Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com)

Posted by EditorDavid on from the what-could-go-wrong dept.

phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.
The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.

16 of 196 comments (clear)

  1. Incompetent idiots by Anonymous Coward · · Score: 5, Insightful

    Blaming this on a single security flaw just shows how incompetent they are. It's your design and approach at security that's flawed to begin with.

    Allowing some shiny MVC framework directly accessing a database containing millions and millions of personal records is just plain dead retarded software design. This kind of incompetency should be fined, let's start with $100 for every record that got stolen in compensation. If such an incident can instantly bankrupt you, maybe then these companies start to take their software security serious.

    1. Re: Incompetent idiots by that+this+is+not+und · · Score: 5, Insightful

      A lot of 'sensitive information', namely things like SSN, are only sensitive because the credit application process has been so sensitized. Credit extending companies want it to be trivially easy to extend credit. They want the cashier at a clothing store to be able to issue a credit card to customers at the point of sale. So things that used to be ordinary accessable information like SSNs are made into secrets, for the convenience of credit issuing companies.

      When I attended college at a small liberal arts school in 1979 they didn't really have a student ID number. They just used students' SSNs as an id. So SSNs were scattered all over campus fairly freely. You used a card with your SSN on it at the library to check out books.

      There is really no reason for this not to be okay, except for businesses who want to be able to use your SSN as a sort of 'secret password' to allow youbto go into debt to them.

    2. Re: Incompetent idiots by belthize · · Score: 3, Insightful

      Same here, college I went to in the mid-80s used our SSN as the student ID number, Sometime around 87 or so they appended the number 4 to the end because they claimed it was illegal to use your SSN as a form of identification. I found that logic fascinating.

      For years I've been a proponent of just posting everyone's SSN on a website so we can quit pretending it's a secure bit of info. As long as folks falsely think it's secure they'll keep using it.

  2. Retiring is a lot better than firing by Anonymous Coward · · Score: 2, Insightful

    She's going to get her pension and benefits, which given her title, is a lot of money. Maybe even some sort of parachute.

    This needs to be fully investigated, and she should probably lose all of it.

  3. Re:Good news everyone! by arth1 · · Score: 3, Insightful

    Unless the entropy requirements are published, the assumption should be that it's not random, but a pseudo-rng with known flaws.
    Exchanging "date +%m%d%Y%H%m" with "ran=frac(9821 * ran + 0.211327)" does not qualify for "random", although it might be a good enough number for this purpose.

  4. what a bs. by kiviQr · · Score: 5, Insightful

    A company that holds that much information should have top notch security. That includes penetration testing, penetration detection and multiple layers. Public layer should never have access to database that has that much information. There should be an internal webservice that returns filtered information information. This is 101 security!

  5. Re:Not noticing?? That's bad by Anonymous Coward · · Score: 5, Insightful

    They didn't officially notice the breach until after they sold off their stock shares... So they say.

  6. Re: Not noticing?? That's bad by Anonymous Coward · · Score: 0, Insightful

    But but but but WOMEN IN TECH.

    This is what happens when you hire someone because she has a vagina instead of actual qualifications.

  7. Re: Hiring anti-tech employees is a bad idea by sinij · · Score: 4, Insightful

    Thing is, this is what 'next quarter' corporate culture rewards - accountants and lawyers cooking books and lobbying for government handouts.

  8. Not quite by bagofbeans · · Score: 4, Insightful

    If everyone old enough to receive credit or get a job locked down their CRA files, the CRAs would go out of business.

    Look for:
    1. The lock down fee changing from one-off to a yearly subscription.
    2. The definition of what access is allowed to a person's locked down file to be changed to allow everything but opening a new account.

  9. Not really by rsilvergun · · Score: 4, Insightful

    She retired. She wasn't fired. So she'll get to take it all with her. Once again, the ruling class (and at CSO level she's a member) take care of themselves. And once again, I sure wish we could get the working class to do the same. Hell, we can't even get the working class to agree Healthcare is a right and not a privilege.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Not really by Anonymous Coward · · Score: 0, Insightful

      That's what "gun to their head" means. Taxes are taken via that means, and used to pay for things.

      What I don't get, is why Americans think socialized health care is evil, then have socialized fire departments, police, social workers, courts, and well -- lots and lots of lots of other things.

      Why is socialized = evil with health care, but != evil with police. Or the fire department.

      I'll tell you why.

      The rich benefit from socialized police, that protect them over the poor. And the rich benefit in factories, businesses, and buildings they own, not burning down. Or, fire spreading uncontrollably... and causing damage.

      But as soon as something helps the poor more than the rich (IE, health care), EVIL! SOCIALISM!

      Either social police, fire departments, schools, and health care is bad, or good. How can you just separate one thing out?

  10. The trouble is nobody likes paying programers by rsilvergun · · Score: 4, Insightful

    to sit around waiting for these kinds of things. But you need skilled people to do it and there's only so many H1-Bs you can have work full time on one thing while three or four times a year ramping up to an 80+ hour work week. Most experienced programmers won't put up with those kinds of hours except occasionally. Once they figure out it's part of the job they leave if they can.

    So you either find a way to get the indentured servants that are folks here on work visas or you pay people to sit around waiting for problems and fixing them. It's usually only $300-$500k/yr. A sizable chunk of change but still quite affordable to large companies. But saving that $300-$500k was somebody's bonus the year the decision was made.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:The trouble is nobody likes paying programers by phantomfive · · Score: 3, Insightful

      You can say that again.

      Ask any programmer: "When was the last time you had a sprint to look at security? When was the last time your manager gave you extra time on a task to make sure it was secure?" The answer is always "never."

      --
      "First they came for the slanderers and i said nothing."
  11. Re: Not noticing?? That's bad by Anonymous Coward · · Score: 4, Insightful

    But but but but WOMEN IN TECH.
    This is what happens when you hire someone because she has a vagina instead of actual qualifications.

    This. Exactly this. Hire based on qualifications, not on gender.

  12. Re:Not noticing?? That's bad by pop+ebp · · Score: 4, Insightful

    When the break-in first came to light, lots of people criticized Equifax, but a vocal minority said something along the lines of "No system is absolutely secure. We don't know if the hackers used a zero-day vulnerability against Equifax. They could have followed all the security best practices and still be hacked."

    My response was "If the past is any guide, every time a major company was hacked, it was eventually traced to vulnerabilities in outdated software that should have been patched months ago. I am going to assume this is the same."

    Turns out I was right. Companies never learn.