Equifax Says 2.5 Million More Americans May Be Affected By Hack (reuters.com)
According to Reuters, Equifax said about 2.5 million additional U.S. consumers may have been impacted by a cyber attack at the company last month. Last month, the company disclosed that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July.
As for what led to the breach, Ars Technica reports it was "a series of costly delays and crucial errors." From the report: Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.
Tibetan monks here on sabbatical? Dogs? The flea's on said dogs?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
and say Everybody
Professor Farnsworth: "Good News Everyone! Equifax Says 2.5 Million More Americans May Be Affected By Hack"
Leela: But that's worse than what it was before!!!
Professor Farnsworth: "Huh, wuh?"
Your personal information is being shared by your creditors/bank with equifax. That is the only way they collect information.
Write your creditors and say you no longer consent to your information being sent to equifax due to their ongoing security issues. There are two other reporting agencies they can use, tell them you only want information shared with experian and transunion until further notice. Even if they say no, say you will hold them legally responsible for information shared with equifax after equifax has been shown to be an immediate and clear security risk.
It is pretty much the only way to hurt Equifax. It gets companies to stop using them. Convince companies that no matter how strong their own privacy policies are, they don't work if they are not transitive to everyone they share your information with.
Heck, make this idea popular enough that credit card companies start listing "won't share your information with Equifax" as a selling point and it will hurt them bad and make everyone take security more seriously.
http://notanumber.net/
But can we toss all the Cxx's into prison for a few years, strip them of their assets, and make Equifax an example? They fucked up the rest of my life; one would hope the rest of their lives would be fucked as well.
They are the VW of credit agencies.
Table-ized A.I.
an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded
Yeah, right. Makes it sound like "Equifax", e.g. some MBA, tried to get "admins" to patch it, but they refused.
Almost certainly what happened was the "Equifax email" was from an IT guy, and some admin manager said "NO, we can't do it right now."
I wonder what department the email was from, and to. And what conversation was had outside of an email stream. "Too costly", "Too busy", "No time", "Can't afford it".
Now that all hell has broken loose, I'm sure everyone's trying to claim "I wanted to do it!". Lies!
I work for a start-up in Seattle, and we've had a hiring freeze against males for almost six years. Of course we're so much in trouble now that we're working Seattle Hundreds (16 hours a day Mon-Thu and 12 hours a day Fri-Sun). It sucks since we can't take any time off to make up for the subpar employees we've hired for the past six years.
> now that we're working Seattle Hundreds
By this point everyone should know that if you take a job in the Seattle area, it's going to require hundred hour work weeks.
Some clarification was required. 43 people in Delaware were not impacted. Thank you. Ironically, the payouts made to management who are resigning will, on a per-victim basis, probably be greater than any of the victims will receive via any legal action taken.
1. You've already entered into a contract with your bank and creditors (aka "the fine print"). Typically the fine print allows them to change the terms of the contract under certain conditions, but it does not allow you to change the terms of the contract. You can't just willy-nilly change a contract you don't like (unless it was stated in the original contract).
2. Unless your letter is notarized and requires a signature on delivery, it's pretty much worthless as well. They have no way of verifying the letter is actually from you (hence the notary) and you have no proof that they received it.
If an ordinary citizen did something this bad, we'd either get the death penalty or life in the gulag torture camps (living death). So this company needs to get the death penalty. Remember, corporations are people too!
Revoke Equifax's charter, shut them down, seize their assets for the public coffers. The American people deserve to see the management of Equifax standing in an unemployment line.
says it all..
open sores
I work for a start-up in Seattle, and we've had a hiring-freeze against males for almost six years.
Slow start, huh?
Maybe some had more data to share than others, but I wouldn't bet on anyone's personal data escaping unscathed. It would take an act of Congress to protect citizens from the fallout of this breach, but I doubt the current "business friendly" environment will do much to protect the average American.
Time is what keeps everything from happening all at once.
Yeah, dropping this press release just after a major national event that is consuming all the news cycles so it gets lost in the noise. How can the PR person who allowed this to get pushed out during such a situation look at themselves in the mirror and not think they are scum?
... everybody gets hacked, so it's not like all the information wasn't out there already. Business as usual.
At this moment these are just rounding numbers. It is easier to say everybody was hacked than to look at who was not.
What I still find appalling is that the people that were hacked are "just" a few million people, but the real stink is how they dropped stock. It is like that douchebag with the inhalers. Screwing over a few million people for money is not an issue, but take some money from the rich and you are dead.
I am not saying that they should not be prosecuted for that but the company should be offline till the investigations end at least. The only thing that should be available online is a static webpage telling that they are offline.
Just as a precaution, the same should be done to their competitors till they show they are secure.
But that would mean they can't make money, and we can't have people's lives interfere with that, now can we?
Don't fight for your country, if your country does not fight for you.
FTC should now direct that ALL these types of organizations shall LOCK ALL CREDIT REPORTING unless requested to be opened by the OWNER of the accounts.
Not just forgetting to patch but also allowing entrance via default admin/admin login/password, perhaps allowing attackers to discover other credentials and attack vectors to exploit elsewhere.
Twinstiq, game news
There are 326 million American citizens. Of those about 74.2 million are children (under age 18), and only about 127 million are employed full-time.
This means that 326-(74.2 + 127) = 124 million are not employed full time. Equifax is more likely to have a file on a working adult, especially given how credit checks are part of modern employment screening, than a non-working adult. The breach is large enough that it covers every working adult in the US and then a very good chunk of the non-working ones.
It is everyone. Everyone. There isn't a person whose identity isn't compromised here. If you work, the odds of being in this hacked list are more likely than not.
So, credit just died, and nobody realized it. Wow. It is going to suck when that starts to hit home. This is the Craftsman-goes-to-China-gives-secret-sauce-to-everyone moment for the credit industry.
-Engr Student
I'm actually a systems security engineer and their music major CISO was way, way above my level on infosec knowledge.
Support my political activism on Patreon.
Has anyone bothered to ask why there are only 3 major credit bureaus?
How? I think you're lying. Can I please see some evidence that she's competent beyond her lame PCI DSS cert?
I really don't believe you at all.
Never mind, I googled you... yes, as someone who has only been out of community college a few years, most professionals know more than you; this is not surprising.
Yeah, I'm surprised they're still a start-up at least 6 years in, as well. I mean, with all the "diversity" you get by not hiring any men, you're sure to have the absolute brightest and best on your team. After all, no man has ever been good at anything; certainly never the best in their field.</sarc>
I'm all for hiring a diverse team based solely on merit, if the pile of resumes representing the best-qualified candidates does, in fact, belong to a diverse team. Doing anything else (like, for example, not hiring men because "diversity") is going to have real world negative consequences. Sure, maybe you build a "good enough" team picking and choosing by gender or race; but your company doesn't exist in a vacuum and your competitors will be hiring the talent you've passed up. You will lose to competitors who were willing to hire solely on merit because they will inevitably build a more talented and capable team.
And, when 90% of your qualified applicants are men, it's quite likely that 90% of your new hires will be. That's not sexism, that's statistics.
If more women wanted to do this work enough to actually get good at it, we'd see more women in tech. It's pretty bad when you can walk into a room and tell which women were hired on merit and which were hired to fill seats for "diversity" before anyone even says a word, but there's really that much of a gap that you actually can tell. Sadly, most women I've encountered in this field were not hired on merit; the ones who were are absolutely amazing at what they do, while the ones who weren't tend to be more eye candy than anything else. And we wonder why harassment is so prevalent -- maybe stop hiring women who bring nothing more than a pair of boobs with them to the office and focus on hiring women who can do the job, instead? If you can't find a qualified female candidate, don't just hire the first nice ass that walks through the door; you're only setting yourself up for a hostile work environment by doing that. Either hire a man if you have an immediate need and no worthy female applicants, or keep looking if the need is not immediate. The qualified women are out there; they're just typically harder to find because there are insanely fewer of them and they tend to switch jobs less once they find a place that treats them like people rather than meat.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Mauldin kind of scrubbed herself from the Internet and made her LinkedIn profile private after the breach. She has given interviews in which she discussed at length the evolution of the CISO role from a simple evolution of InfoSec engineering to a broad strategic role of organizational risk management.
Thing is, I'm good on risk management—a lot better than most professionals in my field, because risk is a broad topic that doesn't just include things like security vulnerabilities and e-mail spoofing but rather an entire operational process of qualitative analysis from individual and organizational experience, identification of qualitatively-important risk, ranking of the probability (frequency of occurrence) and severity (cost) of those risks, and registering of risks and their mitigations and contingencies. Risk is a huge component of project management and even has its own business component (yes, you can have a Chief Risk Officer) which tracks risks such as market opportunities and threats to business operations.
I'm also pretty decent with infosec stuff because I can take an adversarial position using both my technology background and my risk management background. I understand the practices and the products in place--firewalls, intrusion detection systems, things like Cisco AMP which track file movement through a network and look for anomalies, vulnerability management, patch management, password controls, encryption, the like--just fine. None of that bothers me.
What I never got was theory.
If you start talking about the deep computer science theory and the modeling structures behind risks, you lose me. Quickly. I understand role-based access control; I've also read the published standard for role-based access control, and the damned thing is full of discrete math and high-level mathematical concepts that I just don't grasp. You need a dual bachelor's in mathematics and compsci to be in that stuff. What I understand is simple: users should be attached to roles; roles should grant permissions; and the granting of roles as such assures that we don't grant you permissions which you don't need AND that you don't simultaneously have permissions which circumvent security controls (we can notate which combinations of roles create conflicts of interests).
I'm like that with compsci in general. For example: modern compilers build programs such that anything with an on-stack buffer or an alloca() call gets a canary value generated from a random value (picked at process initialization) XOR against the return pointer on the stack, requiring a complicated read, compute, and rewrite of two pieces of data (you can't just start writing above the canary to avoid clobbering it) to pull off a stack-based buffer overflow. I don't fully grasp how the random devices generate random data--there are data sources and algorithms, e.g. some shove it through a PRNG or through AES as a PRNG--and I sure as hell don't understand the compiler's parser or its optimizer (these days, optimizers operate on a static single assignment tree, which is at least approachable if you want to learn how they work).
The stack is a protected area anyway: can't execute it as code. You can even achieve this on a 486-SX if you want: just mark the Read[=execute]-Write pages as SUPERVISOR and have the kernel force a DTLB load when something tries to read/write the page. When you continue the program, the MMU will check the data translation lookaside buffer and say, "Oh, this is data pointed at [physical page]." It doesn't cause a fault until you try to execute the page, or until it falls out of the DTLB cache. If you try to execute it, it's not in the ITLB (instruction TLB), and the kernel looks at the general protection fault and just kills the program for attempting to execute a non-executable page.
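A toy model of the canary check described in the comment above, added here as an example and not taken from the thread or from any compiler's runtime: the frame is a struct rather than the real stack, and the per-process secret and return address are fixed, made-up values so the run is reproducible.

```c
/* Toy model of a stack canary: the guard word sits between the buffer and the
 * saved return address and is derived as (per-process secret XOR return address),
 * as the comment describes. A copy that runs past the buffer clobbers the guard,
 * and the epilogue check refuses to return. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

typedef struct {
    char buf[BUF_LEN];      /* on-stack buffer an overflow would write past */
    uintptr_t canary;       /* guard word checked before returning */
    uintptr_t saved_ret;    /* return address the overflow is heading for */
} toy_frame;

/* Per-process secret. A real runtime draws this from the kernel's random
 * source at process start; it is a constant here only for reproducibility. */
static const uintptr_t g_secret = 0x5a5a1234UL;

static uintptr_t make_canary(uintptr_t ret) { return g_secret ^ ret; }

/* What the prologue does: clear the buffer, store the return address, place the guard. */
static void frame_init(toy_frame *f, uintptr_t ret) {
    memset(f->buf, 0, BUF_LEN);
    f->saved_ret = ret;
    f->canary = make_canary(ret);
}

/* An unchecked copy into the buffer: n bytes are written starting at buf and
 * spill into whatever follows it once n exceeds BUF_LEN. The frame is addressed
 * as raw bytes so the spill is explicit rather than undefined behaviour. */
static void unsafe_copy(toy_frame *f, const unsigned char *src, size_t n) {
    memcpy((unsigned char *)f, src, n);
}

/* The epilogue check: 1 if the guard still equals secret ^ saved_ret, 0 if the
 * region between buf and the return address was overwritten. */
static int frame_check(const toy_frame *f) {
    return f->canary == make_canary(f->saved_ret);
}

/* Write n bytes of a constructed 'A' run into a fresh frame and report whether
 * the check would allow the function to return. */
int run_write(size_t n) {
    toy_frame f;
    unsigned char src[sizeof(toy_frame)];
    memset(src, 'A', sizeof src);           /* constructed input */
    if (n > sizeof src) n = sizeof src;
    frame_init(&f, 0x401000UL);             /* made-up return address */
    unsafe_copy(&f, src, n);
    return frame_check(&f);
}

int main(void) {
    printf("%d-byte write: %s\n", BUF_LEN,
           run_write(BUF_LEN) ? "canary intact" : "canary corrupted");
    printf("%d-byte write: %s\n", BUF_LEN + 1,
           run_write(BUF_LEN + 1) ? "canary intact" : "canary corrupted");
    printf("%d-byte write: %s\n", BUF_LEN + 8,
           run_write(BUF_LEN + 8) ? "canary intact" : "canary corrupted");
    return 0;
}
```

Even a one-byte spill past the buffer trips the check, which is the point of placing the guard directly after the buffer; only a write that reproduces the exact secret-derived value would pass, which is why the secret must be unpredictable per process.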
Great response, though it wandered a bit. Anyhow, don't sell yourself short. She's the pointy-haired boss from Dilbert, and they used their CISO position to train a promising C-level executive instead of rewarding a good hacker, engineer, or scientist, and they got the results they deserved.
I don't buy it. She's been in technical positions for a long while, and the only black spot on her record is she strongly defended cloud computing by talking about both the new opportunities to offload many of the security concerns to the provider (who can do it better) and to institute new security controls (because cloud computing lets you fuck up royally if you really want to). What shot down Equifax? A simple, traditional failure to patch a vulnerable piece of software--cloud, local bare metal, or VM.
If they had been using e.g. Edge Hosting in Baltimore to host their custom application, this would have never happened. Edge Hosting leverages AWS and all that in the back-end; they provide security in front of all that with a lot of Trend Micro stuff (IPS, firewalls, etc.) as well as good use of AWS infrastructure. You tell them what your custom application does, their engineers work with you to figure on how to make it run, they handle the administrative work of keeping it running, you give them code updates. They track security vulnerabilities, write automation scripts to deploy them across all assets for all of their clients, do rounds of test releases, and then push them out.
A cloud hosting provider like that would have been proactive in moving to protect all customers from a threat--something Mauldin believed was a great new opportunity while everyone was decrying cloud computing as an enormous mistake for anyone who doesn't want to lose control over their data and their security.
Instead, Equifax's own administrators were responsible for managing their own software. They got behind in patching. This isn't a CISO-level mistake; this is an operational problem. CISO-level mistakes are broad, overarching strategy problems, and apparently their broad, overarching strategy let them sail along happily while Home Depot, Target, Sony, and Ashley Madison got hacked repeatedly over the past decade. One tiny, tiny breach and their entire database gets sucked out the pinhole.
What could Mauldin have done in the past three years to cause this kind of failure of security--the simplest kind of neglect way down at the administrative level, where somebody didn't get around to putting in a patch? I doubt she cut down the company's patching policy from "Patches must be deployed by $RULES" to "Whatever, patch when you get around to it." The smoking gun is apparently that she has a degree in music, and so must be incompetent.
My decades around hackers and nerds allows me to intuit that she is a manager and not a true technical person. Just from her stupid haircut.
After the subsequent numerous extremely bad hacks and the statement from the CEO that the org has a culture of tenure and mediocrity... the smoking gun that she sucks is that she was working there to begin with. A good hacker would have had a difficult time with the culture there and quit out of frustration.
My decades around hackers and nerds allows me to intuit that she is a manager and not a true technical person. Just from her stupid haircut.
You could also intuit that I'm a politician from my $800 suit. I'm also my Campaign Committee's chair, treasurer, accountant, chief technology officer, Web designer (could you tell?), content writer, speech writer, publicist, campaign strategist, information security officer, lawyer, and secretary.
I happen to like train wrecks. Why work at a place that's well put together when you could be rebuilding a nation? I've pushed back against management, pointed out enormous operational flaws, and gotten myself counseled for saying unpleasant things about the state of an employer here and there when they'd rather I just do what they tell me. They eventually get back in line, and the organization straightens itself out--to miraculous effect. Sitting around and coasting is boring.
Why wouldn't you want to work for a disaster employer?
Perhaps the most attractive thing about being a Congressman is I get to tell all my coworkers--you know, Congress--exactly what's wrong and keep telling them long after they're tired of hearing it, and the only people who can actually fire me are the voters. Nobody can complain to HR that I'm "not a team player" because I'm annoying. Sure, you still need to play by the rules of human behavior and get buy-in, be diplomatic, and all that; but so does everyone else. In a corporation, the moment they get bored of the game, they start ignoring you, then realize you're impossible to ignore and start complaining to management; in Congress, they have to let you talk, then deal with the Media telling the whole goddamned country what you said, and then they have to deal with their own constituents. You can actually keep pushing on the issues that need to be pushed when doing so can get you buy-in, without worrying that one or two of the people you're never going to win over will call your manager to complain.
If you want to do that but you aren't going for officer of some legislative body, go for officer of some hilariously fucked-up corporation. If you want to be boring, get a job somewhere that doesn't need you to straighten their shit out.
I'd much rather have a job that's low stress, high paying, and full of smart co-workers. Counterintuitively, you don't actually learn much from untangling a messy clusterfuck of an IT workplace. You just get burned out. Top talent is an infosec wizard who can lead and manage; it's a rare person, and she's probably going to expect a lot more than a "culture of mediocrity and tenure" to retain.
So they had some chubby mom-looking bitch with a music degree. She did graduate summa cum laude and she did get a master's degree. She's just good at finishing things, and that's the kinda person that's going to work for a place like Equifax. She ended up where she was; the field had no calling to her.
Yeah, over three months when I got to my last job I started working 10 hour days, going home and working remotely, studying 5 new technologies, forgetting to eat until like 9pm, forgetting to shower, etc. Manager told me to slow down. Eventually, I came home, collapsed, cried for a while, then crawled into bed and slept 14 hours; I woke up feeling fantastic.
I wonder what kind of infosec degree you could have gotten pre-2002.
EE, CS, Mathematics, Physics, CIS. I know everyone rags on her degree but a solid 1/3rd of infosec people are for all intents and purposes seat warming frauds. This is one of them. It's not her degree I have a problem with, it's her.
So a quick google search shows there are about 250 million adults in the U.S.
Subtract those that are older and haven't applied for credit in a very long time.
Subtract the college students that have never applied for credit using a credit bureau.
Subtract the tinfoil hat crowd.
Subtract those in prison.
It seems to me that every American actively participating in this nation's credit system has been hacked. The way the number is reported, it seems like it was a partial database breach. But subtracting out those not currently participating in the credit system gets awfully close to the number reported.