Equifax mega-breach: Security bod flags header config conflict

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration. The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress earlier …

  1. Anonymous Coward

    I can confirm the e-mail address breach.

    Had it happen to me as well on an Equifax specific e-mail address. At the time Equifax's support blamed it on a third party contact management company who only had access to the e-mails.

    AFAIK Equifax never publicly acknowledged this.

    1. VinceH

      Re: I can confirm the e-mail address breach.

      "Had it happen to me as well on an Equifax specific e-mail address. At the time Equifax's support blamed it on a third party contact management company who only had access to the e-mails."

      I've had it happen on an address specifically used for a credit reference agency - it was either Equifax or Experian, but it was a very long time ago - around 2000ish, maybe - and I can't say for certain which of the two it was. Under the circumstances, it's easy to think it must have been Equifax, but I couldn't swear to it.

      I'm pretty sure it was the first time I ever received spam at a company-specific address. ISTR contacting them and getting brushed off with "Nope, not a problem with us, guv."

      1. tom dial Silver badge

        Re: I can confirm the e-mail address breach.

        The vulnerability appears from the list of affected versions published elsewhere to have been relatively old, certainly a good deal older than the March 7, 2017 date on which the patch was released.

        Although it is not essential, it would be interesting to know for each of these exactly when these confirming events occurred. The earliest date might provide some information about when the vulnerability was known to criminals, as against others who pay attention to release and patch notifications and vulnerability database updates. Assuming Equifax is being truthful about when the breach occurred (certainly not a given) it might also speak to whether other vulnerabilities were being exploited, as the first poster reports them saying.

    2. Anonymous Coward

      Re: I can confirm the e-mail address breach.

      Sue the beggars and close them down.

  2. Alister

    Scott Helme's header.io site is very unforgiving in its marking.

    As a comparison with equifax's score of "D" here's a few others:

    theregister.co.uk: "F"

    www.paypal.com: "B"

    www.ebay.com: "E"

    www.google.com: "E"

    www.experian.co.uk: "E"

    Some of the headers that Scott's site marks you down for are very difficult to implement on real world sites, (Content Security Policy) and others are only just being introduced (Referrer-Policy) and are not generally implemented.

    A fairer representation might be to use the Qualys Labs site

    https://www.ssllabs.com/ssltest/analyze.html?d=www.equifax.com&hideResults=on

    Where equifax.com scores an "A"

    1. sitta_europea Silver badge

      [quote]"Scott Helme's header.io site is very unforgiving in its marking.

      As a comparison with equifax's score of "D" here's a few others:

      theregister.co.uk: "F"...[/quote]

      Well he might have a point...

      Sep 15 21:49:54 mail6 sm-mta[15996]: v8FKnrXC015996: --- 550 5.1.1 <johnleyden@theregister.co.uk>... User unknown (hold)

      ged@mail4:~$ dig +short sitpub.com txt

      "v=spf1 mx a a:lists.theregister.co.uk a:news.theregister.co.uk a:post.theregister.co.uk a:list.theregister.co.uk include:_spf.google.com -all"

      ged@mail4:~$ dig +short news.theregister.co.uk any

      "ANY obsoleted" "See draft-ietf-dnsop-refuse-any"

      ged@mail4:~$ dig +short post.theregister.co.uk any

      92.52.96.119

      ged@mail4:~$ dig +short list.theregister.co.uk any

      "v=spf1 a a:post.theregister.co.uk a:lists.theregister.co.uk mx -all"

      159.100.131.171

      ged@mail4:~$ dig +short lists.theregister.co.uk any

      159.100.131.171

      ged@mail4:~$ dig +short news.theregister.co.uk

      ged@mail4:~$

      1. Alister

        @ sitta_europea

        Not sure of your point?

        You seem to have found an SPF record with a legacy entry in it.

        And last I looked, El Reg was not the holder of confidential credit information or PPI.

        1. sitta_europea Silver badge

          @Alister

          > @ sitta_europea

          > Not sure of your point?

          The Register is very fond of pointing fingers at incompetence, and I'm grateful for it. I read the security 'column' avidly, and I've often been prompted to act by things I've read there.

          I'm not necessarily saying "Let him who is without sin cast the first stone...", but if you're going to point fingers, you might need to be prepared to have them pointed back. The Register published an email address for comments on its article, and yet, when I tried to send mail to that address, The Register's servers tell me the address is unknown. And even if it wasn't unknown they couldn't reply to me, because our servers check the SPF forgery detection stuff, and outright reject anything that results in SPF PERMERROR, and The Register's SPF record has been bollixed for yonks.

          It's not like it's rocket science; if I were managing their DNS, from sitting down at a keyboard to reloading the zone it would take me all of two minutes to fix The Register's SPF record.

          This is just about what to me is a relatively trivial mail system. If it's symptomatic of the general level of attention to detail at The Register it doesn't inspire confidence, because there must be more and far less trivial considerations for the Web presence, purchasing, accounts, payroll and elsewhere.

          So I'm highlighting some things that look incompetent, I'm saying that somebody providing The Register with its infrastructure should be trying a bit harder -- lest they find themselves involved in some scam, and in the unenviable position of having to write about themselves for their own publication -- and I'm saying that 'harsh' might not be unjustified in this case.
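An added example, not code from the thread or from whoever runs The Register's mail, of one check a receiving server performs when it evaluates SPF: RFC 7208 section 4.6.4 caps the number of DNS-querying terms (mx, a, ptr, exists, include and the redirect modifier) at ten, and exceeding that is a permerror, which is the result sitta_europea's servers say they reject outright. The record at the top of the fake resolver below is the one quoted from dig above; everything else it resolves (the _spf.google.com contents and the .example names) is constructed so the code runs offline, and whether a live evaluation of the real record ends in permerror depends on what those names resolve to at the time, which this example does not look up.

```python
"""Offline SPF DNS-lookup-limit check (RFC 7208, section 4.6.4).

Added example, not code from the thread or The Register. It walks an SPF
record through a fake resolver and counts the terms that cost a DNS query.
More than ten is a permanent error, and a receiver that rejects on
permerror will bounce the mail. The TXT data is constructed so the example
runs offline; only the first record is the one quoted in the thread.
"""
from __future__ import annotations

LOOKUP_MECHANISMS = {"mx", "a", "ptr", "exists", "include"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

# Constructed TXT answers keyed by name. 192.0.2.0/24 is documentation space.
FAKE_TXT = {
    "sitpub.com": (
        "v=spf1 mx a a:lists.theregister.co.uk a:news.theregister.co.uk "
        "a:post.theregister.co.uk a:list.theregister.co.uk include:_spf.google.com -all"
    ),
    # Assumption: _spf.google.com modelled as three nested includes.
    "_spf.google.com": (
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"
    ),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    # Constructed failure cases: too many lookups, a self-include, and an
    # include of a name that publishes no SPF record at all.
    "overlimit.example": "v=spf1 include:sitpub.com include:_spf.google.com -all",
    "loop.example": "v=spf1 include:loop.example -all",
    "missing-include.example": "v=spf1 include:nosuch.example -all",
}


class SpfPermError(Exception):
    """Raised for conditions RFC 7208 defines as permerror."""


def count_lookups(domain: str, txt: dict[str, str], chain: tuple[str, ...] = ()) -> int:
    """Return the number of DNS-querying terms reachable from domain's SPF record."""
    domain = domain.lower()
    if domain in chain:
        raise SpfPermError(f"include/redirect loop via {domain}")
    record = txt.get(domain)
    if record is None:
        # No record means 'none' for the domain itself but permerror when the
        # name is reached via include:/redirect= (section 5.2); reported as an
        # error in both cases here for simplicity.
        raise SpfPermError(f"{domain}: no SPF record")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SpfPermError(f"{domain}: not a v=spf1 record")

    total = 0
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                total += 1 + count_lookups(target, txt, chain + (domain,))
            continue
        mech, _, target = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if mech in LOOKUP_MECHANISMS:
            total += 1
        if mech == "include":
            # Lookups inside the included record count against the same budget.
            total += count_lookups(target, txt, chain + (domain,))
    return total


def spf_verdict(domain: str, txt: dict[str, str]) -> str:
    """Summarise the lookup-limit outcome for a domain."""
    try:
        n = count_lookups(domain, txt)
    except SpfPermError as err:
        return f"permerror: {err}"
    if n > MAX_LOOKUPS:
        return f"permerror: {n} DNS lookups, limit is {MAX_LOOKUPS}"
    return f"ok: {n} of {MAX_LOOKUPS} permitted DNS lookups"


if __name__ == "__main__":
    for name in ("sitpub.com", "overlimit.example", "loop.example", "missing-include.example"):
        print(f"{name}: {spf_verdict(name, FAKE_TXT)}")
```

Swap `FAKE_TXT` for a function that does real TXT queries and the same walk becomes a pre-commit check for a zone file; the point to keep is that nested includes spend the same ten-lookup budget as the top-level record.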

          1. Anonymous Coward

            They certainly don't understand basic security, if they did, they wouldn't publish many of these embarrassingly misleading stories, and be better skilled at spotting when they are being used to spread fakenews.

          2. Anonymous Coward

            The Register is very fond of pointing fingers at incompetence, and I'm grateful for it. I read the security 'column' avidly, and I've often been prompted to act by things I've read there.

            Old problem. El Reg's management already knows this and it has been repeatedly pointed out to them (including by me). Where this would get funny is if that was for cost saving reasons, because FIXING this will actually save money if they have more than 10 users. The costs for Google business email is an easy route to justify a change to something less likely to listen in to conversations with confidential sources*.

            * They have alternative means for that, but they would IMHO make a good start with not DEFAULTING to shipping information to yonder agencies, but hey, call me picky.

          3. Anonymous Coward

            El Reg -n- HTTPS.

            It only took them years to figure out https ..... don't tax them with getting SPF right.

    2. Len

      Not a useful comparison

      That is not a useful comparison. As the name suggests, SecurityHeaders.io tests security headers whereas SSLLabs measures the quality of the TLS connection. They both test something entirely different.

      You can have a stellar record on SSLLabs because the encryption is top-notch and still be susceptible to Cross-Site-Scripting. You would score high on SSLLabs and low on SecurityHeaders.io.

      You can have a stellar record on SecurityHeaders.io because your Content Security Policy is top-notch and still be susceptible to eavesdropping because of poor or missing encryption. You would score high on SecurityHeaders.io and poor on SSLLabs.

      To have your house in order you would want to score well on both.

    3. Aodhhan

      IT IS NOT DIFFICULT TO SET HEADERS.

      Many header settings can be done by properly configuring the web server.

      For instance, to set up "Content-security-policy" on an Apache server you can configure this via the .htaccess configuration file.

      It is true many web sites don't properly configure their sites when it comes to headers. It's a matter of paying attention to detail and using all the available defense in depth techniques to make things more difficult for malicious hackers.

      The Qualys site is good for ensuring encryption protocols and cipher suites; as well as certificate validation. Again, as a matter of attention to detail, you need to understand the limitations of your tools along with their purpose.

      This is a good lesson to all InfoSec professionals. When there is a trend showing you aren't paying attention to detail... you will be nitpicked and harshly criticized; thus damaging your reputation further. This will continue to go on. Wait until all the discovery information comes out about Equifax's network, along with the training and knowledge of their InfoSec staff. The criticism has only just begun.
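An added example, not code from the thread, securityheaders.io, Qualys or Equifax, illustrating Len's point that a header grade and a TLS grade measure different things and Aodhhan's point that the headers are set with ordinary web-server configuration. It scores a set of response headers on the five the thread names (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) and renders them as mod_headers directives for httpd.conf or .htaccess. The checklist, the "weak" rules, the six-month HSTS threshold and the letter scale are simplifying assumptions, not securityheaders.io's actual scoring; the two sample header sets are constructed, not captured from any site.

```python
"""Toy security-header grader plus Apache directive generator.

Added example, not code from the thread, securityheaders.io or Equifax.
Checklist, weak-value rules and the letter scale are assumptions made for
illustration, not the real securityheaders.io scoring.
"""
from __future__ import annotations

CHECKED = ("content-security-policy", "strict-transport-security",
           "x-frame-options", "x-content-type-options", "referrer-policy")
MIN_HSTS_MAX_AGE = 15552000  # assumed floor: six months
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Map each checked header to 'ok', 'missing' or 'weak: <reason>'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    out: dict[str, str] = {}

    csp = h.get("content-security-policy")
    if csp is None:
        out["content-security-policy"] = "missing"
    elif "'unsafe-inline'" in csp and "'nonce-" not in csp and "'sha256-" not in csp:
        # 'unsafe-inline' with no nonce or hash re-enables inline script,
        # which is the thing CSP exists to stop.
        out["content-security-policy"] = "weak: 'unsafe-inline' without nonce or hash"
    else:
        out["content-security-policy"] = "ok"

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out["strict-transport-security"] = "missing"
    else:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value)
        out["strict-transport-security"] = (
            "ok" if max_age >= MIN_HSTS_MAX_AGE else f"weak: max-age={max_age}")

    xfo = h.get("x-frame-options")
    if xfo is None:
        out["x-frame-options"] = "missing"
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        out["x-frame-options"] = "ok"
    else:  # e.g. ALLOW-FROM, which current browsers ignore; use CSP frame-ancestors
        out["x-frame-options"] = f"weak: {xfo}"

    xcto = h.get("x-content-type-options")
    if xcto is None:
        out["x-content-type-options"] = "missing"
    else:
        out["x-content-type-options"] = "ok" if xcto.lower() == "nosniff" else f"weak: {xcto}"

    rp = h.get("referrer-policy")
    if rp is None:
        out["referrer-policy"] = "missing"
    else:  # unsafe-url or a typo lands here
        out["referrer-policy"] = "ok" if rp.lower() in VALID_REFERRER_POLICIES else f"weak: {rp}"
    return out


def grade(headers: dict[str, str]) -> str:
    """A when all five are 'ok', one letter down for each header that is not."""
    satisfied = sum(1 for v in check_headers(headers).values() if v == "ok")
    return "ABCDEF"[len(CHECKED) - satisfied]


def apache_directives(headers: dict[str, str]) -> list[str]:
    """Render headers as mod_headers lines; 'always' also covers error responses."""
    lines = []
    for name, value in headers.items():
        if '"' in value:
            raise ValueError(f"{name}: double quotes need escaping in Apache config")
        lines.append(f'Header always set {name} "{value}"')
    return lines


# Constructed sample: TLS may be perfect, but only the two cheap headers are sent.
PARTIAL = {"Content-Type": "text/html; charset=utf-8",
           "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}

# Constructed sample: the full set; inline script allowed only via a per-response nonce.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, sample in (("partial", PARTIAL), ("hardened", HARDENED)):
        print(f"{label}: grade {grade(sample)} {check_headers(sample)}")
    print("\n".join(apache_directives(HARDENED)))
```

The directives need mod_headers loaded and, for .htaccess, `AllowOverride FileInfo` on the directory; the CSP value is the part that takes real work, because a policy without 'unsafe-inline' breaks every inline script and style the site still has, which is why the nonce approach in the sample is the usual migration path.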

  3. Anonymous Coward

    The BBC is reporting 400,000 British consumers' data may have been leaked, which raises the further question as to why British consumers' data was being held on an American server.

  4. TheBorg

    Clowns !! The senior management need to be behind bars - especially those who dumped their stock before the public announcement.

    This company deserves to crash and burn

    1. Mark 85

      This company deserves to crash and burn

      While it deserves to crash and burn, it won't. Something about the myth of "too big to fail".. and "bonuses all around the C-suite for their heroic efforts.".

      1. Eddy Ito

        Well the CIO and the Chief Security Officer both just retired. My question is why did they hire someone with a degree in music composition for the position of Chief Security Officer? That's not to say the CSO wasn't qualified but I'm not sure where security and music intersect especially when it comes to throwing nearly half the population of the US to the wolves with their lax patching practices.

        1. Anonymous Coward

          My question is why did they hire someone with a degree in music composition for the position of Chief Security Officer?

          Well, that role often has to face the .. You'll get the idea :)

          1. liac

            My question is why did they hire someone with a degree in music composition for the position of Chief Security Officer?

            ...a real life example of the manager in "The IT Crowd"...life imitating art. Really love that series and the casting was sooooo right.

        2. tom dial Silver badge

          A number of the better - i.e., more capable and accomplished - systems analysts and programmers I have known over the last 4 decades or more had degrees in music, and several others were fairly accomplished amateur musicians. My understanding is that this is a relatively well known and documented correlation. I also have known a number of excellent programmers whose organizational management skills were on a par with my 4-1/2 year old granddaughter. The implicit suggestion that hiring someone with a music degree to a CSO job was out of line for that reason is unwarranted and very possibly incorrect.

  5. mwcer

    experian and transunion are even worse, as are many financial sites

    Not sure if Scott Helme's site is that useful. Experian rates a "E", and transunion a "F". Many major banks are "F".

    1. Anonymous Coward

      Re: experian and transunion are even worse, as are many financial sites

      Can confirm. Several UK banks are F. Also a couple of digital security companies that will remain unmentioned. Still, I welcome these simple kind of audit sites (along with ssl labs and friends), it's nice and easy to ping the URL to the relevant bod in management and get them to budget some time to tighten simple things like this up, usually within the week.

    2. sitta_europea Silver badge

      Re: experian and transunion are even worse, as are many financial sites

      [quote]

      Not sure if Scott Helme's site is that useful. Experian rates a "E", and transunion a "F". Many major banks are "F".

      [/quote]

      At least I can speak for the major banks. Those "F" grades are richly deserved.

  6. J. Cook Silver badge

    Oh, it gets better! Apparently a site equifax set up for argentina was coded by either an 8 year old, or someone who has no business coding web pages:

    https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

    "It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever... "

  7. Bruce Ordway

    Experian, FICO, Equifax, TransUnion, Innovis, PRBC

    I'm wondering if any other review will take place as a result of this breach.

    I'm sure there is a need for some of the services these companies provide but the way they have evolved has left me feeling uneasy.

    I especially like this from Wikipedia....https://en.wikipedia.org/wiki/Credit_bureau#United_States

    "So far an economic model to describe this industry has not been attempted, while the fundamentals are counter intuitive to any market known, since other industries (finance, banking, insurance) sponsor consumer reporting agencies to process information while consumers pay CRAs to receive that information. The utility of the consumer is hard to calculate since the consumer is given no recourse to correct mistakes processed about them, hence the dynamics of this triangle involving consumers, credit reporters, and sponsoring industries remain undefined."

    1. sitta_europea Silver badge

      Re: Experian, FICO, Equifax, TransUnion, Innovis, PRBC

      "... the dynamics of this triangle involving consumers, credit reporters, and sponsoring industries remain undefined."

      You mean my credit rating went through the floor when I sued the council for breaking my sitting room window with their verge cutting machine and they refused to pay for it?
