There's something missing
What about the bit where some of the Argentinian systems have admin/admin credentials?
And what about the rule that each user's ID and password are the same?
Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company's mega-breach are revealed in a new entry to …
Seems like the incompetence was caused by ignorance.
It was reported on Slashdot yesterday that Susan Mauldin, the woman in charge of Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security.
If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
So ignorance was followed by cover-up.
From what I have seen so far, that's generally SOP in companies that do not allocate enough resources for security. It tends to come accompanied by sacrificial heads of security who will be sacked for their inability to either extract sufficient budget to do the job (an unfair fight at best) or an inability to spot they're being set up as the patsy.
Given the amount of money it was raking in (some of which is about to get nuked) it has no excuse on the budget side.
(At the bottom of the linked article is a video about a reporter trying to get information about his personal exposure in a safe manner - which seems it only took 42 minutes. No surprise there, then. Muppets).
"lists no education related to technology or security"
I don't think you can read too much into that. Plenty of useless comp sci graduates around. For someone who's in a position to retire now there's plenty of time to have gone on workplace training. Tim Berners-Lee has a BA (albeit in physics).
And security is a large part human factors; if they'd had a techie in charge we might now be reading about the massive Equifax phishing scam.
Besides which, have you ever known a CISO who was actually empowered to force developers to do anything? Somebody set up that admin/admin account and it won't have been anyone with "chief" in their job title.
"This has absolutely nothing to do with developers. They simply didn't have a patching program sufficient for an enterprise data gathering organisation."
These two sentences nicely illustrate what's wrong with a large number of developers today.
Patching and security; all somebody else's problem.
In the shops I've worked, security patching is a grind-it-out never ending process. It is not exciting, not inventive, does not bring attention to your coding or talent. It is the take-out-the-trash job of computer science. It is not career enhancing, and it's the first thing to get outsourced because no one wants to spend even one year doing something that does not help you move forward as a developer. 10 years fixing patches and your technical abilities will have atrophied and you will be unemployable at any real computer science job. That said, it is necessary work that must be done.
Sure you have a lot of educated idiots with tech degrees when it comes to InfoSec, but you have a lot more when they don't have this background.
What we are beginning to see is the lack of experience and practice in more disciplines than just InfoSec among those who are responsible for this breach.
For example, where was auditing, compliance, risk management and operations? These aren't InfoSec disciplines, these are straight up management disciplines designed to ensure everyone is doing whatever their job is effectively.
For this reason, it isn't just the tech bosses like the CIO who should step down. The top officers responsible for auditing, compliance, risk and operations should also step down.
The CEO should also step down, as his/her primary role is to protect the stock holders. Obviously this wasn't done, and he continues to fail in this regard.
If (IF) this were true, one might want to ask how she got that role and who was the moving agent, and why. Personal connections? PR?
That said, more important than that would be, how the message about the bug did NOT travel up the way it should have. Well, we know "how", but at which point it was patted down as "Thanks for your concerns so eloquently put in 3532215 e-mails. After thorough investigation we have decided no further action be taken".
This irks me. "You haven't got the right letters after your name, so are not qualified to have an opinion".
My first degree was in music. I now work as a software engineer. I've met people who tell me they've "done" CompSci. And they know fuck-all. The most solid programmers I had the fortune to work with to date studied biochemistry and medieval history respectively.
Anyone who has studied at undergraduate level will attest that it does not matter what you study (bar vocational degrees such as law or medicine); it's your attitude to learning that matters. You get taught HOW to learn. I went to university thinking I'd learn everything about my subject. On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else.
Why did nobody tell me this at the start? There's me learning differentiation, integration, fluid dynamics, Young's modulus, resonant circuits etc. ad infinitum, when I could have just chosen "Navel Gazing" and gone on a bender for 3 years.
I find it a little sad that you apparently don't pick up any useful information or skills on a "doesn't matter what subject" degree. Doesn't that make it a waste of time?
Didn't you learn how to learn in school?
Does it really take 3 years to learn how to learn? (5 years if you count your A levels.)
"On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else."
Sadly too many squander that perfect chance. I know a lot of people who graduated with degrees and moved on to IT and know absolutely nothing; worse still, they have no common sense, no logical problem-solving abilities and basically just seem to have stopped learning about anything after college except when Big Brother is on next! I never had the opportunity to study beyond college but I've never stopped learning of my own volition. Playing with computers for almost 40 years since I was 7 years old, I make it a point to ensure I learn something new every day, anything I can, just something to make each day worthwhile; often I can't get to sleep at night unless I've gained some new piece of knowledge, large or small. I hate sitting in the office surrounded by people who've had the good fortune to study to a higher level than I and yet they've simply stopped learning anything; they simply drift through life with hardly any passion for anything anymore, tragic. You try to fire them up discussing new facets of IT and nothing. Surely they were hungry for knowledge once, or was it that their parents forced them into IT because that's where the money was and now they're trapped, wasting opportunities some people would sell their right arm for?
Well, the poster a couple of posts above mentioned that he likes to make sure he learns something new every day or he can't sleep. So I offered that nugget in the hope he wasn't aware of that.
I wasn't. I guess you think of Nevada as inland and LA on the beach. Turns out CA is a bit bendy.
It's like a geographic optical illusion. I was in Canada once and worked out I was further south than at home in the UK. Also, I bet it's further across the bottom of England than it is from top to bottom.
"degree was in music... work as a software engineer. "
In that case go get an Engineering degree; after all, that will be a walk in the park for you and you are already getting paid as an Engineer, so it would be professional development. Then join the Professional Association that regulates the practice of Engineering and you will be an Engineer.
There is a reason that profession is regulated in many areas. The consequences of not requiring minimum education were, and still are, repeated catastrophes. Equifax is just one recent example.
"...just move the boss to another company to still earn lots of money whilst being incompetent."
At my former WROK PALCE (CW Shark Tank readers will 'get it'), the CIO had a katana mounted on a plaque on the wall behind her desk.
It bore the inscription:
The Reward for Incompetence
It was used a few times, until the bills for 'carpet cleaning' got the CFO annoyed.
"...katana mounted on a plaque on the wall..."
"I have to say Boss that this kind of dedication to constantly reminding oneself that anyone in a position of power, even a king, is always a single hair's width away from their doom is truly worthy of admiration..."
I've been trying to get them to correct incorrect details on my profile since 2016. That stupid dispute site never worked properly. I'd create or reset an account and it wouldn't let me login so I could never see their responses.
Funnily enough it works now, since they've patched it.
They still won't correct the wrong info.
I'll be lodging a complaint with ICO next, but I suspect they'll be equally useless.
All corporations are muppets, and becoming more muppety, year on year:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Those people at "information is beautiful" are going to need to start using log scaling, the way things are progressing.
A class action suit is in the works, and the complete response for Canadian "customers" is:
Are you concerned you are affected by the Canadian impact of the breach against Equifax? We are still investigating, but this is what we know now:
Only a limited number of Canadians may have been affected.
We are working on finding out how many.
The breach is contained.
At this point, it seems the personal information that may have been breached includes name and address and Social Insurance Number.
We will update this information as we learn more.
"We are still investigating, but this what we know now:" Or "no now" or "no know". Rumsfeld must be coaching this team.
"Only a limited number of Canadians may have been affected." Well, there are a limited number of Canadians so they may all be infected. "We are working on finding out how many" but trust us, it is limited and "The breach is contained" - perhaps within some pastebin account or Yours for only 9.99 Loonies.
Finally, "it seems the personal information that may have been breached includes name and address and Social Insurance Number". May have included those items and may have included a whole lot more.
Rest assured Canadians, and carry on. Oh, and please reserve me a couple of bunks far away from the mobsters to the south.
That's OK. Nobody would be using social security numbers for ID, would they ?
Would they ?
No, You Can't Have My Social Security Number
Didn't the government promise that SSNs wouldn't be used for ID?
The Canadian link for Social Insurance Number (SIN ) responsibility/usage is at:
https://www.canada.ca/en/employment-social-development/services/sin/reports/code-of-practice/section-2.html
The algorithm for generating numbers is known, as it is used by companies (e.g. banks) to validate a given SIN. Having a secret algorithm to generate a SIN does not help the situation. No matter how the SIN is generated, at some point the number is given to a bank or employer or credit check bureau. Hence, if these companies' security is breached, we are in the same situation. The resolution to not perpetuating this problem is via better processes, not technology. If the numbers were not easily associated to names, this problem would not exist. For example, one could post a list of 50 SINs which are generated by the public algorithm. No one would be able to determine 1) who the SINs belong to and 2) if the SINs were in use. So a list containing only these 50 numbers means nothing.
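The public algorithm the post above refers to is the Luhn check digit, which is what banks and payroll systems use to catch a mistyped SIN. The following is an added example, not code from the thread: it validates a SIN against that check digit, completes the ninth digit for any eight-digit prefix, and produces 50 check-digit-valid numbers to illustrate the point that such a list, on its own, identifies nobody. The specimen value 046 454 286 is the widely published sample SIN; the remaining inputs are constructed.

```python
"""Luhn check-digit handling for nine-digit Canadian SINs.

Added example, not code from the original thread. Only the check digit is
verified here; nothing about issuance (which prefixes exist, whether a
number is in use) can be learned from the algorithm, which is the point.
"""
import random


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a string of decimal digits.

    Digits are walked right to left. Every second digit, starting with the
    one immediately left of the check digit, is doubled; if the double is
    two digits its digits are summed (equivalent to subtracting 9).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def is_valid_sin(sin: str) -> bool:
    """True if sin is nine decimal digits (spaces/hyphens ignored) whose Luhn sum is 0 mod 10."""
    s = sin.replace(" ", "").replace("-", "")
    if len(s) != 9 or not s.isdigit():
        return False
    return luhn_checksum(s) == 0


def complete_sin(first_eight: str) -> str:
    """Append the check digit that makes an eight-digit prefix Luhn-valid."""
    if len(first_eight) != 8 or not first_eight.isdigit():
        raise ValueError("need exactly eight digits")
    # With a placeholder 0 in the check position the other digits keep the
    # weights they will have in the finished number, so the missing digit is
    # whatever brings the sum to a multiple of ten.
    partial = luhn_checksum(first_eight + "0")
    return first_eight + str((10 - partial) % 10)


def random_valid_sins(n: int, seed: int = 0) -> list[str]:
    """n distinct check-digit-valid nine-digit strings (constructed, not issued numbers)."""
    rng = random.Random(seed)
    out: set[str] = set()
    while len(out) < n:
        out.add(complete_sin("%08d" % rng.randrange(10**8)))
    return sorted(out)


if __name__ == "__main__":
    print("046 454 286 valid:", is_valid_sin("046 454 286"))   # specimen SIN
    print("046 544 286 valid:", is_valid_sin("046 544 286"))   # two digits swapped
    print("check digit for 04645428:", complete_sin("04645428")[-1])
    for s in random_valid_sins(50):
        print(s)   # every one passes validation; none says whose it is or whether it exists
```

Note that a Luhn check is a typo detector, not a secret: anyone can generate passing numbers, which is why possession of a bare list proves nothing and why the number only becomes dangerous once a breached record ties it to a name and address.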
If you want to open someone's password protected payslip, find out their NI number, chances are this is all you need to do.
If you work for a company where some pen pusher has gone this way to make their life easier, they perhaps need some lessons in security awareness, and companies responsibility for protecting personal data in a secure and responsible manner...
"There’s a good chance you’ve spent time recently on a chore you didn’t sign up for: finding out if hackers possibly stole information about you from Equifax Inc. - What makes the situation especially awful is that you never had much choice about entering into a relationship with Equifax."...
-
https://www.bloomberg.com/news/features/2017-09-14/thank-you-for-calling-equifax-your-business-is-not-important-to-us
That extra revenue stream may hopefully be come to an end in the US - hope Europe will follow soon.
Europe is leading the US by a wide margin in this - the EU General Data Protection Regulation (EU GDPR) is already in force and becomes fully mandatory on May 25th, 2018. This unifies the much stronger stance on privacy prevalent in Europe - in part this is due to different perception; Europeans generally care more about e.g. your neighbor knowing how much you make but less about nudity than their US counterparts.
The EU GDPR has significant fines attached, i.e. 4 percent of annual global turnover or 20 million Euros (about 22 million dollars), whichever is greater.
The EU GDPR has significant fines
Whilst agreeing that the US authorities are laggards on data protection (undoubtedly Google are trying to ensure this remains so), we've yet to see how European regulators interpret and enforce the GDPR rules.
I suggest that the draconian sounding GDPR fines will not reflect in any way what organisations actually pay. Looking at other regulatory fines, anybody expecting big numbers could well be disappointed. Take UK energy supplier E.ON. They had an obligation to install "advanced meters" at all business premises by April 2014, and failing to do so would incur a penalty of "up to 10% of UK turnover", which was about £9bn. So in theory they could have been fined £900m. In practice, they missed the target by a significant measure, and the penalty imposed was £7m. Technically the actual fine element was only two quid, with £7m paid to an "industry related charity".
So, if that's indicative of the thinking of regulators (and Ofgem are the most aggressive regulator when setting penalties), what do you think Talk Talk would have been fined if GDPR had been in force back in 2015? My guess is around £6m-10m. Better than the £400k they got fined by the ICO at the time, but still dwarfed by the £35m cost of sorting the mess out that they reported. And if they had been fined that £6m-10m, it would have been a measly 0.4% of TalkTalk's £1.8bn turnover that year. I think that's what people should expect when GDPR comes into force, I'm afraid.
“It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,"
.
https://www.bloomberg.com/news/articles/2017-09-08/one-thing-all-of-government-agrees-on-equifax-deserves-grilling
======================
"Equifax Hack Is ‘Exhibit A’ in Case for Regulation - ‘Pathetic’ Remedies .... The company’s remedies for the breach were "pathetic" and that offering one year of free credit monitoring to consumers provided "scant protection" to those who were harmed. Equifax should offer free credit monitoring indefinitely and should drop its charges of up to $10 to consumers who want to freeze their credit"
.
https://www.bloomberg.com/news/articles/2017-09-11/equifax-hack-is-exhibit-a-in-case-for-regulation-durbin-says
======================
"We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims," the attorneys general said. "Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families.”
.
https://www.bloomberg.com/news/articles/2017-09-15/equifax-asked-by-ags-to-stop-selling-credit-monitoring-services
"Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so."
"That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete."
https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html
A permanent credit freeze is the only way to address this effectively for now. If this article is suggesting that it will be done, I don't believe it. I called my congressman and demanded that Equifax do this for free and give at least 3 free "unfreeze" actions for the future.
I don't think all readers here know that all other reporting agencies synchronize to catch up to the same level of data accuracy within a maximum of 3 months, so it isn't always necessary to write a letter to all three of the big ones. They all get the same data eventually. I only had to put a free fraud alert on one of the big three, and it spread to the other two automatically. Unfortunately they only last 90 days. I'll be damned if I'm going to pay for Equifax's mistakes!!
Equifax warehouses the most intimate details of Americans’ financial lives, from the credit cards in their wallets to the size of their medical bills. But the company doesn’t face the constant monitoring and auditing that help strengthen banks’ systems and data protections. Despite the wealth of sensitive information in its databases, Equifax, in essence, falls through the regulatory cracks.
https://www.nytimes.com/2017/09/08/business/equifax.html
----------------------------
So if a data-storage credit agency loses pretty much everyone’s data, why should it be allowed to store anyone’s data any longer? Here’s one troubling reason: Because even after one of the gravest breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the problem is bigger than Equifax: We really have no good way, in public policy, to exact some existential punishment on companies that fail to safeguard our data. There will be hacks — and afterward, there will be more.
Consumers also have piddling rights over how Equifax may continue to use their credit data. “There’s nothing in any statute or anything else that allows you to ask Equifax to remove your data or have all your data disappear if you say you no longer trust it,”
https://www.nytimes.com/2017/09/08/technology/seriously-equifax-why-the-credit-agencys-breach-means-regulation-is-needed.html
There is an answer to this: make every agency that uses personally identifiable data in its profit-making enterprise be completely responsible for the safe and secure handling of that data. Make any profit-making user of that data responsible to at least one level higher than that of the individual who actually "owns" that data, since said agencies are making a profit from that data.
Nobody I know willingly serves their personal data to the web "with intent" to have it used for other peoples/companies purposes. Granted, they should know better; but how does that make them "fair targets" for criminal enterprises? Oh, and by the way, just how does not knowing that the big Data Corporations refuse to take care of an individual's personal data make that individual responsible?
'Debt Collectors Have Figured Out A Way To Seize Your Wages & Savings'
http://www.huffingtonpost.com/2014/06/02/debt-collectors-wages-savings_n_5364062.html
------------------------------------
'It's Disturbingly Likely That Your Credit Report Is Wrong'
http://www.huffingtonpost.com/2014/08/11/credit-report-bureau-mistakes-_n_5661956.html
It's shocking that some companies would own a lot of data related to your private life and you would have no right about how these data are handled, used, transmitted to somebody else.
Each one should have the legal right to ask those companies to erase his/her personal data. Whatever social media gurus say, privacy does still exist.
They should have been reading The Register! I read about this bug on this site, I sent up the balloon and we had it patched overnight. I found a ready-to-use curl command that I could use to show the devs just how serious the problem was, and there were no arguments.
I'm actually a bit surprised by how few international-headlines breaches were caused by that bug.
I was at a presentation 2 weeks ago by one of the 2 people who publicly pushed hard for open source code, 10 years ago. Internet Hall of Fame, ICANN security committee, etc.
He's now switched gears completely.
He said that 10 years ago, there was 50 million lines of open source code and that it would be reviewed by multiple sets of eyes.
However, today there are 50 billion lines of code - most of which will never be reviewed by more than the author.
Does it also explain why a database with hundreds of millions of people's details did not have any intrusion detection, query limits, isolation from the front-end web-app, etc.etc.etc.
Even with complete root access to a web-app server, you shouldn't be able to just suck out the entire database without SOMETHING noticing.
you shouldn't be able to just suck out the entire database without SOMETHING noticing.
Well, everybody claims they have these controls in place. It's just that after a breach, it turns out they didn't, or the controls didn't work. I used to work on commercially sensitive data for a large, high public profile company. We certainly had internal access controls on folders, but it wasn't clear if there was any more than that. I asked our IT people and my line managers if we had the means to check when files were being accessed and what happened to them (eg out of hours snooping, mysterious volume transfers, or even atypical access by a permitted user). I was told "yes, yes, we've got all that". But when asked for examples of the monitoring, nothing was ever produced. And no alarm bells were set off when a colleague emailed his entire Outlook archive to his home email address on his last day in the office.
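The two posts above ask why nothing noticed an entire database being pulled out through a web application that only ever needs one record at a time. The following is an added example, not code from the thread or from Equifax: a small detector run over constructed database audit log lines that applies the two checks a practitioner would expect to exist, an absolute cap on rows returned by any single statement against a table holding personal data, and a per-principal rows-per-minute baseline that catches enumeration by thousands of small lookups. The log format, the table name `consumer`, the principals `webapp` and `reporting`, and all thresholds are assumptions chosen for illustration.

```python
"""Volume-based detection of bulk reads from a PII table, run over
constructed database audit log lines.

Added example, not code from the original thread. Log format, table name,
principals and thresholds are assumptions for illustration only.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
SENSITIVE_TABLES = {"consumer"}   # assumption: the table holding personal data
PER_STATEMENT_CAP = 1000          # a per-record lookup app never needs this many rows at once
WINDOW = timedelta(minutes=1)
MIN_ROWS_FOR_SPIKE = 100          # do not alert on tiny baselines
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed line format: time, principal, rows returned, statement text
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$")


def build_sample_log() -> str:
    """Constructed audit log: three quiet minutes of single-record lookups by
    the web app, then one minute holding 400 such lookups (scripted
    enumeration), then a reporting account paging the table 5000 rows at a time."""
    base = datetime(2017, 5, 13, 1, 0, 0)
    lookup = "SELECT ssn, name FROM consumer WHERE id=?"
    lines = []
    for minute in range(3):
        for i in range(10):
            ts = base + timedelta(minutes=minute, seconds=6 * i)
            lines.append(f"{ts:{TS_FMT}} user=webapp rows=1 sql={lookup}")
    for i in range(400):
        ts = base + timedelta(minutes=3, seconds=i * 60 / 400)
        lines.append(f"{ts:{TS_FMT}} user=webapp rows=1 sql={lookup}")
    ts = base + timedelta(minutes=5)
    lines.append(f"{ts:{TS_FMT}} user=reporting rows=5000 sql=SELECT * FROM consumer LIMIT 5000 OFFSET 0")
    lines.append("a malformed line that the parser must skip")
    return "\n".join(lines)


def parse_log(text: str) -> list[dict]:
    """Parse audit lines into events; malformed lines are skipped (in production
    they should be counted and alerted on as well)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "user": m["user"],
            "rows": int(m["rows"]),
            "sql": m["sql"],
        })
    return events


def touches_sensitive(sql: str) -> bool:
    """True if any FROM clause names a table in SENSITIVE_TABLES."""
    tables = {t.lower() for t in re.findall(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", sql, re.I)}
    return bool(tables & SENSITIVE_TABLES)


def detect(events: list[dict], cap: int = PER_STATEMENT_CAP, window: timedelta = WINDOW,
           ratio: float = 10.0, min_rows: int = MIN_ROWS_FOR_SPIKE) -> list[tuple]:
    """Return (rule, principal, time, rows) alerts from two independent rules."""
    alerts = []
    # Rule 1: a single statement returning a bulk slice of a sensitive table.
    for e in events:
        if e["rows"] > cap and touches_sensitive(e["sql"]):
            alerts.append(("bulk_statement", e["user"], e["ts"], e["rows"]))
    # Rule 2: a principal's rows-per-window far above its own typical window.
    buckets: dict = defaultdict(lambda: defaultdict(int))
    for e in events:
        buckets[e["user"]][(e["ts"] - EPOCH) // window] += e["rows"]
    for user, per_window in buckets.items():
        baseline = statistics.median_low(per_window.values())  # robust to the spike itself
        for b, rows in sorted(per_window.items()):
            if rows > max(min_rows, ratio * baseline):
                alerts.append(("volume_spike", user, EPOCH + b * window, rows))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(build_sample_log())):
        print(alert)
```

Running it yields two alerts: the reporting account's 5000-row page trips the per-statement cap, and the web app's 400-lookup minute trips the baseline rule even though every individual query looked legitimate. Neither rule alone is enough: a principal seen in only one window has no baseline, and enumeration never exceeds a per-statement cap, which is why both belong in a monitoring stack sitting between the web tier and the data.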
I'm going to guess that patching Struts on hundreds of internal applications was decided to be too difficult in a short time.
So they patched their external-facing routers/firewalls to remove #cmd=xyz strings from http headers.
And it went wrong or wasn't applied everywhere, regardless, the attacker found a way past this to an affected server.
Data breaches happen, but this is a company whose whole raison d'etre is looking after data, and they managed to lose the lot! If a bank had lost all its customers' money, they'd be shut down.
Personally, this is what upsets me the most about this particular breach.
Judging by the quality of sales calls I get, I think they are used to dealing with Senior Security officers not having a security background.
Every day I get multiple "how product x can solve your GDPR issues" bullshit calls, or worse, the "Artificial Intelligence" secret sauce product that can detect and alert you to all your security issues type of calls.
Congratulations Equifax......You blame the very people who have, in all likelihood, been pressuring for more frequent security patching as well as other changes. This is why being a CISO is truly a terrible job. If you do it well nothing happens and it's BAU. But you are viewed as not making any money for the company, or bringing in more customers...in fact all you do is spend money and slow up project delivery. A CISO is always seen as a major thorn BUT the minute something goes bang all the eyes turn to the CISO....he or she is then screwed, and the most laughable part is that they are often not on the board (despite the C tag) and they are certainly earning far less than other C-Level execs.
Where are the defenders of outdated software, the defenders of lethargy when it comes to software patching, when you need them, eh?
I keep saying you need to keep your software up-to-date, at all costs ... costs are within reason, if you plan appropriately ...
I see everyone here is fine with dissing the manglement of Equifax, but, honest question, how's YOUR patching going?
One wise saying, patch or feel sorry! If you cannot get a patch from your software purveyor in a timely manner, choose another who can ... you will notice the best are usually FFS purveyors.
I've got f-all in formal education for >INFORMATION< technology.
My background is military electronics (RF systems) and automotive systems. Somehow (dumb luck and being a computer geek/hobbyist for decades) I landed a sysadmin position.
I don't leave default passwords set on systems. My kids don't either, hell, my 8 y/o can tell you what a botnet is (albeit in rather broad strokes).
I wouldn't hire anyone with a master's degree in computer science much less give them Chief Security concerns, unless they spend time regularly (if not daily) familiarizing themselves with the absolutely latest discoveries and changes in Cyber Security. Including but not limited to attending hackers conventions, consulting with specialists, and reading, oh and did I mention reading. The degree (piece of paper) is useful to start a discussion, after that ongoing education is required regardless of your base education. I'd happily take a music major who is invited to present regularly at conventions over a CS major who graduated 5 years ago, and is still using the system he learned on in the computer labs in college. Security is a domain that changes daily. Your last year's implementation is already outdated, along with your degree. When you are a company responsible for storing the involuntarily provided significant personal information of every American who uses credit you WILL have the absolute latest technology in place - and a staff that evolves regularly.
While that is all nice and well and having only a degree in music doesn't prevent you from being a kick-ass security pro, statistically speaking it makes it incredibly unlikely that you have any shred of a clue whatsoever in that field. It puts the onus of proving otherwise squarely on you or else it lets people entirely rightfully assume you're a clueless numpty who got the job on the merits of entirely different body parts than her brain.
Doesn't really matter. If they are a bunch of script kiddies who lucked upon an open gap due to well-posted systemic failures, they are just pouncing and doing what feral children do. IF they are part of a well-funded criminal syndicate, we are all toast. These guys know what the game is and they will dredge up what they need and then send it on down the line for the bottom feeders to enjoy.
If this is a true State-level breach, then much will be withheld until the best possible time for non-monetary purposes.
The worst possible outcome is that this is one of many eruptions yet to come. And if it isn't, then what the fuck could it possibly be?
Perhaps the end of this "distributed" electronic economy?
I see a lot of folks sticking up for the two that got sacked. Excuse me, but they knew about it, failed in their implementation and then what? Did nothing? These two are not off the hook. Expect to see them in congressional hearings at the very least.
As for Equifax, sure they are doing what they can to assuage consumers' fears, but not enough. Their check-your-SSN site is still a joke. A user should be able to just put in the last 4 of the SSN, along with a last name, and get results. WITHOUT signing up for anything.
I expect a class action lawsuit will be forthcoming. It will present damages so high that Equifax will be no more. What monies they have after the pay out will go to government fines and an escrow account used to pay for identity protection for the entirety of the US for the next 80 years. They are finished as a company. Anyone besides damage control folks would be wise to start looking elsewhere for work.