Equifax, Cryptography, and the Anatomy of a Data Breach

Earlier this month, news broke of a hack at Equifax that potentially exposed the credit records of 143 million Americans. This was a catastrophic breach, leaking names, social security numbers, addresses, and other personal information to the attackers. As many as 200 thousand customers had their credit card numbers stolen as well.

The hack reminds us just how vulnerable our information can be if the hands that hold it fail to properly secure that data.

Equifax

On September 7th, Equifax reported on a series of security incidents they’d detected earlier in the year. Details were fuzzy at the time, but it’s since been disclosed that the attackers leveraged a known vulnerability in a piece of software used to power Equifax’s system.

Namely, Equifax uses the Apache Struts framework to power their web portals. In March, the Struts team identified a remote code execution (RCE) vulnerability in the component that parses and handles incoming requests. This vulnerability allowed an attacker to carefully craft HTTP requests that would escape from the framework and execute arbitrary commands on the server as if it were a logged-in user.

Despite a fix being available for this vulnerability, the Equifax team did not patch their servers for several months, leaving their system open to attack from any anonymous user on the network.

Further, much of the information on Equifax’s system was stored in plaintext. This included data stored for US customers and was shown to include data stored in systems representing other countries as well! This lack of data protection – encryption – means that the attackers walked away with the plaintext details of millions of individuals.

While the full details of the breach, the identity of the attacker(s), and the steps taken to remediate the intrusion are still not fully known, what we do know is there were at least two things Equifax could have done to prevent this breach. These two steps, while not a comprehensive security stance, are also ones you can take to protect your own business and customers.

Software Updates

The first thing many security experts noticed once the attack vector (an unpatched remote code execution vulnerability) was revealed was the fact that Equifax had been so lax with updates to their platform. The RCE had been identified and disclosed to the public in early March. It had been publicized with proof-of-concept exploit code that could manipulate vulnerable servers. It was being actively exploited by hackers in the wild within 3 days of disclosure.

As of July 29th, when Equifax detected the security breach, they had still not applied the Apache Struts patch to their system.

The one thing you can do right now to avoid a similar fate is to update the software running your systems to ensure it’s not exposing any known vulnerabilities. When a security patch is released, apply it immediately to limit any potential exposure to malicious parties seeking to exploit the hole.

End-to-end Encryption

Storing sensitive personal data in plaintext is never a good idea. If the application is breached, the data can be stolen. If the database is hacked, the data can be stolen. While some data is more sensitive than others, any private information should always be stored securely to minimize the potential for abuse and theft.

Full-disk encryption and transparent database encryption (like that available through services like Amazon RDS) are great ways to protect the data store itself. These tools will prevent parties outside of the system from eavesdropping on or stealing your data. Unfortunately, even database encryption wouldn’t have saved Equifax.

Application-level encryption limits the visibility and usability of data to a specific application (or user) in possession of the right decryption keys. It’s closer to an end-to-end encryption model where the data is encrypted when it goes into the system and only ever decrypted when it’s pulled out for a specific use. Further partitioning data so that certain parts or users of an application have limited access to encryption keys and the data they protect is another step you can take to minimize the impact of any of those keys being leaked.
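
The partitioning described above, as an added example (not code from Tozny or from any system named in this post): each class of field gets its own key, so a component holding only the card key cannot read Social Security numbers, and a ciphertext copied onto another record fails to decrypt. The function names, the `field:` label scheme, and the sample values are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo key; in practice this would live in a KMS or HSM, not in code.
const MASTER_KEY = crypto.randomBytes(32);

// Derive an independent 256-bit key per data partition (e.g. "ssn", "card") with HKDF.
function partitionKey(masterKey, partition) {
  const okm = crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), `field:${partition}`, 32);
  return Buffer.from(okm);
}

// Encrypt one field with AES-256-GCM. The record id is bound in as associated
// data, so the ciphertext is only valid for the record it was written to.
function encryptField(key, recordId, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(recordId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a stored field. Throws if the key, record id, or ciphertext is wrong.
function decryptField(key, recordId, blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(recordId));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// True when decryption is refused (wrong partition key, wrong record, or tampering).
function isRejected(key, recordId, blob) {
  try {
    decryptField(key, recordId, blob);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample: this is what the database row would hold instead of plaintext.
const ssnKey = partitionKey(MASTER_KEY, 'ssn');
const cardKey = partitionKey(MASTER_KEY, 'card'); // the only key a billing component gets
const storedSsn = encryptField(ssnKey, 'cust-1001', '000-00-0000');

console.log('stored value:', storedSsn);
console.log('billing key can read SSN:', !isRejected(cardKey, 'cust-1001', storedSsn));
console.log('SSN service can read SSN:', !isRejected(ssnKey, 'cust-1001', storedSsn));
```

An attacker who gains code execution inside one component still gets only the keys that component was given, which is the reduction in impact the partitioning is meant to buy.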

Implementing both database and application encryption would be considered a strong defense-in-depth approach to protecting data both at rest (on the disk) and in use (in the application’s logic layer). There is no sign, however, that Equifax took either step.

Proactive Data Protection

Tozny’s TozStore product aims to make this kind of application-level end-to-end encryption easier for developers. You build a form, add the TozStore SDK, and any submissions of that form are encrypted before they even get to the server, only being decrypted by parties with the appropriate authorization and only at the time the data is being used.

The full TozStore storage system powers complete end-to-end encryption for any data your application needs. The data is encrypted at rest, only decrypted when it’s used, and doesn’t even live on your server (so there’s no risk of it being stolen during a hack of your system in the first place).

Tozny’s SDKs for TozStore are publicly available, and the team is standing by to help you integrate truly secure storage with your application. Tozny does the heavy lifting so your team can focus on its immediate business rather than invest time understanding the ins and outs of different cryptographic approaches. Together, we can make sure your data – and your customers’ peace of mind – is safe and secure.

Wrap-up

Nothing can undo the mistakes made by Equifax. Nothing can undo the mistakes already made by thousands of other companies who’ve walked the same path. But there are tools that can help divert your path to safer ground. You can make sure your system is safe by applying security updates immediately and avoid being hacked through a known vulnerability months after it’s been publicized in the media. You can make sure the data in your system is safe by enforcing strong cryptographic practices to protect it from prying eyes or unauthorized third parties.

Tozny is here to help you protect your data. We publish the tools that keep your customers’ information safe. Together we can prevent your business from following in the footsteps of Equifax. Let’s stop the breaches before they happen.