Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)

Posted by BeauHD on from the finger-pointing dept.

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. "It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.

37 of 283 comments (clear)

  1. A poor carpenter... by Ritz_Just_Ritz · · Score: 5, Funny

    Always blames his tools.

    1. Re:A poor carpenter... by jellomizer · · Score: 2

      However there is a problem with being too aggressive.
      Proper Security it tough, if you are going to be 100% secure then chances are you will not be able to perform your business. However there needs to be rules to make sure the company is putting in its best effort into security. If we find that there was a someone who tried to raise flags about security, where management declined because it was too expensive then there should be repercussion. But if there are reasonable checks in place, you shouldn't kill the company just because there was a flaw.

      If your job is a Software Developer or some sort of engineer. Even if you are an ace at your job. Chances are you could had made a mistake, do you think you deserve to have your life and career killed, because of one bad day.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:A poor carpenter... by ScienceofSpock · · Score: 5, Insightful

      In the financial sector, proper security is THE most important thing. If you are offering services and you cannot secure your customer's data absolutely, then you shouldn't be offering services.

      If proper security is "too expensive" for your profit margin, then you have a failed business model, and shouldn't be offering services.

      Financial institutions KNOW this. This is the business they choose to be in, it has a high operating cost and they get paid VERY well to perform these services. They shouldn't be let off the hook for taking the cheap way out, and they certainly shouldn't be allowed to profit from these tactics. They only understand money. The only way to punish these institutions when they do stupid shit like this is to hit them hard in the purse.

    3. Re:A poor carpenter... by Desler · · Score: 2

      And a good carpenter can spot when a tool is gimmicky shit or poorly made. Every tool is not a good tool.

    4. Re:A poor carpenter... by Mad+Merlin · · Score: 2, Insightful

      Proper Security it tough, if you are going to be 100% secure then chances are you will not be able to perform your business.

      There's no such thing as 100% secure, and there never will be.

      Even if you use a one time pad for encryption (which if implemented perfectly, is unbreakable from a ciphertext analysis perspective), it can still be broken in a multitude of other ways (flawed/predictable RNG for generating the pad, (accidental) pad reuse, a wrench, etc). Plus, the practicality of actually deploying one time pad encryption properly is so cumbersome that it's pretty much unused.

      Perfectly implemented one time pads aside, if you had an infinitely fast computer, you could break every known encryption algorithm and decrypt every encrypted transmission ever sent. While we don't have infinitely fast computers (yet), the performance delta between a computer today and a computer 20 years ago is practically infinite. Similarly, the performance delta between your $300 laptop and a determined state level attacker or large botnet is rapidly approaching infinite.

      There's far more to security than just encryption, but the basic tradeoff involved in encryption (how much computing power do I need to spend to make it relatively impractical for an adversary to brute force a decryption within $x timeframe) mirrors most security topics well.

      --
      Game! - Where the stick is mightier than the sword!
    5. Re:A poor carpenter... by Xest · · Score: 4, Insightful

      "If you are offering services and you cannot secure your customer's data absolutely, then you shouldn't be offering services."

      This is absolute drivel, there's no such thing as absolute security. The choice you're offering therefore is to simply not do business at all, or to hire people who don't understand security sufficiently to falsely believe they have absolute security rather than people who understand absolute security is non-existent and that it's simply a measure of risk.

      "If proper security is "too expensive" for your profit margin, then you have a failed business model, and shouldn't be offering services."

      Again, nonsense. As absolute security is a myth then you're basically saying every business model in the world ever has failed and every company should shut down. That's complete and utter nonsense, obviously.

      You've not considered another possibility - that Equifax actually did the best they could and it just wasn't good enough. Given that all security can be compromised given sufficient effort this could simply be a case of them falling foul of measured risk.

      That also might not be the case, it might also turn out to be absolute incompetence of course, but until we have more details we simply do not know. The summary pre-supposes they were victim to an old known exploit and not a recently publicised zero day - it's possible that the recently publicised zero day was in fact discovered precisely because of this hack for all we know - the idea that it was an old unpatched vulnerability is entirely speculation right now.

      We just don't know how much blame they deserve right now. What I personally know is that it's hard to recruit good security professionals precisely because those who truly understand security often don't want to touch it precisely because they know there's always a chance someone determined could breach security. What I do know is that as a result of this most the industry is full of people parroting the myth you have of being able to implement absolute security and as a result creating a false sense of security.

      Stop it. It's not helpful, it just puts you in the same basket as all those in the industry who peddle the myth and create the problem in the first place. I'd take someone who accepts that there's always a risk, but is honest about to what extent they believe they've been able to mitigate it, and then give them a waiver from blame if something happens any day over someone like you that pretends they can implement perfect security. But because people like you exist peddling the myth we instead find ourselves with an industry full of you, and we find ourselves with problems like this happening time and time again.

      We need to accept that security is always imperfect, and we need to start blaming only on relative effort applied to try and make the system secure - if someone took reasonable measures and still got fucked we need to accept that that's an inevitable consequence of the fact that absolute security doesn't exist, and that therefore due to simple statistics even some of the most fortified companies will inevitably be hit.

      So wait until we have the facts before assuming they did much wrong.

    6. Re:A poor carpenter... by TheRaven64 · · Score: 3, Insightful

      the performance delta between a computer today and a computer 20 years ago is practically infinite

      No it isn't, it's finite and it's a predictable number that is factored into the design of crypto systems. You assume that performance doubles roughly every year (a bit faster than Moore's law, but this factors in changes like GPUs / DSPs / FPGAs becoming cheap). For a symmetric crypto algorithm, adding one bit to the key length doubles the computational cost of attacking it, so if you want your data to be secure in 20 years than you work out how long it would take to crack it today and add 20 bits. Adding 20 bits is a bit awkward, so you round up to the nearest power of two.

      Occasionally you make the jump sooner. A lot of things moved from 128-bit AES to 256-bit AES, because it turns out that 256-bit AES is faster. Magical quantum computers aside, that gives an extra century or so before any of these can be cracked (ignoring weaknesses in the implementation, which are how most of these things are broken).

      --
      I am TheRaven on Soylent News
    7. Re:A poor carpenter... by Cederic · · Score: 4, Insightful

      Overall I agree with everything you've said, but one thing to add.

      it's hard to recruit good security professionals precisely because those who truly understand security often don't want to touch it precisely because they know there's always a chance someone determined could breach security

      You will suffer data loss. Assume that, plan for it, understand how to detect and mitigate it.

      Given the impossibility of perfect security it would be naive to do anything else, no matter how great (and well resourced) your data security is.

    8. Re:A poor carpenter... by Cederic · · Score: 2

      If we find that there was a someone who tried to raise flags about security, where management declined because it was too expensive then there should be repercussion.

      Be realistic. It's always possible to add an additional security measure, and there are rapidly diminishing returns.

      Security is a risk based domain, and sometimes it's appropriate to take the risk.

    9. Re:A poor carpenter... by TheRaven64 · · Score: 2

      Only if you correctly salt them (i.e. a different salt for each one). SSNs are 9-digit numbers. That's about a 30 bit search space. It's possible to generate a rainbow table for MD5s of all possible SSNs very quickly and store it in memory on a moderately powerful system.

      --
      I am TheRaven on Soylent News
    10. Re:A poor carpenter... by AmiMoJo · · Score: 3, Interesting

      Equifax's service isn't based on providing reliable information or securing that information. It's based on fulfilling a legal requirement to mitigate risk when evaluating potential customers for loans.

      They really don't care if they information they have is accurate, let alone secure. You are not their customer, they don't care what happens to you. All they care about is charging companies for read/write access to your file.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Blame the software not the License. by jellomizer · · Score: 4, Insightful

    How the product is licensed doesn't affect the quality of the software.
    If the software is of significant complexity, then chances are flaws will be there, and often just like commercial licences software a flaw can be overlooked by many eyes, until the flaw is found.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Blame the software not the License. by jellomizer · · Score: 2

      All sounds good in theory. But if there is 1% of the people out of the millions of transactions requesting more than 100 rows that will still be thousands of requests that need approval. The supervises will get fatigued at the request and just blanket approve them.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  4. It is open source ... by AnthonywC · · Score: 5, Insightful

    They have NO ONE to blame but themselves, it is OPEN SOURCE which means they can actually review the code and fix issue.

    1. Re:It is open source ... by Mr.+Shotgun · · Score: 3, Interesting

      They have NO ONE to blame but themselves, it is OPEN SOURCE which means they can actually review the code and fix issue.

      To be fair most organizations do not have the expertise or desire to review and fix the source code for products they are using, open source or not.

      That being said I am betting dollars to pesos that they were attacked with the March Vulnerability and not taken down by the zero day from a week ago. It seems like unless a vulnerability has a fancy web page and gets featured on CNN, management could not give a flying fuck. Wait till the next patch cycle becomes wait until the next quarter becomes eh we'll get to it. And that shit has got to stop.

      --
      Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  5. JAVA! by TechyImmigrant · · Score: 2, Interesting

    >Model-View-Controller (MVC) framework for Java
    There's your problem right there.

    Security demands simplicity.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:JAVA! by Wrath0fb0b · · Score: 2

      Model-View-Controller (MVC) framework for Java

      There's your problem right there. Security demands simplicity.

      A properly designed & implemented MVC is far simpler to understand, develop and audit than a tangle of spaghetti code that mixes everything up into a unitary blob.

      Simplicity is not the lack of internal structure, it's the lack of complicated relationships between the various pieces. There are plenty of very complex pieces of software that are nevertheless simple because the complexity is well matched by modular design and clean/legible interfaces.

      For a lot of design tasks, MVC is a proper choice for this. And like most things, using an off-the-shelf framework is largely preferable to rolling your own. That doesn't mean that some crap contractor never used it in the wrong place or wrote it completely pants-on-head stupidly. Or that some framework isn't shit.

  6. Yes Yes by American+AC+in+Paris · · Score: 5, Funny

    I think that if we've learned anything from this incident, it is that Equifax is a competent, professional organization that prides itself on its honesty and transparency, and that they are tirelessly acting in the best interests of the general public.

    --

    Obliteracy: Words with explosions

  7. Equifax Corporate Officers by xxxJonBoyxxx · · Score: 4, Insightful

    >> is it the fault of Struts developers or Equifax's developers, system admins, and their management?

    None of the above. It's the officers on the corporate board, who demanded "cheaper" rather than "secure." The managers who carried out their demands (putting emphasis on cheap contractors vs. quality work and investment in patching dependencies) were just doing their jobs, the sysadmins really don't have much to do with it (if you know how Struts works) and the developers are pretty blameless because their either do what management told them or not eat.

    1. Re:Equifax Corporate Officers by Anonymous Coward · · Score: 3, Informative

      My bitter, aging software engineer take: it's the endgame of chasing new features to meet next quarter's revenue target, neglecting to fund maintenance/sustaining teams for legacy apps. I don't even see maintenance/sustaining teams anymore. Maybe that was just a telecom industry (which I left 10+ years ago). In any case, if there isn't a development team that is actively updating an old unglamorous app, you're in trouble. Software will rot, not just from years of app patches, but also reliance on abandonware thirdparty libraries accumulating known exploits over time.

  8. equifaxsecurity2017.com by Phoeniyx · · Score: 2, Informative

    Yup, I went to the site and it asked for name and last 6, and I was like "GTFO"... Are you kidding me? How can these imbeciles NOT know that this looks like a classic phishing site.

    1. Re:equifaxsecurity2017.com by ichimunki · · Score: 2

      I didn't know this until a couple days ago, but starting in 2011 all new SSNs are random numbers. https://www.ssa.gov/employer/r...

      --
      I do not have a signature
  9. Root cause = SJW hiring practices by Anonymous Coward · · Score: 5, Interesting

    You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

    1. Re:Root cause = SJW hiring practices by i286NiNJA · · Score: 5, Interesting

      I don't think it was SJWs. I think she was well connected and managed to land a bunch of compliance gigs that have nothing or little to do with technology and Equifax regards security as a good starter position for c-level executives and PHBs instead of being a terminal position for some former teen-hacker.

      Let it soak for a second. If you work in IT.. even as tech takes over the world.... even as infosec mismanagement crises have been first page news for several years.

      YOU ARE WORTH LESS THAN THE MANAGEMENT CASTE.

      No matter how smart, no matter how educated, no matter where you work and no matter how much money you make... Unless you're born rich and connected or embed yourself into bureaucracies for access to such people .
      You are of a lower caste.

    2. Re:Root cause = SJW hiring practices by elrous0 · · Score: 3, Informative

      You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

      Wow, I thought you were trolling until I actually looked it up. WTF were they THINKING? You're not supposed to give a token diversity hire an actual job. You're supposed to appoint them to a bullshit position where they can't do any actual damage, then put their picture in all your brochures to virtue-signal to everyone how progressive you are.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
  10. Struts Fault? by oldgraybeard · · Score: 2

    Seems to me, Equifax is! as are all the credit collection businesses. Professional Extortion artists! They collect data on everyone. Then sell access to that information to the financial industry (Credit Checks). And if you want to protect yourself you are supposed to pay them to protect (Lock) your credit history.

    They do not care about spending money to protect the information they have data mined.

    Open source is better, if you use it right! And put the time in to do "YOUR" due diligence! They did not! They got hacked! It took them weeks to even realize it! And weeks before they came clean.

    1. Re:Struts Fault? by oldgraybeard · · Score: 2

      Just saw it on the Fox Business Channel, the 3 execs that were caught selling 1.8M in stock before this came out.

      Chief Financial Officer John Gamble made $946,374
      U.S. Information Solutions President Joseph Loughran made $584,099
      Consumer Information Solutions President Rodolfo Ploder made $250,458

      Of course none of them knew about the data breach ;) lol Right!

      I have a bridge to sell you ;)

  11. Re:Had this problem with a credit card company... by Anonymous Coward · · Score: 2, Funny

    Hmm not sure about this story. Can you link me to a Amazon book about this scenario?

  12. Well they're entitled by Hognoxious · · Score: 2

    Well they're entitled to ask for a full refund of whatever they paid for it.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  13. Re:Bullshit... by chipschap · · Score: 2

    No complex software is without bugs, no complex software is completely secure. I'm a big open source fan but this is reality. Open or closed, there will be bugs and exploits. Subjectively, it seems open source may get fixed more quickly, but that doesn't change the bottom line, which is that the onus is on the company.

    Equifax stores tons of sensitive information and it's up to them to protect it properly. No excuses, no finger pointing, no passing the blame. They are responsible, period.

  14. Not all financial institutions... by Roger+W+Moore · · Score: 3, Insightful

    Financial institutions KNOW this.

    Correction: competent financial institutions know this. Incompetent ones clearly do not and, as recent events show, it is not always easy to tell the competent from the incompetent.

  15. Data diodes? by ka9dgx · · Score: 2

    Equifax obviously has never heard of data diodes, which let data in, but not back out. Such a system could have let them accumulate data without risk of exposing all of it. They probably never heard of capability based security either, nor the principle of least privilege. They probably also use Operating Systems that rely on ambient authority to get everything done, such operating systems are wildly popular, but can't be made secure.

    There's a lot of bad design decisions behind this... not just the use of Apache Struts.

  16. It's cheap for us to inspect the tools daily by raymorris · · Score: 4, Interesting

    For a thousand bucks or so, Equifax could have had our company inspecting their tools daily, scanning for any accessible systems with security issues, including the issues in the Struts plugins.

    We would have also provided them with detection systems that would have caught the attempt to load the massive amount of data via the vulnerability, and systems to detect the attempt to exfiltrate the data, again at a very reasonable cost. These include 24/7 monitoring by our SOC. So if they had been even competent enough to simply sign up with a decent security provider, they would have been protected three times over.

    ALL software beyond "hello world" has bugs.* A competent CIO, or even a competent programmer or network engineer, knows that and plans accordingly. Any CIO or CSO whose security planning pretends that there server software is perfect is incompetent. A software bug didn't cause this - plenty of other organizations used the same software, but didn't get breached because they had scanning and alerting set up, so they mitigated the flaw immediately after it became known.

    *. All software has flaws, and well known proprietary software such as Windows, MS Office, Flash, and Oracle Java are an order of magnitude worse than well known open source software such as Linux, Libre office, Apache httpd, etc. My database I manage at work has almost every known vulnerability cataloged and rated for several measurements of severity. There's no comparison - there simply is not pride of workmanship in code nobody is allowed to see. Open source programmers know they are being judged personally for the code they put on display and it makes a HUGE difference in code quality.

  17. Re:Lick the boot too hard and you'll scuff the shi by oobayly · · Score: 2

    You could argue that by giving somebody a [false] bad credit rating (by carelessly using a different John Smith's records, or simply because they haven't borrowed enough money in the past) they are punishing that person. It's something that happens regularly and costs those people money, yet credit agencies are rarely taken to task over their conduct.

  18. About costs, what works for fire safety is by raymorris · · Score: 5, Insightful

    > Companies don't want to pony up the costs and resources to fix this crap. Good intentions are failing to keep companies secure

    Fire safety was a similar issue a hundred years ago. The insurance companies created Underwriters Laboratories (UL Listed) and the National Fire Protection Association, which writes the fire code. Companies buy insurance against fire, and their insurance company, in order to reduce their own cost of claims, insists that the companies meet fire codes and otherwise operate safely to minimize the risk of fire. That has worked well.

    The costs are a very real and legitimate issue. A magazine publisher should NOT spend $50 million to protect from the names of their subscribers being leaked. The cost would be too high relative to the risk. Spending too much on security is a mistake just as spending too little is. Spending on security increases costs, it makes products and services cost more for the consumer. It's all about calculating the *right* amount of spending to mitigate the risk by the right amount.

    As it happens, insurance companies are experts at calculating risks and costs. I expect over time they'll get involved in cyber security in a similar way as they are involved in greatly reducing fire risk.

    1. Re:About costs, what works for fire safety is by conquistadorst · · Score: 2

      >

      As it happens, insurance companies are experts at calculating risks and costs. I expect over time they'll get involved in cyber security in a similar way as they are involved in greatly reducing fire risk.

      That's quite an imperfect analogy. You're comparing products they sell and underwrite vs their own personal best practices, but let's ignore that for now because regardless the cyber experience is just not there at insurance companies right now. Insurance companies, even those like mine offering cyber coverage, don't have boots on the ground like they did for fire & allied lines. When it comes to fire, insurance companies employ (and still have) claims adjusters who had physical experience from looking at properties damaged in fires and investigating their causes. They do outsource sometimes too but a majority of the time they don't. Should they be hiring claims adjusters that are experienced in cyber forensics? Yes, I'm surprised they're not. Maybe they will *someday* but they don't right now. At my company they rely on outsourcing *all of it* it. The elephant in the room we're all being forced to see here is cyber attacks carry a far steeper and more dynamic sophistication than fires. Don't get me wrong, fires are sophisticated but it's a completely different playing field. I don't think we have to go through the laundry list of why they're so different but we can.

      In fact, I'm actually going to take your example and use it to beat you to death with it. Let me point out terribly unfortunate flaws. Insurance companies first started covering fire in the early 1700's. The UL wasn't founded until 1896 and the NFPA wasn't founded until 1896. Yes, that's almost 200 years later. YIKES. So those organizations make awfully terrible examples of "prowess" by insurance companies. As an insider I can tell you when it comes to technology insurance companies lag the rest of the world, not the other way around. But you are right they will figure it out, eventually.