Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)

Posted by BeauHD on from the finger-pointing dept.

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. "It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.

8 of 283 comments (clear)

  1. A poor carpenter... by Ritz_Just_Ritz · · Score: 5, Funny

    Always blames his tools.

    1. Re:A poor carpenter... by ScienceofSpock · · Score: 5, Insightful

      In the financial sector, proper security is THE most important thing. If you are offering services and you cannot secure your customer's data absolutely, then you shouldn't be offering services.

      If proper security is "too expensive" for your profit margin, then you have a failed business model, and shouldn't be offering services.

      Financial institutions KNOW this. This is the business they choose to be in, it has a high operating cost and they get paid VERY well to perform these services. They shouldn't be let off the hook for taking the cheap way out, and they certainly shouldn't be allowed to profit from these tactics. They only understand money. The only way to punish these institutions when they do stupid shit like this is to hit them hard in the purse.

  2. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  3. It is open source ... by AnthonywC · · Score: 5, Insightful

    They have NO ONE to blame but themselves, it is OPEN SOURCE which means they can actually review the code and fix issue.

  4. Yes Yes by American+AC+in+Paris · · Score: 5, Funny

    I think that if we've learned anything from this incident, it is that Equifax is a competent, professional organization that prides itself on its honesty and transparency, and that they are tirelessly acting in the best interests of the general public.

    --

    Obliteracy: Words with explosions

  5. Root cause = SJW hiring practices by Anonymous Coward · · Score: 5, Interesting

    You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

    1. Re:Root cause = SJW hiring practices by i286NiNJA · · Score: 5, Interesting

      I don't think it was SJWs. I think she was well connected and managed to land a bunch of compliance gigs that have nothing or little to do with technology and Equifax regards security as a good starter position for c-level executives and PHBs instead of being a terminal position for some former teen-hacker.

      Let it soak for a second. If you work in IT.. even as tech takes over the world.... even as infosec mismanagement crises have been first page news for several years.

      YOU ARE WORTH LESS THAN THE MANAGEMENT CASTE.

      No matter how smart, no matter how educated, no matter where you work and no matter how much money you make... Unless you're born rich and connected or embed yourself into bureaucracies for access to such people .
      You are of a lower caste.

  6. About costs, what works for fire safety is by raymorris · · Score: 5, Insightful

    > Companies don't want to pony up the costs and resources to fix this crap. Good intentions are failing to keep companies secure

    Fire safety was a similar issue a hundred years ago. The insurance companies created Underwriters Laboratories (UL Listed) and the National Fire Protection Association, which writes the fire code. Companies buy insurance against fire, and their insurance company, in order to reduce their own cost of claims, insists that the companies meet fire codes and otherwise operate safely to minimize the risk of fire. That has worked well.

    The costs are a very real and legitimate issue. A magazine publisher should NOT spend $50 million to protect from the names of their subscribers being leaked. The cost would be too high relative to the risk. Spending too much on security is a mistake just as spending too little is. Spending on security increases costs, it makes products and services cost more for the consumer. It's all about calculating the *right* amount of spending to mitigate the risk by the right amount.

    As it happens, insurance companies are experts at calculating risks and costs. I expect over time they'll get involved in cyber security in a similar way as they are involved in greatly reducing fire risk.