Equifax hack PSA


Re: Equifax hack PSA

Postby Snork on Thu Sep 14, 2017 9:12 am

From http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/:

Equifax has confirmed that a web server vulnerability in Apache Struts that it failed to patch months ago was to blame for the data breach that affected 143 million consumers.
...
The cited Apache Struts flaw dates back to March, according to a public vulnerability disclosure. Patches were released for the vulnerability, suggesting that Equifax did not install the security updates.


In related news, it was discovered that Equifax in Argentina had left the administrator username and password for a publicly accessible web portal as 'admin'/'admin', exposing the personal data of 14k people: https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/
Snork
Anjing
 
Posts: 156
Joined: Wed Sep 01, 2010 9:17 am
Location: London, UK

Re: Equifax hack PSA

Postby everything on Thu Sep 14, 2017 11:21 am

What the hell. admin/admin? Seems like teenagers could probably run a more secure site.

Is anyone taking the fall for this clusterfuck and are they hiring any competent people to start fixing things?

Also will Equifax have the hell sued out of it?
Last edited by everything on Thu Sep 14, 2017 11:22 am, edited 1 time in total.
amateur practices til gets right pro til can't get wrong
/ better approx answer to right q than exact answer to wrong q which can be made precise /
“most beautiful thing we can experience is the mysterious. Source of all true art & science
everything
Wuji
 
Posts: 8305
Joined: Tue May 13, 2008 7:22 pm
Location: USA

Re: Equifax hack PSA

Postby Steve James on Thu Sep 14, 2017 11:50 am

everything wrote: What the hell. admin/admin? Seems like teenagers could probably run a more secure site.

True. But, you also know that people are really bad at keeping passwords. The expectation is that people with access to your data will be more careful.

everything wrote: Is anyone taking the fall for this clusterfuck and are they hiring any competent people to start fixing things?

Probably the person who set login to admin/admin, or neglected to change the password, will be canned, along with his supervisor.

everything wrote: Also will Equifax have the hell sued out of it?

The FTC is investigating the breach, and there might be charges of fraud levied. I.e., they told customers that their data would be safe, but failed. Imo, though, it all depends on what an individual has lost because of the breach. Imo, it can't be considered a crime unless there was criminal intent. They might try to charge Equifax with criminal negligence, but that would put the onus of the crime on the one who was hacked. I think that filing charges for bad trade practices would be more successful.

For ex., when VW fudged the emission numbers for its diesel engines, they ended up being fined, and forced to buy back the affected vehicles. Equifax can't make restitution in the same way.
"A man is rich when he has time and freewill. How he chooses to invest both will determine the return on his investment."
Steve James
Great Old One
 
Posts: 21194
Joined: Tue May 13, 2008 8:20 am

Re: Equifax hack PSA

Postby Snork on Thu Sep 14, 2017 1:27 pm

Of some concern is this post in the krebsonsecurity.com comment section:

I went to Equifax web page, started the account freeze process yesterday and after submitting all required data, received the message that the request can not be fulfilled at this time … “try again later …” I tried about five minutes later, submitted all information again and this time the page opens, offering three options to unfreeze the account … obviously, they froze my account the first time but never provided the PIN number which I would now need to unfreeze it.


It seems as though the Equifax online credit-freezing service can freeze your credit without actually giving you the security PIN. It's possible people have used it, and gone away thinking that it has crashed, without realising that their credit is now frozen (and they do not have the PIN to be able to unfreeze it). I would not recommend using this service, but perhaps try calling them, if you want to make the freeze.
Snork
Anjing
 
Posts: 156
Joined: Wed Sep 01, 2010 9:17 am
Location: London, UK

Re: Equifax hack PSA

Postby Snork on Thu Sep 14, 2017 1:38 pm

everything wrote: Is anyone taking the fall for this clusterfuck and are they hiring any competent people to start fixing things?


Equifax was using a security company called "FireEye" to protect them against these kinds of attacks. Hilariously, there was even a case study on their website which was quickly deleted: http://www.theregister.co.uk/2017/09/11/equifax_incident_response_omnishambles/. However, despite FireEye's apparent failure to protect Equifax's data, Equifax have hired them to investigate the attack and apparently also to handle public relations. That's going as well as could be expected.
Snork
Anjing
 
Posts: 156
Joined: Wed Sep 01, 2010 9:17 am
Location: London, UK

Re: Equifax hack PSA

Postby Snork on Thu Sep 14, 2017 1:59 pm

everything wrote: Also will Equifax have the hell sued out of it?


One thing that's not mentioned very much is the fact that 200k+ card numbers were stolen. Card details now fall under the PCI DSS which is an exhaustive set of security rules enforced by the card schemes (VISA, MasterCard, etc.) which must be implemented for a company to handle card data. In order to store card data Equifax must have been under PCI level D (the highest level) and the card PAN numbers should have been encrypted (and all security patches applied). Although details are sketchy, it seems clear that Equifax were not PCI compliant at the time of the breach. This is embarrassing because Equifax is a member of the PCI standards council: https://www.pcisecuritystandards.org/get_involved/participating_organizations. If you have a security breach involving card data (as here) and you are found to have not been PCI compliant when you have declared yourself to be (forms must be signed) then the card schemes can impose heavy fines and even worse, order your merchant acquirers to drop you as a customer - meaning you can no longer process card payments. It can take a few months for the proper investigations to take place, but it seems likely that by the end Equifax will not be looked upon favourably by any card schemes.
Snork
Anjing
 
Posts: 156
Joined: Wed Sep 01, 2010 9:17 am
Location: London, UK
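To make concrete what "the card PAN numbers should have been encrypted" means in practice, here is an added example (written for this thread, not code from Equifax, the PCI council or the poster above) of the minimum a card store should do before a PAN ever touches a database: validate it, keep only a truncated form for display, and replace the full number with a keyed one-way token. The sample card numbers are constructed test-style values, and the HMAC key is a placeholder created at run time; in a real deployment it would come from a key-management system kept away from the card database. An unkeyed hash would not be enough, because a known BIN plus the Luhn check leaves too few candidate numbers to resist brute force.

```python
import hashlib
import hmac
import secrets

# Constructed sample PANs (test-style numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "4111111111111112"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: keep the BIN (first 6) and last 4, mask the rest."""
    if len(pan) < 12:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256) that stands in for the PAN.

    The key must be stored outside the card database; without it the
    token cannot be searched back to a PAN even though the PAN space is small.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan: str, key: bytes) -> dict:
    """Build the only record that may be persisted: never the clear PAN."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {"masked": mask_pan(pan), "token": tokenize_pan(pan, key)}


def demo(key: bytes = None) -> list:
    """Process the constructed sample PANs, skipping the invalid one."""
    key = key or secrets.token_bytes(32)   # placeholder key for the demo
    records = []
    for pan in SAMPLE_PANS:
        try:
            records.append(store_card(pan, key))
        except ValueError:
            pass                            # rejected by the Luhn check
    return records


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Lookups (for example, "has this card been seen before?") are done against the token with the same key, so the clear PAN never needs to be stored; anything that genuinely needs the full number back belongs in a separate, tightly controlled vault rather than the general database.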

Re: Equifax hack PSA

Postby Steve James on Sat Sep 16, 2017 11:32 am

Equifax Says CIO, Chief Security Officer to Exit After Hack

https://www.bloomberg.com/news/articles ... ter-breach
"A man is rich when he has time and freewill. How he chooses to invest both will determine the return on his investment."
Steve James
Great Old One
 
Posts: 21194
Joined: Tue May 13, 2008 8:20 am
