Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com)
phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.
Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.
The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.
Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.
I can see a company delaying patching serious bugs long enough to test it and make sure the fix isn't worse than the bug.
I can see a company treating bugs that aren't reported as being serious as non-serious.
I can see a company assessing a "serious" bug and determining it's not serious in their environment and not treating it with urgency.
But that's not what happened here.
Heads deserved to roll and at least two did.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The company has finally figured out how to use a random number generator, from TFA:
Blaming this on a single security flaw just shows how incompetent they are. It's your design and approach at security that's flawed to begin with.
Allowing some shiny MVC framework directly accessing a database containing millions and millions of personal records is just plain dead retarded software design. This kind of incompetency should be fined, let's start with $100 for every record that got stolen in compensation. If such an incident can instantly bankrupt you, maybe then these companies will start to take their software security seriously.
What will happen with the ones that sold their stock before the announcement?
I have some (extremely limited) sympathy for patching "deep application infrastructure" things like Struts, because it can take quite a bit of QA to make sure that the patches don't break the application or make the problem worse. That being said, it's a top priority and companies - especially in PCI or similar compliance environments - need to budget the time and resources to deal with issues like this, because they will pop up on a regular basis.
That being said, this problem could have been blocked without patching. First of all, an application-level proxy / API that sanity checks the types and rate of requests should have been between the public web application and the database back end. All sorts of mischief can be either stopped or at least slowed down here, and the failure to have something like this is a major architectural error. Secondly, a reverse-proxy (or load balancer) could look for attacks of this nature and block them before they get to the web server. F5's products are explicitly capable of stopping this CVE, and I'm sure some of their competitors can do it as well.
Security needs to exist in layers, because at some point people will screw up at one layer or another. That's just human nature, and it will not change until AIs take over the world and enslave us, but that's a problem for 2019.
Help save the critically endangered Blue Iguana
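One way to implement the reverse-proxy check the comment above describes, as an added example that is not from the original post or from any F5 product. CVE-2017-5638 was triggered through a crafted Content-Type header that the Struts Jakarta multipart parser folded into an error message and evaluated as an OGNL expression, so a front-end filter can refuse any Content-Type that carries expression syntax, or that is not even a well-formed media type, before the request reaches the web tier. The request records, client addresses and paths below are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Expression syntax that has no place in a media type value. CVE-2017-5638
# abused the Content-Type header as the carrier for an OGNL expression.
EXPRESSION_MARKERS = re.compile(r"[%$#@]\{|\(#|\bognl\b", re.IGNORECASE)

# RFC 7231 shape: type/subtype followed by zero or more ;name=value parameters.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:\"[^\"]*\"|{TOKEN}))*\s*$"
)
MAX_HEADER_LEN = 256


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def inspect_content_type(header: Optional[str]) -> Verdict:
    """Decide whether a Content-Type value may be forwarded to the app server."""
    if header is None:
        return Verdict(True, "no content-type")
    if len(header) > MAX_HEADER_LEN:
        return Verdict(False, "content-type exceeds length limit")
    if EXPRESSION_MARKERS.search(header):
        return Verdict(False, "expression syntax in content-type")
    if not MEDIA_TYPE.match(header):
        return Verdict(False, "malformed media type")
    return Verdict(True, "ok")


def filter_requests(requests: List[Dict]) -> Tuple[List[str], List[str]]:
    """Split a batch of requests into forwarded paths and block-log lines."""
    forwarded, blocked = [], []
    for req in requests:
        verdict = inspect_content_type(req["headers"].get("Content-Type"))
        if verdict.allowed:
            forwarded.append(req["path"])
        else:
            blocked.append(f"BLOCK {req['client']} {req['path']}: {verdict.reason}")
    return forwarded, blocked


# Constructed sample traffic: two ordinary requests and one whose Content-Type
# carries an expression marker instead of a media type.
CONSTRUCTED_REQUESTS = [
    {"client": "203.0.113.10", "path": "/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----constructed"}},
    {"client": "203.0.113.11", "path": "/api/dispute",
     "headers": {"Content-Type": "application/json; charset=utf-8"}},
    {"client": "203.0.113.12", "path": "/upload.action",
     "headers": {"Content-Type": "%{constructed-marker}"}},
]

if __name__ == "__main__":
    ok, logs = filter_requests(CONSTRUCTED_REQUESTS)
    print("forwarded:", ok)
    print("\n".join(logs))
```

The same check belongs on every hop that can see the raw header, since a load balancer that rewrites or normalises Content-Type may hide the original value from the application.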
She's going to get her pension and benefits, which given her title, is a lot of money. Maybe even some sort of parachute.
This needs to be fully investigated, and she should probably lose all of it.
Clearly, we need more diversity hires.
So now everyone in the US is encouraged to pay each of the credit bureaus $10 or more to "lock down" their credit. Why isn't this free? Why should they get $1B (100M "customers" * $10) over their mistake?
Just like it was for Microsoft to make the lawyer Brad Smith their president. You wouldn't, for example, hire someone who hates cars to be the president of GM, but that's basically what Equifax and Microsoft have done.
So, one year they send me two documents. One says "pci compliance". One is for data breach insurance. I do the PCI, and toss the insurance. The next year, they send me PCI compliance, and charge me for the insurance. I call, tell them no, as I don't have any hackable databases, unless you break into my office and pull out handwritten credit card numbers from each individual file. I argue with them, and they tell me that it is mandatory. I read the policy, and find it is almost useless. If I don't PCI, they charge me $20 per month "noncompliance fee". If I do, they then charge me a bit under $200 for this useless insurance anyway. Meanwhile, someone goes to the front door and walks off with the whole database? I know interchange is a huge ripoff and is in desperate need of renovation...if Africa can move money with a dumb-phone for a lower commission rate, then V/MC/AX need to die in a fire today...but WTF? Meanwhile, I'm stuck with paying for insurance I can't use, with a system that is not easily electronically hackable (no stored numbers anywhere..period, and I use their portal to charge HTTPS)...
Wait, but we can't fire her, we need women execs no matter what, right?
Go read a history book or live abroad for a year or two. Diversity has nothing to do with incompetence. A music major being hired in a security role is not what diversity is about. It means that, all things being equal between candidates in technical knowledge, the candidate who has cultural differences from the group they will be hired into will more likely offer a different approach to solving the problem.
Diversity is about having more tools in your box to work with. Lack of diversity is akin to having a tool box full of hammers when you're trying to take a doorknob off a door. You can take it off with a hammer, but a screwdriver would have done the job more effectively.
A company that holds that much information should have top notch security. That includes penetration testing, penetration detection and multiple layers. The public layer should never have access to a database that has that much information. There should be an internal webservice that returns filtered information. This is 101 security!
Will be a black transgendered female lesbian one-legged vegan muslim trombone player.
We all know now she was hired to fill out diversity requirements for male/female ratio at upper management. Sadly this was the equivalent of needing a torque wrench and using a hammer and pliers instead. If you're chief security officer and you fail at security, then the company hired the wrong person.
And what the fuck does reading a history book or living abroad have to do with anything asshole? Apparently it didn't help you.
Diversity has nothing to do with incompetence.
Except when "diversity" is being used in a religious-like way to bump or push a candidate into a position, even when a more talented person would have been hired. To a point: She wasn't likely hired because she was a music major. She was likely hired into that position because she was female. So that the company could show just how "progressive" they were and "rah feminism" they are at putting women into high level positions (you know, the bullshit that feminists and progressives have been pushing for 7-8 years now). And you can almost bet that there were people under her scrambling around to cover up the exec-level bungling. Hell, you can even hear it in radio ads: "look at us, so-and-so company, we're an all female/black/latino/etc company" as some type of header before the sales shtick.
Anyone who's worked in a corporate environment in the last decade has seen this. Where someone else is hired into some management system not based on skill, or knowledge, or ability, or foresight and understanding. But because of their race, sex, or something else that they were born with. There's a very strong anti-meritocracy movement in corporate environments right now, and it's killing those companies.
Om, nomnomnom...
One would think that after suffering one of the worst breaches ever in terms of the potential damage, a company would look for fresh perspectives, and not hire the new leaders from within.
The Daddy casts sleep on the Baby. The Baby resists!
..but were David Webb and/or Susan Mauldin amongst those execs that sold shares before the breach was made public?
Clearly, the root cause here is cat parasites that impaired judgement of the board and execs to ignore basic security practices in a trust and consumer data line of business. It is like mice getting attracted to cat urine smell, only with your financial information.
It means the all things being equal between candidates in technical knowledge
In all my years of sorting through job applications and conducting interviews, "all things being equal" has never occurred.
Instead, what does occur is that HR managers or upper management hint strongly that "won't someone rid me of this meddlesome diversity quota imbalance". The end result is that some will hire the first diversity candidate that in good light meets absolute minimum requirements, despite there being better candidates available.
FTP: "Thus, MarketWatch reports, Equifax 'admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began.' And even then, Equifax didn't notice (and remove the affected web applications) until July 30."
I'll be interested to see how Equifax is punished for their lack of security in allowing the sensitive data -- not even given willingly to them -- of 143 million Americans to be stolen. Our laws in this country give slaps on the wrist to these financial services companies because they believe they're too big to fail and should be treated with kid gloves.
Even today, all mandatory data breach notification regulations are at the state level. Our do-nothing U.S. Congress has yet to require companies to report data breaches at a national level. It's simply mind blowing how we allow this to continue.
That's a crap analogy. Her job required hammers and screwdrivers, and what she had in her toolbox was gasoline, a match, and a fiddle.
If everyone old enough to receive credit or get a job locked down their CRA files, the CRAs would go out of business.
Look for:
1. The lock down fee changing from one-off to a yearly subscription.
2. The definition of what access is allowed to a person's locked down file to be changed to allow everything but opening a new account.
I have an associate who has made boat loads of money investing in companies that don't care about diversity and hire/promote based solely on merit.
If we are honest, merit was always a secondary consideration. Before the recent diversity-at-all-costs push, it was connections and schmoozing that got unqualified males promoted to the top. It isn't structurally different from what is going on right now. The key difference is that today unqualified candidates mistakenly believe they can actually make decisions, while in the past they mostly worked on putting away hard liquor before lunch, and played golf all afternoon.
We all know now she was hired to fill out diversity requirements for male/female ratio at upper management. snip...
No, we don't "all know" that was the reason she was hired into that role; it is more accurate to state that a substantial number of people believe that to be the reason, but that belief is obviously not the same as knowledge.
It's interesting that an Open Source API, Apache Struts (likely a few jar files in a web application), caused this issue. Good old reliable and free Apache Struts. This isn't a simple "run patch.exe and all is good" scenario by some admin. You'd have to update the jars to the fixed Apache versions (hopefully these exist), retest everything in the app, and rerelease it to production.
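Finding out which deployments still carry the old jars is the first step the comment above skips over. The following is an added example, not code from the original post or from the Apache Struts project: it audits the struts2-core jar bundled in a WAR against the fixed releases for CVE-2017-5638 (Apache advisory S2-045 lists 2.3.5-2.3.31 and 2.5-2.5.10 as affected, fixed in 2.3.32 and 2.5.10.1). The jar names and the throwaway WAR are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Iterable, List, NamedTuple, Tuple

# First fixed struts2-core release on each maintained branch for CVE-2017-5638.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Matches the bundled core jar, e.g. WEB-INF/lib/struts2-core-2.3.31.jar.
# A qualifier such as -SNAPSHOT is tolerated; only the numeric part is compared.
JAR_NAME = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)(?:-[\w.]+)?\.jar$")


class Finding(NamedTuple):
    path: str
    version: str
    status: str  # "fixed" or "needs-upgrade"


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def status_for(version: str) -> str:
    """Compare a struts2-core version with the fixed release of its branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Branches newer than 2.5 shipped after the fix; anything older than
        # 2.3 is end-of-life and has to be upgraded regardless.
        return "fixed" if v[:2] > (2, 5) else "needs-upgrade"
    return "fixed" if v >= fixed else "needs-upgrade"


def audit_jar_names(names: Iterable[str]) -> List[Finding]:
    """Report every struts2-core jar in a list of archive entry names."""
    findings = []
    for name in names:
        m = JAR_NAME.search(name)
        if m:
            findings.append(Finding(name, m.group(1), status_for(m.group(1))))
    return findings


def scan_war(war_path: str) -> List[Finding]:
    """Audit the struts2-core jars bundled in a deployed WAR (a zip file)."""
    with zipfile.ZipFile(war_path) as war:
        return audit_jar_names(war.namelist())


# Constructed sample: jar names as they might appear in an unpatched deployment.
CONSTRUCTED_JAR_NAMES = [
    "WEB-INF/lib/struts2-core-2.3.31.jar",
    "WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "WEB-INF/lib/commons-lang3-3.4.jar",
]


def demo_scan() -> List[Finding]:
    """Build a throwaway WAR from the constructed names and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        war_path = Path(tmp) / "constructed-app.war"
        with zipfile.ZipFile(war_path, "w") as war:
            for name in CONSTRUCTED_JAR_NAMES:
                war.writestr(name, b"")  # empty entries; only the names matter
        return scan_war(str(war_path))


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.status:13} {f.version:10} {f.path}")
```

Run it over every WAR in the application servers' deploy directories; a jar with a non-numeric version that the pattern does not match still needs a manual look.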
You make a good point. On the other hand, they needed people immediately, who can fill those roles on day one. Had the retirements been planned, they would have spent a month or more looking for the right candidate, who would then give two weeks notice at their old job, and maybe take a week to pack up and move. Then the new person would spend a month getting to know the company and its various systems. So a good outside hire would take about 10 weeks from listing the job to actually being productive. That's fine if the outgoing person stays while you're looking for a replacement.
In this instance, they needed someone who was ready to fill the role today, and using the pre-selected internal backup makes sense. At my last three jobs, someone was designated as my backup, ready to step into my role if something happened to me, and I was the designated backup for someone else. I do their job while they are on vacation or sick, so I'm ready to take over their position at a moment's notice.
She retired. She wasn't fired. So she'll get to take it all with her. Once again, the ruling class (and at CSO level she's a member) take care of themselves. And once again, I sure wish we could get the working class to do the same. Hell, we can't even get the working class to agree Healthcare is a right and not a privilege.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Straight to CLUB FED! For a prolonged Stay...
to sit around waiting for these kinds of things. But you need skilled people to do it and there's only so many H1-Bs you can have work full time on one thing while three or four times a year ramping up to an 80+ hour work week. Most experienced programmers won't put up with those kinds of hours except occasionally. Once they figure out it's part of the job they leave if they can.
So you either find a way to get the indentured servants that are folks here on work visas or you pay people to sit around waiting for problems and fixing them. It's usually only $300-$500k/yr. A sizable chunk of change but still quite affordable to large companies. But saving that $300-$500k was somebody's bonus the year the decision was made.
I wondered if Equifax intended to circle the wagons, hold on to upper management, and then try to buy, bribe, or schmooze their way out of this mess via political channels. For a lesser P.R. disaster than this recent exploit, such a strategy might have worked.
But abruptly canning the CSO and CIO says three things to me:
(1) Equifax's internal auditing shows that this mess is considerably worse than what has been publicly revealed so far.
(2) The CEO has now shifted to "I have to save my own job" mode. The CSO and CIO have been thrown under the bus, and more will probably follow.
(3) Equifax is going to take it on the chin, financially speaking. Canning the CSO and CIO is a clear admission that Equifax was negligent. The lawsuits are going to increase exponentially from this point. But worse than that is the overwhelming demand by millions of consumers to freeze their credit reports. Equifax (along with Experian and Transunion) makes a lot of money selling credit information to banks so that they can offer credit cards to you. Credit freezes prevent that. Every new credit freeze is another hit on the annual bottom line. Equifax is bleeding from millions of tiny cuts, and it will only get worse.
Frankly, it couldn't happen to a more deserving bunch of guys.
He - personally - should be fined millions and then sent to jail.
... and to think that Jason Bourne was their CIO. I think there's a deeper plot to all this ...
Can somebody post what US laws pertain to storing, distributing and protecting of personal information in this case?
At the executive level, you can assume that anyone holding that position has no actual expertise and sometimes no experience. Anyone with a CxO title is appointed to that position, and is usually well-connected on the boards of several companies. BUT -- good people in this position know they have to hire people who actually do understand the areas they're responsible for. If she wasn't capable of doing this, or was just hiring her friends for key positions, this is the result you get. I've been doing IT work in big companies for over 20 years now and have witnessed stuff like this over and over. It's a constant battle to do a good job when you have executives hiring incompetent people at the top, offshoring or outsourcing key IT functions for big kickbacks, etc. (I'm assuming that when we peel back the covers on this, the unpatched system will be a result of the IT department getting so disconnected that a simple system change takes 3 months and people on 2 different continents coordinating it.)
What I don't like about IT in general is that people can mess up badly, get fired or be allowed to "retire", then go to another company and mess things up there as well. I would love the idea of a professional organization that would ban incompetent people from working in the field after a fair finding of facts. This would really cut down on the number of slapped-together "solutions" that cause breaches like this in the long run. If my reputation were on the line, I wouldn't rush through a system design the way I'm sometimes forced to by schedules. As it is, IT people can do the equivalent of joining the French Foreign Legion and come out on the other end with a clean reputation. (For those unfamiliar, the FFL is France's overseas military force who basically accepts anyone who wants to escape their current situation and grants them a new identity in exchange for military service.)
Why are we education shaming this woman?
fed to them by billionaires and corporations that don't want to pay taxes. I remember a story during the height of the tea party boom of a small town that tried something like that. They eliminated all taxes and were genuinely shocked when the services stopped. They just figured all the waste would get cut and everything would be hunky dory.
There's also a lot of "I got mine, fuck you" going around. A general sentiment that since I worked hard to get where I'm at I shouldn't have to pay for other folks. One of the big problems I see is baby boomers who got where they are through sheer dumb luck but also had to work hard to take advantage of that luck. They forget or ignore the luck part and get mad at folks who don't work as hard as they did.
Then there's good ol' fashioned tribalism and the racism that goes with it. Nobody wants to pay for the other 'tribe' to have health care.
Quack! Quack! I love Big Brother too!
I have to agree. "Diversity" hiring is an injustice, but we have no evidence she was a diversity hire. Despite her degree being in Music, she may well have been perfectly qualified through experience.
My mom's a black transgendered gay woman, you insensitive clod.
Correct. She may have been promoted through the ranks for her knowledge of compliance. What a lot of Slashdotters don't seem to know is that a CSO for a tech company is very different than a CSO for a financial institution (FI). Quite often an FI CSO role is an additional and secondary role for the Chief Compliance/Risk Officer, who generally doesn't have a tech background. That being said, Equifax could have afforded a CSO with a tech background.
Asking for a friend.
The original release said that hackers gained access to "certain files".
I think they had un-encrypted spreadsheets of the data available for download by companies to which they sold data. Then the hackers managed to access the download location.
How come nobody has pointed out the IBM connection? It looks to me that IBM is at fault more than Equifax.
https://www-03.ibm.com/press/us/en/pressrelease/27266.wss
Get diversely fucked.
What makes you think this was a diversity hire?
It is very common for top managers in tech to be relatively clueless about what they are managing.. just like top-level management everywhere. :)
That said, I haven't seen any information about her qualifications or lack thereof.
People keep saying it but I do not understand it at all.
How does someone from X background have a different set of ideas on how to solve CVE patching than a set of, let's just say, "white dudes" (who also come from very different backgrounds - i.e. one was a sysadmin, one was a network engineer, one was a dev, etc.)?
I've never seen someone in a meeting say " hey we should solve this security hole with this trick I learned in X country ". Or because I had to overcome X disability, we should definitely optimize algorithm X this way.
What the fuck are you even talking about ?
I have to agree. "Diversity" hiring is an injustice, but we have no evidence she was a diversity hire. Despite her degree being in Music, she may well have been perfectly qualified through experience.
But the fact of the matter is that by her being female, her hiring was a de facto help meeting diversity requirements.
Hey champ.
You probably thought starting your first sentence in the subject field and finishing it in the comment was pretty clever.
"Oh my stars! What a novel and unexpected use of the subject field! This rapscallion has shown complete contempt for social mores! How scandalous!"
But really, you're not the first person to do this. And it's pretty fucking annoying to start reading a comment and realize that you're reading a sentence fragment because the poster thought he would be a clever boy by starting his comment in the subject field.
So please, do everyone a favor and go drink a quart of bleach.
If we are honest, merit was always a secondary consideration. Before the recent diversity-at-all-costs push, it was connections and schmoozing that got unqualified males promoted to the top. It isn't structurally different from what is going on right now. The key difference is that today unqualified candidates mistakenly believe they can actually make decisions, while in the past they mostly worked on putting away hard liquor before lunch, and played golf all afternoon.
Here you are talking about breaching computer security, unquestionably a serious, but not a life-or-death matter. But there are even more serious matters which are life-or-death and may be harmed by this SJW diversity bullshit. How about planes falling out of the sky? Not that there are no incompetent male pilots (how many of them got their jobs because of this SJW bullshit?), but aviation is a life-critical application which may have been eroded by the SJW bullshit. Here is an old example: https://en.wikipedia.org/wiki/Kara_Hultgreen
"ATLANTA, September 15, 2017: As part of the company's ongoing review of the cybersecurity incident discovered July 29 but not announced until September 7, 2017, Equifax Inc. (NYSE: EFX) today made personnel changes and released additional information regarding its preliminary findings about the incident. The company announced that the Chief Information Officer David Webb and Chief Security Officer Susan Mauldin are retiring..."
This is an improved intro to the press release. When some search result turns up this version of the text in the future, the names and the disclosure lag will be plainly visible. Pay me $10 if you'd like to "freeze" out future access to this version of the release.
in the past they mostly worked on putting away hard liquor before lunch, and played golf all afternoon
I always wanted that job... but I don't play golf.
But, but - diversity is so valuable!
Look at all the companies that have been founded, crushed it, aren't diverse, and are struggling to become so, because otherwise they wouldn't be those amazing companies that they already are somehow.
from another country before you pretend to have a clue what they think about things. you will end up humiliating yourself a lot less that way.
That's the sound a golden parachute makes as it opens
This is how the Federal government ends up staffed with so many morons ... because many Federal agencies for whatever reason prefer people with military service over experience. If two applicants were applying for the same job, the one with 4 years in the Marines would get the job over the one that didn't regardless of qualifications.
So, to be clear, society's problems aren't so much isolated to gender/race quotas at hiring, it's ANY system that values anything other than ability to perform the job.