* Posts by SailingDutchman

4 publicly visible posts • joined 12 Apr 2017

Missed patch caused Equifax data breach

SailingDutchman
Thumb Up

Re: Architectural issues as well?

A combination of architecture and policies could absolutely enable a company to patch many, if not most, critical vulnerabilities in very little time.

To illustrate, I was able to patch for Heartbleed and POODLE in less than a day because a) the right architecture was in place (F5 BIG-IPs front-ending all public-facing entry points) and b) the execs had my back and supported the right policies.

To contrast, my bank (one of the top-three in size in the USA) took almost a year to patch some of these high-sev vulnerabilities.

By the way, let's stop calling F5 BIG-IPs "load balancers" - they're Application Delivery Controllers (ADCs). Balancing the load is but one of many of its features. Why is this important? F5-gear is expensive and there are plenty of lower cost (or even 'free') load balancers out there. Why pay for F5 LBs if you can use AWS ELBs for 'free'...? Execs, PMs, Business Units, and Developers usually don't know the difference and have no idea what functionality they're giving up...

SailingDutchman
Coat

By their own admission, Equifax was likely not in compliance with the PCI-DSS, even though they store credit card data.

Under the PCI-DSS they had "one month" to patch their servers after the patch was released, which means that they should have completed the patching process around April 10.

There is, however, one important piece of information Equifax is not disclosing: which version of Struts they were running at the time of the breach. This lack of information is a tad suspicious, as it leaves room for the interpretation that they were running a version that was already obsolete by last year. The CVE database lists a number of vulnerabilities with a score of 4 and higher. Under PCI-DSS, all of those must be patched within one month after a fix is available. There are several 10s from last year.

For instance, all versions 2.3.x before the patch (2.3.32) are vulnerable. Given that Equifax was unable to patch their servers within the required one-month period, is it all that unlikely that they patch very infrequently and were still running an older version? Say, Struts 2.3.4.1 from August 2012? Or 2.3.24.1 from April 2015? In short, a version that suffered from a number of other high-sev vulnerabilities?

Granted, the PCI-DSS isn't exactly a model for the tightest security, but if a company like Equifax can't even meet those standards I fear the worst.
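The post above compares a deployed Struts version against an affected range (every 2.3.x release before the fixed 2.3.32). Below is an added example, not code from the original post or from the Apache Struts project, of how a dependency or patch scanner does that comparison. The only affected range used is the one the post states; the version strings checked are the ones the post mentions; the host names and the inventory dictionary are constructed for the example. It also shows the classic mistake of comparing version strings lexicographically, which would wrongly rank 2.3.4.1 above 2.3.32.

```python
"""Added example (not from the original post): match a Struts version
string against the affected range the post names, the way a dependency
scanner does. Handles purely numeric dotted versions only."""
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.24.1' -> (2, 3, 24, 1).

    Comparing version *strings* is wrong: '2.3.4.1' > '2.3.32' as text
    because '4' > '3'. Comparing integer tuples gives the intended order.
    """
    return tuple(int(part) for part in v.strip().split("."))


def in_range(version: str, lo: str, hi_exclusive: str) -> bool:
    """True if lo <= version < hi_exclusive, compared component-wise."""
    v = parse_version(version)
    return parse_version(lo) <= v < parse_version(hi_exclusive)


# Affected range as stated in the post: all 2.3.x releases before 2.3.32.
AFFECTED_RANGES: List[Tuple[str, str]] = [("2.3.0", "2.3.32")]


def is_affected(version: str) -> bool:
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for an inventory of {host: struts_version}."""
    return {
        host: ("VULNERABLE" if is_affected(ver) else "patched")
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed inventory: host names are made up, the versions are the
    # ones the post mentions (2.3.4.1, 2.3.24.1) plus the fixed 2.3.32.
    inventory = {
        "web-01.example": "2.3.4.1",
        "web-02.example": "2.3.24.1",
        "web-03.example": "2.3.32",
    }
    for host, verdict in audit(inventory).items():
        print(f"{host}: {verdict}")
    # Why string comparison is the wrong tool:
    print("'2.3.4.1' < '2.3.32' as strings:", "2.3.4.1" < "2.3.32")
    print("as version tuples:", parse_version("2.3.4.1") < parse_version("2.3.32"))
```

The upper bound is exclusive so that the fixed release itself is reported as patched; a real scanner would carry one such range per advisory and merge the verdicts.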

Fancy talking to SAP about your indirect licensing concerns? Straw poll says no

SailingDutchman

SAP seems to be mum about the decentralization/dispersion of apps inherent to cloud migrations. Such migrations tend to greatly increase "indirect access" and SAP is catching on.

The official statement conveys that customers will not be charged for back maintenance. However, it appears likely that many companies will suddenly find themselves owing additional fees moving forward. SAP's move may in fact drive some customers to find alternative vendors, since the increased fees may exceed the budget. Of course, SAP's tack isn't new; many vendors will (deeply) discount the initial acquisition. But ne'er the annual maintenance.

Extracting oneself from SAP is a costly and lengthy proposition as well, so it remains to be seen whether SAP will lose ground there. On the other hand, it would not be surprising to see a drop in new customers.

As you stare at the dead British Airways website, remember the hundreds of tech staff it laid off

SailingDutchman

Google search page still showing "sorry page"

As of now, Google's search results page is showing "British Airways - Splash Page" as the home page. The Google cache shows the actual "sorry page" from the outage.

Sigh... more developers who don't understand that they shouldn't use "200 OK" when displaying an error page. Or App Delivery folks who can't or don't want to support proper 5xx codes. Or both.

I'm adding the screen captures to my list of examples for when I once more try to explain the difference between "503" and "200". It probably won't make a difference, though.
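The post above is about an outage page served with 200 OK, which search engines and caches then treat as the real site. Below is an added example, not code from the original post or from British Airways, of the two behaviours side by side: the same "sorry" page served the wrong way (200) and the right way (503 with Retry-After and Cache-Control: no-store), plus a small client-side check that flags the 200-wrapped outage page as a "soft error". The page text, the paths /wrong and /right, and the outage markers are made up for the example; the server runs on a local loopback port.

```python
"""Added example (not from the original post): a maintenance page served
with 503 versus the 200 OK mistake, and a probe that detects the mistake."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed outage page; wording is made up for the example.
SORRY_HTML = (b"<html><body><h1>Sorry, we are experiencing technical "
              b"difficulties.</h1></body></html>")


class SorryHandler(BaseHTTPRequestHandler):
    """/wrong mimics what the post complains about: outage page + 200 OK.
    /right sends the same page with 503 and the headers crawlers need."""

    def do_GET(self):
        if self.path == "/wrong":
            self.send_response(200)
        else:
            self.send_response(503)
            # Tell clients and crawlers when to come back (seconds).
            self.send_header("Retry-After", "300")
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Never let a cache or search index keep the outage page.
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(SORRY_HTML)))
        self.end_headers()
        self.wfile.write(SORRY_HTML)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server() -> HTTPServer:
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), SorryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Phrases (made up for the example) that mark an outage/maintenance page.
OUTAGE_MARKERS = ("technical difficulties", "temporarily unavailable", "sorry")


def fetch(port: int, path: str):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def classify(status: int, headers: dict, body: str) -> str:
    """'ok', 'error', or 'soft_error'.

    A soft error is exactly the case in the post: HTTP 200 wrapping an
    outage page, which a search engine indexes as if it were the site.
    """
    looks_like_outage = any(m in body.lower() for m in OUTAGE_MARKERS)
    if status == 200 and looks_like_outage:
        return "soft_error"
    if 500 <= status < 600:
        return "error"
    return "ok"


def check(port: int, path: str) -> str:
    return classify(*fetch(port, path))


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    for p in ("/wrong", "/right"):
        print(p, check(port, p))
    server.shutdown()
```

Run it and /wrong is reported as soft_error while /right is reported as error. The marker-based body check is the same heuristic a synthetic monitor uses to catch outages that the status code alone hides; the fix on the server side is the 503 branch.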