Slashdot Mirror


Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source Model-View-Controller (MVC) web framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all trace back to a single quote by a non-technical analyst citing an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six digits of your social security number and your last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in from mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet.
"It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of the Struts developers, or of Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.

4 of 283 comments

  1. equifaxsecurity2017.com by Phoeniyx · Score: 2, Informative

    Yup, I went to the site and it asked for name and last 6, and I was like "GTFO"... Are you kidding me? How can these imbeciles NOT know that this looks like a classic phishing site.

  2. Re:Equifax Corporate Officers by Anonymous Coward · Score: 3, Informative

    My bitter, aging software engineer take: it's the endgame of chasing new features to meet next quarter's revenue target, neglecting to fund maintenance/sustaining teams for legacy apps. I don't even see maintenance/sustaining teams anymore. Maybe that was just a telecom industry thing (which I left 10+ years ago). In any case, if there isn't a development team that is actively updating an old unglamorous app, you're in trouble. Software will rot, not just from years of app patches, but also from reliance on abandonware third-party libraries accumulating known exploits over time.

  3. Makes sense. by Anonymous Coward · Score: 0, Informative

    Let's be honest. Open source software has just about the worst record for things like security, usability and support. There is a very good reason why so few desktops run Linux, or Apache OpenOffice, or GIMP or things like that. Desktops tend to be the #1 target for malware and when the rubber meets the road, Microsoft simply has a better track record in the security realm. I mean hell, Linus Torvalds thinks security problems are "just another bug" like glitchy audio or a compile failure. Is it any wonder that his OS is considered the worst of the worst when it comes to security?

  4. Re:Root cause = SJW hiring practices by elrous0 · Score: 3, Informative

    You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

    Wow, I thought you were trolling until I actually looked it up. WTF were they THINKING? You're not supposed to give a token diversity hire an actual job. You're supposed to appoint them to a bullshit position where they can't do any actual damage, then put their picture in all your brochures to virtue-signal to everyone how progressive you are.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.