back to article Equifax couldn't find or patch vulnerable Struts implementations

Equifax was just as much of a trash-fire as it looked: the company saw the Apache Struts 2 vulnerability warning, failed to patch its systems, and held back a public announcement for weeks for fear of “copycat” attacks. Those Infosec for Absolute Dummies tips were made official by ex-CEO Richard Smith, by way of evidence …

  1. Anonymous Coward
    Anonymous Coward

    Here's the really sick thing:

    "Equifax Amassed Salary Details for People at 7,100 Companies. Inside the U.S. credit-reporting firm is a warehouse of corporate secrets like none other, a database tracking the careers and earnings of bankers, technology workers and other personnel across the country. Even after Equifax failed to prevent hackers from tapping a separate trove of information on 143 million Americans, employers probably won’t stop feeding it updates, because they rely so much on analytics that Equifax provides."

    https://www.bloomberg.com/news/articles/2017-10-02/equifax-has-amassed-salary-details-for-people-at-7-100-companies

    1. Notas Badoff
      IT Angle

      Re: Here's the *other* really sick thing:

      "Smith justifies the company's much-criticised delay announcing the breach on the grounds that a disclosure might have seen crims pile on with multiple attacks."

      “A mounting concern also was that when any notification is made, the experts informed us that we had to prepare our network for exponentially more attacks after the notification, because a notification would provoke 'copycat' attempts and other criminal activity.”

      Otherwise, of course, they would have had to shut down their Internet connections. Which they couldn't possibly do because *profits!*. Sooo... those profits - from "as early as May 13" until patched? Cough it up, on top of the other fines. It just has to be that stupidity is not a 'bonus'

      1. Charles 9 Silver badge

        Re: Here's the *other* really sick thing:

        Well ask yourself. Which would've cost them more? A several-month blackout or paying for the fallout?

        As for not spilling, remember what the stupidest thing the man who first found gold in California was: telling about it.

  2. pblakez

    here you go Equifax

    example CVE-2017-5638 march patch

    edit maven file with updated struts version 2mins

    from

    <!-- https://mvnrepository.com/artifact/org.apache.struts/struts2-core -->

    <dependency>

    <groupId>org.apache.struts</groupId>

    <artifactId>struts2-core</artifactId>

    <version>2.5.10</version>

    </dependency>

    to

    <!-- https://mvnrepository.com/artifact/org.apache.struts/struts2-core -->

    <dependency>

    <groupId>org.apache.struts</groupId>

    <artifactId>struts2-core</artifactId>

    <version>2.5.10.1</version>

    </dependency>

    run build with unit tests 2-3mins

    upload to test server 10-15 mins

    functional testing on this minimal how many places do you upload files in your web app

    upload to prod server 10-15 mins

    maybe restart the server 30sec- 1min

  3. The Boojum

    "while the company searches for a replacement willing to take on the task of extracting it from a deep, dark, hole."

    complicated by the candidates needing to calculate exactly how much they can extract from the company themselves without bringing it down.

  4. GreggS

    Perhaps

    They should hire the hackers. They know a lot more about Equifax's customers than the rest of the Equifax board do.

    1. Warm Braw Silver badge

      Re: Perhaps

      They know a lot more about Equifax's customers

      The victims of the data theft weren't Equifax's customers, they were Equifax's raw material...

      1. Eddy Ito

        Re: Perhaps

        Exactly, companies like Facebook at least have to appear to care about the herd they are farming for fear of mass retribution or revolt while Equifax has no such check as they know there is little to nothing the herd can do.

  5. Anonymous Coward
    Anonymous Coward

    Not surprised they couldn't find the susceptible components.

    As a "person", they couldn't tie up my name with the two different formats of address used. The Electoral Roll in my area does NOT use the PAF format, so I've ended up with two different Equifax records. Experian and Callcredit have managed to join the two. Equifax's response - I need to persuade my Bank not use the PAF format but to use the Electoral Roll format. Muppets!

    1. SoaG

      Two different credit reports depending how you write your address?

      That actually sounds like good feature!

  6. CrazyOldCatMan Silver badge

    Just why Equifax couldn't find vulnerable Struts implementations remains the subject of ongoing investigations

    Because "DevOps"..

    Probably.

  7. Anonymous Coward
    Anonymous Coward

    Well prepared team?

    I'm sure we haven't heard the end of this story for quite some time yet, given what's at stake here. And yet, one security company, in a recent blog post about the hack, suggested we should all follow the example of Equifax, saying that "Equifax was clearly prepared to handle the fallout from a breach. That’s a sign of a well trained, well prepared team. We should all follow their example."

    1. Charles 9 Silver badge

      Re: Well prepared team?

      IOW, it costs less to handle the fallout and bribe and legislators to keep regulations lax than it is to actually do things right.

  8. Aodhhan

    More lies

    Step 2 in every breach incident playbook is to notify the FBI.

    let them make the decision on when to announce and to whom.

    There's no excuse for delaying this information to law enforcement. Unless of course, there is illegal activity you are trying to hide.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022