Following Equifax breach, CEO doesn't know if data is encrypted
News roundup: Following the massive Equifax breach, the CEO said he doesn't know if customer data is encrypted or not. Plus, flaws were found in IEEE's P1735 standard, and more.
Equifax's interim CEO said during a congressional hearing that he doesn't know whether or not the company now encrypts customer data.
Equifax alerted the public in September 2017 to a massive data breach that exposed the personal and financial information -- including names, birthdays, credit card numbers and Social Security numbers -- of approximately 145 million customers in the United States to hackers. Following the Equifax breach, the former CEO Richard Smith and the current interim CEO Paulino do Rego Barros Jr. were called to testify before the Committee on Commerce, Science, and Transportation this week for a hearing titled "Protecting Consumers in the Era of Major Data Breaches."
During the hearing, Sen. Cory Gardner (R-Colo.) questioned Smith and Barros about Equifax's use of -- or lack of -- encryption for customer data at rest. Smith confirmed that the company was not encrypting data at the time of the Equifax breach, and Gardner questioned whether or not that was intentional.
"Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith.
Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest.
"So, a decision was made to leave it unencrypted at rest?" Gardner pushed.
"Correct," Smith responded.
Gardner moved on to Barros and asked whether he has implemented encryption for data at rest since he took over the position on Sept. 26.
Barros began to answer by saying that Equifax has done a "top-down review" of its security, but Gardner interrupted, saying it was a yes or no question. Barros stumbled again and said it was being reviewed as part of the response process, and Gardner pushed again.
"Yes or no, does the data remain unencrypted at rest?"
"I don't know at this stage," Barros responded.
Gardner appeared stunned by Barros' answer and pointed out that a lack of encryption was essentially what caused this massive Equifax breach. Smith attempted to make the situation better.
"Senator, if I may. It's my understanding that the entire environment [in] which this criminal attack occurred is much different; it's a more modern environment with multiple layers of security that did not exist before. Encryption is only one of those layers of security," Smith said.
Also testifying at the hearing was a panel of experts in security and privacy, as well as the former CEO of Yahoo Inc., which revealed in September 2017 that its data breach in 2013 affected 3 billion user accounts.
Gardner deferred to Todd Wilkinson, the president and CEO of Entrust Datacard, who was a member of the panel, and asked Wilkinson whether it is irresponsible not to encrypt customer data at rest. Wilkinson pointed out that industry standards such as PCI DSS require retailers and others to encrypt precisely the kind of information that Equifax did not encrypt.
Equifax still faces over 240 class action suits following the data breach, including lawsuits from multiple classes of consumers, as well as shareholders and financial institutions that claim to be affected by the breach.
In other news
- A group of researchers from the University of Florida has discovered several vulnerabilities in IEEE's P1735 cryptography standard. P1735 is supposed to encrypt intellectual property used in chip design so it can't be reverse engineered and taken advantage of for free. Animesh Chhotaray, Adib Nahiyan, Domenic Forte, Mark Tehranipoor and Thomas Shrimpton took a closer look at the P1735 standard in their paper, "Standardizing Bad Cryptographic Practice." "We find a surprising number of cryptographic mistakes in the standard," the researchers said. "In the most egregious cases, these mistakes enable attack vectors that allow us to recover the entire underlying plaintext [intellectual property] IP." Some of the flaws found in the standard enable hackers to decrypt the IP protected by P1735 and alter it to inject hidden malware. "Some of these attack vectors are well-known, e.g. padding-oracle attacks," the research group said. "Others are new, and are made possible by the need to support the typical uses of the underlying IP; in particular, the need for commercial system-on-chip (SoC) tools to synthesize multiple pieces of IP into a fully specified chip design and to provide syntax errors."
- Security experts have found a faster, more affordable way to exploit chips from Infineon Technologies. The flaw, known as Return of Coppersmith's Attack, or ROCA, is in Infineon's key generation library for RSA encryption and could enable attackers to steal the keys of vulnerable devices. ROCA was first made public in October 2017 by researchers from the Czech Republic, the U.K. and Italy. However, this week, two other security researchers, Daniel J. Bernstein and Tanja Lange, published a blog post that showed a faster, cheaper way to exploit the flaw, which was originally dismissed as being too difficult and too expensive to register as a major threat. The affected devices include Gemalto's IDPrime .NET smart cards and Estonia's national ID cards. The primary concern is that the flaw in the chips could result in voter fraud, as Estonia's citizens use their ID cards to vote. Previously, it was thought that hacking just one ID card would cost $80,000, but the new research shows a way to do it for $20,000.
- It's now known that a previously disclosed kill switch in the code of Intel's Management Engine (ME) can be exploited via a USB port. The Intel ME is an embedded subsystem on most Intel chips manufactured since 2008 and functions as its own CPU, separate from the CPU and operating system of the device. It was previously assumed that the Intel ME was secured against attacks, but in August 2017, Positive Technologies disclosed its findings that there is a way to disable the Intel ME. Now, it's been revealed that recent versions of Intel ME feature Joint Test Action Group (JTAG) debugging ports that can be reached through USB ports. JTAG gives hackers access to the code running on the chip and thus the firmware. This means Intel ME is less secure than previously thought, as access to the firmware can expose any number of exploitable security vulnerabilities to hackers.