Equifax Was Warned (vice.com)
Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it -- but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline. This revelation opens the possibility that more than one group of hackers broke into the company. And, more importantly, it raises new questions about Equifax's own security practices, and whether the company took the right precautions and heeded warnings of serious vulnerabilities before its disastrous hack. Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.
Equifax is a company that collects sensitive financial information without permission from consumers and shares it with financial services companies. Its cybersecurity should be the physical equivalent of Ft. Knox. This multi-billion-dollar company has no excuse for allowing such a flagrant breach of its data.
Yes, we all know that betting your company's future on open source software like Linux / Apache / Struts is a recipe for disaster.
Anybody can introduce a bug into open source software that will take down your company.
That's why I prefer commercial software with well established quality control.
They ought to be on the hook for damages to every person affected — with a meaningful minimum even for those of us who cannot demonstrate actual harm. Just because my details are now accessible to anyone anonymously.
Yes, it will bankrupt them, and that'd be a good thing. Have them go the way of Enron and Ashley Whatshername...
In Soviet Washington the swamp drains you.
This smells of Class Action Lawsuit !
Or more than one...
Apache Struts had plenty of quality control. The bugs in question were patched LONG before any breach. The fact that it's open source is what enabled a third-party security company to discover and report the security vulnerability so quickly.
It's a double-edged sword, since not patching your systems means that vulnerabilities are published for all to see. But the patch was available.
It doesn't matter what you use if you don't patch it.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
I think we need private and governmental bodies where people can submit complaints about security vulnerabilities.
Governmental body: Something like the CFPB but for security and privacy related concerns.
Private watchdog groups: We also need an org that exists that can be notified whenever a security or privacy vulnerability is reported to a company. Such a group could keep track of info, be designated as a proxy to be provided with updates/responses on when and if a security or privacy vulnerability is being responded to, etc. And also have the ability to disclose to the public information about the vulnerability if the company fails to respond in certain ways and according to some guidelines. It would probably be good to have laws that allow some federal agency to set guidelines, similar to how the USPTO does with DMCA take down notices.
Let's get all our Hillary-bashing out in one thread, so we can see how silly we look!!
Says the person bashing Trump. :-/
...Harvey Weinstein touch Equifax in its private parts.
This is exactly why such personal information collection should be illegal. Of course there wouldn't be a problem if companies applied proper security measures, but that's exactly the problem: There will never be appropriate security measures in place. Ever. Period. No amount of legislation will ever change that. History has shown time and time again that hackers will always win. The consequences of such information falling into the wrong hands are just too great.
So until the system is changed in a way that makes such leaks almost irrelevant, collecting of personal information should be made illegal. Of course, like with anything illegal, it will not make it disappear, but it will reduce its scope, until the system can be fixed.
The people responsible for making decisions at Equifax are completely and totally incompetent and/or have a total disregard for the consequences to the people whose data was allowed to remain at risk. So far as I'm concerned there's no yard-arm high enough to hang them all from, and hanging is actually too good for them; they should be drawn, quartered, the pieces convicted, and buried face-down in unmarked shallow graves. If you're getting the idea that this is pissing me off, you are most certainly correct. In all seriousness they need to be prosecuted to the fullest extent of the law, incarcerated for the maximum amount of time possible, assets seized (especially any made from their sale of Equifax stock, which was done before informing the public that they'd been junglefucked), and legally prohibited from being employed in the finance industry (not even so much as being a bank teller!) for LIFE. That is, assuming, they have any life after this; I'd imagine at least one of the approximately 50% of Americans (not even counting overseas people affected!) whose lives may well have been ruined by this would feel motivated to track these people down and shoot them in the head -- and more power to 'em, I say.
There is a way to have enough data for a transaction, but no more. A certificate based system, where one's ID card just validates the cardholder is whom they claim to be, and is a repository for certificates. For example, a certificate showing the person is over age 21. That way, they can go to a bar in the US, and the cert provides what the bar needs to know to comply with the law. The bar doesn't need names, ages, or anything else. Just that the bearer is over 21.
This could be extended to a lot of other things, and to reduce fraud, short-lived certs should be used. For example, a cert that lasts 1-2 days that is done by a police department certifying someone has no entries on their RAP sheet, and has no pending charges. This way, stuff can be done, but relevant info can be sequestered in small, scattered databases, so a breach would be of limited damage.
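One way to realize the short-lived, single-attribute certificate sketched in the two comments above, as an added example in Go that is not from the original thread: the claim format, the field names and the Issue/Verify functions are assumptions, and Ed25519 stands in for whatever signature scheme the ID card would actually use.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AttributeCert is all the relying party (the bar) ever sees: one attribute plus an
// expiry. No name, birthdate or address. The field names are a constructed format.
type AttributeCert struct {
	Attribute string `json:"attr"` // e.g. "over21" or "no_rap_entries"
	NotAfter  int64  `json:"exp"`  // unix seconds; keep it short-lived
}

// Issue is the authority's side (DMV, police): attest one attribute for a limited ttl and sign it; the full record never leaves the authority.
func Issue(priv ed25519.PrivateKey, attr string, ttl time.Duration, now time.Time) (payload, sig []byte, err error) {
	payload, err = json.Marshal(AttributeCert{Attribute: attr, NotAfter: now.Add(ttl).Unix()})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify is the relying party's side: issuer signature first, then the exact attribute it needs, then freshness. Any failure means "do not serve"; nothing else is learned.
func Verify(pub ed25519.PublicKey, payload, sig []byte, wantAttr string, now time.Time) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature: not issued by the trusted authority")
	}
	var ac AttributeCert
	if err := json.Unmarshal(payload, &ac); err != nil {
		return err
	}
	if ac.Attribute != wantAttr {
		return errors.New("cert asserts a different attribute than the one required")
	}
	if !now.Before(time.Unix(ac.NotAfter, 0)) {
		return errors.New("cert expired: bearer must obtain a fresh one")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	payload, sig, _ := Issue(priv, "over21", 48*time.Hour, time.Now())
	fmt.Println("accepted:", Verify(pub, payload, sig, "over21", time.Now()) == nil)
}
```

Because the payload carries only the attribute and expiry, a breach of the bar's records (or of the certificate itself) exposes nothing beyond "someone was over 21 that day".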
I've worked in big companies for a long time and I'm not surprised. The IT security people are usually in-house, but I wouldn't be shocked if they were offshore or totally outsourced. When the IT security team is contacted by a "researcher" telling them something's vulnerable, big IT departments will take forever to put anything into place. First the security team has to run it up the flagpole to their management, then their management has a meeting to decide what course of action to recommend to the server team. The server team (who also may be offshored or outsourced, which introduces more delays) will be told that they have a vulnerability to patch. Application owners affected will need to be contacted to determine when a good time to patch will be. Worse still, if it's a shared service like a service bus or core application component, you have to coordinate that among all the systems' users. Only then can a change management notice be raised, then discussed at the Change Approval Board meeting, then scheduled. At any point, this can also be delayed by the application owner saying they can't take the downtime.
I'm sure all the DevOps kids will say "dude, just put it in the cloud and CI/CD it...we release 20 times a day!" Legacy financial systems are a different animal. You might be able to release the web front-ends to a system like that 20 times a day, but big company IT's complexity and culture make it hard to apply this to the core.
If the warning was anything other than, "Danger CEO your stock options are under peril", they would pay no attention to it.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Seemingly never mentioned in this or other major (OPM) hacks - could the hackers have altered the data, even changed timestamps/logs to cover their tracks?
Could it be proved either way? Speaking of a real can of worms legally, can one now challenge that data if you don't like it under the assumption it's been hacked?
Could you get a security clearance via hacking OPM? Ramifications are interesting here. If one had content of both, they'd know who to blackmail as well. And these are the guys who want the keys to our crypto, promising they'll keep it safe when they can't even keep their own employee stuff safe?
Why guess when you can know? Measure!
That's why I prefer commercial software with well established quality control.
And what commercial software is that? It's not like all commercial software has great quality control. Have you read this month's security bulletins from the likes of Oracle, Microsoft, etc.? Also in the case of Struts, it had been patched months prior to the intrusion.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Didn't the US Government just approve that Equifax can no longer be sued into oblivion? Why the hell should Equifax (or any other company) even give a shit about security at all anymore? They fuck up, get raises, and live long, happy lives.
There are two other credit reporting agencies. We can afford to dismantle this one and redistribute assets to the people who were wronged.
Of course our Representatives aren't representing us and have sided with their corporate masters: "Senate votes to kill new rule allowing class-action lawsuits against banks after Pence casts deciding vote"
A reasonable way for policing these kinds of breaches is to enact legislation requiring those companies pay each and every person whose identity was leaked a reasonable compensation. In my case, that would be about $120 per year as I've already had to close hacked accounts, change personal data and hire an independent identity management firm to clean up the mess and control future issues. 145m x $120 = bankruptcy for Equifax. Sounds good to me.
However, the sad fact of the industry is that a great many (though not all) organizations are told over and over by those who know internally of the risks.
But security is hard. There is no room for cutting corners. You either have partitioned networks, or not, locked down firewalls, or not, encryption, or not, and so forth. But too often, cuts are made for expediency. When good, fast, or cheap is chosen in such domains, you don't usually even get to choose two: you get to choose one. And too often, the definition of acceptable risk changes as things go up the chain from those who know and build the systems to those who make the final decisions, who are often non-technical.
Thus, until there are ramifications for that sort making horrible decisions when it comes to security, things will continue as they are now. The techies know. But they don't usually have the power. Those with the power are told, but are only concerned with the short term ROI and bottom line.
Check your premises.
that's what we voted for. so get over it.
"We"? Speak for yourself. I didn't vote for Trump and I'm certainly not about to "get over it" until he is removed from office.
Further deregulation will lead to even MORE piss-poor security situations like this. Our lawmakers are, at this point, willfully negligent to the point of being criminally culpable. This same situation happens again and again, at various private and government places, and yet nothing is really done. Oh, a law or two might be passed that says "unauthorized access is illegal" yet nothing dictating that any real effort must be done to stop said unauthorized access. Even if we passed a law to force some level of IT security, we lack the backbone to actually do any enforcement.
The US doesn't even have a current Cabinet-level person doing anything related to security in a real way. "Giuliani Security & Safety" does NOT count. Rob Joyce has TWO full time jobs, one as the "White House Cybersecurity Coordinator" and another as "acting deputy homeland security adviser to the President". While those may have overlapping duties, it's obvious that cybersecurity needs to be its own separate gig. I would even go so far as to say we need a "Commercial Cybersecurity Czar" to separate out the government vs public, as these are quite different in scope and approach.
However, seeing the kind of people Trump likes to appoint, I would expect someone who thinks cybersecurity is a "hoax" and believes that corporations will be forced to secure themselves "if only allowed to by the invisible hand of the free market"; who would then nullify HIPAA and censure / fire / dismantle the part of NIST that writes the 800 series.
Is that really the time to talk about the issue, right after a warning? Such harassment is onerous to businesses, everyone knows businesses can police themselves, maybe we should change our laws so we can sue these wannabe warners.
When you prioritize diversity hiring and your Chief Security Officer has no professional training in IT Security.
they have no right to exist as a corporation which holds public information. None.
Over any period, the number of Linux kernel flaws will absolutely dwarf the number of flaws patched in the OpenBSD kernel.
There are consequences when choosing popularity over correctness.
So it seems everyone has got a story that proves Equifax was negligent in protecting sensitive information. We already know this from countless stories. Who cares how many warned of this security problem. The fact it was never addressed is a repeating story, where people who should know better don't, and they tend not to listen to others who sound the alarm. If you're unwilling to be diligent yourself, what makes you think those people would listen to the alarmists?
Well, with morons like you around, at least the hackers need not worry about getting more opportunities in the future.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It doesn't matter what you use if you don't patch it.
i use an IBN 5100, so i'm safe.
..there should be some kind of registry where you can leave your contact info and the date that you notified the customer or employer that they had serious security issues and describe any extra circumstances (such as they refused to pay your final bill because it included unauthorized work --on doing what you could to improve security before you walked off due to their disregard for their customer's security). There are all kinds of mechanisms to report government agencies and contractors, but not much for purely commercial sector.
It's so old, half the M fell off!
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.