Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)

Posted by BeauHD on from the finger-pointing dept.

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. "It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.

7 of 283 comments (clear)

  1. JAVA! by TechyImmigrant · · Score: 2, Interesting

    >Model-View-Controller (MVC) framework for Java
    There's your problem right there.

    Security demands simplicity.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Root cause = SJW hiring practices by Anonymous Coward · · Score: 5, Interesting

    You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

    1. Re:Root cause = SJW hiring practices by i286NiNJA · · Score: 5, Interesting

      I don't think it was SJWs. I think she was well connected and managed to land a bunch of compliance gigs that have nothing or little to do with technology and Equifax regards security as a good starter position for c-level executives and PHBs instead of being a terminal position for some former teen-hacker.

      Let it soak for a second. If you work in IT.. even as tech takes over the world.... even as infosec mismanagement crises have been first page news for several years.

      YOU ARE WORTH LESS THAN THE MANAGEMENT CASTE.

      No matter how smart, no matter how educated, no matter where you work and no matter how much money you make... Unless you're born rich and connected or embed yourself into bureaucracies for access to such people .
      You are of a lower caste.

  3. Don't store data unencrypted! by SoftwareArtist · · Score: 1, Interesting

    You have to assume your servers will get hacked. It doesn't matter what software you're running. Someone will find a way in. Any competent developer starts with that assumption and designs around it. That's why you never ever EVER store sensitive data unencrypted! They're looking for someone to blame for their incompetence.

    --
    "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
  4. Re:It is open source ... by Mr.+Shotgun · · Score: 3, Interesting

    They have NO ONE to blame but themselves, it is OPEN SOURCE which means they can actually review the code and fix issue.

    To be fair most organizations do not have the expertise or desire to review and fix the source code for products they are using, open source or not.

    That being said I am betting dollars to pesos that they were attacked with the March Vulnerability and not taken down by the zero day from a week ago. It seems like unless a vulnerability has a fancy web page and gets featured on CNN, management could not give a flying fuck. Wait till the next patch cycle becomes wait until the next quarter becomes eh we'll get to it. And that shit has got to stop.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  5. It's cheap for us to inspect the tools daily by raymorris · · Score: 4, Interesting

    For a thousand bucks or so, Equifax could have had our company inspecting their tools daily, scanning for any accessible systems with security issues, including the issues in the Struts plugins.

    We would have also provided them with detection systems that would have caught the attempt to load the massive amount of data via the vulnerability, and systems to detect the attempt to exfiltrate the data, again at a very reasonable cost. These include 24/7 monitoring by our SOC. So if they had been even competent enough to simply sign up with a decent security provider, they would have been protected three times over.

    ALL software beyond "hello world" has bugs.* A competent CIO, or even a competent programmer or network engineer, knows that and plans accordingly. Any CIO or CSO whose security planning pretends that there server software is perfect is incompetent. A software bug didn't cause this - plenty of other organizations used the same software, but didn't get breached because they had scanning and alerting set up, so they mitigated the flaw immediately after it became known.

    *. All software has flaws, and well known proprietary software such as Windows, MS Office, Flash, and Oracle Java are an order of magnitude worse than well known open source software such as Linux, Libre office, Apache httpd, etc. My database I manage at work has almost every known vulnerability cataloged and rated for several measurements of severity. There's no comparison - there simply is not pride of workmanship in code nobody is allowed to see. Open source programmers know they are being judged personally for the code they put on display and it makes a HUGE difference in code quality.

  6. Re:A poor carpenter... by AmiMoJo · · Score: 3, Interesting

    Equifax's service isn't based on providing reliable information or securing that information. It's based on fulfilling a legal requirement to mitigate risk when evaluating potential customers for loans.

    They really don't care if they information they have is accurate, let alone secure. You are not their customer, they don't care what happens to you. All they care about is charging companies for read/write access to your file.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC