we'll need something that won't just get compromised all over again.

But do infosec mavens agree? Does DropBear drop in the woods? [You’re fired -Ed.]

It boggles the mind. … What kind of idiot goes "you need to keep this number secret from strangers except of course any official of any organization who might conceivably need to ask for it, because those are all Good Guys"?!?

And kaur has this insight:

Immutable data should not have any value at all.

My name and SSN are assigned to me. I cannot choose or change them. Thus, they should have no business value, esp no value in the credit / financial context.

My address, my employment, my family are essentially fixed as well. Again - this data could be public. It should have no value.

Stopping the criminals won't work - as long as there is anything of value, there will be intent and crime to get it. The value itself must change.

Meanwhile, where’s my Equifax sitrep? Michael Riley, Jordan Robertson, Anita Sharpe, Dune Lawrence and Jennifer Surane say it Has the Hallmarks of State-Sponsored Pros:

The intruders used techniques that have been linked to nation-state hackers in the past. [Equifax] employees used to joke that [it] was just one hack away from bankruptcy.

On March 10, hackers scanning the internet … got a hit on an Equifax server in Atlanta, according to people familiar with the investigation. … They may not have immediately grasped the value of their discovery, but … that first group—known as an entry crew—handed off to a more sophisticated team of hackers.

The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say [it] has the hallmarks of similar intrusions [that] were ultimately attributed to hackers working for Chinese intelligence.

Others involved in the investigation aren't so sure, saying the evidence is inconclusive at best [or] that there is evidence that a nation-state may have played a role, but that it doesn't point to China.

So, in summary? Here’s milo “@adrjeffries” minderbinder:

Capitalism logically ends in Equifax.

Still, here’s some good news. It’s National (ahem) Cybersecurity Awareness Month again, thanks to NCSA and the DHS:

This October marks the 14th annual National Cyber Security Awareness Month … a far-reaching online safety awareness and education initiative co-founded and led by the National Cyber Security Alliance … and the U.S. Department of Homeland Security.

We all need to do our part to be safer online and, when we do, we make the internet more secure for everyone.

Yay! Amirite? Matt “@mattblaze” Blaze burns suitably sarcastic:

It’s National Cybersecurity Awareness Month. If you didn’t know cybersecurity is a mess, an Awareness Month will definitely do the trick.

Really? For the whole of October? Alex “@alexmarsh” Marsh’s heart sinks:

After the last several weeks, it feels like this should be every month.

But Jake “@MalwareJake” Williams disagrees:

I think we can end cybersecurity awareness month now. Everyone not living under a rock is aware that cybersecurity is pretty well ****ed...

And Kai “@kairoer” Roer is taking all this way too seriously:

Except that awareness does not change behaviors. Month or century - not helping. We need a change of focus-from awareness to behaviour training. And to relearn that there is no such thing as 100% security. Especially with people.

Meanwhile, Joseph “@josephmenn” Menn is fed up of shiny PR people:

To my friends in media relations: I am fully aware that it is Cybersecurity Awareness Month. No further bulletins are required. Thank you.

That's a situation to which Lorenzo “@lorenzoFB” Franceschi-B offers this neat solution:

BRB, going to set up an email filter to trash all emails mentioning "Cybersecurity Awareness Month"

The moral of the story? Recent events, culminating in the Equifax breach, have created a crisis that demands an alternative to SSN/address/birthdate—the standard identity-verification triple.

And Finally…

I’m going outside

Warning: may invoke feelings of, “What the heck did I just watch?”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.


Image source: Alexandra (cc0)
