Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com)
The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. 
"It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.
A poor carpenter... (Score:5, Funny)
Always blames his tools.
However there is a problem with being too aggressive.
Proper security is tough; if you are going to be 100% secure then chances are you will not be able to perform your business. However, there need to be rules to make sure the company is putting its best effort into security. If we find that there was someone who tried to raise flags about security, where management declined because it was too expensive, then there should be repercussions. But if there are reasonable checks in place, you shouldn't kil
In the financial sector, proper security is THE most important thing. If you are offering services and you cannot secure your customer's data absolutely, then you shouldn't be offering services.
If proper security is "too expensive" for your profit margin, then you have a failed business model, and shouldn't be offering services.
Financial institutions KNOW this. This is the business they choose to be in, it has a high operating cost and they get paid VERY well to perform these services. They shouldn't be let
In that incomplete analogy, I think a web framework is more analogous to materials than tools.
Blame the software, not the license. (Score:4, Insightful)
How the product is licensed doesn't affect the quality of the software.
If the software is of significant complexity, then chances are flaws will be there, and often, just like commercially licensed software, a flaw can be overlooked by many eyes until the flaw is found.
You haven't thought that through. At all.
Don't appear to know how web servers work or security breaches happen.
All sounds good in theory. But if 1% of the people out of the millions of transactions request more than 100 rows, that will still be thousands of requests that need approval. The supervisors will get fatigued by the requests and just blanket approve them.
What, you can't believe software that happens to be released with an open-source license could have a security vulnerability?
Granted, I expect the flaw is more than just a flaw in the software, but poor network design, excessive trust in the application and/or poor implementation.
But people who just scoff at the idea that open source is just this ultra-secure system will often implement it in a poor manner, making it vulnerable, because of a zealot faith in the holy license.
No complex software is without bugs, no complex software is completely secure. I'm a big open source fan but this is reality. Open or closed, there will be bugs and exploits. Subjectively, it seems open source may get fixed more quickly, but that doesn't change the bottom line, which is that the onus is on the company.
Equifax stores tons of sensitive information and it's up to them to protect it properly. No excuses, no finger pointing, no passing the blame. They are responsible, period.
I heard it was... (Score:1)
It is open source ... (Score:3, Insightful)
In that case, why don't they make their own product?
Often it takes just as much time and effort to review the code of a complex application as it would take a dev team to build an app customized to the actual business need, vs. using general-purpose software.
JAVA! (Score:2)
>Model-View-Controller (MVC) framework for Java
There's your problem right there.
Security demands simplicity.
MVC for Java off IBM is a top-grade choice for security. This is why you use cloud, though: you can blame IBM, at least till the flaw is isolated.
;)
Had this problem with a credit card company... (Score:2)
Yes Yes (Score:3)
The cost of doing business online (Score:2)
Equifax Corporate Officers (Score:3)
None of the above. It's the officers on the corporate board, who demanded "cheaper" rather than "secure." The managers who carried out their demands (putting emphasis on cheap contractors vs. quality work and investment in patching dependencies) were just doing their jobs, the sysadmins really don't have much to do with it (if you know how Struts works), and the developers are pretty blameless because they either do what management told them or don't eat.
Maybe it was global warming. Or Trump.
If you don't invest in open source (Score:1)
you are not allowed to place any blame on it
equifaxsecurity2017.com (Score:1)
Root cause = SJW hiring practices (Score:1)
You hire a liberal arts music major as head of security to fill a gender diversity quota, and then you're surprised by this?
I don't think it was SJWs. I think she was well connected and managed to land a bunch of compliance gigs that have nothing or little to do with technology and Equifax regards security as a good starter position for c-level executives and PHBs instead of being a terminal position for some former teen-hacker.
Let it soak for a second. If you work in IT.. even as tech takes over the world.... even as infosec mismanagement crises have been first page news for several years.
YOU ARE WORTH LESS THAN THE MANAGEMEN
Struts Fault? (Score:2)
They do not care about spending money to protect the information they have data mined.
Open source is better, if you use it right! And put the time in to do "YOUR" due diligence! They did not!
Re:Struts Fault? CORRECTION (Score:2)
credit collection businesses
I should have said
credit reporting businesses
Don't store data unencrypted! (Score:2)
You have to assume your servers will get hacked. It doesn't matter what software you're running. Someone will find a way in. Any competent developer starts with that assumption and designs around it. That's why you never ever EVER store sensitive data unencrypted! They're looking for someone to blame for their incompetence.
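The "assume the server gets hacked, so never store sensitive data in the clear" point above, as an added example that is not part of the original thread or of any Equifax or Apache Struts code: a hypothetical Go service encrypts the SSN field with AES-256-GCM before it ever reaches the database row, uses a fresh random nonce per value, and binds each ciphertext to its record id as associated data so a blob copied between rows, or modified in place, fails to open. The key handling is a labelled assumption (a real deployment keeps the data-encryption key in a KMS or HSM, not next to the database), and the records are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is one hypothetical stored row. The sensitive field is only ever
// written as ciphertext, so a dump of the table yields nothing usable.
type Record struct {
	ID  string
	SSN []byte // nonce || AES-GCM ciphertext of the plaintext SSN
}

// Sealer wraps the data-encryption key. Assumption for this example: the key
// is supplied by a KMS/HSM at startup and never stored beside the data.
type Sealer struct {
	aead cipher.AEAD
}

// NewSealer builds an AES-GCM sealer from a 32-byte (AES-256) key.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal encrypts one field value with a random nonce and binds it to the
// record id as associated data: the same blob under another id won't open.
func (s *Sealer) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := s.aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, ct...), nil
}

// Open reverses Seal; any bit flip or id mismatch fails the GCM tag check.
func (s *Sealer) Open(recordID string, blob []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

func main() {
	// Constructed key and sample data for the demonstration only.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealer, err := NewSealer(key)
	if err != nil {
		panic(err)
	}

	rows := []Record{}
	for id, ssn := range map[string]string{"cust-1": "123-45-6789", "cust-2": "987-65-4321"} {
		blob, err := sealer.Seal(id, []byte(ssn))
		if err != nil {
			panic(err)
		}
		rows = append(rows, Record{ID: id, SSN: blob})
	}

	// What an attacker with a copy of the table sees: only ciphertext.
	for _, r := range rows {
		fmt.Printf("%s stored as %s\n", r.ID, hex.EncodeToString(r.SSN))
	}

	// Swapping a blob into another record's row fails the authentication tag.
	if _, err := sealer.Open(rows[1].ID, rows[0].SSN); err != nil {
		fmt.Println("cross-record reuse rejected:", err)
	}
}
```

The design choice worth noting is the associated data: encrypting alone stops disclosure, but binding the ciphertext to the row id also stops an attacker with write access from silently moving one customer's data under another identity.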
Well they're entitled (Score:2)
Well they're entitled to ask for a full refund of whatever they paid for it.
Not confirmed (Score:2)
They are missing the point of open source. (Score:2)
The point of open source isn't, "free software you don't have to pay anyone to develop!" but rather, it's software that you can audit and don't have to take anyone's word that it does what they claim. Honestly, when your data is both highly valuable and sensitive you should at the very least hire another company to review the source code.