Equifax – Protecting themselves while exposing your data and Identity! September 11, 2017
Posted by Chris Mark in Uncategorized. Tags: Breach, data security, data theft, Equifax, insider trading, premier id, stock selling
As an update to my last Equifax post, a number of stories have circulated regarding Equifax’s Terms of Use, in which they attempt to prevent lawsuits related to their own incompetence that resulted in the exposure of nearly 150 million consumer records. As stated in their Terms of Use:
“YOU MUST ACCEPT THIS AGREEMENT, INCLUDING ITS “ARBITRATION” SECTION BELOW, BEFORE YOU WILL BE PERMITTED TO REGISTER FOR, USE OR PURCHASE ANY PRODUCT. BY REGISTERING ON THIS WEBSITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.”
So here is what the noble and caring Equifax has done to the public. First, they had a data breach in 2015. Then their CEO offers the obligatory public apology in which he emphasizes the ‘importance of protecting data’, etc. etc. Then Equifax magnanimously offers consumers free credit monitoring…in the Equifax TrustedID Premier service. It should be noted that IF you do enroll in Equifax TrustedID Premier you are agreeing to the Terms of Use listed above…in short, should your information be exposed and used to, say, steal your identity, you cannot sue them, nor can you engage in a class action lawsuit. You are (according to the Terms of Use) bound by Equifax’s arbitration clause. For those who are fans of the Oscar-winning film Dodgeball, I quote: “That’s a bold strategy, Cotton. Let’s see if it pays off!”
To add fuel to the proverbial fire, Equifax did not disclose the data breach for a full month, while 3 executives sold millions of dollars of company stock within days of identifying the breach! Now, to be fair, Equifax stated (ahem, cough, cough) that the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.” The three, Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder, completed stock sales on Aug. 1 and 2. So let me get this straight…the Information Solutions President and CFO did not know there was a breach? To quote the incomparable George Strait: “I’ve got some oceanfront property in Arizona. From the front porch you can see the sea. If you’ll buy that I’ll throw the Golden Gate in free!”
Chris Mark speaking at COMTEC 2014 by TouchNet August 27, 2014
Posted by Chris Mark in Uncategorized. Tags: AT&T, Breach, cardholder, Chris Mark, compromise, COMTEC, Data, data security, education, higher, PCI, TouchNet
Chris Mark will be presenting at the 2014 COMTEC TouchNet Client Conference on PCI DSS and data security within the payment card industry. The title of the presentation will be Hitting the PCI Bullseye. COMTEC is the premier conference for Higher Education organizations. I was invited to speak in 2012 but found myself delayed returning to the US, as I was in the Gulf of Aden providing maritime security. Below is a description from the TouchNet website.
“Join us for the COMTEC pre-conference PCI Workshop: Hit the Bullseye on November 10th. This power-packed day of PCI and security training is vital for business, security, compliance, audit, and IT professionals who want to stay on target with changes in payment security rules in the coming year. You’ll get real-world advice on compliance and best practices from industry experts and campus leaders who are dedicated to information security.”
“Active Responses” to Cyberattacks are Losing Propositions May 22, 2014
Posted by Chris Mark in cybersecurity, Data Breach. Tags: active, active response, Chris Mark, cybercrime, cybersecurity, data breach, data security, deterrence, fight, InfoSec & Privacy, PCI DSS, response, security
“Everyone has a plan until they’ve been hit” – Joe Louis
Having spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia, I have a deep respect for the force continuum and for the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.
As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts, as well as some companies who have fallen victim to cyberattacks, have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013 there was an online discussion in which an author of the upcoming book The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:
“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added) (more…)
Chris Mark in September 2013 – SC Magazine (Interview and Article) August 21, 2013
Posted by Chris Mark in cybersecurity, Industry News, PCI DSS. Tags: AT&T, Chris Mark, cybercrime, cybersecurity, data security, SC Magazine, Secure Computing, security
In the August 2013 edition of Secure Computing Magazine (SC Magazine), I have an interview and an article included. The interview is for the cover story called “Beyond the Checkbox; PCI DSS” and the article is called “Understanding Parallax and Convergence to Improve Security”. Below is an excerpt from the article; be sure to check them out!
“To address today’s threats, companies require a high degree of convergent perspective, information expertise, and coordination between personnel and groups. Previously, companies could “make do” with basic security controls such as firewalls, Intrusion Detection System (IDS), and anti-virus. Attempting to understand the threats facing an organization and analyzing risk was often an afterthought, as companies relied upon simple compliance matrices and lists of “best practices” to secure their environment. This is no longer sufficient to address the threats of 2013. A major mistake in information security implementation is what can be referred to as “security parallax.””
How to choose a VPN that will protect your privacy (Guest Post by IVPN) June 2, 2013
Posted by Chris Mark in Uncategorized. Tags: cybercrime, cybersecurity, data protection, data security, online privacy, privacy, VPN
This article is written by Christopher Reynolds, head of business development at IVPN, a VPN service and EFF member dedicated to protecting users’ online privacy. I don’t often allow guest posts, but Mr. Reynolds and IVPN have done a great job of providing valuable info. Certainly worth taking a look!
Online privacy is coming under increasing attack from governments around the world. Legislation such as CISPA in the US, the CCDP in the UK and Australia’s data retention proposals has generated real worry among privacy-conscious internet users over law enforcement’s desire to increase its powers of surveillance to unprecedented levels. This culture of fear is driving more and more people toward commercial Virtual Private Networks (VPNs), which promise to protect user data and offer online anonymity. But choosing a VPN that actually protects privacy is not straightforward. In this blog post I will go over the key issues you must consider before signing up to any VPN service.
Data retention
The biggest issue when it comes to using a VPN in order to protect your privacy is data retention. Government surveillance is primarily facilitated by the data retention policies of your ISP. In Europe your ISP’s data retention policy is mandated by the EU Data Retention Directive, which forces all European ISPs to retain users’ personal information for between 6 months and 2 years after the user leaves the ISP’s service. This data includes web logs, which essentially means a record of every website you’ve visited and the times you visited them. The data your ISP holds won’t typically contain email logs (despite popular perception) unless you use your ISP’s own email service. But it will include which third-party email services you use and when you’ve used them. (more…)
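To make the point about retained connection metadata concrete, the following is an added illustration (it is not code from the guest post or from IVPN). It models a small ISP-side connection log, shows what can be read off it (sites visited, times, and which third-party mail services were used, even though no mail content is stored), and then shows what the same traffic looks like to the ISP once it is tunnelled through a VPN. Every log record, host name and the table of mail endpoints is constructed for the example; the VPN endpoint name and port are hypothetical.

```python
"""Added example: what an ISP retention log reveals with and without a VPN.
All records and host names below are constructed; none are real services."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    ts: str        # time the connection was made
    dst_host: str  # destination as the ISP sees it (DNS answer / TLS SNI)
    dst_port: int


# Constructed lookup table of third-party mail endpoints (hypothetical names).
MAIL_SERVICES = {
    "imap.example-mail.test": "ExampleMail (IMAP)",
    "webmail.othermail.test": "OtherMail (webmail)",
}

# Constructed retention log for one subscriber, as an ISP would store it
# when the subscriber is NOT using a VPN.
RAW_LOG = [
    Connection("2013-06-02T08:01:10", "news.example.test", 443),
    Connection("2013-06-02T08:03:42", "imap.example-mail.test", 993),
    Connection("2013-06-02T08:15:05", "shop.example.test", 443),
    Connection("2013-06-02T12:30:00", "webmail.othermail.test", 443),
    Connection("2013-06-02T12:31:17", "news.example.test", 443),
]


def summarize(log):
    """Return (sites -> visit times, mail services -> use times).

    Nothing here needs packet contents: the destination host and timestamp
    alone say which sites were visited, when, and which mail services were
    used, which is exactly what a retention log preserves.
    """
    sites = defaultdict(list)
    mail = defaultdict(list)
    for c in log:
        if c.dst_host in MAIL_SERVICES:
            mail[MAIL_SERVICES[c.dst_host]].append(c.ts)
        else:
            sites[c.dst_host].append(c.ts)
    return dict(sites), dict(mail)


def through_vpn(log, vpn_endpoint="vpn-gw.example-vpn.test", vpn_port=1194):
    """Model the same traffic inside a VPN tunnel (hypothetical endpoint).

    The ISP now records one flow per connection to the VPN gateway: the real
    destinations disappear, but the timestamps (and volumes) do not.
    """
    return [Connection(c.ts, vpn_endpoint, vpn_port) for c in log]


if __name__ == "__main__":
    for label, log in (("without VPN", RAW_LOG), ("with VPN", through_vpn(RAW_LOG))):
        sites, mail = summarize(log)
        print(f"--- ISP view {label} ---")
        print("sites:", sites)
        print("mail services:", mail)
```

Two things stand out when the script is run. Without the tunnel, the log alone identifies both mail services the subscriber used and when, although it holds no mail at all. With the tunnel, the ISP sees only connections to the VPN gateway, but it still sees when the subscriber was online, and the per-destination detail has simply moved to the VPN provider's logs, which is why the provider's own data retention policy is the question to ask before signing up.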