Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com)

← Back to Stories (view on slashdot.org)

Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com)

Posted by msmash on Thursday October 12, 2017 @03:21AM from the fool-me-once dept.

For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.

95 of 150 comments (clear)

Min score:

Reason:

Sort:

Wow by Anonymous Coward · 2017-10-12 03:25 · Score: 1

It just keeps getting better!
1. Re:Wow by wardrich86 · 2017-10-12 03:35 · Score: 2
  
  Once you pop the fun don't stop! This has been one hell of a fun ride so far... but when are people going to start being held accountable for this? And if any of us have bad credit, can we just say we got Equifaxed and get credit scott-free?
2. Re:Wow by jellomizer · 2017-10-12 03:40 · Score: 5, Insightful
  
  The problems is that we have little say on the data that Equafax has on us. It is not like we went to Equafax and gave them the info, they had been collecting it for years without our direct permission.
  In short Equafax just screwed everyone, and to be joyous about this hack, even if it were to put them out of business, is like celebrating the crook going to jail, after he had burned down your home and lost everything. You are still suffering, even if justice was served.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
3. Re:Wow by TheRaven64 · 2017-10-12 04:28 · Score: 4, Insightful
  
  The one good thing that might happen is consumers wake up to the problems of allowing large-scale data collection and push for tighter regulations on companies that engage in this kind of behaviour.
  
  --
  I am TheRaven on Soylent News
4. Re:Wow by jellomizer · 2017-10-12 04:47 · Score: 4, Insightful
  
  The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business. Also it could send a wrong chilling effect, where now most companies are trying really hard to secure their systems from many different methods, to just doing what is legally stated, thus creating more problems.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
5. Re:Wow by OverlordQ · 2017-10-12 05:02 · Score: 2
  
  You can hate Equifax all you want, but you should really be also complaining about all the other companies that are giving it to them.
  If nobody freely (or with some $$$) gave them your information when you signed up for stuff, they wouldn't have a business.
  
  --
  Your hair look like poop, Bob! - Wanker.
6. Re:Wow by Anonymous Coward · 2017-10-12 05:31 · Score: 1
  
  or a company would be afraid to use computers to expand their business.
  You say that like it is always a bad thing. But some things should not be so easily accessed from the internet. Maybe the data that the credit bureaus aggregate should be one of those things.
  
  So you now have to wait a few days before getting approval for a new line of credit, big fucking whoop.
7. Re:Wow by AtariEric · 2017-10-12 06:39 · Score: 1
  
  Consumers can push all they want - the companies will shove back with effectively infinite force.
  
  --
  Don't trust any concentration of power.
8. Re:Wow by TheRaven64 · 2017-10-12 21:50 · Score: 1
  
  There's an easy way to avoid leaking a load of personal information when you're hacked: Don't keep a load of personal information on your servers. If regulation moved the default from 'let's keep everything, it may be useful for something eventually' to 'don't keep anything unless you can demonstrate a really strong business case that requires keeping it and outweighs the cost of insurance for the potential liability if it's leaked' then that would be a huge improvement.
  
  --
  I am TheRaven on Soylent News
9. Re:Wow by bingoUV · 2017-10-13 04:15 · Score: 1
  
  The one thing that is impossible in the field of IT security is the consumers waking up. Everything else is possible.
  
  --
  Bingo Dictionary - Pragmatist, n. A myopic idealist.
10. Re:Wow by jellomizer · 2017-10-14 04:12 · Score: 1
  
  Any rules on IT security will not be confined to just Credit Agencies. This will affect a local Mom and Pop shop that has an online store website setup.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
id10t? by Anne+Thwacks · 2017-10-12 03:32 · Score: 4, Insightful

A company shows a track record of failing to grasp the concept of security. Person visits said company's site, and finds malware infestation has a strong hold? Then does it again?
Surely the definition of stupidity is when you keep on doing the same thing and expect different results?
to make it very clear: Equifux are scum. DANGEROUS scum. Don't go there! Not now. Not ever.
THIS MEANS YOU!

--
Sent from my ASR33 using ASCII
1. Re:id10t? by The-Ixian · 2017-10-12 08:03 · Score: 1
  
  ew! this milk has gone bad! let me try again.. yeah, no, still bad! maybe one more time... oh, that one was chunky, gross!
  
  --
  My eyes reflect the stars and a smile lights up my face.
2. Re:id10t? by The-Ixian · 2017-10-12 08:04 · Score: 1
  
  I see what you did there. /slowclap
  
  --
  My eyes reflect the stars and a smile lights up my face.
3. Re:id10t? by barbariccow · 2017-10-12 08:51 · Score: 1
  
  Surely the definition of stupidity is when you keep on doing the same thing and expect different results?
  No, that's the definition of trying again. Stop repeating this fallacy. If you play basketball, and you miss a basket once, you get the ball back and shoot it, are you stupid because you are hoping for better results this time? Of course not!
But wait, there's more! by Ayano · 2017-10-12 03:32 · Score: 3, Funny

Is this the story that never ends?

--
I don't read AC
1. Re:But wait, there's more! by The123king · 2017-10-12 20:01 · Score: 1
  
  We'll be hearing from Equifax for much of the next year. Unless it gets overshadowed by something bigger and more embarrassing
  
  --
  If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
This may not have been Equifax by ebrandsberg · 2017-10-12 03:33 · Score: 4, Interesting

This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/DNS_spoofing
1. Re:This may not have been Equifax by Dutch+Gun · 2017-10-12 03:40 · Score: 4, Interesting
  
  Equifax was responsible for setting up a separate website to deal with this hack. Doing so increased the likelihood of stuff like this happening (which it has, apparently *twice* now). So, even if this "wasn't Equifax", I'm still going to blame them for failing web security fundamentals.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
2. Re:This may not have been Equifax by jbmartin6 · 2017-10-12 04:11 · Score: 2
  
  Yes, since the report is only from one person who is unable to replicate it (according to TFA) my thought is it was just as likely to be an issue with his browser or host.
  
  --
  This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
3. Re:This may not have been Equifax by TheRaven64 · 2017-10-12 04:34 · Score: 2
  
  For anyone who missed this, not only did they set up a brand new domain that wasn't related to their main site, they also tweeted the wrong domain name multiple times.
  
  --
  I am TheRaven on Soylent News
4. Re:This may not have been Equifax by Walking+The+Walk · 2017-10-12 04:39 · Score: 3, Informative
  
  This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/...
  That's a possibility, but the story is subtitled "Malware researcher encounters bogus download links during multiple visits.", and one would hope a malware researcher would have considered it. The article says it could be due to an ad the site was displaying:
  
  It's not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that's responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website.
  
  --
  A recursive sig
  Can impart wisdom and truth
  Call proc signature()
5. Re:This may not have been Equifax by Ichijo · 2017-10-12 05:47 · Score: 1
  
  Wouldn't encryption prevent the web browser from making a secure connection to a spoofed Equifax server?
  
  --
  Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
6. Re:This may not have been Equifax by Trax3001BBS · 2017-10-12 07:14 · Score: 1
  
  Never run into this before so new to me, but centerbluray.info is being back linked to majestic.com https://www.robtex.com/dns-loo...
  https://majestic.com/reports/s... one time use (cookie)
7. Re:This may not have been Equifax by Anonymous Coward · 2017-10-12 07:40 · Score: 1
  
  RED FLAGS:
  - Equifax.com running non-Equifax ads?
  - Internet Explorer
  These two alone make me question the article... Posting anon since I've already modded this thread
  -Syn3rg
8. Re:This may not have been Equifax by Anonymous Coward · 2017-10-12 07:42 · Score: 1
  
  Wouldn't encryption prevent the web browser from making a secure connection to a spoofed Equifax server?
  No. The data between server and client is encrypted, but then the client has to use a DNS request, fetching data outside the encrypted channel, to determine where to go next. Even if the DNS request was encrypted, the result would still be the same if the DNS cache is poisoned.
2020 can't get here soon enough by phalse+phace · 2017-10-12 03:33 · Score: 4, Insightful

Can't wait until Adobe kills Flash in 2020 and everyone moves away from that piece of garbage.
1. Re:2020 can't get here soon enough by Opportunist · 2017-10-12 03:36 · Score: 1
  
  Don't worry, we'll find another piece of garbage to infest our computers, tie up CPU cycles unnecessarily and generally annoy internet users and make webpages unsufferably bloated long before Flash's demise.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:2020 can't get here soon enough by ITapeFatCashews · 2017-10-12 03:40 · Score: 1
  
  Damn... There goes a piece of my bread and butter. Every month I have to update Adobe Flash to the latest version. Oh, well. Since my employer is planning to switch from Win7 to Win10 in the near future, I still have job security with Microsoft.
3. Re:2020 can't get here soon enough by Tablizer · 2017-10-12 04:07 · Score: 1
  
  Can't wait until Adobe kills Flash in 2020...
  People have been predicting Flash will "end soon" for about two decades. It doesn't. It's the reverse of the Duke Nukem Forever pattern. "Unvaporware"? Or how people now ask the Moonies at the airport to define "soon".
  
  --
  Table-ized A.I.
4. Re:2020 can't get here soon enough by tepples · 2017-10-12 04:22 · Score: 1
  
  Cron can't agree to an updated End User License Agreement.
5. Re:2020 can't get here soon enough by HiThere · 2017-10-12 05:41 · Score: 1
  
  I think it's called HTML5.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
6. Re:2020 can't get here soon enough by antdude · 2017-10-12 13:57 · Score: 1
  
  But there are always other craps. What about HTML5? :P
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
7. Re:2020 can't get here soon enough by Hentes · 2017-10-14 13:15 · Score: 1
  
  That won't happen before advertisers pressure W3C to include every BS from Flash into web standards.
Why is this even possible? by Opportunist · 2017-10-12 03:35 · Score: 4, Insightful

Any private citizen who would commit a tiny, insignificant fraction of this kind of blunder would be behind bars, with his assets seized. What is so special about a company that should have been shut down weeks ago?
And why is that CEO still at large?

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Why is this even possible? by Anonymous Coward · 2017-10-12 03:54 · Score: 2, Interesting
  
  The CEO isn't at large. He was dismissed . . . with tens of millions of dollars. Remember, in the USA, corporations are people. They have all the rights, and none of the responsibilities.
2. Re:Why is this even possible? by Opportunist · 2017-10-12 04:29 · Score: 1
  
  He's not behind bars.
  Then again, maybe it's for the better. It's so hard to get a hand on those bastards when the state protects them.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:Why is this even possible? by bill_mcgonigle · 2017-10-12 06:32 · Score: 1
  
  It's the Hamiltonian dream of a government of, by, and for the public corporations. Jefferson's Republic is dead, man. The mercantilism he and his compatriots fought against now rules the day. Free market capitalism has been replaced with "systemically important financial institutions" that will get bailouts courtesy of taxes excised from the middle class - the same people who got screwed over by Equifax.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Re:It keeps giving by Opportunist · 2017-10-12 03:37 · Score: 1

If you're a comedian, it's good for more material than even Trump currently.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If corporations are people... by sinij · 2017-10-12 03:46 · Score: 3, Insightful

If corporations are people, it is time to jail Equifax.
1. Re:If corporations are people... by Like2Byte · 2017-10-12 04:24 · Score: 1
  
  I don't remember who said but they said, "I'll believe corporations are people when we can cut their head off."
2. Re:If corporations are people... by HiThere · 2017-10-12 05:46 · Score: 1
  
  Well, all the C-level managers and the BoD, yes.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
3. Re:If corporations are people... by barbariccow · 2017-10-12 09:07 · Score: 1
  
  Prisons are for-profit. Also, if you didn't already know, you might be surprised to learn how much cheaper-than-china production happens in them (in the USA).
Corporate Comprimise Bingo anyone?? by laurencetux · 2017-10-12 03:49 · Score: 1

What i would suggest is that the entire IT staff and C_O group repeat after me
"Would you like me to tell you the Daily Specials?"
"Would you like fries with that or Maybe upgrade to Our new LOADED FRIES"
Incompetence... by rnturn · 2017-10-12 03:49 · Score: 4, Interesting

At this point you have to wonder if it isn't time to revive the idea of a corporate death penalty.
How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors? What's Equifax's excuse going to be this time?

--
CUR ALLOC 20195.....5804M
1. Re:Incompetence... by dunkindave · 2017-10-12 04:04 · Score: 1
  
  How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors?
  Businesses don't care - it is the consumers being hurt, not the businesses using Equifax's services. It would be like a local store that keeps getting broken into and robbed in the middle of the night. Would a person stop buying from them just because they're losing stuff? It doesn't effect them (assuming the data doesn't get modified). As long as they have what the person wants at a reasonable price when they want it, why should they care that the business has a loss problem?
  The most likely reason why it could become an issue is if the losing business ends up having to raise prices to compensate, or has to shutter its doors. THEN you can just go to a competitor.
  
  What's Equifax's excuse going to be this time?
  All remediation wasn't yet fully in place, or maybe, it was contracted out and the subcontractor failed, so they will never, ever, use that firm again, lesson learned. Or some other pass the buck statement.
2. Re:Incompetence... by HiThere · 2017-10-12 05:48 · Score: 1
  
  The thing is, it wouldn't affect Equifax much if the data *WAS* modified. They don't care much whether it's accurate or not.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
3. Re: Incompetence... by Chromium_One · 2017-10-12 05:56 · Score: 1
  
  Logical fallacy in play - because a past abuse was not punished should not prevent new abuses from being punished.
  
  --
  When you live in a sick society, just about everything you do is wrong.
4. Re: Incompetence... by pD-brane · 2017-10-12 06:25 · Score: 1
  
  corporate death penalty
  I am sick of this term. It pretends that it is as controversial as killing people.
Stop being so judgemental by Lucas123 · 2017-10-12 03:51 · Score: 4, Funny

You people act as though Equifax is made of money that they can lavishly spend it on securing the highly sensitive financial data of consumers who never gave the company authority to collect and share it in the first place. Equifax only made $3.1 billion last year; they have a lot of wealthy shareholders and executives whose lifestyles depend on a high revenue to profit ratio.
Sure, Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company, but that could happen to anyone. /s
1. Re:Stop being so judgemental by Cederic · 2017-10-12 22:20 · Score: 1
  
  Equifax only made $3.1 billion last year
  That's revenue, they made much much less in profit.
  I'm not sure it matters how much they spend on security anyway, they're failing on the basics now.
I'm shocked by DontBeAMoran · 2017-10-12 03:57 · Score: 4, Interesting

I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?

--
#DeleteFacebook
1. Re:I'm shocked by Anonymous Coward · 2017-10-12 04:56 · Score: 1
  
  I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
  Don’t be naïve. People write viruses to infect operating systems that are on the most machines. The main reason why Linux is so secure is because viruses would be less successful in targeting them. Also, since they hold the majority of less-savvy users, it makes more sense. Of course Linux is secure. Hardly anyone writes viruses for it.
2. Re:I'm shocked by drew_kime · 2017-10-12 05:00 · Score: 2
  
  I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
  Yes.
  
  --
  Nope, no sig
3. Re:I'm shocked by HiThere · 2017-10-12 06:01 · Score: 1
  
  No, the main reason that Linux is more secure is that MS stripped out all the security from the OS that they emulated in order to make it run faster on a smaller, cheaper, machine.
  MSWindows as designed for a single user machine operated without any network connections. Linux was designed from the start as a multi-user OS with network connections. So security has had to be retrofitted into MSWindows.
  I understand that they've done a pretty good job, but because of their EULA I'll never really know.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
4. Re:I'm shocked by barbariccow · 2017-10-12 09:13 · Score: 1
  
  If I remember my history correctly, Bill Gates actually stole IBM Dos and rebranded it, because IBM wouldn't protect its assets in any way as they were "trade secrets."
  But I believe he may be referring to microsoft's very partial and selective (and frequently broken) POSIX/CAPI implementation, such that they could support compiled code and advertise some sort of not-rewrite-everything-from-scratch migration path away from UNIX, back in the day.
5. Re:I'm shocked by david_thornley · 2017-10-13 05:19 · Score: 1
  
  Bill Gates, on being notified by his parents that IBM was looking for an 8086 OS, bought QDOS from the Seattle Computer Club with an exclusive license and gave IBM a nonexclusive license for QDOS after a quick cleanup job and name change. This meant that, when other computer companies were able to make good clones (basically a BIOS that did the same things as IBM's), they could buy their OS from Microsoft instead of IBM.
  I'm not aware that there were any illegalities in here, although it was definitely a case of Gates doing everything he could to enrich Microsoft regardless of the effects on anybody else.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
NUKE IT FROM ORBIT, it's the only way to be sure by Thud457 · 2017-10-12 04:00 · Score: 1

n/t

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
just asking for some greyhats by Thud457 · 2017-10-12 04:08 · Score: 1

So... was the CEO's info also included in the breach?
You know what would be an ironic rebalancing of the cosmos?...

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Completely and totally INCOMPETENT! by Rick+Schumann · 2017-10-12 04:12 · Score: 3, Interesting

My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!

So, what do we do now? The management at Equifax has now proven beyond any reasonable doubt that they are completely incompetent, totally incapable of being responsible for the data they collect. Who takes over? Can the government come in and take control? Or would that be worse? Who needs to be in charge at Equifax to stop the bleeding and secure their systems?

Furthermore: The incompetence now evident should, in my opinion, be considered criminal negligence, considering how many people are affected, and by 'affected' I mean 'potentially or in fact having their lives RUINED'. Round up the management at Equifax, everyone who was responsible for the decisions that led us to this point, put them under arrest, and bring criminal indictments against them. I'd much rather prefer severed heads on poles lining Wall Street, but we don't do that sort of thing in this country so I'll settle for mandatory jail time, megafines, seizing of assets, and court orders prohibiting these idiots from ever working in the finance industry ever again -- or anywhere else that can affect the lives of hundreds of millions of people. I'm sure Walmart would just love to have them as greeters, or maybe the Jiffy Lube down the street will hire them.
1. Re:Completely and totally INCOMPETENT! by vell0cet · 2017-10-12 04:24 · Score: 1
  
  What do we do now? Apparently, we give them no-bid contracts! http://time.com/4968558/equifax-breach-irs-contract/
2. Re:Completely and totally INCOMPETENT! by Rick+Schumann · 2017-10-12 05:29 · Score: 1
  
  Yes, I saw that, and all I can say about that is: Are you really surprised that the current administration would do something like that? I'm not.
Re:What technologies are involved? Java? Linux? by TheRaven64 · 2017-10-12 04:31 · Score: 2

It doesn't sound like it mattered what the OS was - there wasn't an OS-level compromise (and there didn't need to be, because they did no compartmentalisation of their entire system, so once you'd compromised the web server you had have complete control over all of the data).

--
I am TheRaven on Soylent News
Bootstrapping stage 0 of Rust by tepples · 2017-10-12 04:38 · Score: 1

Why would we keep using C and C++ when there's a better language out there in the form of Rust?
Because there exist many non-PC platforms to which a C compiler or a C++ compiler has been ported but a Rust compiler has not. How would you even bootstrap stage 0 of a Rust compiler on a new ABI if it's written in Rust and there are no other independent implementations of Rust? My best guess, which I haven't tried, is to go back to some OCaml compiler, build old Rust, and then build new Rust from that.
1. Re:Bootstrapping stage 0 of Rust by Chromium_One · 2017-10-12 05:53 · Score: 1
  
  Off-topic here, but ... can Rust do cross compiling? If so, add an output target for the new platform, cross compile, test. Less work if you can get away with it. If not, more work, yay!
  
  --
  When you live in a sick society, just about everything you do is wrong.
GO after the company by Anonymous Coward · 2017-10-12 04:47 · Score: 1

Equifax has been controversial since it was started in 1899 to serve retailers who wanted to extend credit to customers. Their existence and business practices spawned a few laws.
It's an inherently unethical business.
But here is some bad karma coming there way: Years ago, I was at a talk that had an Equifax exec on its panel. They have to put up with the same shit as we do (there is also Experian and Transunion that also fucks everything up). But she is able to clean stuff up internally fast for herself and family.
We have to write in, call into their Indian call center and hand over all of our personal information and get the run around for months.
So, what I'm doing is to make Equifax' existence as miserable as possible. Letters to congressmen. Support of Elizabeth Warren. and other things - all legal.
I want to see them running in the red for as long as I can.
And, if I am damaged in any way, I'm gonna try to sue them AND the people who used their services because they should know better.
Credit doesn't go through? I'm suing Equifax and the lender.
Insurance? Same as well as a complaint with the insurance commissioner.
Background check? employer, their background check company and Equifax.
Make doing business with Equifax a liability.
1. Re:GO after the company by Opportunist · 2017-10-12 20:49 · Score: 1
  
  I just hope for a sympathetic terrorist to park the next plane in the correct building this time.
  I mean, think of all the sympathy and support they could get! These terrorists are really bad at PR, I tell ya.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Re:Yet another example of why we need Rust by FilmedInNoir · 2017-10-12 04:50 · Score: 1

Everybody says that about every new language, every new technology, every new half-baked fart out of Silicon Valley. But Rust wouldn't of stopped the LinkedIn breech. That was the doing of idiots that stored plain text passwords in the database. Rust won't stop the noobs.

--
Sig. Sig. Sputnik
Re:It keeps giving by i286NiNJA · 2017-10-12 04:51 · Score: 2

Trump did nothing wrong. When he gets us to the moon for real you'll eat your words.
Nope, just that big. by Monster_user · 2017-10-12 04:59 · Score: 1

Microsoft's market share is vast, diverse, and spread out geographically.

No single Antivirus meets the needs of every user or business. You've got home users who need simplicity, you've got business users who need manageability, you've got gamers who need performance, and developers who need control. You've got different countries with different language needs. You've got your for cost, and your freeware. Finally you've got up starts and Open Source options. Etc. Etc.

What is more surprising is when there are not 65 competitors in a particular market, such as Media Player / Store / Streaming client, or Office Suite, or Credit Bureau, etc.

I suppose the biggest reason why an Antivirus can have 65 competitors is that there is no need to move data from one installation of another, so no need for any uniform standards or compatibility.
Corporate death penalty doesn't accomplish anythin by Solandri · 2017-10-12 05:13 · Score: 1

A "corporate" death penalty just means the company is dissolved, and the shareholders lose money (capital). But the individuals responsible for causing the problems in the first place just dust off their resumes and go to work for other companies. It may may you feel better, but it doesn't accomplish anything. And in fact it may makes things worse because (assuming this corporation was egregiously worse than its competitors) the bad guys who caused the problem are now scattered throughout hundreds of different companies instead of all concentrated in one place that you can avoid or be extremely cautious around.

You have to understand that a corporation is just a paper entity. It doesn't really exist. A bunch of people decide to work together instead of as individuals, and "the corporation" is just a dotted line drawn around that group of individuals. It exists because although Bob and Frank want to work together, Bob doesn't want to be personally liable for Frank's screwups and vice versa. To really effect change, you need to allow gross negligence like this to pierce the corporate veil, and punish the individuals responsible for the bad decisions with fines and jail time.
Re:It keeps giving by stabiesoft · 2017-10-12 05:26 · Score: 1

Huh, I thought we had already been there a couple of times last century. Or was that fake news too?
Exactly .... by King_TJ · 2017-10-12 05:27 · Score: 2

I understand the purpose of credit reporting agencies, and I don't have a blanket hatred or dislike of them like some people. (Hey, sorry if you're irresponsible with your money all the time and don't pay your bills when due. That doesn't make the "messenger" evil when they perform the function of warning others about your financial behavior.)
But Equifax? They've long been frustrating because of a lack of care in verifying the data they collect, and a general unwillingness to correct mistakes on credit reports. Inability to secure all of this sensitive information they've collected is icing on that cake.
Look at some of the nonsense they partake in, such as giving you "ONE free look at your credit report per year". That's YOUR info they've collected and make money off of, and they don't even want to show YOU what they've got unless you pay like everybody else? As far as I'm concerned, I should be able to create an account with these people where I can log in and see my credit report ANY time, as well as submit online requests for changes whenever I see something wrong or questionable. I know Equifax and one of their competitors had wrong information about the history of addresses I lived at previously, and neglected to fix it, even after multiple requests. (It seems they don't consider that part of the content of a credit report that could potentially hurt your credit score, so it's not a priority to correct.) If it's worth keeping track of though, it's worth keeping track of correctly, IMO. Don't lie to everyone pulling my report, giving a bogus street address I supposedly resided at (which was obviously due to a typo somebody made at some point, since the street is fairly similar to the name of one I actually DID live at previously).
Re: MOD PARENT DOWN PLEASE by ichimunki · 2017-10-12 05:35 · Score: 1

Practically speaking this is years away from happening even if everyone stopped working on every line of legacy code in non-Rust projects. Meanwhile, no computer language can prevent programmers from misunderstanding requirements or goofing up an implementation, so there are bound to be bugs in all new software in Rust that might not be obvious security issues, but could cause more subtle issues, both in usability and security. Does Rust, by default, somehow prevent a programmer from making a web browser vulnerable to XSS? Does it prevent web developers from building flawed APIs that spill data all over the place? Does it force anyone implementing a database to NOT store actual passwords, but to properly salt and hash them before storing?

--
I do not have a signature
Re:What technologies are involved? Java? Linux? by HiThere · 2017-10-12 05:36 · Score: 1

The OS only matters if you can't do the work at the application level. Java could have been involved, but only because jvms are so common. Otherwise it would have needed to be some non-virtual machine language, like C or some such.
The thing is, if you can compromise a web application sufficiently to allow you to download and execute a binary, and you have your data available at the account that's contacting the web, no further security breaches are needed to have EVERYTHING copied over. Or erased. Or selectively altered. The bastards who encrypt all your data aren't doing the worst thing that they could, merely the one they find most profitable. (I wonder how often they send an actual decryption key after payment...and how often the acceptance of payment is the last you hear of them.)

--

I think we've pushed this "anyone can grow up to be president" thing too far.
Incompetence is not a valid excuse by sjbe · 2017-10-12 05:39 · Score: 5, Insightful

The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business.
Claiming that a problem is complex is not a valid excuse for doing the job incompetently such that it results in harm to others. If you cannot manage sensitive data safely then you either need to exit the business or step your game up. They do not get a free pass just because it's a hard problem. If the security problem is that hard that they need government indemnification then they DEFINITELY need to be regulated. Medicine is easily as if not more complex than IT security and yet doctors are held liable for malpractice and are highly regulated. I see no reason why ITprofessionals should be held to a lesser standard of care if they want to manage sensitive data like credit histories or medical records.
Regulations don't have to specify specific technology or tactics. They just have to specify that they have to keep the data secure, what secure means, and outline punishments for failure to do so. If they cannot handle the risk then don't get into the business.
1. Re:Incompetence is not a valid excuse by Anonymous Coward · 2017-10-12 07:02 · Score: 2, Interesting
  
  Medicine is easily as if not more complex than IT security
  You have no idea what the nature of infosec is. The way the human body operates doesn't change weekly. There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die. In IT, it's weekly patches or you are fucked. It's relearn how it works over and over and over your whole career. Penicilin still works at least some of the time. Nothing from infosec lasts a tenth as long. There is no sitting still with technology.
  And that does not even begin to tackle the largest, most advanced technological wonder the world has ever seen with more endpoints than the human brain each with more connections than the human brain: the internet.
2. Re:Incompetence is not a valid excuse by zlives · 2017-10-12 08:39 · Score: 1
  
  perhaps being an info slut and allowing access to your holes to any one who wants it is not a behavior that lends itself to disease avoidance. i for one will be just fine with equifax dying because of their malfeasance.
Failure of culture and controls by sjbe · 2017-10-12 05:55 · Score: 1

My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!

I am an engineer and I also happen to be a certified accountant. I can assure you that engineers do not as a general proposition make better (or worse) business decisions than any other category of worker. The problem at equifax was NOT an engineering failure, nor did it happen because engineers weren't making engineering decisions. It was a failure of company culture and a lack of risk controls. The engineering flaws that were exposed were simply predictable knock-on effects of the poor business controls.
Don't get me wrong, I think that upper management at Equifax should find themselves in front of a judge as soon as possible. This was a failure that went FAR beyond mere incompetence. I think that Equifax should be buried under an avalanche of lawsuits and probably cease to exist because they clearly cannot be trusted to handle sensitive data with appropriate levels of care.
1. Re:Failure of culture and controls by Rick+Schumann · 2017-10-12 06:01 · Score: 1
  
  You know what? So long as the end result is the same in this case (Equifax execs in orange jumpsuits for years to come) the details don't matter to me much. Find who is responsible for this unmitigated disaster and crucify them.
2. Re:Failure of culture and controls by HiThere · 2017-10-12 06:08 · Score: 1
  
  Engineers tend to make different kinds of mistake than do accountants. With engineers running the company this particular kind of mistake probably wouldn't have happened. Actually, with accountants running the company it wouldn't have either. Accountants would have paid attention when the Wall street investors were told that it was a bad investment because the staff wasn't properly trained and they had no backup plan to deal with a break in. Apparently the people running the company were confidence men, and were gambling that they could take the money and get away with it.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
Symantec by KiloByte · 2017-10-12 06:02 · Score: 1

... into installing crapware Symantec calls Adware.Eorezo
This sentence doesn't parse. Why "calls ..." after the crapware's name?

--
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Reflections on Trusting Rust by tepples · 2017-10-12 06:06 · Score: 1

Even if you can cross-compile, you can't ensure that the cross-compiler binary is free of Ken Thompson's self-propagating "trusting trust" attack unless you bootstrapped it from an independently developed compiler.
1. Re:Reflections on Trusting Rust by Chromium_One · 2017-10-12 06:16 · Score: 1
  
  Yes, Slashdot has not entirely lost the pedantic jackassery that was part of making it great back in the time before time.
  Someone wake me up when Natalie, statues, and hot grits come back in style though.
  
  --
  When you live in a sick society, just about everything you do is wrong.
You've got plenty of say by rsilvergun · 2017-10-12 07:20 · Score: 2

every time you apply for credit or a bank account you've signed something that gave Equifax the right to collect your data. Read your agreements and if you don't like it don't sign it.

This is the philosophy of "You always have a choice". It's popular with the right wing, libertarians, corporations and the Republican party. You can try pointing out that it's not possible to find a bank or credit card that doesn't do business with Equifax and also impossible to live without either but I've found those arguments fall on deaf ears. If pressed I've had some of the "You always have a choice" crowd come out in favor of slavery. I really don't have an answer to that.

--
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
1. Re:You've got plenty of say by jellomizer · 2017-10-14 04:15 · Score: 1
  
  Hence why I said directly.
  The paperwork doesn't say Can I give this information to Equafax? Where I can check yes or no on it.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Lots of folks don't have a choice by rsilvergun · 2017-10-12 07:22 · Score: 2

they're a vastly powerful company. For a lot of people if you want to do business you have to do it with Equifax. Tell them to do otherwise and you you might as well tell somebody living in the 12th century not to bother with their local guild system. We live in the world we live in and not the one we want to.

--
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Re:What technologies are involved? Java? Linux? by barbariccow · 2017-10-12 08:50 · Score: 1

(I wonder how often they send an actual decryption key after payment...and how often the acceptance of payment is the last you hear of them.)
If you're referring to ransomware, the vast vast vast majority is just a scripted turn-key system. Set it and forget it. If word got out you didn't decrypt, nobody would pay, and nobody is looking at the data that got encrypted, that would leave a trail back to the culprit. So it's almost 100% of the time you pay, you get the key, and so long as you don't do whatever got you automatically infected in the first place again, you won't be re-infected. Just business.
Re:This would apply to open source projects, too. by barbariccow · 2017-10-12 09:09 · Score: 1

No way, didn't you read the GPL? There's no express or implied warranty of any kind, and the code is not certified as fit for any purpose!
hxxp//:? by wonkey_monkey · 2017-10-12 10:10 · Score: 1

Eventually, his browser opened up a page on the domain hxxp//:centerbluray.info
a) That's (almost) a URL, not a domain
b) What's with the "hxxp"?
c) The : is in the wrong place

--
systemd is Roko's Basilisk.
1. Re: hxxp//:? by Reverend+Green · 2017-10-12 17:54 · Score: 1
  
  Makes the whole story seem kinda suspicious, doesn't it...
Alternate Perspectives by johnshirley · 2017-10-12 12:09 · Score: 1

One might argue that a "malware researcher" might already be at increased risk of having already contracted some sort of exploit that might manifest as a malicious redirect.
Then again, where Equifax and their recent security fumbles are concerned, it's certainly within the realm of possibility that such an exploit found its way into their services. Unless there's an independent and unbiased analysis of the Equifax systems and protocols, it's unlikely we'll ever be certain.
Re: New Credit Terms by Reverend+Green · 2017-10-12 17:53 · Score: 1

So you're giving credit entirely? Good for you! But, ah, have "fun" getting a rental car next time you travel...
Oh, and you'll also need to give up use of the entire banking system. And maybe move to North Korea and renounce your citizenship. THEN you'll no longer be in the Credit Slander Bureau's databases. Maybe...
Re:It keeps giving by Opportunist · 2017-10-12 20:58 · Score: 1

Hey, I bet a lot of people would not mind shooing him on the moon.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Disease and mutations by sjbe · 2017-10-13 00:45 · Score: 1

There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die.
Not sure what planet you live on but there literally are new diseases every day (ever hear of mutations?) and people do literally die from them. Every day, all around the world. Diseases like influenza and malaria are constantly mutating and overcoming even our best attempts to shield against them. And unlike you I'm not talking about a figurative death either. Literally millions of people die - literally die - every year because of new versions of diseases that our immune systems and medical technology cannot cope with.
IT security is a tough problem and I'm not diminishing it in the least. But spare me the dick measuring contest where you try to arrogantly assume that what you think you understand about IT security makes it more difficult than what other fields do or that the consequences are greater. If you seriously believe that medicine isn't as difficult as IT security then frankly I think you are an imbecile who doesn't really understand either field.