Slashdot Mirror


After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com)

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced, the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.
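A download count only says which versions someone fetched; the question a practitioner actually needs answered is whether a vulnerable Struts build is sitting in a deployed application. The script below is an added example (not code from the ZDNet report, from Sonatype, or from the Struts project) that inspects the jar names found in a deployment, such as the contents of a WAR's WEB-INF/lib, and flags any struts2-core artifact inside a known-vulnerable range. The ranges encoded are those of the Struts advisory for the March 2017 fix the summary refers to (S2-045 / CVE-2017-5638): 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are affected, with 2.3.32 and 2.5.10.1 as the fixed releases. The jar list is a constructed sample, and version comparison pads missing components with zeros so that 2.5 and 2.5.0 compare equal and 2.5.10.1 sorts after 2.5.10.

```python
"""Flag Apache Struts 2 core jars that fall inside a known-vulnerable version range.

Added example, not code from the ZDNet report, Sonatype or the Struts project.
Version ranges are those of Struts advisory S2-045 (CVE-2017-5638, fixed March 2017).
Sample jar names below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class VulnRange:
    advisory: str
    lowest: Version    # inclusive
    highest: Version   # inclusive
    fixed_in: Version  # first release on this branch that carries the fix


# Two affected release branches, each with its own fixed release.
STRUTS_RANGES: List[VulnRange] = [
    VulnRange("S2-045", (2, 3, 5), (2, 3, 31), (2, 3, 32)),
    VulnRange("S2-045", (2, 5), (2, 5, 10), (2, 5, 10, 1)),
]

# struts2-core-<numeric version>[-qualifier].jar  e.g. struts2-core-2.5.10.1.jar
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.][A-Za-z].*)?\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1). Numeric dotted versions only."""
    return tuple(int(part) for part in text.split("."))


def _pad(v: Version, n: int) -> Version:
    # Missing trailing components count as zero, so 2.5 == 2.5.0
    return v + (0,) * (n - len(v))


def compare_versions(a: Version, b: Version) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to, or higher than b."""
    n = max(len(a), len(b))
    pa, pb = _pad(a, n), _pad(b, n)
    return (pa > pb) - (pa < pb)


def find_vulnerable_range(v: Version) -> Optional[VulnRange]:
    """The range containing v, or None if v is outside every known range."""
    for r in STRUTS_RANGES:
        if compare_versions(r.lowest, v) <= 0 and compare_versions(v, r.highest) <= 0:
            return r
    return None


def struts_version_from_jar(filename: str) -> Optional[Version]:
    """Extract the version from a struts2-core jar name; None for other jars."""
    m = _JAR_RE.match(filename)
    return parse_version(m.group(1)) if m else None


def audit_jars(jar_names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (jar, advisory, fixed_in) for every vulnerable struts2-core jar."""
    findings = []
    for name in jar_names:
        v = struts_version_from_jar(name)
        if v is None:
            continue
        r = find_vulnerable_range(v)
        if r is not None:
            findings.append((name, r.advisory, ".".join(map(str, r.fixed_in))))
    return findings


# Constructed sample, as if listed from a WAR's WEB-INF/lib directory.
SAMPLE_WAR_CONTENTS = [
    "commons-lang3-3.5.jar",
    "struts2-core-2.3.31.jar",    # last vulnerable 2.3.x release
    "struts2-core-2.5.10.1.jar",  # fixed release on the 2.5 branch
    "struts2-core-2.5.10.jar",    # last vulnerable 2.5.x release
    "struts2-core-2.3.32.jar",    # fixed release on the 2.3 branch
    "struts2-core-2.5.jar",       # two-component version, still in range
]

if __name__ == "__main__":
    for jar, advisory, fix in audit_jars(SAMPLE_WAR_CONTENTS):
        print(f"{jar}: vulnerable ({advisory}), upgrade to {fix}")
```

Run it against the real jar listing of each deployed application (for example the output of `unzip -l app.war`) rather than against a build manifest; a local repository mirror or a build server may hold old artifacts that never reach production, and the reverse is also true for applications assembled by a vendor and dropped on a server as a finished archive.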

62 comments

  1. Well duh.... by Kenja · · Score: 4, Insightful

    A data breach may cost money later, but changing would cost money now, which is all stock holders care about.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Well duh.... by Anonymous Coward · · Score: 0

      ....changing would cost money now, which is all stock holders care about.

      Tesla shareholders would disagree with you. Tesla constantly makes changes and they're fine with it - even when it loses money.

    2. Re:Well duh.... by Kenja · · Score: 1

      Tesla is more of a cult than an investment, I mean the CEO said just last week that people shouldn't invest in them if they expect to make money.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:Well duh.... by Anonymous Coward · · Score: 1

      A data breach makes money for the C-levels. If they can wait six months between the breach and the announcement, they can short their stock early on, and in two quarters, cash in when the company stock values plummet, and the SEC here in the US cannot touch them. Even if they just short/dump the stock a few days ahead, they have made a mint, as insider trading is something that isn't enforced these days.

    4. Re:Well duh.... by Anonymous Coward · · Score: 1, Informative

      You could at least try to get your trolling right. Tesla CEO said that people who didn't like volatility shouldn't invest in them. He never said anything about avoiding them if they expect to make money. He's also explicitly stated that they're very likely to start turning profits in Q3/Q4 of this year...so there's that. But by all means, go back to your negative blathering.

    5. Re:Well duh.... by sheph · · Score: 1

      Exactly. The failure is in the ability to communicate value in spending. C level people rarely understand technology enough to properly communicate the risk and benefit of security. It just isn't typically in their wheel house. This is why people in security who really understand both need to be vocal in communicating both to those who interact with the shareholders.

      --
      I don't believe in karma, I just call it like I see it.
    6. Re:Well duh.... by Raenex · · Score: 1

      More likely this is about lazy/ignorant security practices than a cynical decision to save money short term.

  2. Equifax got away, so why change? by sinij · · Score: 4, Insightful

    This behavior is very logical. Equifax got away with gross negligence in the area of data security. It follows that expenditures on data security can be minimized. Updates and technical expertise costs money, market-driven approach would be to keep already paid-for systems in place and outsource maintenance of these old systems to the lowest bidder.

    1. Re:Equifax got away, so why change? by ErichTheRed · · Score: 2

      This is exactly correct. There's no money in fixing security problems, insurance will pay any damages, and executives are shielded from any liability anyway. And all they have to do is give consumers a year of free "credit monitoring."

      Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happened.

    2. Re:Equifax got away, so why change? by sinij · · Score: 1

      Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happened.

      We can't do that, as software engineers don't often write any code from the ground up and often don't control how the code they write is used. In civil engineering it is possible to control all aspects of the project and very clearly limit its scope of use. Now imagine building a skyscraper when the foundation was designed by someone else, you have no control over how closely the spec was followed during construction, and at some point some madman would try to land a 747 on it. That is what civil engineering done the way software is designed would look like.

      Software engineering almost universally relies on code written by others, be it libraries, APIs, drivers and so on. Also imagine you contribute to some open source project, it gets integrated incorrectly into something that you had no knowledge of, then you get hauled in front of a technically illiterate jury because it was your code that led to the exploit and data breach, never mind that the patch was available for 6 months prior to the incident.

    3. Re: Equifax got away, so why change? by Anonymous Coward · · Score: 0

      Yeah, sure. The hamsters of the software treadmill should be held accountable.

      Never the owners of the treadmill.

    4. Re:Equifax got away, so why change? by sheph · · Score: 1

      If it's due to negligence then yes I completely agree. It's all well and good to blame the engineer if the design is flawed due to incompetence. However, if it's because of pressure from above to ignore security issues, or go with the cheapest option rather than the best option and push forward with bad design then those making that decision should be held accountable.

      --
      I don't believe in karma, I just call it like I see it.
    5. Re: Equifax got away, so why change? by ErichTheRed · · Score: 1

      Maybe there would be fewer bad hamster wheel owners if the hamsters had a way to push back. If the hamster was a PE, and the penalty for signing off on something they were forced to rush through was "you'll never work in the industry again and will be sued out of existence," the level of cowboy development would go way down.

      The fact that whole branches of software development can go in and out of fashion in 6-month cycles is a bug, not a feature. No one will support this because most techies think regulations are evil, but I think it's time to grow up as a profession, build stuff around a known-good core and innovate around the edges unless there's a truly mind-blowingly better way of doing something.

    6. Re: Equifax got away, so why change? by Anonymous Coward · · Score: 0

      There already exist highly regulated software development activities such as medical, aerospace and parts of automotive.

      The onus is still with management because most things are a matter of money, time and other resources.

    7. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 0

      THIS. For far too long software engineers have gotten away with delivering defective product with the attitude "we'll patch it later". (Let's face it, many of them aren't "engineers" in the traditional sense, with a traditional engineering degree, but "devs" with a CS or diploma mill background. So yeah, certainly no classes on engineering ethics in that type of curriculum.) The really annoying part about this is they get away with delivering schlock, and then the ops folks are thrown under the bus for NOT PATCHING RIGHT NOW IMMEDIATELY. Apparently these morons have never worked in an enterprise where releases are managed, tested, and only done during scheduled outage windows. No, we can't fix your shit immediately when you say so.

      To draw the civil engineering analogy another poster mentioned, that's like a CivE delivering a bridge that was missing a bunch of critical rivets, sending the transportation dept. a box of rivets saying "PATCH RIGHT NOW" then the bridge collapses that same day. Then blaming the transportation dept. for not shutting down a major roadway to install their rivets RIGHT NOW without reading any drawings (IOW, software testing).

    8. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 0

      if it's because of pressure from above to ignore security issues...

      Because *orders are orders*, right? Sorry, all choices are personal. I'm not saying quit your job, just that you acknowledge your own part when you *play along to get along*. To me, the person that executes the order is far worse than the person making it.

    9. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 0

      Last time I checked my state board, there was no PE for SE. Sorry, but the lobbies have spoken, and the money has already exchanged hands.

    10. Re: Equifax got away, so why change? by Anonymous Coward · · Score: 0

      Sounds like you want a scapegoat for your shitty business practices.

    11. Re:Equifax got away, so why change? by Junta · · Score: 1

      If you really need to fix the problem, you *must* hold the decision makers accountable.

      There will always be some personnel that will do what they are asked, because they don't care or they don't know how bad things are. If they can't find any in their own country, they will offshore to developers in a country that just have no reason whatsoever to care.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    12. Re:Equifax got away, so why change? by viperidaenz · · Score: 1

      Equifax is more like sending the box of rivets saying "PATCH RIGHT NOW" and the box gets left under someone's desk for 6 months, then the bridge falls down.

      But it's more like a box with a cover panel, some rivets and an assembly robot with a description saying "if someone taps this specific rivet on a specific angle with a specific amount of force, it may fall out, leaving other rivets vulnerable to similar attacks that may eventually weaken the structure enough for the bridge to collapse" and all they have to do is turn on the robot and it will automatically install the panel over the vulnerable rivet to mitigate the issue.

    13. Re:Equifax got away, so why change? by plopez · · Score: 1

      Do you know how many groups/people have a hand in even new home construction? The foundation was poured by a concrete specialist, the plumbing by plumbers, the drywall was manufactured by companies specialized in it etc. Now for a skyscraper the number skyrockets with all of the specialized construction materials and techniques required. An Architect or CE has to trust that each of them has delivered to spec. Things get tested on site, e.g. slump tests, but by and large the contractor must deliver to spec. The problem with software is there is no spec. Due to no liability.

      --
      putting the 'B' in LGBTQ+
    14. Re:Equifax got away, so why change? by lactose99 · · Score: 1

      Would have been great to use this as data to ensure Equifax was punished for that breach. Now it becomes the status quo...

      --
      Fully licensed blockchain psychiatrist
    15. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 0

      You didn't contradict my point in any way. It doesn't matter where a person is. If he executes an illegal order, he is guilty. Enough of the blame passing!

    16. Re:Equifax got away, so why change? by Bert64 · · Score: 1

      Because the orders are not illegal, just wrong... And you'll be fired for not following them. You might even be fired just for pointing out that the orders are wrong.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    17. Re:Equifax got away, so why change? by swillden · · Score: 2

      insurance will pay any damages

      If there were significant damages, this would be part of the solution, not part of the problem. Insurance companies are quite good at assessing risk and delivering targeted recommendations which must be followed to get lower premiums. The problem is that there are no real damages for insurance companies to pay, so none of these incentives come into play.

      Maybe what we need is statutory damages for privacy breaches, which apply above and beyond any provable actual damages. Say, $100 for each social security number, name, address etc., perhaps on an increasing scale when multiple pieces of information about one person are leaked in such a way that they are connected, since having more data about a person makes identity theft and other malicious use easier. The money should be payable to the person whose information is leaked.

      Oh, and evidence that a company tries to hide a breach should result in triple damages and criminal prosecution of the individuals tried to conceal it.

      If the Equifax breach had resulted in statutory payouts of, say, $500 per person to each of the 145M people harmed, the resulting $72.5B liability would have hammered Equifax flat, insurance or no. And you can bet that other companies would have gotten serious about data security -- not only that, it would make stored data about individuals a serious liability which companies would try to avoid. You can't be forced to pay out for leakage of data that you never had. Companies' own attorneys and insurance companies would be constantly harping on the need to limit liability by destroying customer/user data.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    18. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 1

      Not quite. The problem with software patches is that they can and do cause things to break occasionally. Reference most recently the patches for the Intel CPU bugs which ended up breaking more than they fixed. I personally had a 2k8 server render itself unbootable because it has a particular model AMD CPU that could not execute certain instructions that were present in Intel's patch. Fault to Microsoft for not doing enough testing but it appeared to affect only certain AMD CPUs.

      More like, we replaced the rivets now the drawbridge is stuck in "open" and we're fucked.

    19. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 0

      Same thing, if you execute the order, you are to blame as much as the boss, more so, for carrying out the execution. I tried to tell the other guy. Nobody has to quit or anything, they just have to understand that their morality is no better than the boss's if they follow his orders. The rationalizations are bullshit. It's not complicated.

    20. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 0

      And do you know how many local ordinances and building codes are mandated by law in your area? There are tons of them. They go as far as "items, including plants, within XXX feet of an intersection and within X feet of a roadway cannot be higher than X inches nor obstruct the views of any driver." There's no such thing for software. There aren't any "The window close button must be at least XX pixels from all other interactive controls."* Such a thing could exist, but no one seems to care about making it happen. It would also be a nightmare if such regulations existed. Creativity in the software industry would be near dead. All UIs would be nearly exactly the same just as all roadways and home layouts are nearly exactly the same. Sure you'd be able to change some of the colors of your CSS, but anything more than that would be illegal. And it'll make exporting software from your current region crazily complex.

      You'll argue the UIs aren't important. The laws would only dictate security concerns. Maybe they would at first, but just like HTML's only purpose is for describing content so the client side software can decide how to best display it, it'll be corrupted near instantly.

      Don't forget the programming industry is less than 100 years old. I'm sure the first large buildings and bridges had issues. Once anyone is able to reliably write extremely high quality software in a cheap and timely fashion, I'm sure the process will spread throughout the industry and become standard. Until then, we'll keep fighting over bullshit arguments like tabs vs spaces when the answer is really tabs and spaces. And whatever regulations get written will prevent the no-tab, no-spaces IDEs from being built. In structured languages, you should never need to manually indent anything nor would the IDE need to save indentation hints to the file. The argument shouldn't even exist. But the industry is still immature, so such quality tools don't exist yet and we're too busy figuring out how to compel people to buy things to bother improving anything else.

      *Well, there used to be UI guidelines for all the major OSes. Those are all ignored now since changes in UI sell far better than unseen changes in security and features.

  3. Why Patch by Anonymous Coward · · Score: 3, Insightful

    How many Equifax executives have gone to prison?

    Put them in chains, and other executives might notice.

    1. Re:Why Patch by Anonymous Coward · · Score: 0

      **friendly...get your spam post shit right!!

  4. Consultant-built Software by ErichTheRed · · Score: 2, Informative

    One problem is that companies continue to run software that was built as a one-off by some consulting company, offshore vendor or similar. They either don't exist anymore, or want millions to even look at the code again. Those packages need these out-of-date frameworks and other software as dependencies, and the company doesn't have the expertise in-house to know whether a patch will break something. In my line of work, the main offender is awful Java thick client applications, and these often require a _specific_ point release of some horribly outdated JRE/JDK. But JEE web apps are even worse in this regard...and despite the hype around app-of-the-month, there are TONS of these systems from the 2000s floating around in big companies.

    Consulting companies should be required to at least hand over the source code for software they produce if they're not interested in maintaining it long-term as an actual product. And if a company is relying on some system as a dependency, they shouldn't allow their vendors to walk away without fully understanding what they've left running on their systems.

    1. Re: Consultant-built Software by Anonymous Coward · · Score: 0

      None of the things you name was a problem at Equifax. They used some craptastic free Java serialization library and were too cheap to have it updated AFTER being warned of the risks and BEFORE they were owned.

      Management is 100% to be blamed here.

    2. Re:Consultant-built Software by Bert64 · · Score: 1

      The problem is none of the companies hiring these consultancies understand what they're getting...

      They should demand source code, should demand a second source supplier, should demand ongoing maintenance, should demand that the software store data and communicate using documented protocols so that its easily replaceable.

      But very few people ever make these demands, so few of the consultancies cater to them.

      It should be due diligence to insist on all of the above and have a thorough procurement policy, but for that to happen the people making the purchasing decisions need to understand what they're getting into.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Consultant-built Software by Anonymous Coward · · Score: 0

      companies should be required to at least hand over the source code for software they produce

      Any company not putting that requirement into their statement of work orders with consulting firms, or at a minimum requiring the development firm to place the code in escrow, has a very poor legal team. I've quite often been the tech reviewer for contracts or SoWs for the legal departments where I worked and I've always seen or requested that the source code be delivered as part of the work or that it be in escrow.

      Any software consultancy that won't agree to those conditions has something to hide and shouldn't be used.

  5. Open Source is Magic! by CajunArson · · Score: 0

    Funny how the completely open source Apache Struts framework never got any of the blame in the Equifax hack.

    And don't give me the usual "but the vulnerabilities were fixed before the hack happened!" Because if that was true then only zero-day hacks of any system could count and despite the propaganda those attacks are quite rare.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re: Open Source is Magic! by Anonymous Coward · · Score: 0

      Equifax failed to update their systems long after the first warnings.

      The company should be closed and owners disposessed.

    2. Re:Open Source is Magic! by Junta · · Score: 1

      Note that a lot of these top-100 companies are chock full of outdated closed source software too.

      On a recent random check of a few laptops from one of those sorts of companies, the average was about 2 years since they last received any update whatsoever from Microsoft (their update mechanism had broken and they had no reporting about it). I was working with another company and they were intentionally using a commercial product from a company that went out of business 15 years ago, because it would be too much trouble to migrate off.

      Here the open/closed doesn't matter, either way they are terrible at software currency.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Open Source is Magic! by Holi · · Score: 1

      "And don't give me the usual "but the vulnerabilities were fixed before the hack happened!""

      So ignore the truth, check.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  6. Probably all relying on same version of WebSphere by Narcocide · · Score: 1

    (or some other ill-conceived and bloated atrocity that will never receive security updates because they cost too much money)

  7. If you allow them to do it... by SeaFox · · Score: 1

    Was this flawed software deemed "non-compliant" by a government regulatory body of some sort after the Equifax breach?

    ...
    No?

    Well, then, why the hell would you expect things to change? The financial sector isn't going to do anything that costs money or time that doesn't personally benefit them unless you force them to.

  8. Re: Probably all relying on same version of WebSph by Anonymous Coward · · Score: 0

    Maybe you read before you crappost. It was STRUTS. Insecure versions unpatched for months.

  9. Right by Anonymous Coward · · Score: 0

    "..10,800 companies downloaded vulnerable versions of the software."

    10,799 of them were security companies trying to make a name for themselves.

    All jokes aside, I'm sure most of these companies are downloading the vulnerable versions of the software for specific compatibility needs and only patching security issues. If done before production this process is entirely industry standard and acceptable for larger, slower moving companies. Sure makes for a scary sounding title for an article though.

    1. Re:Right by Junta · · Score: 1

      I share the thought that those downloads do not *necessarily* mean the company deployed insecure software, but to say that 'most of these companies' are patching the security issues is way too optimistic. Sure some, but most are completely oblivious.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  10. Witch hunt by Anonymous Coward · · Score: 0

    I am American and the witch hunt against Equifax is ridiculous. Never before has any company been under so much scrutiny. All companies use sometimes flawed software but only Equifax has libtards and leftist agitators on sites like Slashdot.Org calling for violence against them. Shameful.

    1. Re: Witch hunt by Anonymous Coward · · Score: 0

      This a trillion times! I too am American and left wing parties are going nuts with the witch hunts trying to discredit amazing groups all over the country. Very sad.

    2. Re: Witch hunt by viperidaenz · · Score: 0

      I too am Ameri..... wait no I can't type that with a straight face. I would be embarrassed to be an American. I'm glad I'm not.

    3. Re: Witch hunt by Anonymous Coward · · Score: 0

      Equifax is a credit bureau. It has literally every credit transaction you ever did, in its database.

      The breach will have the same effect as a bank robber stealing all of the assets of your financial institution, causing you to lose all of your money, including retirement funds.

    4. Re: Witch hunt by Anonymous Coward · · Score: 0

      So? Why are you giving out your personal information if you are so worried? You stupid libtards need to find a better argument.

    5. Re: Witch hunt by Reverend+Green · · Score: 1

      Shills be shillin'

  11. FAA level code audits cost way too much to do by Joe_Dragon · · Score: 1

    FAA level code audits cost way too much to do. And also why should the 1099 or H1B risk being fired / kicked out by not signing off?

  12. More hype by jbmartin6 · · Score: 1

    All they showed was how many downloads, not how many implementations. I'm sure my company has downloaded a copy of the software too, we use local copies of various repos. We don't use Struts anywhere, we just prefer to maintain local repos.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  13. Just left a meeting discussing solving that by raymorris · · Score: 1

    > C level people rarely understand technology enough to properly communicate the risk and benefit of security. It just isn't typically in their wheel house.

    I just left a meeting with the CEO of our security company in which we discussed how to solve this. Heck, even the technical C people, like a CIO of a major company, are busy with many different things - desktops, network, on-premise servers, cloud .... They don't have time to really understand each of the vulnerabilities that comes out every day.

    They need the security experts to tell them the bottom line "how secure are we?", "What are the top five things we need to do to reduce our risk?" and "what is the value proposition, the financials?"

  14. How many went to jail for Equifax breach? by 140Mandak262Jamuna · · Score: 2
    None. Right?

    What it lost was money, right? And who lost it? The shareholders.

    All bonuses and pay all these executives were gorging themselves on was not clawed back. They did not go to jail. They paid the fines and compensation using shareholders' money.

    Why would they change?

    Why would you expect them to change?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  15. Take down vulnerable builds by Anonymous Coward · · Score: 0

    Public, trusted artifact repositories need to start taking down broken, risky builds. This would force the migration to newer, presumably more secure versions of these libraries.

    1. Re: Take down vulnerable builds by Anonymous Coward · · Score: 0

      Absolutely! Once a problem has been discovered old versions should be quarantined! Nobody should be able to do a new installation with the broken versions.

  16. AOL is responsible for this mess by Anonymous Coward · · Score: 0

    AOL pushed Internet access onto people long before they could be trained on using it securely. Sure, no respectable slashdotter would be caught dead deploying vulnerable software, but IT security is universally flawed as a result. It may simply not be possible to fix this mess, which means AOL owes the world an apology (and trillions of dollars in reparations).

  17. Re: Probably all relying on same version of WebSph by Narcocide · · Score: 1

    Maybe you should read up on WebSphere and figure out why these huge enterprises may be all mysteriously holding onto an ancient and buggy fork of an open source project.

  18. What's My Motivation? by Anonymous Coward · · Score: 0

    If Equifax got a non-slap on the non-wrist, and people STILL use their services... why pay to fix it?

    ---Why pay to maintain patches on-going?

  19. Snort by Anonymous Coward · · Score: 0

    There's more than one way to block an exploit. You don't always need to patch the software which risks breaking something else.

    If you can't get the reference, you're not qualified to reply and know far less about security than you think. That's one of the many problems with the computing industry. Too many people think they know far more than they do.

  20. How Open Source Can Fail by Anonymous Coward · · Score: 0

    There was always a bit too much of "but FOSS cures all! Thousands of eyeballs! Problems get fixed automagically!" for me.

    This article shows how implementation can be an issue. The patch was available and Equifax never implemented it.