Slashdot Mirror

← Back to Stories (view on slashdot.org)

After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com)

Posted by msmash on from the we-learn-nothing dept.

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.

32 of 62 comments (clear)

  1. Well duh.... by Kenja · · Score: 4, Insightful

    A data breach may cost money later, but changing would cost money now, which is all stock holders care about.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Well duh.... by Kenja · · Score: 1

      Tesla is more of a cult than an investment, I mean the COE said just last week that people shouldn't invest in them if they expect to make money.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:Well duh.... by Anonymous Coward · · Score: 1

      A data breach makes money for the C-levels. If they can wait six months between the breach and the announcement, they can short their stock early on, and in two quarters, cash in when the company stock values plummet, and the SEC here in the US cannot touch them. Even if they just short/dump the stock a few days ahead, they have made a mint, as insider trading is something that isn't enforced these days.

    3. Re:Well duh.... by Anonymous Coward · · Score: 1, Informative

      You could at least try to get your trolling right. Tesla CEO said that people who didn't like volatility shouldn't invest in them. He never said anything about avoiding them if they expect to make money. He's also explicitly stated that they're very likely to start turning profits in Q3/Q4 of this year...so there's that. But by all means, go back to your negative blathering.

    4. Re:Well duh.... by sheph · · Score: 1

      Exactly. The failure is in the ability to communicate value in spending. C level people rarely understand technology enough to properly communicate the risk and benefit of security. It just isn't typically in their wheel house. This is why people in security who really understand both need to be vocal in communicating both to those who interact with the shareholders.

      --
      I don't believe in karma, I just call it like I see it.
    5. Re:Well duh.... by Raenex · · Score: 1

      More likely this is about lazy/ignorant security practices than a cynical decision to save money short term.

  2. Equifax got away, so why change? by sinij · · Score: 4, Insightful

    This behavior is very logical. Equifax got away with gross negligence in the area of data security. It follows that expenditures on data security can be minimized. Updates and technical expertise costs money, market-driven approach would be to keep already paid-for systems in place and outsource maintenance of these old systems to the lowest bidder.

    1. Re:Equifax got away, so why change? by ErichTheRed · · Score: 2

      This is exactly correct. There's no money in fixing security problems, insurance will pay any damages, and executives are shielded from any liability anyway. And all they have to do is give consumers a year of free "credit monitoring."

      Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happened.

    2. Re:Equifax got away, so why change? by sinij · · Score: 1

      Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happened.

      We can't do that, as software engineers don't often write any code from ground-up and often don't control how code they write is used. In civil engineering it is possible to control all aspects of the project and very clearly limit its scope of use. Now imagine building a skyscraper when the foundation was designed by someone else, you have no control over how closely the spec was followed during construction, and at some point some madman would try to land a 747 on it. That is how civil engineering as software design would look like.

      Software engineering almost universally relies on code written by others, be it libraries, APIs, drivers and so on. Also imagine you contribute to some open source project, it gets integrated incorrectly into something that you had no knowledge of, then you get hauled in front of the technically illiterate jury because it was your code that lead to exploit and data breach, never mind that patch was available for 6 month prior to incident.

    3. Re:Equifax got away, so why change? by sheph · · Score: 1

      If it's due to negligence then yes I completely agree. It's all well and good to blame the engineer if the design is flawed due to incompetence. However, if it's because of pressure from above to ignore security issues, or go with the cheapest option rather than the best option and push forward with bad design then those making that decision should be held accountable.

      --
      I don't believe in karma, I just call it like I see it.
    4. Re: Equifax got away, so why change? by ErichTheRed · · Score: 1

      Maybe there would be fewer bad hamster wheel owners if the hamsters had a way to push back. If the hamster was a PE, and the penalty for signing off on something they were forced to rush through was "you'll never work in the industry again and will be sued out of existence," the level of cowboy development would go way down.

      The fact that whole branches of software development can go in and out of fashion in 6-month cycles is a bug, not a feature. No one will support this because most techies think regulations are evil, but I think it's time to grow up as a profession, build stuff around a known-good core and innovate around the edges unless there's a truly mind-blowingly better way of doing something.

    5. Re:Equifax got away, so why change? by Junta · · Score: 1

      If you really need to fix the problem, you *must* hold the decision makers accountable.

      There will always be some personnel that will do what they are asked, because they don't care or they don't know how bad things are. If they can't find any in their own country, they will offshore to developers in a country that just have no reason whatsoever to care.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Equifax got away, so why change? by viperidaenz · · Score: 1

      Equifax is more like sending the box of rivets saying "PATCH RIGHT NOW" and the box gets left under someone's desk for 6 months, then the bridge falls down.

      But it's more like a box with cover panel, some rivets and an assembly robot with a description saying "if someone taps this specific rivet on a specific angle with a specific amount of force, it may fall out, leaving other rivets vulnerable to similar attacks that may eventually weaken the structure enough for the bridge to collapse" and all they have to do it turn on the robot and it will automatically install the panel over the vulnerable rivet to mitigate the issue.

    7. Re:Equifax got away, so why change? by plopez · · Score: 1

      Do you know how many groups/people have a hand in even new home construction? The foundation was poured by concrete specialist, he plumbing by plumbers, the dry wall was manufactured by companies specialized in it etc. Now for a skyscraper the number sky rockets with all of the specialized construction materials and techniques required. An Architect or CE has to trust that each of them has delivered to spec. Things get tested on site, e.g. slump tests, but by and large the contractor must deliver to spec. The problem with software is there is no spec. Due to no liability.

      --
      putting the 'B' in LGBTQ+
    8. Re:Equifax got away, so why change? by lactose99 · · Score: 1

      Would have been great to use this as data to ensure Equifax was punished for that breach. Now it becomes the status quo...

      --
      Fully licensed blockchain psychiatrist
    9. Re:Equifax got away, so why change? by Bert64 · · Score: 1

      Because the orders are not illegal, just wrong... And you'll be fired for not following them. You might even be fired just for pointing out that the orders are wrong.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:Equifax got away, so why change? by swillden · · Score: 2

      insurance will pay any damages

      If there were significant damages, this would be part of the solution, not part of the problem. Insurance companies are quite good at assessing risk and delivering targeted recommendations which must be followed to get lower premiums. The problem is that there are no real damages for insurance companies to pay, so none of these incentives come into play.

      Maybe what we need is statutory damages for privacy breaches, which apply above and beyond any provable actual damages. Say, $100 for each social security number, name, address etc., perhaps on an increasing scale when multiple pieces of information about one person are leaked in such a way that they are connected, since having more data about a person makes identity theft and other malicious use easier. The money should be payable to the person whose information is leaked.

      Oh, and evidence that a company tries to hide a breach should result in triple damages and criminal prosecution of the individuals tried to conceal it.

      If the Equifax breach had resulted in statutory payouts of, say, $500 per person to each of the 145M people harmed, the resulting $72.5B liability would have hammered Equifax flat, insurance or no. And you can bet that other companies would have gotten serious about data security -- not only that, it would make stored data about individuals a serious liability which companies would try to avoid. You can't be forced to pay out for leakage of data that you never had. Companies' own attorneys and insurance companies would be constantly harping on the need to limit liability by destroying customer/user data.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:Equifax got away, so why change? by Anonymous Coward · · Score: 1

      Not quite. The problem with software patches is that they can and do cause things to break occasionally. Reference most recently the patches for the Intel CPU bugs which ended up breaking more than they fixed. I personally had a 2k8 server render itself unbootable because it has a particular model AMD CPU that could not execute certain instructions that were present in Intel's patch. Fault to Microsoft for not doing enough testing but it appeared to affect only certain AMD CPUs.

      More like, we replaced the rivets now the drawbridge is stuck in "open" and we're fucked.

  3. Why Patch by Anonymous Coward · · Score: 3, Insightful

    How many Equifax executives have gone to prison?

    Put them in chains, and other executives might notice.

  4. Consultant-built Software by ErichTheRed · · Score: 2, Informative

    One problem is that companies continue to run software that was built as a one-off by some consulting company, offshore vendor or similar. They either don't exist anymore, or want millions to even look at the code again.Those packages need these out-of-date frameworks and other software as dependencies, and the company doesn't have the expertise in-house to know whether a patch will break something. In my line of work, the main offender is awful Java thick client applications, and these often require a _specific_ point release of some horribly outdated JRE/JDK. But JEE web apps are even worse in this regard...and despite the hype around app-of-the-month, there are TONS of these systems from the 2000s floating around in big companies.

    Consulting companies should be required to at least hand over the source code for software they produce if they're not interested in maintaining it long-term as an actual product. And if a company is relying on some system as a dependency, they shouldn't allow their vendors to walk away without fully understanding what they've left running on their systems.

    1. Re:Consultant-built Software by Bert64 · · Score: 1

      The problem is none of the companies hiring these consultancies understand what they're getting...

      They should demand source code, should demand a second source supplier, should demand ongoing maintenance, should demand that the software store data and communicate using documented protocols so that its easily replaceable.

      But very few people ever make these demands, so few of the consultancies cater to them.

      It should be due diligence to insist on all of the above and have a thorough procurement policy, but for that to happen the people making the purchasing decisions need to understand what they're getting into.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Probably all relying on same version of WebSphere by Narcocide · · Score: 1

    (or some other ill-conceived and bloated atrocity that will never receive security updates because they cost too much money)

  6. If you allow them to do it... by SeaFox · · Score: 1

    Was this flawed software deemed "non-complaint" by a government regulatory body of some sort after the Equifax breach?

    ...
    No?

    Well, then, why the hell would you expect things to change? The financial sector isn't going to do anything that costs money or time that doesn't personally benefit them unless you force them to.

  7. faa level code audits cost way to much to do by Joe_Dragon · · Score: 1

    faa level code audits cost way to much to do. and also why should the 1099 or H1B risk being fired / kicked out by not signing off.

  8. More hype by jbmartin6 · · Score: 1

    All they showed was how many downloads, not how many implementations. I'm sure my company has downloaded a copy of the software too, we use local copies of various repos. We don't use Struts anywhere, we just prefer to maintain local repos.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  9. Re:Open Source is Magic! by Junta · · Score: 1

    Note that a lot of these top-100 companies is chock full of outdated closed source software too.

    On a recent random check of a few laptops from one of those sorts of companies, the average was about 2 years since they last received any update whatsoever from Microsoft (their update mechanism had broken and they had no reporting about it). I was working with another company and they were intentionally using a commercial product from a company that went out of business 15 years ago, because it would be too much trouble to migrate off.

    Here the open/closed doesn't matter, either way they are terrible at software currency.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  10. Re:Right by Junta · · Score: 1

    I share the thought that those downloads do not *necessarily* mean the company deployed insecure software, but to say that 'most of these companies' are patching the security issues is way too optimistic. Sure some, but most are completely oblivious.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  11. Just left a meeting discussing solving that by raymorris · · Score: 1

    > C level people rarely understand technology enough to properly communicate the risk and benefit of security. It just isn't typically in their wheel house.

    I just left a meeting with the CEO of our security company in which we discussed how to solve this. Heck, even the technical C people, like a CIO of a major company, are busy with many different things - desktops, network, on-premise servers, cloud .... They don't have time to really understand each of the vulnerabilities that comes out every day.

    They need the security experts to tell them the bottom line "how secure are we?", "What are the top five things we need to do to reduce our risk?" and "what is the value proposition, the financials?"

  12. How many went to jail for Equifax breach? by 140Mandak262Jamuna · · Score: 2
    None. Right?

    What it lost was money, right? And who lost it? The shareholders.

    All bonuses and pay all these executives wee gorging themselves in, was not clawed back. They did not go to jail. They paid the fines and compensation using shareholder's money.

    Why would they change?

    Why would you expect them to change?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  13. Re:Open Source is Magic! by Holi · · Score: 1

    "And don't give me the usual "but the vulnerabilities were fixed before the hack happened!""

    So ignore the truth, check.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  14. Re: Probably all relying on same version of WebSph by Narcocide · · Score: 1

    Maybe you should read up on WebSphere and figure out why these huge enterprises may be all mysteriously holding onto an ancient and buggy fork of an open source project.

  15. Re: Witch hunt by Reverend+Green · · Score: 1

    Shills be shillin'