Slashdot Mirror
Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)
The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. "It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.
Always blames his tools.
How the product is licensed doesn't affect the quality of the software.
If the software is of significant complexity, then chances are flaws will be there, and often just like commercial licences software a flaw can be overlooked by many eyes, until the flaw is found.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Keeps using a chisel with chipped blade and a loose handle.
Comment removed based on user account deletion
They have NO ONE to blame but themselves, it is OPEN SOURCE which means they can actually review the code and fix issue.
What you can't believe software that happens to be released with an Open Source license could have a security vulnerability.
Granted I expect the flaw is more then just a flaw in the software, but poor network design, excessive trust in the application and/or poor implementation.
But people who just scoff at the idea that Open Source is this just ultra secure system, will often implement it in a poor manor making it vulnerable. Because of a zealot faith in the holy license.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
>Model-View-Controller (MVC) framework for Java
There's your problem right there.
Security demands simplicity.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I think that if we've learned anything from this incident, it is that Equifax is a competent, professional organization that prides itself on its honesty and transparency, and that they are tirelessly acting in the best interests of the general public.
Obliteracy: Words with explosions
Doing business of any kind, online, is inherently insecure. There's a lot of risk for consumers, and a lot of expense for businesses to stay as secure as possible (which isn't very). Sucks for people who need a credit score.
I don't respond to AC's.
>> is it the fault of Struts developers or Equifax's developers, system admins, and their management?
None of the above. It's the officers on the corporate board, who demanded "cheaper" rather than "secure." The managers who carried out their demands (putting emphasis on cheap contractors vs. quality work and investment in patching dependencies) were just doing their jobs, the sysadmins really don't have much to do with it (if you know how Struts works) and the developers are pretty blameless because their either do what management told them or not eat.
you are not allowed to place any blame on it
Yup, I went to the site and it asked for name and last 6, and I was like "GTFO"... Are you kidding me? How can these imbeciles NOT know that this looks like a classic phishing site.
You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?
Seems to me, Equifax is! as are all the credit collection businesses. Professional Extortion artists! They collect data on everyone. Then sell access to that information to the financial industry (Credit Checks). And if you want to protect yourself you are supposed to pay them to protect (Lock) your credit history.
They do not care about spending money to protect the information they have data mined.
Open source is better, if you use it right! And put the time in to do "YOUR" due diligence! They did not! They got hacked! It took them weeks to even realize it! And weeks before they came clean.
Hmm not sure about this story. Can you link me to a Amazon book about this scenario?
You have to assume your servers will get hacked. It doesn't matter what software you're running. Someone will find a way in. Any competent developer starts with that assumption and designs around it. That's why you never ever EVER store sensitive data unencrypted! They're looking for someone to blame for their incompetence.
"I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
I said
credit collection businesses
I should have said
credit reporting businesses
Well they're entitled to ask for a full refund of whatever they paid for it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
This is only hear-say. It was never confirmed by Equifax or FireEye.
The point of open source isn't, "free software you don't have to pay anyone to develop!" but rather, it's software that you can audit and don't have to take anyone's word that it does what they claim. Honestly, when your data is both highly valuable and sensitive you should at the very least hire another company to review the source code.
Anons need not reply. Questions end with a question mark.
No complex software is without bugs, no complex software is completely secure. I'm a big open source fan but this is reality. Open or closed, there will be bugs and exploits. Subjectively, it seems open source may get fixed more quickly, but that doesn't change the bottom line, which is that the onus is on the company.
Equifax stores tons of sensitive information and it's up to them to protect it properly. No excuses, no finger pointing, no passing the blame. They are responsible, period.
Maybe it was global warming. Or Trump.
Why would you assume that they're using software written this decade? I think it's equally plausible that a good chunk of their components are from the mid 2000s and utterly riddled with security holes, but no PM will let the devs update anything because "if it works, leave it alone". Never mind that it doesn't actually work - that's someone else's problem, obviously.
It is apparent that Equifax couldn't give a flying fuck about security. I think it's ludicrous to debate whether the problem is with a bug revealed in March or September, when I think it's equally likely to be older than my kids.
Dewey, what part of this looks like authorities should be involved?
Seriously, I am guessing that we will find out that it was done in India, not in America.
I prefer the "u" in honour as it seems to be missing these days.
The problem there being Java.
This is like me blaming a lock manufacturer for a theft that involved a bunch of Russian guys driving a truck up to my front door, picking the lock, and carrying off all my stuff over the course of 8 hours while I sat there getting drunk.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Struts or not, the sole blame is with the greedy morons running Equifax with apparently the same take on security as they had in the year of their inception. Why do they even collect and store that much information and hold on to it for that long? I know, it is to generate a credit history, but I am sure there are equally good ways to determine if I pay my bills or not.
Equifax Blames Open-Source Software For Its Record-Breaking Security Breach
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND... - Apache License
Financial institutions KNOW this.
Correction: competent financial institutions know this. Incompetent ones clearly do not and, as recent events show, it is not always easy to tell the competent from the incompetent.
I'm just wanting to know if a lawsuit against these criminals is possible?
A class-action lawsuit is already in the works. You can find references to this in any one of many news stories.
If it weren't for deadlines, nothing would be late.
... not a product.
And the circle of life continues to spin, occasionally wobbling on its axis thanks to the weighty presence of dumb.
The problem with their claim is that
Open source == inspectable so you can see the consequences of your actions.
To claim that (OS==helpless user) as a defense for your (in)actions is pretty lame.
On the surface, the facts seems to be more like
Our business model requires holding information which if made public could hurt people.
It is expensive and hard to secure this data, so let's don't.
Suprise! the data got stolen.
No problem, let offer a revenue stream ^H^H^H^H^H 'service' to help.
Oops, we got caught doing that, need new plan.
Hmmm who can we blame for our in actions?
I know, the open source community.
Hopefully, the next step will be a Congressional inquiry figuring out that the world would be better off if these folks went bankrupt.
And for sure, an understanding that a bank opening an account with this silly ID information is indefensible.
We need more info to come to any conclusions. I've seen it claimed that Equifax wasn't using the latest version of Struts and some have thought that meant that they didn't patch to deal with the RCE from earlier this year. BUT, is it possible that what really happened is that Equifax was using Struts 1, not Struts 2? Struts 1 is EOL by the way. That wouldn't surprise me in the least.
Equifax punishes people for coincidences all the time.
I blame Java, not Struts......because its Java and its a pile of garbage.
Equifax obviously has never heard of data diodes, which let data in, but not back out. Such a system could have let them accumulate data without risk of exposing all of it. They probably never heard of capability based security either, nor the principle of least privilege. They probably also use Operating Systems that rely on ambient authority to get everything done, such operating systems are wildly popular, but can't be made secure.
There's a lot of bad design decisions behind this... not just the use of Apache Struts.
Data was leaked, management enjoyed a great round of insider trading, they botched up the page for verifying if your information was leaked, and now the most obvious next step: scapegoating.
What can we expect next? Shut up settlements after a long protracted court battle meant to make people forget about it, slap on the wrist from government/justice, just for the next rounds of leak to prove that they have learned nothing.
Equifax hack is the end of privacy even for those who are careful about it. You can be as paranoid as you want to, once your personal sensitive data is being taken and stored by companies that are this careless about it, it's over.
Oooh, but an open source software had an exploit in it. That's what they have to say? Motherfuckers, ALL software potentially has exploits in them. It's why for sensitive data competent companies employ several layers of security so that even if parts of it fail, attackers still won't have access to it. You are not a fucking backyard business or some kid's lemonade stand. If you are going to claim this level of ignorance for leaking all that data out, the rational decision would be closing doors down, getting out of the fucking market, and leave it to grown ups to handle since you are clearly too incompetent to do so.
So they get a Commodore-64 and some big floppy drives and put our SSNs on that, because *reasons*.
Then when it's breached they point to the C64 and say, "well, look what we had to work with."
Doesn't work that way, but we're not their customers. So fuck us.
Regardless of the system you use, setting up a system like this directly on the Internet is what's to blame. Obviously it's a little more expensive to develop a proper web application and checks and balances on what it can do but no part that is not the "View" should be online.
Custom electronics and digital signage for your business: www.evcircuits.com
Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com."
We should wait for the "equifaxsecurity2018.com" release.
It must have been something you assimilated. . . .
I wonder what they used for their horribly broken website https://www.equifaxsecurity201..., which can't even seem to reliably tell you if you were affected by the incident. But I'm not surprised that a company with such shitty security to allow practically all adult Americans' identities to be exposed can't even get their check to find out if you have been exposed right. But, based on the numbers, and subtract everyone who does not have a credit history (age 17 and under), it's safe to assume that *every* U.S. citizen with a credit history has to watch their asses from here on, for the rest of their life. Is Equifax going to blame open source software for that piece of shit site/impact checker too? Equifax... what a fucking joke.
For a thousand bucks or so, Equifax could have had our company inspecting their tools daily, scanning for any accessible systems with security issues, including the issues in the Struts plugins.
We would have also provided them with detection systems that would have caught the attempt to load the massive amount of data via the vulnerability, and systems to detect the attempt to exfiltrate the data, again at a very reasonable cost. These include 24/7 monitoring by our SOC. So if they had been even competent enough to simply sign up with a decent security provider, they would have been protected three times over.
ALL software beyond "hello world" has bugs.* A competent CIO, or even a competent programmer or network engineer, knows that and plans accordingly. Any CIO or CSO whose security planning pretends that there server software is perfect is incompetent. A software bug didn't cause this - plenty of other organizations used the same software, but didn't get breached because they had scanning and alerting set up, so they mitigated the flaw immediately after it became known.
*. All software has flaws, and well known proprietary software such as Windows, MS Office, Flash, and Oracle Java are an order of magnitude worse than well known open source software such as Linux, Libre office, Apache httpd, etc. My database I manage at work has almost every known vulnerability cataloged and rated for several measurements of severity. There's no comparison - there simply is not pride of workmanship in code nobody is allowed to see. Open source programmers know they are being judged personally for the code they put on display and it makes a HUGE difference in code quality.
They just wanted to get in the guinness book of records...
In other news, Granny said "don't put all your eggs in one basket".
Why was their data not compartmentalised? Its not that hard to do, and ought to be compulsory for data on this scale.
Public floggings are totally inadequate for scum like this. These people are a clear and present danger to civilisation as we know it, even in the absence of data loss like this. Now is the time to make this obvious to everyone.
Sent from my ASR33 using ASCII
There is a difference between profits and conspiracy to defraud, even if Trump supporters don't know..
Sent from my ASR33 using ASCII
Really? How? What punishments does Equifax dole out?
Clearly their US business differs from the one in the UK.
The exploit is not the root cause, the exploit only became possible in a live environment because they failed to properly follow governance processes during development.
You could argue that by giving somebody a [false] bad credit rating (by carelessly using a different John Smith's records, or simply because they haven't borrowed enough money in the past) they are punishing that person. It's something that happens regularly and costs those people money, yet credit agencies are rarely taken to task over their conduct.
Lots of excellent discussion here, but perhaps there is another aspect of this to consider...
Think about all the really big issues that have happened with financial institutions over the last 10-15 years, such as:-
1. Nick Leeson at Barings [lost his employer an estimated $1.4 Billion in 1995]
2. Jerome Kervial at Societe Generale [lost his employer $7 Billion in 2007]
3. Bruno Iksil at JPMorgan [lost his employer an estimate $7 Billion in 2012]
In fact, if you're interested, there is a complete ranking at Wikipedia:-
https://en.wikipedia.org/wiki/...
What this shows us is that all of the biggest losses [and at this point I will concede that the Wikipedia article lists only trading losses, but these are by far the largest, financially-impacting losses we observe] come not from data security issues, or software vulnerabilities, but from an absolute lack of fundamental operational controls on the financial side of the institutions that have experienced these losses.
Yes, it is true to say that "because: Cyber" seems to have created a bit more interest in boardrooms around the world, but the cold, hard fact remains that the vast majority of losses [whether numerically or by value] originate from operational control failures, not IT Security. This being the case, when an institution comes to look at safeguards, IT and Cyber Security controls are almost always going to play "second fiddle" to the operational risks the institution carries.
Having worked for both blue chip companies and financial institutions for the last ~ 30 years, my own personal experience is that IT Controls are generally seen as a poor relation to Operational Controls - and attract budgets and resources accordingly. As an IT professional with many years working in IT Security, IT Risk Management and Cyber Security, I would like to see cyber risk treated more seriously by large corporations. Unfortunately, in the absence of actual, head-line grabbing real-world examples of multi-billion-dollar losses from cyber events, the institutions carrying these risks will consider them to be "black swan" events - undeniably high risk, but so rare as to be irrelevant... until they are themselves hit.
The only way to ensure that the information of private citizens is adequately protected by the corporations that hold and process it is to follow up incidents such as this with hard-hitting fines, along with jail time for relevant executives [CEO, CIO, CTO]. Unless we see that happen [and just consider for a moment the likely lobbying effort against this] then there will be no safety and no recourse for individually impacted citizens.
Some may be thinking that perhaps legislation like the Sarbanes-Oxley Act [and clause 404 of that bill] might be sufficient to address the gap. The sad fact is that, in the 15 years since it was introduced, SOX has become a "paper exercise". There is no evidence to suggest that anything equivalent but addressing data breaches would be any more useful 15 years from now.
Unless something fundamentally changes, the balance of probability will condemn this particular topic to irrelevance.
Defense in depth is an applicable concept here. A single point is going to have weaknesses. While a Struts vulnerability may have been involved, there is a whole iceberg of failures below that on the Equifax side for the breach to reach this scale. It is hard to say what level of failure though without any details. "May have been impacted" is not the same as 100 million people victimized by identity theft.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Red the Equifax annual report on their website - it's all about revenue growth (18%), new markets and reducing expenses... Looking at the people, the CIO has a Bachelors degree in Russian and Masters degree in Business Administration. The other "techie", President of Information Solutions, is a Harvard lawyer.
http://www.equifax.com/about-e...
Now it has come out that top management unloaded stock post breach, but before public announcement.
We have a corporation dealing with personal information with zero security core competency at the top, and devoid of moral principal AND willingness to commit crimes for personal gain.
THIS is the exact type of corporation and players that needs to be crushed and go away, like Arthur Anderson, or Daryl McBride.
If you adopt open-source software as an underlying framework for your system which stores highly sensitive information, then you take all the time you need to audit the code to ensure that your highly-sensitive information is secure before you go live.
It's *the firm's* responsibility to ensure their infrastructure is secure, not anyone else, and if they decide to use infrastructure X on a production server, the outcomes are on *their* ass.
They chose to use it! So naturally, it's someone else's fault. I am so sick of this shit! They are all parasites. And the US government never did anything about it because they too, want all of your data so they can bypass the intention of the US constitution. I'll add that this breach should discredit everything the credit bureau's have collected. It proves they have no control over their data and that most of it can be manipulated and controlled on behalf of big corporations. Congress, what the hell are you doing? If anything.
> Companies don't want to pony up the costs and resources to fix this crap. Good intentions are failing to keep companies secure
Fire safety was a similar issue a hundred years ago. The insurance companies created Underwriters Laboratories (UL Listed) and the National Fire Protection Association, which writes the fire code. Companies buy insurance against fire, and their insurance company, in order to reduce their own cost of claims, insists that the companies meet fire codes and otherwise operate safely to minimize the risk of fire. That has worked well.
The costs are a very real and legitimate issue. A magazine publisher should NOT spend $50 million to protect from the names of their subscribers being leaked. The cost would be too high relative to the risk. Spending too much on security is a mistake just as spending too little is. Spending on security increases costs, it makes products and services cost more for the consumer. It's all about calculating the *right* amount of spending to mitigate the risk by the right amount.
As it happens, insurance companies are experts at calculating risks and costs. I expect over time they'll get involved in cyber security in a similar way as they are involved in greatly reducing fire risk.
> the cost was new hardware due to a program that was written ... Essentially it was a Ruby Gem that was outdated and the whole program would need to be recoded to fix the vulnerability.
And this was why we write software as modules, even microservices, rather than a huge monolithic pile of code. With proper abstraction and encapsulation, a bad problem means that specific 12-line function, or at worst the entire 350-line module, needs to be redone.
> You're comparing products they sell and underwrite vs their own personal best practices
No, I'm comparing internal operating standards with internal operating standards. At my office, we had a fire inspector come through once every two years and look for extension cords being used improperly and that sort of thing. Passing the fire safety inspection lowered the insurance costs that the company paid. Management took care that we did well on the inspection, so that they would get the lower insurance rate.
We ALSO had a cyber security inspection / audit. The results of that inspection did not, however, affect our insurance costs. Therefore the security inspection was less important.
You are of course correct that fire insurance existed long before UL and NFPA, though not so long in the US. The point is that when they did take proactive measures such as UL and NFPA, it worked well - and they know that. They know that if they are going to insure a major office building, they are going to insist on fire safety. Knowing that, having that experience, they can use the results of cyber security inspections in setting rates.
Whether the inspection is outsourced or done by W-2 employees of the insurance company isn't the point. The point is they are starting to expect a passing security audit. Companies are beginning to pay attention to security in order to reduce costs, and hopefully we'll see that trend expand.
[OK, I'm late to this, but haven't seen this point made]
Even if it was a vulnerability in the front-end (in a DMZ, I hope), a totally compromised front-end shouldn't have allowed anybody to exfiltrate that much data. The backend should be locked down with methods that allow the front-end to access only one per call, and access patterns monitored to disallow harvesting. The actual data should be at least another step away, and encrypted in case anybody steals a the whole as a blob. There's bad architecture here, regardless of any owning of a public-facing website. This might have been a long-drawn out slow exfiltration, but it doesn't sound like it. The whole infrastructure may have been owned, but again, that can't be blamed solely (or even mostly) on any vulnerability in the top layer.