Equifax Just Loves Making Itself a Target

PLUS: Allegations Against German BSI Head Are Embarrassingly Thin

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Credit-reporting firm Equifax used its own data holdings to identify 25 of its own employees working multiple full-time jobs simultaneously, then fired 24 of them. In doing so, it revealed the extent to which it's aggregating sensitive employment information.

A man wearing a red shirt with a target running through the Bayou, Midjourney

Being "overemployed", secretly working multiple full-time jobs, is a trend. Equifax used one of its own products, The Work Number, to identify employees whose pay periods overlapped with pay periods at other companies. It then combined this with other data, including VPN usage, manager reports and unexplained absences during the workday, to identify 25 employees working multiple full-time jobs. A further 283 contractors were also identified as potentially working two jobs, although it is not clear what happened to them.

While The Work Number product has existed since 2007, it has massively grown in scope over the last couple of years. The company's 2021 annual report states The Work Number is "now receiving records every pay period from 2.5 million companies, up from 1 million when we started 2021 and 27,000 contributors a short two-plus years ago".

The authors of the Business Insider report state:

The authors of this piece requested their own TWN reports and found that almost every job both had ever held was listed in the report. In one author's case, this included all salaried positions since graduating college in 2013, as well as a job working in the college library as a student.

In the other author's case, the report dated back to a student gig calling his college's alumni and asking for donations in 2010. Every paycheck he'd received in three jobs held since 2014 was also in the report.

The only things missing from his report were two unpaid internships and a high-school job in a restaurant kitchen.

At first glance it is surprising that Equifax holds such detailed payroll information, but digging further it actually makes business sense. It aggregates payroll information from employers to form a central clearing house that provides benefits for businesses, employers and individuals. Businesses can use it to check prospective customers' income and employment history before providing credit; employers don't have to service employment and income checks from businesses; and individuals benefit from faster loan processing.

These transactions would still occur without Equifax, just more slowly, and you could even argue that a competent centralised body could operate more securely than the millions of employers and businesses could on their own. In effect, Equifax is being paid to make the exchange of otherwise private information easier and faster. It seems like a good business and Equifax has launched an equivalent service, the Workforce Solution Verification Exchange, in Australia, Canada, India, and the UK.

Equifax has already turned The Work Number into a new product, Talent Report Employment Monitoring, to "monitor your employee's post-hire employment status". Equifax "saved" USD$3.2m in salaries by firing its overemployed workforce, although we doubt those people were doing absolutely nothing at all in their jobs so the actual savings will only be a percentage of that figure. Still, Equifax can advertise an ROI for this service so it'll probably do well.

One question from a government policy perspective is whether the benefits stemming from the aggregation of all this employment data in one place are worth the risk. One way to tackle this is to make sure that security standards are high and that Equifax understands that it will be held accountable for data breaches. But the aggregation of everyone's employment history within a single company is a giant target for Chinese hackers, and they've breached Equifax at least once already.

More philosophically, should limits be placed on the use of this data? Should it be used to investigate employees like this?

Equifax's use of The Work Number to identify overemployed workers has created some buzz on the /r/overemployed subreddit devoted to working multiple jobs. One piece of sage advice offered there: "Rule 1.2, do not OE at Equifax" [OE is overemploy, ie take a second job]. Another piece of advice for those seeking to be overemployed: you can freeze your data report at The Work Number or opt out from the Verification Service.

It's hard to feel much sympathy for Equifax's laid-off workers, however. Some called into Equifax interviews conducted as part of the overemployment investigation from other work sites and others were working three jobs! And after all, even though they've been fired they already have another job to go to.

Allegations Against German BSI Head Are Clear as Mud

The head of Germany's national cyber security organisation (the BSI), Arne Schönbohm, has been suspended following reports of possible ties to Russian intelligence, despite the allegations levelled against him looking embarrassingly thin. Most news outlets are reporting Schönbohm has been fired, but the removal will not be final until an investigation into his conduct is completed.

Schönbohm co-founded the Cyber Security Council Germany, a membership organisation, in 2012, and the major allegation levelled against him is that one of its members was a company founded by a former Russian intelligence agent. The firm in question, Protelion, didn't join the Council until 2020, well after Schönbohm left for the BSI in 2016, and was ejected from the Council within days of the allegations being aired on a German satirical news show.

Another co-founder of the Council and its current President, Hans-Wilhelm Dünn, is also alleged to have been part of a Russian influence operation. It's not explicitly stated what Dünn's role was, but he appears to have maintained a number of Russian links, including taking part in the 2018 Russian Presidential election as an "election observer" at the invitation of the Russian Duma. This shows spectacularly bad judgement, but it could well be that Dünn is guilty of nothing more than being greedy and naive.

It is not at all clear that Schönbohm is guilty of anything at all. A spokesperson for Interior Minister Nancy Faeser, the Minister responsible for suspending Schönbohm, told reporters that Schönbohm would be "presumed innocent" while an investigation into the allegations was carried out.

One theory we've heard is that domestic politics played a role here. Lending credence to this theory, this Reuters article points out the different German political factions involved: Schönbohm was appointed by a conservative minister, but the Interior Ministry is "now run by the Social Democrats".

If party politics did play a role here that would be terrible, as it would, for no good reason, undermine the trust that the BSI needs to have with the German public and private sectors, and also with international partners.

Ironically, the spokesperson for Interior Minister Faeser said that Schönbohm was suspended because the allegations had "permanently damaged the necessary public confidence in the neutrality and impartiality of his conduct in his office as president of Germany's most important cybersecurity authority".

At this point, it's a no-win situation. The reputational damage to Schönbohm and the BSI has been done, and the only thing that would retrospectively justify the whole drama is if Russian interference or espionage is proven.

Three Reasons to be Cheerful this Week:

  1. Dutch police used this one weird trick to get ransomware decryption keys for free: Dutch police were able to recover 155 decryption keys from the Deadbolt ransomware group by paying the ransom in Bitcoin, receiving the keys and then cancelling the transactions before they were confirmed. We didn't know this was possible, but it turns out that confirming a Bitcoin transaction takes long enough that some merchants will accept a payment as soon as it appears in the mempool, before it is committed to the blockchain. This is known as zeroconf, as you've got zero confirmations. An unconfirmed transaction isn't final: the sender can broadcast a conflicting transaction spending the same coins, and if that one is mined instead, the original never confirms. It looks like the Dutch police were able to cancel the payments this way before they were confirmed.
  2. The US has updated its nuclear command and control system: The upgrade was revealed to the public after a new exhibit at NSA's National Cryptologic Museum contained equipment that had been used to generate codes the president could use to authorise the use of nuclear weapons. The retired equipment was used from the 1980s until as late as 2019, so it's reassuring that it has been updated and also reassuring that the upgrade was apparently kept a secret. The Wall Street Journal reported the "recent technology refresh surprised several nuclear and security experts, who said they had no prior indication the code-generating equipment had been overhauled".
  3. KataOS, a secure OS for smart devices: Google has announced it is working on a "provably secure" operating system for embedded devices called KataOS with a reference implementation on secure hardware called Sparrow. It's based on a security-first microkernel and is implemented in Rust, which Google says avoids entire classes of bugs.
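To make the zeroconf point concrete, here is a toy model of a node, a mempool, a miner and a "merchant" that hands over a decryption key once it considers itself paid. It is an added illustration for this newsletter, not the Dutch police's tooling, and it makes no claim about how Deadbolt's payment portal actually worked. Everything in it is constructed: a single node with instant propagation, no scripts or signatures, one block of mining, and a replacement rule modelled on the BIP 125 opt-in replace-by-fee idea (a mempool transaction that signals replaceability can be displaced by a conflicting transaction paying a higher fee). The addresses, txids and amounts are made up.

```python
"""Why a zero-confirmation Bitcoin payment is not a payment (toy model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset      # outpoints this transaction spends
    outputs: dict          # address -> amount in satoshi
    fee: int               # satoshi; miners prefer higher fees
    rbf: bool = False      # signals replaceability (BIP 125 style)


class Node:
    """A single node with a mempool of unconfirmed txs and a chain of blocks."""

    def __init__(self):
        self.mempool = {}  # txid -> Tx
        self.chain = []    # list of blocks, each a list of Tx

    def accept(self, tx):
        """Add tx to the mempool; resolve conflicts with an RBF-style rule."""
        conflicts = [m for m in self.mempool.values() if m.inputs & tx.inputs]
        if conflicts:
            replaceable = all(c.rbf for c in conflicts)
            pays_more = tx.fee > max(c.fee for c in conflicts)
            if not (replaceable and pays_more):
                # "First seen wins" is only this node's policy, not a
                # consensus rule; other nodes or miners may differ.
                return False
            for c in conflicts:
                del self.mempool[c.txid]
        self.mempool[tx.txid] = tx
        return True

    def mine_block(self):
        """Commit everything in the mempool into one new block."""
        block = sorted(self.mempool.values(), key=lambda t: -t.fee)
        self.mempool.clear()
        self.chain.append(block)
        return block

    def confirmations(self, txid):
        """0 if unconfirmed or never mined, else depth from the chain tip."""
        for depth, block in enumerate(reversed(self.chain), start=1):
            if any(t.txid == txid for t in block):
                return depth
        return 0


class Merchant:
    """Releases the decryption key once payment satisfies its policy."""

    def __init__(self, node, address, price, required_confs):
        self.node, self.address = node, address
        self.price, self.required_confs = price, required_confs

    def _pays_us(self, tx):
        return tx.outputs.get(self.address, 0) >= self.price

    def release_key(self, txid):
        """True if the merchant considers txid sufficient payment right now."""
        if self.required_confs == 0:
            tx = self.node.mempool.get(txid)  # zeroconf: trusts the mempool
            return tx is not None and self._pays_us(tx)
        if self.node.confirmations(txid) < self.required_confs:
            return False
        tx = next(t for b in self.node.chain for t in b if t.txid == txid)
        return self._pays_us(tx)


def run_scenario(required_confs, signals_rbf=True):
    """Pay a ransom, get the key decision, then try to take the coins back.

    Returns (key_released, payment_confirmed) after one block is mined.
    """
    node = Node()
    wallet = "bc1-ransom-wallet"  # constructed address
    merchant = Merchant(node, wallet, price=100_000, required_confs=required_confs)
    coin = frozenset({"utxo-payer:0"})

    ransom = Tx("tx-ransom", coin, {wallet: 100_000}, fee=100, rbf=signals_rbf)
    node.accept(ransom)
    released = merchant.release_key("tx-ransom")  # decision at zero confs

    # Before any block, the payer spends the same coin back to itself with a
    # higher fee. Under the RBF rule this evicts the ransom payment.
    takeback = Tx("tx-takeback", coin, {"bc1-payer-change": 100_000}, fee=1_000, rbf=True)
    node.accept(takeback)
    node.mine_block()

    if not released:
        released = merchant.release_key("tx-ransom")  # re-check once mined
    return released, node.confirmations("tx-ransom") > 0


if __name__ == "__main__":
    for confs in (0, 1):
        for rbf in (True, False):
            print(f"required_confs={confs} rbf={rbf}:", run_scenario(confs, rbf))
```

With `required_confs=0` and a replaceable payment the merchant hands over the key and the payment never confirms; with `required_confs=1` the key is withheld until the payment is actually in a block, which in that scenario never happens. When the payment does not signal RBF this particular node keeps the first transaction it saw, so the take-back fails here, but that is node policy rather than a guarantee, which is why waiting for confirmations is the only safe rule.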

A new Proofpoint and Cybersecurity at MIT Sloan report examines boards of directors' perceptions about key challenges and risks. It finds that although cyber security is high on the agenda in board rooms there are some interesting differences in perception between CISOs and boards.

These differences cover the gamut from how likely a material cyber attack is, whether malicious insiders are a top concern and what the most important consequences of a cyber attack are.

Another significant concern is that awareness and funding do not translate into preparedness. Most respondents thought their board recognised cyber security risk, there was adequate investment and that data was protected, but despite that nearly half thought their organisations weren't prepared for a cyber attack.

Download the report here.

Shorts

Bitter, Yet Sweet. Cold, but Hot.

CyberScoop reports National Cyber Director Chris Inglis has foreshadowed that the soon-to-be-released national cyber security strategy will be "tough" while also claiming new regulations will be applied with the "lightest possible touch". So tough, but also soft.

There are other indications that the technology sector will be central to US government national security concerns. US Secretary of State Antony Blinken is also visiting Silicon Valley this coming week to reach out to the US's top tech firms to get them more involved with top national security challenges.

Cyber Criminals Discover Australia

Several significant hacks of Australian companies have been announced over the last week.

Medibank Private, one of Australia's largest private health insurance companies, was breached and has subsequently halted trading of its stock on the Australian Stock Exchange. Medibank's initial investigations found "unusual activity consistent with the precursors to a ransomware event", but also "no evidence customer data has been removed from the network".

Yesterday, however, a group claiming to be responsible for the breach contacted Medibank saying that it had stolen 200GB of sensitive information and threatened to email Medibank's thousand most prominent customers their own personal information. This threat resulted in Medibank issuing a trading halt on its shares "to ensure that it meets its continuous disclosure obligations".

Also in the last week, data from about 2.2 million customers of MyDeal, a marketplace owned by Woolworths, Australia's largest grocery chain, was breached and offered for sale. Jeremy Kirk's reporting dives into the breach and has some gems including the hacker claiming to have lost access to MyDeal "while I was high on mushrooms". This incident also underscores the cyber security risk of acquisitions — Woolworths acquired 80% of MyDeal on 23 September this year.

Finally, online wine retailer Vinomofo also announced a breach this week. Weirdly, they aren't releasing details about how many people were affected, citing privacy and scam protection reasons.

Another Lapsus$ arrest

The arrests of Lapsus$ members continue. Brazilian Federal Police announced they arrested a suspected member of the group in the Brazilian city of Feira de Santana.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunes or Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss whether cyber operations can be integrated with tactical conventional warfare.

From Risky Biz News:

China does a funny and tries to pose as IntrusionTruth: Something weird and very cringe-worthy happened at the start of the week when over the course of two days, on Monday and Tuesday, a few hundred (obviously very botty-bot) Twitter accounts started pushing a dumb rumor that the APT41 cyber-espionage group was actually the US National Security Agency.

In addition, some accounts tried to reinforce this ridiculously braindead disinformation attempt by floating a rumour that US cybersecurity firm Mandiant also linked APT41 to the NSA, which is obviously not true.

Some accounts posted in Chinese, others posted in English, while others even went as far as to try and pose as IntrusionTruth—a mysterious entity that has been doxing Chinese APTs for half a decade now—in an attempt to give legitimacy to their wacky theory. (continued)

IRGC installed malware on phones of Iranian protesters following their arrest: BSI, the German cybersecurity agency, took down this week a web server used to control malware deployed by the Iranian government to spy on participants of recent anti-government protests.

The server was identified over the weekend by Hamid Kashfi, a security engineer at Trail Of Bits, who confirmed a tip that the Islamic Revolutionary Guard Corps, a branch of the Iranian military, was manually installing malware on the devices of detained anti-government protesters.

Mango Markets exploiter comes forward: In a series of tweets over the weekend, an individual named Avraham Eisenberg took credit for the attack on Mango Markets following which he walked away with $114 million worth of cryptocurrency. Eisenberg came clean after he was publicly identified as the attacker last week and after the Mango Markets community voted to allow him to keep $47 million of the exploited funds if he returned $67 million back to the platform, so it and all the other projects that depended on it could avoid insolvency.