Slashdot Mirror
Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com)
For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.
It just keeps getting better!
What technologies are involved here? I have no idea if this is the case for this particular situation, but I remember hearing that the original problem involved Apache Struts, so I presume Java may have been involved. What about the OS or OSes that were involved? Were they Linux?
Surely the definition of stupidity is when you keep on doing the same thing and expect different results?
to make it very clear: Equifux are scum. DANGEROUS scum. Don't go there! Not now. Not ever.
THIS MEANS YOU!
Sent from my ASR33 using ASCII
Is this the story that never ends?
I don't read AC
Equifax is really the gift that just keeps giving!
This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/DNS_spoofing
Anything to do with flash in 2017 is a recipe for disaster.
Can't wait until Adobe kills Flash in 2020 and everyone moves away from that piece of garbage.
Any private citizen who would commit a tiny, insignificant fraction of this kind of blunder would be behind bars, with his assets seized. What is so special about a company that should have been shut down weeks ago?
And why is that CEO still at large?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I see this as another example of why we need to start using a safe-by-design programming language like Rust for developing web apps and any other software that deals with the hostile Internet environment. Languages like Java and Scala were supposed to be like that but I don't think that either go as far as Rust does. We need to start using OSes, network stacks, web servers, web apps, and web browsers written in Rust. I think that this is the only way to face the dangers of the modern Internet.
If corporations are people, it is time to jail Equifax.
Rust is great and all but this meme-ish "rewrite all the things in Rust" crap is just stupid.
Mr. Roque: Then...
Ray Hott: Then that means we should...
[pause]
Mr. Roque: Yes?
Ray Hott: Shut everything down.
[pause]
Ray Hott: Is that something that...
[pause]
Ray Hott: You want us to shut everything down?
[pause]
Ray Hott: Then we'll shut everything down.
What i would suggest is that the entire IT staff and C_O group repeat after me
"Would you like me to tell you the Daily Specials?"
"Would you like fries with that or Maybe upgrade to Our new LOADED FRIES"
At this point you have to wonder if it isn't time to revive the idea of a corporate death penalty.
How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors? What's Equifax's excuse going to be this time?
CUR ALLOC 20195.....5804M
You people act as though Equifax is made of money that they can lavishly spend it on securing the highly sensitive financial data of consumers who never gave the company authority to collect and share it in the first place. Equifax only made $3.1 billion last year; they have a lot of wealthy shareholders and executives whose lifestyles depend on a high revenue to profit ratio.
Sure, Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company, but that could happen to anyone. /s
I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
#DeleteFacebook
n/t
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
All ISPs should just block equifax.everything as a service to the community and to all of America.
And when an independent audit of equifax' website, security and their entire domain is done. And only when it shows it clear, then it should be allowed to be on probation to be viewed online with a warning stating that equifax.everything is a source of malware, identity theft, incompetence, stupidity and users should visit the site with the utmost of caution.
I have been reporting equifax' website everywhere I can as a source of malware and I have been blocking it.
So... was the CEO's info also included in the breach?
You know what would be an ironic rebalancing of the cosmos?...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!
So, what do we do now? The management at Equifax has now proven beyond any reasonable doubt that they are completely incompetent, totally incapable of being responsible for the data they collect. Who takes over? Can the government come in and take control? Or would that be worse? Who needs to be in charge at Equifax to stop the bleeding and secure their systems?
Furthermore: The incompetence now evident should, in my opinion, be considered criminal negligence, considering how many people are affected, and by 'affected' I mean 'potentially or in fact having their lives RUINED'. Round up the management at Equifax, everyone who was responsible for the decisions that led us to this point, put them under arrest, and bring criminal indictments against them. I'd much rather prefer severed heads on poles lining Wall Street, but we don't do that sort of thing in this country so I'll settle for mandatory jail time, megafines, seizing of assets, and court orders prohibiting these idiots from ever working in the finance industry ever again -- or anywhere else that can affect the lives of hundreds of millions of people. I'm sure Walmart would just love to have them as greeters, or maybe the Jiffy Lube down the street will hire them.
A "corporate death penalty" is basically just an "organization death penalty". As such, it would apply to other non-corporate organizations as well, including open source projects.
Under your system, if an open source project released software that was buggy or had security holes in it, then the project would be shut down, any copies of the source code destroyed, any web sites or other project hosting infrastructure eliminated, and so on. The developers would be prohibited from interacting with one another in the future.
Is that really what you want? Because that's exactly what you're calling for. Projects like the Linux kernel, like Firefox, like Apache httpd, and nearly every other open source project out there that has ever suffered from a bug or a security flaw would no longer be allowed to exist.
Why would we keep using C and C++ when there's a better language out there in the form of Rust?
Because there exist many non-PC platforms to which a C compiler or a C++ compiler has been ported but a Rust compiler has not. How would you even bootstrap stage 0 of a Rust compiler on a new ABI if it's written in Rust and there are no other independent implementations of Rust? My best guess, which I haven't tried, is to go back to some OCaml compiler, build old Rust, and then build new Rust from that.
n/t
Use this as a campaign issue for all future elections. l'm for shutting down the entire credit industry in its current form and throwing out any politician who take their money or votes in their interest.
Equifax has been controversial since it was started in 1899 to serve retailers who wanted to extend credit to customers. Their existence and business practices spawned a few laws.
It's an inherently unethical business.
But here is some bad karma coming there way: Years ago, I was at a talk that had an Equifax exec on its panel. They have to put up with the same shit as we do (there is also Experian and Transunion that also fucks everything up). But she is able to clean stuff up internally fast for herself and family.
We have to write in, call into their Indian call center and hand over all of our personal information and get the run around for months.
So, what I'm doing is to make Equifax' existence as miserable as possible. Letters to congressmen. Support of Elizabeth Warren. and other things - all legal.
I want to see them running in the red for as long as I can.
And, if I am damaged in any way, I'm gonna try to sue them AND the people who used their services because they should know better.
Credit doesn't go through? I'm suing Equifax and the lender.
Insurance? Same as well as a complaint with the insurance commissioner.
Background check? employer, their background check company and Equifax.
Make doing business with Equifax a liability.
Brilliant, I say.
Let me be the first to posit that this can only be the work of a devious mind, a mind that has read countless articles of news for nerds, stuff that matters from a strategically positioned couch in his mother's basement that has been altered to look like the bridge of the original Enterprise, reeking with the faint smell of cat piss and 5day-old BO that's losing the battle with Old Spice
If I trust a company enough to do business with them and the company trusts Equifax, it does not mean I trust Equifax. Pretty soon people are going to blacklist not only Equifax, but also every establishment that leans upon Equifax as well.
Microsoft's market share is vast, diverse, and spread out geographically.
No single Antivirus meets the needs of every user or business. You've got home users who need simplicity, you've got business users who need manageability, you've got gamers who need performance, and developers who need control. You've got different countries with different language needs. You've got your for cost, and your freeware. Finally you've got up starts and Open Source options. Etc. Etc.
What is more surprising is when there are not 65 competitors in a particular market, such as Media Player / Store / Streaming client, or Office Suite, or Credit Bureau, etc.
I suppose the biggest reason why an Antivirus can have 65 competitors is that there is no need to move data from one installation of another, so no need for any uniform standards or compatibility.
A "corporate" death penalty just means the company is dissolved, and the shareholders lose money (capital). But the individuals responsible for causing the problems in the first place just dust off their resumes and go to work for other companies. It may may you feel better, but it doesn't accomplish anything. And in fact it may makes things worse because (assuming this corporation was egregiously worse than its competitors) the bad guys who caused the problem are now scattered throughout hundreds of different companies instead of all concentrated in one place that you can avoid or be extremely cautious around.
You have to understand that a corporation is just a paper entity. It doesn't really exist. A bunch of people decide to work together instead of as individuals, and "the corporation" is just a dotted line drawn around that group of individuals. It exists because although Bob and Frank want to work together, Bob doesn't want to be personally liable for Frank's screwups and vice versa. To really effect change, you need to allow gross negligence like this to pierce the corporate veil, and punish the individuals responsible for the bad decisions with fines and jail time.
I understand the purpose of credit reporting agencies, and I don't have a blanket hatred or dislike of them like some people. (Hey, sorry if you're irresponsible with your money all the time and don't pay your bills when due. That doesn't make the "messenger" evil when they perform the function of warning others about your financial behavior.)
But Equifax? They've long been frustrating because of a lack of care in verifying the data they collect, and a general unwillingness to correct mistakes on credit reports. Inability to secure all of this sensitive information they've collected is icing on that cake.
Look at some of the nonsense they partake in, such as giving you "ONE free look at your credit report per year". That's YOUR info they've collected and make money off of, and they don't even want to show YOU what they've got unless you pay like everybody else? As far as I'm concerned, I should be able to create an account with these people where I can log in and see my credit report ANY time, as well as submit online requests for changes whenever I see something wrong or questionable. I know Equifax and one of their competitors had wrong information about the history of addresses I lived at previously, and neglected to fix it, even after multiple requests. (It seems they don't consider that part of the content of a credit report that could potentially hurt your credit score, so it's not a priority to correct.) If it's worth keeping track of though, it's worth keeping track of correctly, IMO. Don't lie to everyone pulling my report, giving a bogus street address I supposedly resided at (which was obviously due to a typo somebody made at some point, since the street is fairly similar to the name of one I actually DID live at previously).
I don't understand how this could have happened, they changed their password from admin to 12345, it should be secure now.
The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business.
Claiming that a problem is complex is not a valid excuse for doing the job incompetently such that it results in harm to others. If you cannot manage sensitive data safely then you either need to exit the business or step your game up. They do not get a free pass just because it's a hard problem. If the security problem is that hard that they need government indemnification then they DEFINITELY need to be regulated. Medicine is easily as if not more complex than IT security and yet doctors are held liable for malpractice and are highly regulated. I see no reason why ITprofessionals should be held to a lesser standard of care if they want to manage sensitive data like credit histories or medical records.
Regulations don't have to specify specific technology or tactics. They just have to specify that they have to keep the data secure, what secure means, and outline punishments for failure to do so. If they cannot handle the risk then don't get into the business.
You're already a corporate shill for a law that isn't written and doesn't exist.
Please tell me you're a fucking lawyer at least.
You have no idea what such a law would look like or how it would work
-jcr
My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!
I am an engineer and I also happen to be a certified accountant. I can assure you that engineers do not as a general proposition make better (or worse) business decisions than any other category of worker. The problem at equifax was NOT an engineering failure, nor did it happen because engineers weren't making engineering decisions. It was a failure of company culture and a lack of risk controls. The engineering flaws that were exposed were simply predictable knock-on effects of the poor business controls.
Don't get me wrong, I think that upper management at Equifax should find themselves in front of a judge as soon as possible. This was a failure that went FAR beyond mere incompetence. I think that Equifax should be buried under an avalanche of lawsuits and probably cease to exist because they clearly cannot be trusted to handle sensitive data with appropriate levels of care.
... into installing crapware Symantec calls Adware.Eorezo
This sentence doesn't parse. Why "calls ..." after the crapware's name?
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Even if you can cross-compile, you can't ensure that the cross-compiler binary is free of Ken Thompson's self-propagating "trusting trust" attack unless you bootstrapped it from an independently developed compiler.
I have sent letters to all of my credit providers instructing them that, if they wish to continue to do business with me, they must immediately cease providing my information to Equifax. If they do not agree to the terms, I will pay off my credit facility and cease to do business with them permanently.
every time you apply for credit or a bank account you've signed something that gave Equifax the right to collect your data. Read your agreements and if you don't like it don't sign it.
This is the philosophy of "You always have a choice". It's popular with the right wing, libertarians, corporations and the Republican party. You can try pointing out that it's not possible to find a bank or credit card that doesn't do business with Equifax and also impossible to live without either but I've found those arguments fall on deaf ears. If pressed I've had some of the "You always have a choice" crowd come out in favor of slavery. I really don't have an answer to that.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
they're a vastly powerful company. For a lot of people if you want to do business you have to do it with Equifax. Tell them to do otherwise and you you might as well tell somebody living in the 12th century not to bother with their local guild system. We live in the world we live in and not the one we want to.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
from tfa:
" The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that's responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website and may be affecting other sites as well. "
So Equifax wasn't hacked, but the web admins were slow to remove the offending links of the third party ad network causing the redirects.
More "A Patching". You wine, kick, and scream, blaming everything and everyone else on the planet but yourself to the point of sucking off the IRS to persuade possible fundamental change in how the U.S. does commerce...Why am I not surprised? Sounds like you're getting hackers of all kinds. Use cash people.
Eventually, his browser opened up a page on the domain hxxp//:centerbluray.info
a) That's (almost) a URL, not a domain
b) What's with the "hxxp"?
c) The : is in the wrong place
systemd is Roko's Basilisk.
You seem to misunderstand what the "corporate veil" protects. The only people protected are the shareholders. If you can prove that Joe from IT was grossly negligent, you can sue him for damages. The reason employees usually are not sued is because Joe from IT doesn't have millions that is needed to fund the class action lawsuit
One might argue that a "malware researcher" might already be at increased risk of having already contracted some sort of exploit that might manifest as a malicious redirect.
Then again, where Equifax and their recent security fumbles are concerned, it's certainly within the realm of possibility that such an exploit found its way into their services. Unless there's an independent and unbiased analysis of the Equifax systems and protocols, it's unlikely we'll ever be certain.
There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die.
Not sure what planet you live on but there literally are new diseases every day (ever hear of mutations?) and people do literally die from them. Every day, all around the world. Diseases like influenza and malaria are constantly mutating and overcoming even our best attempts to shield against them. And unlike you I'm not talking about a figurative death either. Literally millions of people die - literally die - every year because of new versions of diseases that our immune systems and medical technology cannot cope with.
IT security is a tough problem and I'm not diminishing it in the least. But spare me the dick measuring contest where you try to arrogantly assume that what you think you understand about IT security makes it more difficult than what other fields do or that the consequences are greater. If you seriously believe that medicine isn't as difficult as IT security then frankly I think you are an imbecile who doesn't really understand either field.