Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com)

Posted by EditorDavid from the what-could-go-wrong dept.
phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.
The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.

  • Not noticing?? That's bad (Score:4, Informative)

    by davidwr ( 791652 ) on Saturday September 16, 2017 @10:44AM (#55209557) Homepage Journal

    I can see a company delaying patching serious bugs long enough to test it and make sure the fix isn't worse than the bug.

    I can see a company treating bugs that aren't reported as being serious as non-serious.

    I can see a company assessing a "serious" bug and determining it's not serious in their environment and not treating it with urgency.

    But that's not what happened here.

    Heads deserved to roll and at least two did.

      They didn't officially notice the breach until after they sold off their stock shares... So they say.

  • Good news everyone! (Score:1, Informative)

    by mrsam ( 12205 )

    The company has finally figured out how to use a random number generator, from TFA:

    The company clarified that consumers placing a security freeze will be provided a randomly generated PIN.

    What will happen with the ones that sold their stock before the announcement?
    • The three executives who sold stock before the data breach became public knowledge are being investigated by the SEC for insider trading. Unless they can prove that this was a "routine" sale (i.e., consistently sold shares every quarter) and the timing was coincidental, they are facing fines and/or prison sentences.

  • Patching is not the only answer. (Score:5, Informative)

    by ErikTheRed ( 162431 ) on Saturday September 16, 2017 @10:52AM (#55209605) Homepage

    I have some (extremely limited) sympathy for patching "deep application infrastructure" things like Struts, because it can take quite a bit of QA to make sure that the patches don't break the application or make the problem worse. That being said, it's a top priority and companies - especially in PCI or similar compliance environments - need to budget the time and resources to deal with issues like this, because they will pop up on a regular basis.

    That being said, this problem could have been blocked without patching. First of all, an application-level proxy / API that sanity checks the types and rate of requests should have been between the public web application and the database back end. All sorts of mischief can be either stopped or at least slowed down here, and the failure to have something like this is a major architectural error. Secondly, a reverse-proxy (or load balancer) could look for attacks of this nature and block them before they get to the web server. F5's products are explicitly capable of stopping this CVE, and I'm sure some of their competitors can do it as well.

    Security needs to exist in layers, because at some point people will screw up at one layer or another. That's just human nature, and it will not change until AIs take over the world and enslave us, but that's a problem for 2019.
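The edge-layer screening the comment above describes can be done without signature matching: parse the Content-Type header against the HTTP media-type grammar and then apply an allowlist of the types the application actually accepts, so anything else is rejected before it reaches the web tier. The following is an added example (not Equifax's, F5's or any vendor's code); the allowlist, the length bound and the sample request headers are all constructed assumptions, and the odd-looking value in the last sample is a placeholder that is not a media type, not a working payload.

```python
"""
Edge-layer Content-Type screening for a reverse proxy (added example; assumptions
noted inline). Instead of pattern-matching known payloads, it parses the header
against the RFC 7231 media-type grammar and then applies an allowlist, so anything
the application never legitimately sends is rejected before reaching the web tier.
"""
import re
from typing import Dict, List, Tuple

# Assumption: the fronted application only ever accepts these body types.
ALLOWED_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
}
MAX_HEADER_LEN = 256  # assumption: generous upper bound for legitimate values

# RFC 7230 token / quoted-string and RFC 7231 media-type grammar:
# type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = TOKEN + r"=(?:" + TOKEN + "|" + QUOTED + ")"
MEDIA_TYPE_RE = re.compile(
    r"^(" + TOKEN + r")/(" + TOKEN + r")((?:[ \t]*;[ \t]*" + PARAM + r")*)[ \t]*$"
)


def validate_content_type(value: str) -> Tuple[bool, str]:
    """Accept only a well-formed media type whose type/subtype is allowlisted."""
    if len(value) > MAX_HEADER_LEN:
        return False, "header exceeds length bound"
    m = MEDIA_TYPE_RE.match(value.strip())
    if m is None:
        return False, "not a well-formed media type"
    media_type = f"{m.group(1)}/{m.group(2)}".lower()
    if media_type not in ALLOWED_MEDIA_TYPES:
        return False, f"media type '{media_type}' not in allowlist"
    return True, "ok"


def screen_request(headers: Dict[str, str], has_body: bool) -> Tuple[bool, str]:
    """Decide whether a request may be forwarded to the web tier."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    content_type = lowered.get("content-type")
    if content_type is None:
        return (False, "body without Content-Type") if has_body else (True, "ok")
    return validate_content_type(content_type)


# Constructed sample requests (not real traffic). The fifth entry is a value that
# is not a media type at all; it is a placeholder, not a working payload.
SAMPLE_REQUESTS = [
    ({"Content-Type": "application/x-www-form-urlencoded"}, True),
    ({"content-type": "multipart/form-data; boundary=----constructed1234"}, True),
    ({"Content-Type": 'application/json; charset="utf-8"'}, True),
    ({"Content-Type": "text/xml"}, True),
    ({"Content-Type": "%{#constructed_expression_placeholder}"}, True),
    ({"Host": "example.invalid"}, False),
]


def screen_samples() -> List[Tuple[bool, str]]:
    """Run the screen over every constructed sample and return the verdicts."""
    return [screen_request(headers, has_body) for headers, has_body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (headers, _), (ok, reason) in zip(SAMPLE_REQUESTS, screen_samples()):
        print("FORWARD" if ok else "BLOCK  ", reason, headers)
```

The point of the allowlist is that the check does not need to know what an attack looks like: a header that is not one of the three media types the application uses is blocked whether or not it resembles any known exploit, and a blocked request with an unparseable header is also a cheap, high-signal event to forward to the SOC.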

  • Get diversely fucked.

  • So, one year they send me two documents. One says "pci compliance". One is for data breach insurance. I do the PCI, and toss the insurance. The next year, they send me PCI compliance, and charge me for the insurance. I call, tell them no, as I don't have any hackable databases, unless you break into my office and pull out handwritten credit card numbers from each individual file. I argue with them, and they tell me that it is mandatory. I read the policy, and find it is almost useless. If I don't PC

  • what a bs. (Score:3)

    by kiviQr ( 3443687 ) on Saturday September 16, 2017 @11:22AM (#55209705)
    A company that holds that much information should have top notch security. That includes penetration testing, penetration detection and multiple layers. Public layer should never have access to database that has that much information. There should be an internal webservice that returns filtered information. This is 101 security!
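The internal, filtering web service argued for in the comment above (and the request-type and rate sanity checks between the public application and the database that ErikTheRed's comment calls for) can be sketched as a small data-access service: the public tier holds no database connection, asks the service for records by id and field list, and the service enforces a per-role field allowlist, masks sensitive fields, caps batch size and rate-limits each caller so that bulk extraction is slow and leaves an audit trail. This is an added example, not code from Equifax or from any project; the records, roles, field policy and rates are constructed, and the token-bucket rate limiter takes an injectable clock so the behaviour is reproducible.

```python
"""
Internal data service between the public web tier and the record store (added
example; records, roles, policy and rates are constructed assumptions).
"""
import time
from typing import Callable, Dict, List

# Constructed sample records; every value is fake.
RECORDS = {
    "1001": {"name": "A. Sample", "ssn": "123-45-6789", "dob": "1970-01-01", "score": 712},
    "1002": {"name": "B. Example", "ssn": "987-65-4321", "dob": "1985-06-15", "score": 640},
}

# Assumption: per-role policy. The public tier may only see masked fields and a
# few ids per call; an internal fraud-operations role may see more, more often.
POLICY = {
    "public-web": {"fields": {"name", "ssn_last4", "score"}, "max_ids": 5, "rate": 2.0},
    "fraud-ops": {"fields": {"name", "ssn", "dob", "score"}, "max_ids": 50, "rate": 10.0},
}


class TokenBucket:
    """Allows `burst` calls immediately, then `rate` calls per second."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class DataService:
    """The only component that touches the record store."""

    def __init__(self, records, policy, clock: Callable[[], float] = time.monotonic):
        self.records, self.policy = records, policy
        # Assumption: burst equals one second's worth of the role's rate.
        self.buckets = {role: TokenBucket(p["rate"], int(p["rate"]), clock) for role, p in policy.items()}
        self.audit: List[str] = []  # in a real deployment this goes to the SIEM

    @staticmethod
    def _project(record: Dict[str, object], fields: List[str]) -> Dict[str, object]:
        # Derived, masked fields are computed here; raw values never leave unless allowed.
        return {f: ("***-**-" + record["ssn"][-4:]) if f == "ssn_last4" else record[f] for f in fields}

    def lookup(self, role: str, ids: List[str], fields: List[str]) -> Dict[str, Dict[str, object]]:
        policy = self.policy.get(role)
        if policy is None:
            raise PermissionError("unknown caller role")
        if not self.buckets[role].allow():
            self.audit.append(f"RATE_LIMIT role={role}")
            raise PermissionError("rate limit exceeded")
        disallowed = set(fields) - policy["fields"]
        if disallowed:
            self.audit.append(f"DENY role={role} fields={sorted(disallowed)}")
            raise PermissionError(f"fields not permitted for {role}: {sorted(disallowed)}")
        if len(ids) > policy["max_ids"]:
            raise PermissionError("too many ids in one call")
        self.audit.append(f"OK role={role} n={len(ids)} fields={sorted(fields)}")
        return {i: self._project(self.records[i], fields) for i in ids if i in self.records}


def demo() -> Dict[str, object]:
    """Exercise the service with a fake clock so the rate limiter is deterministic."""
    now = [0.0]
    svc = DataService(RECORDS, POLICY, clock=lambda: now[0])
    out: Dict[str, object] = {}
    out["public_view"] = svc.lookup("public-web", ["1001"], ["name", "ssn_last4"])
    try:
        svc.lookup("public-web", ["1001"], ["ssn"])  # raw SSN is not in the public allowlist
        out["public_raw_ssn"] = "allowed"
    except PermissionError as exc:
        out["public_raw_ssn"] = str(exc)
    try:
        svc.lookup("public-web", ["1002"], ["name"])  # third call within the same second
        out["third_call"] = "allowed"
    except PermissionError as exc:
        out["third_call"] = str(exc)
    now[0] += 1.0  # one second later the bucket has refilled
    out["after_wait"] = svc.lookup("public-web", ["1002"], ["name"])
    out["ops_view"] = svc.lookup("fraud-ops", ["1001"], ["ssn"])
    out["audit"] = list(svc.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices matter here: the rate-limit check runs before the field check, so a caller that keeps asking for fields it is not allowed still burns its quota, and every denial is written to the audit list, which is exactly the kind of signal whose absence let the intrusion in the story run unnoticed for months.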
  • One would think that after suffering one of the worst breaches ever in terms of the potential damage, a company would look for fresh perspectives, and not hire the new leaders from within.

      One would think that after suffering one of the worst breaches ever in terms of the potential damage, a company would look for fresh perspectives, and not hire the new leaders from within.

      Perhaps not too many outside leaders are interested in being hired as officers on a sinking ship?

  • ..but were David Webb and/or Susan Mauldin amongst those execs that sold shares before the breach was made public?

  • Clearly, the root cause here is cat parasites that impaired judgement of the board and execs to ignore basic security practices in a trust and consumer data line of business. It is like mice getting attracted to cat urine smell, only with your financial information.

  • FTP: "Thus, MarketWatch reports, Equifax 'admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began.' And even then, Equifax didn't notice (and remove the affected web applications) until July 30."

    I'll be interested to see how Equifax is punished for their lack of security in allowing the sensitive data -- not even given willingly to them -- of 143 million Americans to be stolen. Our laws in this country give slaps on the wrist to t

  • It's interesting that an Open Source API, Apache Struts (likely a few jar files in a web application), caused this issue. Good old reliable and free Apache Struts. This isn't a simple run patch.exe and all is good scenario by some admin. You'd have to update the jars to the fixed Apache versions (hopefully these exist), retest everything in the app, and rerelease it to production.

