Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. 
"It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.
  • by Ritz_Just_Ritz ( 883997 ) on Monday September 11, 2017 @05:04PM (#55177299)

    Always blames his tools.

    • by bobmorning ( 316459 ) on Monday September 11, 2017 @05:10PM (#55177329)
      Until there are real consequences for this type of lax security why would anyone expect the behaviors to change? Throw a few billion dollar fine at them and maybe they will address the issue. But if the expected fines and penalties are low enough to be factored into the cost of doing business then nothing will change. The congressmen and Senators will stomp about and hold hearings, the CEO might get let go, but the culture isn't going to change unless the very existence of these large data holders is put at risk by punitive consequences.
      • However there is a problem with being too aggressive.
        Proper security is tough; if you are going to be 100% secure then chances are you will not be able to perform your business. However, there need to be rules to make sure the company is putting its best effort into security. If we find that there was someone who tried to raise flags about security, where management declined because it was too expensive, then there should be repercussions. But if there are reasonable checks in place, you shouldn't kil

        • by ScienceofSpock ( 637158 ) <keith,greene&gmail,com> on Monday September 11, 2017 @05:54PM (#55177567) Homepage

          In the financial sector, proper security is THE most important thing. If you are offering services and you cannot secure your customers' data absolutely, then you shouldn't be offering services.

          If proper security is "too expensive" for your profit margin, then you have a failed business model, and shouldn't be offering services.

          Financial institutions KNOW this. This is the business they choose to be in, it has a high operating cost and they get paid VERY well to perform these services. They shouldn't be let off the hook for taking the cheap way out, and they certainly shouldn't be allowed to profit from these tactics. They only understand money. The only way to punish these institutions when they do stupid shit like this is to hit them hard in the purse.

          • by Roger W Moore ( 538166 ) on Monday September 11, 2017 @07:14PM (#55177931) Journal

            Financial institutions KNOW this.

            Correction: competent financial institutions know this. Incompetent ones clearly do not and, as recent events show, it is not always easy to tell the competent from the incompetent.

            • I think what you are referring to as "incompetent" financial institutions are actually just apathetic. They simply don't care about good security because it is more cost effective for them to do as little as possible because the fines don't affect their bottom line as much as providing actual security would.

              We have regulations in place to try to make sure these financial institutions are NOT incompetent. They choose to not worry about the regulations because the fines don't affect them enough. We need stron

            • by Hylandr ( 813770 )

              It's high time that the other agencies be scrutinized. Even though the cat's out of the bag as it were.

          • by Xest ( 935314 ) on Tuesday September 12, 2017 @01:58AM (#55179195)

            "If you are offering services and you cannot secure your customer's data absolutely, then you shouldn't be offering services."

            This is absolute drivel; there's no such thing as absolute security. The choice you're offering therefore is to simply not do business at all, or to hire people who don't understand security sufficiently and falsely believe they have absolute security, rather than people who understand that absolute security is non-existent and that it's simply a measure of risk.

            "If proper security is "too expensive" for your profit margin, then you have a failed business model, and shouldn't be offering services."

            Again, nonsense. As absolute security is a myth then you're basically saying every business model in the world ever has failed and every company should shut down. That's complete and utter nonsense, obviously.

            You've not considered another possibility - that Equifax actually did the best they could and it just wasn't good enough. Given that all security can be compromised given sufficient effort this could simply be a case of them falling foul of measured risk.

            That also might not be the case, it might also turn out to be absolute incompetence of course, but until we have more details we simply do not know. The summary pre-supposes they were victim to an old known exploit and not a recently publicised zero day - it's possible that the recently publicised zero day was in fact discovered precisely because of this hack for all we know - the idea that it was an old unpatched vulnerability is entirely speculation right now.

            We just don't know how much blame they deserve right now. What I personally know is that it's hard to recruit good security professionals precisely because those who truly understand security often don't want to touch it, precisely because they know there's always a chance someone determined could breach security. What I do know is that as a result of this, most of the industry is full of people parroting the myth you have of being able to implement absolute security, and as a result creating a false sense of security.

            Stop it. It's not helpful, it just puts you in the same basket as all those in the industry who peddle the myth and create the problem in the first place. I'd take someone who accepts that there's always a risk, but is honest about to what extent they believe they've been able to mitigate it, and then give them a waiver from blame if something happens any day over someone like you that pretends they can implement perfect security. But because people like you exist peddling the myth we instead find ourselves with an industry full of you, and we find ourselves with problems like this happening time and time again.

            We need to accept that security is always imperfect, and we need to start blaming only on relative effort applied to try and make the system secure - if someone took reasonable measures and still got fucked we need to accept that that's an inevitable consequence of the fact that absolute security doesn't exist, and that therefore due to simple statistics even some of the most fortified companies will inevitably be hit.

            So wait until we have the facts before assuming they did much wrong.

            • by Cederic ( 9623 ) on Tuesday September 12, 2017 @03:05AM (#55179327) Journal

              Overall I agree with everything you've said, but one thing to add.

              it's hard to recruit good security professionals precisely because those who truly understand security often don't want to touch it precisely because they know there's always a chance someone determined could breach security

              You will suffer data loss. Assume that, plan for it, understand how to detect and mitigate it.

              Given the impossibility of perfect security it would be naive to do anything else, no matter how great (and well resourced) your data security is.

          • by AmiMoJo ( 196126 ) <mojo&world3,net> on Tuesday September 12, 2017 @07:45AM (#55180009) Homepage Journal

            Equifax's service isn't based on providing reliable information or securing that information. It's based on fulfilling a legal requirement to mitigate risk when evaluating potential customers for loans.

            They really don't care if the information they have is accurate, let alone secure. You are not their customer; they don't care what happens to you. All they care about is charging companies for read/write access to your file.

        • Re: (Score:3, Insightful)

          by Mad Merlin ( 837387 )

          Proper security is tough; if you are going to be 100% secure then chances are you will not be able to perform your business.

          There's no such thing as 100% secure, and there never will be.

          Even if you use a one time pad for encryption (which if implemented perfectly, is unbreakable from a ciphertext analysis perspective), it can still be broken in a multitude of other ways (flawed/predictable RNG for generating the pad, (accidental) pad reuse, a wrench [xkcd.com], etc). Plus, the practicality of actually deploying one ti

          • by TheRaven64 ( 641858 ) on Tuesday September 12, 2017 @02:46AM (#55179291) Journal

            the performance delta between a computer today and a computer 20 years ago is practically infinite

            No it isn't, it's finite and it's a predictable number that is factored into the design of crypto systems. You assume that performance doubles roughly every year (a bit faster than Moore's law, but this factors in changes like GPUs / DSPs / FPGAs becoming cheap). For a symmetric crypto algorithm, adding one bit to the key length doubles the computational cost of attacking it, so if you want your data to be secure in 20 years then you work out how long it would take to crack it today and add 20 bits. Adding 20 bits is a bit awkward, so you round up to the nearest power of two.

            Occasionally you make the jump sooner. A lot of things moved from 128-bit AES to 256-bit AES, because it turns out that 256-bit AES is faster. Magical quantum computers aside, that gives an extra century or so before any of these can be cracked (ignoring weaknesses in the implementation, which are how most of these things are broken).
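The "one bit per year of attacker compute growth, then round up to a power of two" rule of thumb above, as an added worked example (not the commenter's code). The doubling period, the guess rate and the "bits secure today" figure are assumed inputs; the last function also derives the closed form for an attacker whose rate keeps doubling while the attack runs, which the comment implies but does not spell out.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def effective_bits(key_bits, years, doubling_period_years=1.0):
    """Security margin left after `years` if attacker compute doubles every
    `doubling_period_years`: each doubling strips one bit of effective strength."""
    return key_bits - years / doubling_period_years


def bits_needed(bits_secure_today, years, doubling_period_years=1.0):
    """Key length so that `bits_secure_today` of margin is still left after `years`."""
    return bits_secure_today + years / doubling_period_years


def round_up_to_power_of_two(bits):
    """Deployed key sizes come in powers of two (128, 256, ...), so round the
    awkward number up, as the comment describes."""
    return 1 << math.ceil(math.log2(bits))


def recommended_key_bits(bits_secure_today, years, doubling_period_years=1.0):
    needed = math.ceil(bits_needed(bits_secure_today, years, doubling_period_years))
    return round_up_to_power_of_two(needed)


def years_to_exhaust_keyspace_static(key_bits, guesses_per_second_today):
    """Brute-force time with today's rate held constant (the naive estimate)."""
    return 2.0 ** key_bits / (guesses_per_second_today * SECONDS_PER_YEAR)


def years_to_exhaust_keyspace(key_bits, guesses_per_second_today, doubling_period_years=1.0):
    """Brute-force time when the attacker's rate is r0 * 2**(t/D) at year t.

    Cumulative guesses by year T:  W(T) = r0 * S * D / ln 2 * (2**(T/D) - 1),
    with S seconds per year.  Setting W(T) = 2**key_bits and solving for T:
        T = D * log2(1 + 2**key_bits / (r0 * S * D / ln 2)).
    """
    work = 2.0 ** key_bits
    scale = guesses_per_second_today * SECONDS_PER_YEAR * doubling_period_years / math.log(2)
    return doubling_period_years * math.log2(1.0 + work / scale)


if __name__ == "__main__":
    # Assumed figures: 100 bits of margin today, a 20-year horizon.
    print("recommended key size:", recommended_key_bits(100, 20))  # 128
    print("64-bit key, 2**40 guesses/s, static:", years_to_exhaust_keyspace_static(64, 2 ** 40))
    print("64-bit key, 2**40 guesses/s, doubling yearly:", years_to_exhaust_keyspace(64, 2 ** 40))
```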

        • by Cederic ( 9623 )

          If we find that there was someone who tried to raise flags about security, where management declined because it was too expensive, then there should be repercussions.

          Be realistic. It's always possible to add an additional security measure, and there are rapidly diminishing returns.

          Security is a risk based domain, and sometimes it's appropriate to take the risk.

      • by TWX ( 665546 )

        This breach is bad enough that Equifax officers should see significant jailtime.

    • Always blames his tools.

      In that incomplete analogy, I think a web framework is more analogous to materials than tools.

    • by Desler ( 1608317 )

      And a good carpenter can spot when a tool is gimmicky shit or poorly made. Every tool is not a good tool.

  • by jellomizer ( 103300 ) on Monday September 11, 2017 @05:06PM (#55177305)

    How the product is licensed doesn't affect the quality of the software.
    If the software is of significant complexity, then chances are flaws will be there, and often, just like commercially licensed software, a flaw can be overlooked by many eyes until the flaw is found.

    • How the product is licensed doesn't affect the quality of the software.

      It certainly does influence management and priorities of the product.

  • by AnthonywC ( 4415891 ) on Monday September 11, 2017 @05:11PM (#55177335)
    They have NO ONE to blame but themselves; it is OPEN SOURCE, which means they can actually review the code and fix issues.
    • In that case, why don't they make their own product.

      Often it takes just as much time and effort to review the code of a complex application as it would take a dev team to build an app customized to the actual business need, vs. using general-purpose software.

      • In that case, why don't they make their own product

        Apparently in the case of Equifax the answer is: they are too incompetent to do so. They don't seem to be competent at any aspect of building software.

        • In that case, why don't they make their own product

          Apparently in the case of Equifax the answer is: they are too incompetent to do so. They don't seem to be competent at any aspect of building software.

          Alternatively, they may have some competent people, who wanted to do exactly that, or who pointed out security flaws and wanted to fix them, but were over-ruled on cost grounds by managers above them.

      • by vyvepe ( 809573 )

        Often it takes just as much time and effort to review the code of a complex application as it would take a dev team to build an app customized to the actual business need, vs. using general-purpose software.

        You are way too optimistic about how much time it takes to develop a new application. You should have written: "Often it is cheaper to review and adjust an existing application to your particular needs."

    • by Mr. Shotgun ( 832121 ) on Monday September 11, 2017 @06:33PM (#55177759)

      They have NO ONE to blame but themselves; it is OPEN SOURCE, which means they can actually review the code and fix issues.

      To be fair most organizations do not have the expertise or desire to review and fix the source code for products they are using, open source or not.

      That being said I am betting dollars to pesos that they were attacked with the March Vulnerability and not taken down by the zero day from a week ago. It seems like unless a vulnerability has a fancy web page and gets featured on CNN, management could not give a flying fuck. Wait till the next patch cycle becomes wait until the next quarter becomes eh we'll get to it. And that shit has got to stop.

  • JAVA! (Score:3, Interesting)

    by TechyImmigrant ( 175943 ) on Monday September 11, 2017 @05:12PM (#55177345) Homepage Journal

    >Model-View-Controller (MVC) framework for Java
    There's your problem right there.

    Security demands simplicity.

    • MVC for Java off IBM is a top grade choice for security. This is why you use cloud though, you can blame IBM at least till the flaw is isolated. ;)

    • by Xest ( 935314 )

      Out of interest, what are you proposing as an alternative?

      It's just that after years of CGI with C or C++, PHP, and many other things, it's pretty clear that managed languages like C# and Java have suffered the fewest, and least serious, attacks.

      So I'm genuinely intrigued to know what you believe is both more simple, and more secure because I'm aware of no such thing. I still have nightmares of the full server control buffer overflow vulnerabilities from the days people were writing web apps in native code.

    • Model-View-Controller (MVC) framework for Java

      There's your problem right there. Security demands simplicity.

      A properly designed & implemented MVC is far simpler to understand, develop and audit than a tangle of spaghetti code that mixes everything up into a unitary blob.

      Simplicity is not the lack of internal structure, it's the lack of complicated relationships between the various pieces. There are plenty of very complex pieces of software that are nevertheless simple because the complexity is well matched by modular design and clean/legible interfaces.

      For a lot of design tasks, MVC is a proper choice for thi

  • Yes Yes (Score:5, Funny)

    by American AC in Paris ( 230456 ) on Monday September 11, 2017 @05:14PM (#55177357) Homepage
    I think that if we've learned anything from this incident, it is that Equifax is a competent, professional organization that prides itself on its honesty and transparency, and that they are tirelessly acting in the best interests of the general public.
  • Doing business of any kind, online, is inherently insecure. There's a lot of risk for consumers, and a lot of expense for businesses to stay as secure as possible (which isn't very). Sucks for people who need a credit score.
  • by xxxJonBoyxxx ( 565205 ) on Monday September 11, 2017 @05:15PM (#55177367)
    >> is it the fault of Struts developers or Equifax's developers, system admins, and their management?

    None of the above. It's the officers on the corporate board, who demanded "cheaper" rather than "secure." The managers who carried out their demands (putting emphasis on cheap contractors vs. quality work and investment in patching dependencies) were just doing their jobs, the sysadmins really don't have much to do with it (if you know how Struts works), and the developers are pretty blameless because they either do what management tells them or don't eat.
    • This story is the result of a CTO who is looking to blame anything as a CYA move. He said it, the suits bought it, and made a story of it.

      There is no way the CTO gets out of this with his job.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      My bitter, aging software engineer take: it's the endgame of chasing new features to meet next quarter's revenue target, neglecting to fund maintenance/sustaining teams for legacy apps. I don't even see maintenance/sustaining teams anymore. Maybe that was just a telecom industry (which I left 10+ years ago). In any case, if there isn't a development team that is actively updating an old unglamorous app, you're in trouble. Software will rot, not just from years of app patches, but also reliance on abandonwar

  • Yup, I went to the site and it asked for name and last 6, and I was like "GTFO"... Are you kidding me? How can these imbeciles NOT know that this looks like a classic phishing site.
    • Not to mention that with first and last name and last 6, finding the first 3 is often quite simple (especially if they can get your IP address as well). There are a ton of background sites where for free you can, with reasonable accuracy, piece together where a person was born and thus can figure out the first 3. SSNs are terrible for so many reasons; one of the biggest is that they aren't random. If they were completely random strings then I could share a certain # of digits without it being relatively ea
  • by Anonymous Coward on Monday September 11, 2017 @05:23PM (#55177427)

    You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

    • by i286NiNJA ( 2558547 ) on Monday September 11, 2017 @05:48PM (#55177529)

      I don't think it was SJWs. I think she was well connected and managed to land a bunch of compliance gigs that have nothing or little to do with technology and Equifax regards security as a good starter position for c-level executives and PHBs instead of being a terminal position for some former teen-hacker.

      Let it soak for a second. If you work in IT.. even as tech takes over the world.... even as infosec mismanagement crises have been first page news for several years.

      YOU ARE WORTH LESS THAN THE MANAGEMENT CASTE.

      No matter how smart, no matter how educated, no matter where you work and no matter how much money you make... Unless you're born rich and connected or embed yourself into bureaucracies for access to such people .
      You are of a lower caste.

    • by elrous0 ( 869638 ) on Monday September 11, 2017 @07:47PM (#55178071)

      You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

      Wow, I thought you were trolling until I actually looked it up [ihypocrite.net]. WTF were they THINKING? You're not supposed to give a token diversity hire an actual job. You're supposed to appoint them to a bullshit position where they can't do any actual damage, then put their picture in all your brochures to virtue-signal to everyone how progressive you are.

    • Obligatory XKCD [xkcd.com]
    • Posting to remove moderation. I thought you were trolling until someone actually posted the link about her career.

  • by oldgraybeard ( 2939809 ) on Monday September 11, 2017 @05:31PM (#55177461)
    Seems to me, Equifax is! as are all the credit collection businesses. Professional Extortion artists! They collect data on everyone. Then sell access to that information to the financial industry (Credit Checks). And if you want to protect yourself you are supposed to pay them to protect (Lock) your credit history.

    They do not care about spending money to protect the information they have data mined.

    Open source is better, if you use it right! And put the time in to do "YOUR" due diligence! They did not! They got hacked! It took them weeks to even realize it! And weeks before they came clean.
    • I said
      credit collection businesses

      I should have said
      credit reporting businesses
    • Just saw it on the Fox Business Channel, the 3 execs that were caught selling 1.8M in stock before this came out.

      Chief Financial Officer John Gamble made $946,374
      U.S. Information Solutions President Joseph Loughran made $584,099
      Consumer Information Solutions President Rodolfo Ploder made $250,458

      Of course none of them knew about the data breach ;) lol Right!

      I have a bridge to sell you ;)
      • actually, it is KNOWN that they did the sale shortly after they learned about the breach.
        • OK, I thought they were denying it. thxs I stand corrected ;)
          • would not surprise me if they tried to deny it. Would not be the first time that some rich asshole lied through their teeth. :)
            However, it is still known that they WERE notified prior.
          • Well, they ARE denying this breach is the reason. In science, "Correlation does not imply causation". However, when it comes to super-greedy C-level execs with insider info that they KNOW will cause a huge stock drop...well, I'm sure you can figure out the truth. But they will NEVER admit to cashing in stocks because of this, or any "actual verified knowledge" of the breach when they did so. Maybe if Trump proactively pardons them they will then admit to it.
        • According to this article, [bloomberg.com] Equifax says the three execs did not know about the breach before they arranged the sale.

          Insider trading is legal. Trading on insider information is not. Company officers like these three execs are required to announce their sales of shares well in advance. Normally, this is no big deal -- it's like cashing their paycheck. However, if they did in fact know about the breach when they arranged the sale, then they're looking at jail time.

          • there was another article, I forget where, that showed that they DID know just in front of their sale.
            BUT, I agree that the sale itself was probably arranged 2-3 weeks PRIOR.
            So, the real question becomes, did they delay the announcement knowing that they had a sale, or were they doing other things?
            If so, that is a whole other issue. Not insider trading, but stock manipulation.
            • by Cederic ( 9623 )

              I haven't seen anything stating that the individuals involved knew of the breach ahead of selling their shares.

              The timeline is that Equifax discovered the breach a couple of days before the sales, and these are people sufficiently senior that they very likely did know, but that's supposition rather than evidence.

              I think they're fucked anyway. Either they knew and broke insider trading regulations or they didn't know and are incompetent at their jobs..

      • John's original LinkedIn profile is gone, now it's just John G. [linkedin.com] His full name is John W. Gamble Jr., and he made over 2.6 million in total compensation last year. A [salary.com] Whitepages search [whitepages.com] doesn't find anyone in Atlanta, but does find a John W Gamble Jr. (Age 50-54) in Lockport, NY. [whitepages.com] This PR release [ajc.com] has him at 51 in 2014. According to this [4-traders.com] he is also on the board of both CyrusOne, Inc. and CyrusOne LP, a real estate company that specializes in data centers. And his "public assets" are over 7.5 million.

        He's work
    • by Cederic ( 9623 )

      Seems to me, Equifax is! as are all the credit collection businesses. Professional Extortion artists!

      What the fuck is 'credit collection'?

      They collect data on everyone. Then sell access to that information to the financial industry (Credit Checks). And if you want to protect yourself you are supposed to pay them to protect (Lock) your credit history.

      It's a difficult situation. If you follow the great American dream and apply for a credit card, you expect to be extended a multi-thousand dollar credit facility. You'll also go to the company that can offer this to you in a couple of minutes and not the one that takes several days, requires personally probing interviews, demands access to all of your existing bank accounts, mortgage and other credit facilities, and then turns you down anyway for being too high a risk.

      So

  • You have to assume your servers will get hacked. It doesn't matter what software you're running. Someone will find a way in. Any competent developer starts with that assumption and designs around it. That's why you never ever EVER store sensitive data unencrypted! They're looking for someone to blame for their incompetence.

    • How exactly does that work? In a cloud paradigm, where user login credentials can be treated as the encryption key because the company doesn't access the data, it works. But in this paradigm, where the company uses all this data for analytics and third-party access, how is a compromised data server kept separate from the keys used to decrypt its data all the time?

      • There is typically a query system involved where you request a specific data set. In such a situation they could use a private key encryption internally on the data set and then to communicate that data they could implement a perfect forward secrecy model of communication so if the keys for that one transaction message to the client were somehow captured, only that message would be decryptable, all future and past messages would not be affected. If I cared about data security for this type of data I would
        • Thinking and reading about what you're talking about, yeah I see pretty simple ways it could be doable now. Honestly, the easiest thing for companies who hold the data on site would be a piece of hardware, a data safe. It has inside it millions of private keys the world never knows in a table, and all its network functionality is to encrypt and decrypt data for storage using these, associate them with user password hash, and to re-encrypt using temporary tokens for each different session, and log. With phys
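The separation the last few replies sketch (ciphertext and key ids on the data server; long-term keys in a separate "safe" that only ever returns data re-encrypted under a per-session key, and logs each access), as an added illustration that is not any commenter's or company's code. The KeySafe object, the session-token derivation and the sample record are assumptions; the HMAC-SHA256 keystream with an encrypt-then-MAC tag is a stdlib-only stand-in for a real AEAD such as AES-GCM, and the KeySafe stands in for an HSM or separate key service.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Independent encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the returned record is all the data server ever stores."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(key: bytes, record: dict) -> bytes:
    """Verify the tag in constant time before decrypting; tampering raises."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("integrity check failed")
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], ks))


def session_key(session_token: bytes) -> bytes:
    """Short-lived key derived from a per-session token the client shares with the safe."""
    return hashlib.sha256(b"session-key:" + session_token).digest()


class KeySafe:
    """Holds long-term keys and never hands them out: it only returns records
    re-encrypted under the requesting session's key, and logs every attempt."""

    def __init__(self):
        self._keys = {}          # key_id -> 32-byte long-term key, never leaves here
        self.audit_log = []      # (requester, key_id, outcome)

    def new_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt_for_storage(self, key_id: str, plaintext: bytes) -> dict:
        record = seal(self._keys[key_id], plaintext)
        record["key_id"] = key_id
        return record

    def reencrypt_for_session(self, record: dict, session_token: bytes, requester: str) -> dict:
        try:
            plaintext = unseal(self._keys[record["key_id"]], record)
        except ValueError:
            self.audit_log.append((requester, record["key_id"], "rejected"))
            raise
        self.audit_log.append((requester, record["key_id"], "released"))
        return seal(session_key(session_token), plaintext)


def demo() -> dict:
    """Storage, an attacker's view of the dumped store, a legitimate read, a forgery."""
    safe, store = KeySafe(), {}
    key_id = safe.new_key()
    secret = b"SSN=123-45-6789"  # constructed sample record, not real data
    store["user-42"] = safe.encrypt_for_storage(key_id, secret)

    # Dumping the data store yields ciphertext, a nonce, a tag and a key id: no plaintext, no key.
    dumped = store["user-42"]
    leaked = secret in dumped["ct"] or any(k in dumped.values() for k in safe._keys.values())

    # A legitimate client gets a copy re-encrypted to its own session key, usable only by it.
    token = secrets.token_bytes(32)
    reply = safe.reencrypt_for_session(store["user-42"], token, "lender-api")
    client_view = unseal(session_key(token), reply)

    # Flipping one ciphertext byte is refused by the MAC check before any decryption happens.
    forged = dict(dumped, ct=bytes([dumped["ct"][0] ^ 1]) + dumped["ct"][1:])
    try:
        safe.reencrypt_for_session(forged, token, "attacker")
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"leaked": leaked, "client_view": client_view,
            "tamper_detected": tamper_detected, "audit_entries": len(safe.audit_log)}
```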

  • by Hognoxious ( 631665 ) on Monday September 11, 2017 @05:49PM (#55177541) Homepage Journal

    Well they're entitled to ask for a full refund of whatever they paid for it.

  • This is only hearsay. It was never confirmed by Equifax or FireEye.
    • This is only hearsay. It was never confirmed by Equifax or FireEye.

      How long have you been here? Netcraft has to confirm it, or it never happened.

  • The point of open source isn't, "free software you don't have to pay anyone to develop!" but rather, it's software that you can audit and don't have to take anyone's word that it does what they claim. Honestly, when your data is both highly valuable and sensitive you should at the very least hire another company to review the source code.

  • Why would you assume that they're using software written this decade? I think it's equally plausible that a good chunk of their components are from the mid 2000s and utterly riddled with security holes, but no PM will let the devs update anything because "if it works, leave it alone". Never mind that it doesn't actually work - that's someone else's problem, obviously.

    It is apparent that Equifax couldn't give a flying fuck about security. I think it's ludicrous to debate whether the problem is with a bug r

    • by Cederic ( 9623 )

      It is apparent that Equifax couldn't give a flying fuck about security

      While I'm personally greatly enjoying seeing Equifax get a kicking, and looking forward to meeting up with a friend that works there to taunt him about it, I think it's very apparent that Equifax do a fucking excellent job on data security.

      Otherwise this breach would have occurred a decade ago, and monthly since. It's almost a surprise that it's taken this long, and that is itself testament to the extent to which they do indeed give a fuck about security.

      US consumers though.. no, they don't give a fuck abou

  • Seriously, I am guessing that we will find out that it was done in India, not in America.
  • Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java.

    The problem there being Java.

  • This is like me blaming a lock manufacturer for a theft that involved a bunch of Russian guys driving a truck up to my front door, picking the lock, and carrying off all my stuff over the course of 8 hours while I sat there getting drunk.

    • This is like me blaming a lock manufacturer for a theft that involved a bunch of Russian guys driving a truck up to my front door, picking the lock, and carrying off all my stuff over the course of 8 hours while I sat there getting drunk.

      It's more like you blamed the lock manufacturer because they published patents showing how their lock works. Not that patents would make any difference to a lockpicker. They could find weaknesses in the design whether it was published or not.

      Similarly, crackers can find exploits in software, whether the source is open or closed.

      But really, we need a car analogy. This is slashdot after all.

      • OK, it's like this:

        Our job is to transport the data equivalent of highly enriched Uranium. To save money, instead of getting specialists to construct secure containment vessels, we will send it by public transport. Then when people find out that the NORKs are getting on the buses, and building missiles on the back seats, we can blame the Greyhound bus company.

  • Struts or not, the sole blame is with the greedy morons running Equifax with apparently the same take on security as they had in the year of their inception. Why do they even collect and store that much information and hold on to it for that long? I know, it is to generate a credit history, but I am sure there are equally good ways to determine if I pay my bills or not.
    • Hopefully, the penalty in this case will be severe enough that next time this is how the typical conversation will go:

      You: "We can do it cheap, or we can do it right!"

      Boss: "Do it cheap."

      You: "Oh, you mean like Equifax did?"

      Boss: "On second thought..."
    • by Cederic ( 9623 )

      I am sure there are equally good ways to determine if I pay my bills or not.

      Devise them, commercialise them, get retirement level rich.

      Even if you can't be arsed running a business, just sell it to Equifax, or Experian, or Call Credit. If you can provide reliable risk indicators without needing a fuckton of data then they'll start a bidding war for you.

  • Equifax Blames Open-Source Software For Its Record-Breaking Security Breach

    7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND... - Apache License

  • ... not a product.

  • We need more info to come to any conclusions. I've seen it claimed that Equifax wasn't using the latest version of Struts and some have thought that meant that they didn't patch to deal with the RCE from earlier this year. BUT, is it possible that what really happened is that Equifax was using Struts 1, not Struts 2? Struts 1 is EOL by the way. That wouldn't surprise me in the least.

  • I blame Java, not Struts...... because it's Java and it's a pile of garbage.
  • by ka9dgx ( 72702 ) on Monday September 11, 2017 @08:20PM (#55178249) Homepage Journal

    Equifax obviously has never heard of data diodes, which let data in, but not back out. Such a system could have let them accumulate data without risk of exposing all of it. They probably never heard of capability based security either, nor the principle of least privilege. They probably also use Operating Systems that rely on ambient authority to get everything done, such operating systems are wildly popular, but can't be made secure.

    There's a lot of bad design decisions behind this... not just the use of Apache Struts.

    • by Cederic ( 9623 )

      Equifax obviously has never heard of data diodes, which let data in, but not back out

      It's rather hard to offer data based services without ever letting data out.

      They probably never heard of capability based security either, nor the principle of least privilege. They probably also use Operating Systems that rely on ambient authority to get everything done, such operating systems are wildly popular, but can't be made secure.

      Are you an academic? Just that it doesn't sound like you have any experience at all in protecting complex real world business systems.

      • by ka9dgx ( 72702 )

        Re: My background/motivation:

        Nope, I make gears for a living. I used to be a system administrator. The facts are that there are no fundamentally secure operating system choices in the consumer / commercial space worth considering. Windows, Linux, MacOS, none of them can be made secure, it's all just a single zero-day exploit (or old NSA toolbox) away from being owned.

        The reason is that they all fail to implement the principle of least privilege, instead using ambient authority as a universal lubricant to

  • Data was leaked, management enjoyed a great round of insider trading, they botched up the page for verifying if your information was leaked, and now the most obvious next step: scapegoating.

    What can we expect next? Shut up settlements after a long protracted court battle meant to make people forget about it, slap on the wrist from government/justice, just for the next rounds of leak to prove that they have learned nothing.

    Equifax hack is the end of privacy even for those who are careful about it. You can be

  • Regardless of the system you use, setting up a system like this directly on the Internet is what's to blame. Obviously it's a little more expensive to develop a proper web application and checks and balances on what it can do but no part that is not the "View" should be online.

  • Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com."

    We should wait for the "equifaxsecurity2018.com" release.

  • I wonder what they used for their horribly broken website https://www.equifaxsecurity201... [equifaxsecurity2017.com], which can't even seem to reliably tell you if you were affected by the incident. But I'm not surprised that a company with such shitty security to allow practically all adult Americans' identities to be exposed can't even get their check to find out if you have been exposed right. But, based on the numbers, and subtract everyone who does not have a credit history (age 17 and under), it's safe to assume that *every

  • The exploit is not the root cause, the exploit only became possible in a live environment because they failed to properly follow governance processes during development.
