equifax hack

mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

equifax hack

Post by mike acker »

(OpEd)

(1) Given the poor condition of commercial computer security, The Hack was inevitable.

(2) the credit reporting agencies should not have been allowed to collect the information they have collected -- and then use it in a negative way against people -- affecting job applications and insurance rates as well as loan applications.

(3) the Old Sage teaches that "'tis an ill wind that blows no good". Perhaps this will lead to a general and proper adoption of PGP/GnuPG.

Reference essay

Excerpt
Somehow, no one seemed to realize that connecting the Internet to everything was a terrible idea despite also being a great idea. We built information super-highways...yay, great...but most businesses forgot the guardrails.
Today, the hacks and breaches are hitting banking and credit companies, government databases, voting machines, and public utility infrastructure. That stolen data can't always be changed, like your date of birth. Unless the government decides to reissue everyone a new social security number, once it's stolen, it's permanently vulnerable to exploitation.
The key is simple: you can't change your DoB or SSAN. Well, not like a password anyway.

And it should be noted: you can't change your fingerprints, iris scans, facial recognition data either -- although one could wear a mask, or latex fake fingerprints, or contact lenses...

But we could be approaching the point where it will be more straightforward to adopt general use of PGP/GnuPG for authentication -- as should have been done in the late 90s.
¡Viva la Resistencia!
altair4
Level 20
Posts: 11460
Joined: Tue Feb 03, 2009 10:27 am

Re: equifax hack

Post by altair4 »

Or do what saved Battlestar Galactica from the Cylon malware attack. Get them off the fracken network.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
mwbworld

Re: equifax hack

Post by mwbworld »

Plus (and I'm not the first to observe) the extortionist aspect to them.

Step 1: Gather all your confidential and risky financial data in one poorly secured place
Step 2: Charge to protect that data that they put at risk and failed to keep safe through poor security
Step 3: PROFIT!
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: equifax hack

Post by mike acker »

Preliminary dx:

Equifax attackers may have exploited Apache Struts

In regard to system security -- or the lack thereof -- the application software may be at fault when an attack succeeds. It will be interesting to see what information comes to light on this Equifax hack.
deleted

Re: equifax hack

Post by deleted »

Who will watch the watchers?
kc1di
Level 18
Posts: 8180
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: equifax hack

Post by kc1di »

Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608
altair4
Level 20
Posts: 11460
Joined: Tue Feb 03, 2009 10:27 am

Re: equifax hack

Post by altair4 »

altair4 wrote:Or do what saved Battlestar Galactica from the Cylon malware attack. Get them off the fracken network.
Equifax began in 1899. I am fairly certain there was no internet back then. The only people who understand network security are the Chinese and the Russians so unless Equifax asks one of them to set up security for them it's best to take Equifax off the fracken network.

Second best is government regulation and meaningful punishment for violations of those regulations but that is not likely to happen:
Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies.
Unless of course the Chairman of some powerful Senate committee was affected by this hack.
Last edited by altair4 on Thu Sep 14, 2017 7:12 am, edited 1 time in total.
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: equifax hack

Post by mike acker »

Dan Goodin (Ars Technica) report

Critical Apache Struts bug was fixed in March. In May, it bit ~143 million US consumers.

Excerpt
The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.
Good read -- recommended.

Update:

Helpnet Security Report

Excerpt
The attackers who breached Equifax managed to do so by exploiting a vulnerability in its US website, the company has finally confirmed. The vulnerability in question was Apache Struts CVE-2017-5638.
Further Reading:

Bruce Schneier
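The vulnerability named in the excerpt above, CVE-2017-5638 (Apache advisory S2-045), is reached through a crafted Content-Type header that the Struts Jakarta Multipart parser evaluated as OGNL. Because the payload travels in a request header, exploitation attempts are visible in web-server logs if that header is logged. The following is an added example, not code from this thread, from Equifax or from the Struts project: a small Python scanner that flags requests whose Content-Type header carries OGNL expression markers. It assumes a constructed log format (the common Apache fields with the request's Content-Type appended through the `%{Content-Type}i` LogFormat token), the sample log lines are constructed, and the marker list is illustrative rather than complete.

```python
"""Flag HTTP requests whose Content-Type header carries OGNL, the vector used
against Apache Struts CVE-2017-5638 (S2-045). Added example; not from the page."""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Substrings that occur in OGNL expressions but never in a well-formed
# Content-Type value: RFC 2045/2046 parameter and boundary syntax does not
# permit '{', '$', '%' or '#'. Assumption: this list is illustrative only.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context", "@ognl.", "getRuntime(")


def looks_like_ognl_injection(content_type: str) -> bool:
    """True if the header value contains an OGNL marker.

    The value is percent-decoded once first so that an attacker who encodes
    '%{' as '%25%7B' is still caught; double encoding would need another pass.
    """
    decoded = unquote(content_type)
    return any(marker in decoded for marker in OGNL_MARKERS)


# Constructed log format (assumption, not Equifax's):
#   ip ident user [timestamp] "METHOD path HTTP/x" status bytes "Content-Type"
# i.e. Apache common log plus %{Content-Type}i appended in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request whose Content-Type looks like OGNL."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        match = LOG_RE.match(line.rstrip("\n"))
        if not match:
            continue  # not in the expected format; a real tool would count these
        if looks_like_ognl_injection(match.group("ctype")):
            hits.append({k: match.group(k) for k in ("ip", "ts", "path", "status", "ctype")})
    return hits


# Constructed sample lines. Line 2 carries the opening fragment of the widely
# published S2-045 probe (an OGNL expression in place of a media type), line 3
# the same fragment percent-encoded; lines 1 and 4 are benign uploads/logins.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2017:02:14:05 +0000] "POST /upload.action HTTP/1.1" 200 512 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
    '198.51.100.23 - - [10/Mar/2017:02:14:09 +0000] "GET /index.action HTTP/1.1" 200 1024 '
    '"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"',
    '198.51.100.23 - - [10/Mar/2017:02:14:10 +0000] "GET /index.action HTTP/1.1" 200 1024 '
    '"%25%7B%28%23_%3D%27multipart%2Fform-data%27%29%7D"',
    '192.0.2.5 - - [10/Mar/2017:02:15:00 +0000] "POST /login.action HTTP/1.1" 302 0 '
    '"application/x-www-form-urlencoded"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["path"], hit["status"], hit["ctype"][:48])
```

Two caveats a practitioner would add: default Apache and nginx log formats do not record Content-Type, so this only works once the header is logged (or when run against a WAF or proxy capture), and a hit on a 200 response says nothing by itself about whether the OGNL actually executed; it is a trigger for looking at that host, not proof of compromise.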
BenTrabetere
Level 7
Posts: 1890
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: equifax hack

Post by BenTrabetere »

altair4 wrote:The only people who understand network security are the Chinese and the Russians so unless Equifax asks one of them to set up security for them it's best to take Equifax off the fracken network.
I think there are people outside Russia or China who are savvy about network security. I do not know the conditions in other countries, but it is my experience that in Corporate America issues like network security are passed through "Risk Assessment" filters. Anything trapped by the filter is treated as an unnecessary expense that is detrimental to C-level bonuses and the stockholders.
Second best is government regulation and meaningful punishment for violations of those regulations but that is not likely to happen:
C-level executives should be held accountable for their actions. I cannot remember where I saw it or who suggested it, but a fitting punishment I found amusing called for the CIO, CFO and CEO at Equifax to have their personal credit ratings dropped to 350, and for a fine equal to the difference between their compensation package and the compensation package for the lower 90% of employees at the firm. It will never happen, but it is amusing to consider....
Patreon sponsor since August 2022
slipstick
Level 6
Posts: 1071
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: equifax hack

Post by slipstick »

In theory, theory and practice are the same. In practice, they ain't.
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: equifax hack

Post by mike acker »

CNBC essay on the aftershock from the Equihack

Equifax will not survive fallout from massive breach, says technology attorney

Excerpt
Grossman thinks it is almost inevitable that this will result in a new cybersecurity law.

"I see this as the straw that broke the camel's back. When you think about it and you compare our privacy protections to what they have in the EU, it's a joke in this country," he said.

For example, in Europe, citizens have the "right to be forgotten" and have data removed from online, he noted.
Before you finish thinking: Sharyl Attkisson: The Price of Power

We are likely to get some hullabaloo and then a weak, ineffective response. Be sure to read Bruce Schneier's essay.

Is this stuff all politics? Hardly. It's also a computer topic, related to product liability and security. There are folks in favor of better computing -- and those opposed. In the end, here in the land of the Dollar Bill: Money Talks.
altair4
Level 20
Posts: 11460
Joined: Tue Feb 03, 2009 10:27 am

Re: equifax hack

Post by altair4 »

mike acker wrote: We are likely to get some hullabaloo and then a weak, ineffective response.
That is my fear as well. A lot of indignation from elected officials and someone may get fired yet Equifax is allowed to survive to mess up another day.

This has been going on for a while: Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop

And there's this bit of sloppiness: Equifax used the word 'admin' for the login and password of a database

Equifax should be dissolved as a corporate entity. It can then be absorbed by Experian, TransUnion, and Innovis
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: equifax hack

Post by mike acker »

altair4 wrote: {snip}
Equifax should be dissolved as a corporate entity. It can then be absorbed by Experian, TransUnion, and Innovis
You're on the right track:

Equifax, Experian, TransUnion, Innovis et al. should be dissolved. These are illegal invasions of privacy.
WharfRat

Re: equifax hack

Post by WharfRat »

It's certainly frustrating when people, myself included, go through painstaking steps to protect their sensitive personal information only to have it breached by hackers from a company that collects it from creditors.

It's disheartening when you think about how many institutions one deals with and the mountain of information they have about you.
Portreve
Level 13
Posts: 4870
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: equifax hack

Post by Portreve »

altair4 wrote:Or do what saved Battlestar Galactica from the Cylon malware attack. Get them off the fracken network.
That would be NuBSG, just to be clear. :wink:

Anyhow, to the points being raised here by just about everyone...

This is why I don't trust the private sector more than government. Safety, security, ethics, and the like are the absolute last concern on company executives' minds, especially where it involves the customer or, for that matter, the general public. To tell the truth, I am completely sick and fed up with that particular segment of the U.S. population which has this ideologically driven mindset which says less government is always good, because more government = totalitarian state. Of course, that particular segment normally uses such terms as "socialism" and "communism" even though what they intend by that use is actually Stalinism, which is neither legit socialism nor legit communism.

Government, left completely to its own devices, would probably be only somewhat bad. We have our history of corporatist usurpation of political power to thank for the significantly more-evil (or at least more corrupt) government we have come to know in the United States. Businesses, in my experience, do everything they can to minimize liability and maximize profit. They will compromise safety and cut corners at every opportunity. Usually, they are pretty good at dodging responsibility by hiding behind walls and walls of doublespeak, of lobbying-produced necessary laws and regulations which consequently don't exist, of deliberately ambiguous phrasing of laws which do exist, or just simple mega-CYA to shield the company from any kind of responsibility, let alone legal liability.

Two executives from Equifax have been sacked. Who knows, they may even go to court. The fact of the matter is this is just one single example of how crappy companies are run, particularly where there is inadequate oversight.

On the other hand, given that the U.S. Government is, as the saying goes, "the finest government money can buy", it begs serious questions about who it is exactly we can trust to ensure the right thing is done. It's a good thing this was a data breach which will affect "everyone" including the wealthy, and not another instance of gun crime or mass shootings, where we could rest assured nothing whatsoever would be done (because, of course, of yet another political hot potato)...
Last edited by Portreve on Sat Sep 16, 2017 8:45 am, edited 1 time in total.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Night Wing
Level 4
Posts: 474
Joined: Wed Dec 25, 2013 10:21 pm
Location: Piney Woods of Southeast Texas

Re: equifax hack

Post by Night Wing »

Companies that collect private data on the public should be held accountable, and they aren't held accountable when the sensitive private data they collect on millions of people is hacked. Equifax will issue the usual "I'm sorry and apologize" excuse and pay a big fine, money-wise, and that will be it. Then it will be back to "business as usual".

Instead of paying a fine, there should be a federal law which states that if any company holding sensitive private data on people gets hacked, the company should be fined a huge amount, plus the people responsible, from the CEO on down the ladder, should go to jail for a long time as well. Equifax knew about the vulnerability and didn't apply the Apache security patch for two months after the patch was released to Equifax. Then Equifax's so-called IT security people didn't apply the security patch for whatever reason, and to add insult to injury, it didn't notify anyone it was hacked until 45 days later.

My take on this: this is just as big as the Enron scandal. I sincerely hope Equifax does go out of business for this breach. I can just hear the CEO of Equifax coming up with the usual "plausible deniability" excuse of "I was never informed of a security vulnerability". Yeah, right.
Linux Mint 21.3 (Virginia) Xfce
MX Linux 23.2 (Libretto) Xfce
Linux Debian 12.5 (Bookworm) Xfce
mwbworld

Re: equifax hack

Post by mwbworld »

mike acker wrote: Equifax, Experian, TransUnion, Innovis et al. should be dissolved. These are illegal invasions of privacy.
Yes please. Heck - the whole credit rating/reporting system is just plain broken - IMHO.
Portreve
Level 13
Posts: 4870
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: equifax hack

Post by Portreve »

Reuters: U.S. Senator Warren introduces Equifax bill, launches industry probe

So, Equifax will give you free credit report monitoring if you ask, but in exchange for waiving your rights to go after them for their culpability in this matter. Now, that's just rich, isn't it?
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: equifax hack

Post by mike acker »

Night Wing wrote: {snip}
Equifax knew about the vulnerability and didn't apply the Apache security patch for two months after the patch was released to Equifax.
{snip}
From what I read in one of the notes about Apache Struts CVE-2017-5638, to install the corrective service IT techs would have to (1) install the updated Apache software, and (2) REBUILD all of the online apps which were using that software.

It's easy to see this is not trivial.

What do you do? Take Equifax OFFLINE for a week and have the techs work doubles until it's all rebuilt?

As Mr. Schneier has mentioned: until doing it right is less costly than slopping through, corporations will continue taking the cheap way out.

Historically, corporations have regarded losses due to software problems as "just part of the cost of doing business". It appears now that Equifax, at least, won't be able to cover the loss.

If I remember right, the US Constitution says something about the right of the people to be secure in their homes, and papers, and effects, and further, the 14th Amendment went on to expand such protection to everyone -- as everyone was to enjoy equal protection under the law. This was originally focused on Civil Rights, BUT: Privacy IS a Civil Right (4th Amendment).

As far as I'm concerned, any corporation engaged in aggregating and/or selling of PII is a CRIMINAL organization.

Be sure to watch Sharyl's video "The Price of Power" -- which I linked earlier in this thread.
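The point made above, that fixing CVE-2017-5638 meant rebuilding every application rather than patching one shared component, follows from how Struts is deployed: struts2-core is a library jar bundled inside each WAR's WEB-INF/lib, so every WAR carries its own copy and each one has to be rebuilt and redeployed with the fixed version. The first operational question is therefore which deployed artifacts still carry an affected copy. Below is an added example, not code from this thread, from Equifax or from the Struts project: a Python inventory script that opens WAR files, reads the bundled struts2-core version (from the Maven-style jar file name, or from the pom.properties inside the jar when the jar has been renamed) and flags versions in the affected ranges published in the S2-045 advisory (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The WAR files it scans are constructed in a temporary directory so the script runs stand-alone; the application names are made up.

```python
"""Inventory WAR files for the bundled struts2-core version and flag those in
the CVE-2017-5638 (S2-045) affected ranges. Added example; not from the page."""
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Affected ranges from the Apache S2-045 advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
# Fixed releases were 2.3.32 and 2.5.10.1.
AFFECTED = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))

# Maven convention: WEB-INF/lib/struts2-core-<version>.jar
JAR_RE = re.compile(r"^WEB-INF/lib/struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Maven metadata that survives renaming of the jar file itself.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """Compare as 4-component tuples so 2.5.10.1 sorts above 2.5.10 and 2.5 == 2.5.0."""
    v4 = (parse_version(version) + (0, 0, 0, 0))[:4]
    return any((lo + (0,))[:4] <= v4 <= (hi + (0,))[:4] for lo, hi in AFFECTED)


def struts_core_version(war: zipfile.ZipFile) -> Optional[str]:
    """Return the struts2-core version bundled in a WAR, or None if absent."""
    for name in war.namelist():
        match = JAR_RE.match(name)
        if match:
            return match.group(1)
        if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
            # Renamed jar: look for the Maven pom.properties inside it instead.
            try:
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    if POM_PROPS in jar.namelist():
                        props = jar.read(POM_PROPS).decode("utf-8", "replace")
                        found = re.search(r"^version=(\S+)$", props, re.M)
                        if found:
                            return found.group(1)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip it
    return None


def scan_wars(paths: Iterable[Path]) -> List[Tuple[str, Optional[str], bool]]:
    """(war name, struts2-core version or None, affected?) for each WAR."""
    results = []
    for path in paths:
        with zipfile.ZipFile(path) as war:
            version = struts_core_version(war)
        results.append((path.name, version, version is not None and is_affected(version)))
    return results


def make_war(path: Path, jar_name: str, version: Optional[str]) -> None:
    """Write a minimal constructed WAR: a web.xml plus one library jar whose
    pom.properties states `version` (omitted when version is None)."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            jar.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.struts\n"
                                    "artifactId=struts2-core\n")
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/{jar_name}", jar_buf.getvalue())


def demo() -> List[Tuple[str, Optional[str], bool]]:
    """Build four constructed WARs (names are made up) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_war(root / "portal.war", "struts2-core-2.3.31.jar", "2.3.31")      # affected
        make_war(root / "dispute.war", "struts2-core-2.5.10.1.jar", "2.5.10.1")  # fixed
        make_war(root / "legacy.war", "struts2-core.jar", "2.5.10")              # renamed, affected
        make_war(root / "static.war", "commons-io-2.5.jar", None)                # no Struts at all
        return scan_wars(sorted(root.glob("*.war")))


if __name__ == "__main__":
    for name, version, affected in demo():
        print(f"{name:12} struts2-core={version or '-':10} {'REBUILD' if affected else 'ok'}")
```

A hit here is a work item, not proof of exploitability: the script says which artifacts still ship an affected library and so must be rebuilt, but not whether a given app exposed the Jakarta Multipart parser, and a vendor-patched or shaded jar can report a version that does not reflect its actual code. Run it against the real deploy directory with `scan_wars(Path("/path/to/webapps").glob("*.war"))`.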
BenTrabetere
Level 7
Posts: 1890
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: equifax hack

Post by BenTrabetere »

mike acker wrote:from what I read in one of the notes about Apache Struts CVE-2017-5638 was that to install the corrective service IT Techs would have to (1) install the updated Apache Software,and (2) REBUILD all of the online apps which were using that software.

it's easy to see this is not trivial
Regardless, action should have been taken. Equifax had ample time to address the issue and, based on everything I have read, it chose to do nothing. If the breach had not occurred I have little doubt the problem would still exist at Equifax.
what do you do? take Equifax OFFLINE for a week and have the Techs work doubles until it's all rebuilt ?
Yes. I am not sure that would be necessary; however, if that is what it takes to address a publicized vulnerability, then Equifax should go offline. IMO, in the wake of the breach Equifax should go offline permanently.