Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source Model-View-Controller (MVC) programming framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May and July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. "It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.

  • A poor carpenter... (Score:5, Funny)

    by Ritz_Just_Ritz ( 883997 ) on Monday September 11, 2017 @06:04PM (#55177299)

    Always blames his tools.

    • Until there are real consequences for this type of lax security why would anyone expect the behaviors to change? Throw a few billion dollar fine at them and maybe they will address the issue. But if the expected fines and penalties are low enough to be factored into the cost of doing business then nothing will change. The congressmen and Senators will stomp about and hold hearings, the CEO might get let go, but the culture isn't going to change unless the very existence of these large data holders is p

      • However, there is a problem with being too aggressive.
        Proper security is tough; if you are going to be 100% secure then chances are you will not be able to perform your business. However, there need to be rules to make sure the company is putting its best effort into security. If we find that there was someone who tried to raise flags about security, where management declined because it was too expensive, then there should be repercussions. But if there are reasonable checks in place, you shouldn't kil

        • In the financial sector, proper security is THE most important thing. If you are offering services and you cannot secure your customers' data absolutely, then you shouldn't be offering services.

          If proper security is "too expensive" for your profit margin, then you have a failed business model, and shouldn't be offering services.

          Financial institutions KNOW this. This is the business they choose to be in, it has a high operating cost and they get paid VERY well to perform these services. They shouldn't be let

    • Always blames his tools.

      In that incomplete analogy, I think a web framework is more analogous to materials than tools.

  • Blame the software not the License. (Score:4, Insightful)

    by jellomizer ( 103300 ) on Monday September 11, 2017 @06:06PM (#55177305)

    How the product is licensed doesn't affect the quality of the software.
    If the software is of significant complexity, then chances are flaws will be there, and often, just like with commercially licensed software, a flaw can be overlooked by many eyes until the flaw is found.

  • ...a downlevel WebSphere server with an unpatched critical vulnerability. Now, granted, this is rumor. Can anyone confirm or disprove?

  • It is open source ... (Score:3, Insightful)

    by AnthonywC ( 4415891 ) on Monday September 11, 2017 @06:11PM (#55177335)
    They have NO ONE to blame but themselves; it is OPEN SOURCE, which means they can actually review the code and fix issues.

    • In that case, why don't they make their own product?

      Often it takes just as much time and effort to review the code of a complex application as it would take a dev team to build an app customized to the actual business need, versus using general-purpose software.

  • >Model-View-Controller (MVC) framework for Java
    There's your problem right there.

    Security demands simplicity.

    • MVC for Java from IBM is a top-grade choice for security. This is why you use cloud, though: you can blame IBM at least until the flaw is isolated. ;)

  • When I had to change my password for a credit card website, I got prompted for my full Social Security number. When I called up customer service, the rep was disturbed that I had to enter my Social Security number into the website. A supervisor got looped into the call and informed us that, yes, you need to put your full Social Security number into the website to reset your password. A password reset over the phone requires confirmation of my street address and the last four numbers of my Social Security nu

  • Yes Yes (Score:3)

    by American AC in Paris ( 230456 ) on Monday September 11, 2017 @06:14PM (#55177357) Homepage
    I think that if we've learned anything from this incident, it is that Equifax is a competent, professional organization that prides itself on its honesty and transparency, and that they are tirelessly acting in the best interests of the general public.
  • Doing business of any kind, online, is inherently insecure. There's a lot of risk for consumers, and a lot of expense for businesses to stay as secure as possible (which isn't very). Sucks for people who need a credit score.

  • Equifax Corporate Officers (Score:3)

    by xxxJonBoyxxx ( 565205 ) on Monday September 11, 2017 @06:15PM (#55177367)
    >> is it the fault of Struts developers or Equifax's developers, system admins, and their management?

    None of the above. It's the officers on the corporate board, who demanded "cheaper" rather than "secure." The managers who carried out their demands (putting emphasis on cheap contractors vs. quality work and investment in patching dependencies) were just doing their jobs, the sysadmins really don't have much to do with it (if you know how Struts works), and the developers are pretty blameless because they either do what management tells them or don't eat.

  • If you don't invest in open source (Score:1)

    by Anonymous Coward

    you are not allowed to place any blame on it

  • Yup, I went to the site and it asked for name and last 6, and I was like "GTFO"... Are you kidding me? How can these imbeciles NOT know that this looks like a classic phishing site?

  • Root cause = SJW hiring practices (Score:1)

    by Anonymous Coward

    You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?

    • I don't think it was SJWs. I think she was well connected and managed to land a bunch of compliance gigs that have nothing or little to do with technology and Equifax regards security as a good starter position for c-level executives and PHBs instead of being a terminal position for some former teen-hacker.

      Let it soak for a second. If you work in IT.. even as tech takes over the world.... even as infosec mismanagement crises have been first page news for several years.

      YOU ARE WORTH LESS THAN THE MANAGEMEN

  • Seems to me Equifax is, as are all the credit collection businesses, professional extortion artists! They collect data on everyone. Then they sell access to that information to the financial industry (credit checks). And if you want to protect yourself, you are supposed to pay them to protect (lock) your credit history.

    They do not care about spending money to protect the information they have data mined.

    Open source is better, if you use it right! And put the time in to do "YOUR" due diligence! They did not!

  • You have to assume your servers will get hacked. It doesn't matter what software you're running. Someone will find a way in. Any competent developer starts with that assumption and designs around it. That's why you never ever EVER store sensitive data unencrypted! They're looking for someone to blame for their incompetence.

  • Well they're entitled to ask for a full refund of whatever they paid for it.

  • This is only hearsay. It was never confirmed by Equifax or FireEye.

  • The point of open source isn't, "free software you don't have to pay anyone to develop!" but rather, it's software that you can audit and don't have to take anyone's word that it does what they claim. Honestly, when your data is both highly valuable and sensitive you should at the very least hire another company to review the source code.

