Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com) 150
For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.
Wow (Score:1)
It just keeps getting better!
Re: (Score:3)
NUKE IT FROM ORBIT, it's the only way to be sure (Score:2)
Re:Wow (Score:5, Insightful)
The problems is that we have little say on the data that Equafax has on us. It is not like we went to Equafax and gave them the info, they had been collecting it for years without our direct permission.
In short Equafax just screwed everyone, and to be joyous about this hack, even if it were to put them out of business, is like celebrating the crook going to jail, after he had burned down your home and lost everything. You are still suffering, even if justice was served.
Re:Wow (Score:5, Insightful)
Re:Wow (Score:5, Insightful)
The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business. Also it could send a wrong chilling effect, where now most companies are trying really hard to secure their systems from many different methods, to just doing what is legally stated, thus creating more problems.
Re: (Score:1)
or a company would be afraid to use computers to expand their business.
You say that like it is always a bad thing. But some things should not be so easily accessed from the internet. Maybe the data that the credit bureaus aggregate should be one of those things.
So you now have to wait a few days before getting approval for a new line of credit, big fucking whoop.
Re: (Score:2)
Any rules on IT security will not be confined to just Credit Agencies. This will affect a local Mom and Pop shop that has an online store website setup.
Incompetence is not a valid excuse (Score:5, Insightful)
The problem is IT security is so complex, that most regulations would either be ineffective: because the nature on how the hacks happen will change, overly punitive: where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business.
Claiming that a problem is complex is not a valid excuse for doing the job incompetently such that it results in harm to others. If you cannot manage sensitive data safely then you either need to exit the business or step your game up. They do not get a free pass just because it's a hard problem. If the security problem is that hard that they need government indemnification then they DEFINITELY need to be regulated. Medicine is easily as if not more complex than IT security and yet doctors are held liable for malpractice and are highly regulated. I see no reason why ITprofessionals should be held to a lesser standard of care if they want to manage sensitive data like credit histories or medical records.
Regulations don't have to specify specific technology or tactics. They just have to specify that they have to keep the data secure, what secure means, and outline punishments for failure to do so. If they cannot handle the risk then don't get into the business.
Re: (Score:2, Interesting)
Medicine is easily as if not more complex than IT security
You have no idea what the nature of infosec is. The way the human body operates doesn't change weekly. There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die. In IT, it's weekly patches or you are fucked. It's relearn how it works over and over and over your whole career. Penicilin still works at least some of the time. Nothing from infosec lasts a tenth as long. There is no sitting still with technology.
And that does not even begin to tackle the largest, most ad
Re: (Score:2)
perhaps being an info slut and allowing access to your holes to any one who wants it is not a behavior that lends itself to disease avoidance. i for one will be just fine with equifax dying because of their malfeasance.
Disease and mutations (Score:2)
There aren't dozens of damning new plagues daily that everyone has to take medicine for or they die.
Not sure what planet you live on but there literally are new diseases every day (ever hear of mutations?) and people do literally die from them. Every day, all around the world. Diseases like influenza and malaria are constantly mutating and overcoming even our best attempts to shield against them. And unlike you I'm not talking about a figurative death either. Literally millions of people die - literally die - every year because of new versions of diseases that our immune systems and medical technology
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The one thing that is impossible in the field of IT security is the consumers waking up. Everything else is possible.
Re: (Score:3)
You can hate Equifax all you want, but you should really be also complaining about all the other companies that are giving it to them.
If nobody freely (or with some $$$) gave them your information when you signed up for stuff, they wouldn't have a business.
Exactly .... (Score:3)
I understand the purpose of credit reporting agencies, and I don't have a blanket hatred or dislike of them like some people. (Hey, sorry if you're irresponsible with your money all the time and don't pay your bills when due. That doesn't make the "messenger" evil when they perform the function of warning others about your financial behavior.)
But Equifax? They've long been frustrating because of a lack of care in verifying the data they collect, and a general unwillingness to correct mistakes on credit repo
You've got plenty of say (Score:3)
This is the philosophy of "You always have a choice". It's popular with the right wing, libertarians, corporations and the Republican party. You can try pointing out that it's not possible to find a bank or credit card that doesn't do business with Equifax and also impossible to live without either but I've found those arg
Re: (Score:2)
Hence why I said directly.
The paperwork doesn't say Can I give this information to Equafax? Where I can check yes or no on it.
Re: (Score:3)
Re: (Score:2)
The OS only matters if you can't do the work at the application level. Java could have been involved, but only because jvms are so common. Otherwise it would have needed to be some non-virtual machine language, like C or some such.
The thing is, if you can compromise a web application sufficiently to allow you to download and execute a binary, and you have your data available at the account that's contacting the web, no further security breaches are needed to have EVERYTHING copied over. Or erased. Or se
Re: (Score:2)
(I wonder how often they send an actual decryption key after payment...and how often the acceptance of payment is the last you hear of them.)
If you're referring to ransomware, the vast vast vast majority is just a scripted turn-key system. Set it and forget it. If word got out you didn't decrypt, nobody would pay, and nobody is looking at the data that got encrypted, that would leave a trail back to the culprit. So it's almost 100% of the time you pay, you get the key, and so long as you don't do whatever got you automatically infected in the first place again, you won't be re-infected. Just business.
id10t? (Score:5, Insightful)
Surely the definition of stupidity is when you keep on doing the same thing and expect different results?
to make it very clear: Equifux are scum. DANGEROUS scum. Don't go there! Not now. Not ever.
THIS MEANS YOU!
Lots of folks don't have a choice (Score:3)
Re: (Score:2)
ew! this milk has gone bad! let me try again.. yeah, no, still bad! maybe one more time... oh, that one was chunky, gross!
Re: (Score:2)
Surely the definition of stupidity is when you keep on doing the same thing and expect different results?
No, that's the definition of trying again. Stop repeating this fallacy. If you play basketball, and you miss a basket once, you get the ball back and shoot it, are you stupid because you are hoping for better results this time? Of course not!
Re: (Score:2)
I see what you did there. /slowclap
But wait, there's more! (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
If you're a comedian, it's good for more material than even Trump currently.
Re: (Score:3)
Trump did nothing wrong. When he gets us to the moon for real you'll eat your words.
Re: (Score:2)
Huh, I thought we had already been there a couple of times last century. Or was that fake news too?
Re: (Score:2)
Hey, I bet a lot of people would not mind shooing him on the moon.
This may not have been Equifax (Score:5, Interesting)
This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/DNS_spoofing
Re:This may not have been Equifax (Score:5, Interesting)
Equifax was responsible for setting up a separate website to deal with this hack. Doing so increased the likelihood of stuff like this happening (which it has, apparently *twice* now). So, even if this "wasn't Equifax", I'm still going to blame them for failing web security fundamentals.
Re: (Score:3)
Re: (Score:3)
Re:This may not have been Equifax (Score:4, Informative)
This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/... [wikipedia.org]
That's a possibility, but the story is subtitled "Malware researcher encounters bogus download links during multiple visits.", and one would hope a malware researcher would have considered it. The article says it could be due to an ad the site was displaying:
It's not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that's responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website.
Re: (Score:1)
- Equifax.com running non-Equifax ads?
- Internet Explorer
These two alone make me question the article... Posting anon since I've already modded this thread
-Syn3rg
Re: (Score:2)
Wouldn't encryption prevent the web browser from making a secure connection to a spoofed Equifax server?
Re: (Score:1)
Wouldn't encryption prevent the web browser from making a secure connection to a spoofed Equifax server?
No. The data between server and client is encrypted, but then the client has to use a DNS request, fetching data outside the encrypted channel, to determine where to go next. Even if the DNS request was encrypted, the result would still be the same if the DNS cache is poisoned.
Re: (Score:2)
Never run into this before so new to me, but centerbluray.info is being back linked to majestic.com https://www.robtex.com/dns-loo... [robtex.com]
https://majestic.com/reports/s... [majestic.com] one time use (cookie)
2020 can't get here soon enough (Score:5, Insightful)
Can't wait until Adobe kills Flash in 2020 and everyone moves away from that piece of garbage.
Re: (Score:2)
Don't worry, we'll find another piece of garbage to infest our computers, tie up CPU cycles unnecessarily and generally annoy internet users and make webpages unsufferably bloated long before Flash's demise.
Re: (Score:2)
I think it's called HTML5.
Re: (Score:1)
Re: (Score:2)
Cron can't agree to an updated End User License Agreement.
Re: (Score:1)
People have been predicting Flash will "end soon" for about two decades. It doesn't. It's the reverse of the Duke Nukem Forever pattern. "Unvaporware"? Or how people now ask the Moonies at the airport to define "soon".
Re: (Score:2)
But there are always other craps. What about HTML5? :P
Re: (Score:2)
That won't happen before advertisers pressure W3C to include every BS from Flash into web standards.
Why is this even possible? (Score:5, Insightful)
Any private citizen who would commit a tiny, insignificant fraction of this kind of blunder would be behind bars, with his assets seized. What is so special about a company that should have been shut down weeks ago?
And why is that CEO still at large?
Re: (Score:2, Interesting)
The CEO isn't at large. He was dismissed . . . with tens of millions of dollars. Remember, in the USA, corporations are people. They have all the rights, and none of the responsibilities.
just asking for some greyhats (Score:2)
You know what would be an ironic rebalancing of the cosmos?...
Re: (Score:2)
He's not behind bars.
Then again, maybe it's for the better. It's so hard to get a hand on those bastards when the state protects them.
GO after the company (Score:1)
Equifax has been controversial since it was started in 1899 to serve retailers who wanted to extend credit to customers. Their existence and business practices spawned a few laws.
It's an inherently unethical business.
But here is some bad karma coming there way: Years ago, I was at a talk that had an Equifax exec on its panel. They have to put up with the same shit as we do (there is also Experian and Transunion that also fucks everything up). But she is able to clean stuff up internally fast for herself
Re: (Score:2)
I just hope for a sympathetic terrorist to park the next plane in the correct building this time.
I mean, think of all the sympathy and support they could get! These terrorists are really bad at PR, I tell ya.
Re: (Score:2)
It's the Hamiltonian dream of a government of, by, and for the public corporations. Jefferson's Republic is dead, man. The mercantilism he and his compatriots fought against now rules the day. Free market capitalism has been replaced with "systemically important financial institutions" that will get bailouts courtesy of taxes excised from the middle class - the same people who got screwed over by Equifax.
Re: (Score:2)
Bootstrapping stage 0 of Rust (Score:2)
Why would we keep using C and C++ when there's a better language out there in the form of Rust?
Because there exist many non-PC platforms to which a C compiler or a C++ compiler has been ported but a Rust compiler has not. How would you even bootstrap stage 0 [github.com] of a Rust compiler on a new ABI if it's written in Rust and there are no other independent implementations of Rust? My best guess, which I haven't tried, is to go back to some OCaml compiler, build old Rust, and then build new Rust from that.
Re: (Score:2)
Off-topic here, but ... can Rust do cross compiling? If so, add an output target for the new platform, cross compile, test. Less work if you can get away with it. If not, more work, yay!
Reflections on Trusting Rust (Score:2)
Even if you can cross-compile, you can't ensure that the cross-compiler binary is free of Ken Thompson's self-propagating "trusting trust" attack [stackexchange.com] unless you bootstrapped it from an independently developed compiler [dwheeler.com].
Re: (Score:2)
Yes, Slashdot has not entirely lost the pedantic jackassery that was part of making it great back in the time before time.
Someone wake me up when Natalie, statues, and hot grits come back in style though.
Re: (Score:2)
If corporations are people... (Score:4, Insightful)
Re: (Score:2)
I don't remember who said but they said, "I'll believe corporations are people when we can cut their head off."
Re: (Score:2)
Well, all the C-level managers and the BoD, yes.
Re: (Score:2)
Prisons are for-profit. Also, if you didn't already know, you might be surprised to learn how much cheaper-than-china production happens in them (in the USA).
Corporate Comprimise Bingo anyone?? (Score:2)
What i would suggest is that the entire IT staff and C_O group repeat after me
"Would you like me to tell you the Daily Specials?"
"Would you like fries with that or Maybe upgrade to Our new LOADED FRIES"
Incompetence... (Score:5, Interesting)
At this point you have to wonder if it isn't time to revive the idea of a corporate death penalty.
How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors? What's Equifax's excuse going to be this time?
Re: (Score:2)
How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors?
Businesses don't care - it is the consumers being hurt, not the businesses using Equifax's services. It would be like a local store that keeps getting broken into and robbed in the middle of the night. Would a person stop buying from them just because they're losing stuff? It doesn't effect them (assuming the data doesn't get modified). As long as they have what the person wants at a reasonable price when they want it, why should they care that the business has a loss problem?
The most likely reason why it c
Re: (Score:2)
The thing is, it wouldn't affect Equifax much if the data *WAS* modified. They don't care much whether it's accurate or not.
Corporate death penalty doesn't accomplish anythin (Score:2)
Re: Incompetence... (Score:1)
corporate death penalty
I am sick of this term. It pretends that it is as controversial as killing people.
Re: (Score:2)
Logical fallacy in play - because a past abuse was not punished should not prevent new abuses from being punished.
Re: (Score:2)
Stop being so judgemental (Score:5, Funny)
You people act as though Equifax is made of money that they can lavishly spend it on securing the highly sensitive financial data of consumers who never gave the company authority to collect and share it in the first place. Equifax only made $3.1 billion last year; they have a lot of wealthy shareholders and executives whose lifestyles depend on a high revenue to profit ratio.
Sure, Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company, but that could happen to anyone. /s
Re: (Score:1)
If they they can't afford to protect the data then they have no business collecting it. They don't deserve to exist as a business.
If they can't afford to ensure the accuracy of the data, then they should be responsible for all damages caused by it being inaccurate. And considering how difficult it is to ensure that the data about anyone is accurate, or even to know that you're being damaged, the damages should be multiplied by a few thousand. After all, they're the ones making it difficult to ensure that
Re: (Score:2)
Equifax only made $3.1 billion last year
That's revenue, they made much much less in profit.
I'm not sure it matters how much they spend on security anyway, they're failing on the basics now.
I'm shocked (Score:5, Interesting)
I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
Re: (Score:1)
I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
Don’t be naïve. People write viruses to infect operating systems that are on the most machines. The main reason why Linux is so secure is because viruses would be less successful in targeting them. Also, since they hold the majority of less-savvy users, it makes more sense. Of course Linux is secure. Hardly anyone writes viruses for it.
Re: (Score:2)
No, the main reason that Linux is more secure is that MS stripped out all the security from the OS that they emulated in order to make it run faster on a smaller, cheaper, machine.
MSWindows as designed for a single user machine operated without any network connections. Linux was designed from the start as a multi-user OS with network connections. So security has had to be retrofitted into MSWindows.
I understand that they've done a pretty good job, but because of their EULA I'll never really know.
Re: (Score:2)
If I remember my history correctly, Bill Gates actually stole IBM Dos and rebranded it, because IBM wouldn't protect its assets in any way as they were "trade secrets."
But I believe he may be referring to microsoft's very partial and selective (and frequently broken) POSIX/CAPI implementation, such that they could support compiled code and advertise some sort of not-rewrite-everything-from-scratch migration path away from UNIX, back in the day.
Re: (Score:2)
Bill Gates, on being notified by his parents that IBM was looking for an 8086 OS, bought QDOS from the Seattle Computer Club with an exclusive license and gave IBM a nonexclusive license for QDOS after a quick cleanup job and name change. This meant that, when other computer companies were able to make good clones (basically a BIOS that did the same things as IBM's), they could buy their OS from Microsoft instead of IBM.
I'm not aware that there were any illegalities in here, although it was definitely a
Nope, just that big. (Score:1)
No single Antivirus meets the needs of every user or business. You've got home users who need simplicity, you've got business users who need manageability, you've got gamers who need performance, and developers who need control. You've got different countries with different language needs. You've got your for cost, and your freeware. Finally you've got up starts and Open Source options. Etc. Etc.
What is more surprising is when th
Re: (Score:3)
I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
Yes.
Completely and totally INCOMPETENT! (Score:4, Interesting)
So, what do we do now? The management at Equifax has now proven beyond any reasonable doubt that they are completely incompetent, totally incapable of being responsible for the data they collect. Who takes over? Can the government come in and take control? Or would that be worse? Who needs to be in charge at Equifax to stop the bleeding and secure their systems?
Furthermore: The incompetence now evident should, in my opinion, be considered criminal negligence, considering how many people are affected, and by 'affected' I mean 'potentially or in fact having their lives RUINED'. Round up the management at Equifax, everyone who was responsible for the decisions that led us to this point, put them under arrest, and bring criminal indictments against them. I'd much rather prefer severed heads on poles lining Wall Street, but we don't do that sort of thing in this country so I'll settle for mandatory jail time, megafines, seizing of assets, and court orders prohibiting these idiots from ever working in the finance industry ever again -- or anywhere else that can affect the lives of hundreds of millions of people. I'm sure Walmart would just love to have them as greeters, or maybe the Jiffy Lube down the street will hire them.
Re: (Score:2)
Re: (Score:2)
Failure of culture and controls (Score:2)
My opinion? This is what happens when you have BEAN COUNTERS and PAPER SHUFFLERS making engineering decisions, instead of engineers and other educated, qualified personnel!
I am an engineer and I also happen to be a certified accountant. I can assure you that engineers do not as a general proposition make better (or worse) business decisions than any other category of worker. The problem at equifax was NOT an engineering failure, nor did it happen because engineers weren't making engineering decisions. It was a failure of company culture and a lack of risk controls. The engineering flaws that were exposed were simply predictable knock-on effects of the poor business contro
Re: (Score:2)
Re: (Score:2)
Engineers tend to make different kinds of mistake than do accountants. With engineers running the company this particular kind of mistake probably wouldn't have happened. Actually, with accountants running the company it wouldn't have either. Accountants would have paid attention when the Wall street investors were told that it was a bad investment because the staff wasn't properly trained and they had no backup plan to deal with a break in. Apparently the people running the company were confidence men,
Symantec (Score:2)
... into installing crapware Symantec calls Adware.Eorezo
This sentence doesn't parse. Why "calls ..." after the crapware's name?
hxxp//:? (Score:2)
Eventually, his browser opened up a page on the domain hxxp//:centerbluray.info
a) That's (almost) a URL, not a domain
b) What's with the "hxxp"?
c) The : is in the wrong place
Re: hxxp//:? (Score:2)
Makes the whole story seem kinda suspicious, doesn't it...
Alternate Perspectives (Score:1)
One might argue that a "malware researcher" might already be at increased risk of having already contracted some sort of exploit that might manifest as a malicious redirect.
Then again, where Equifax and their recent security fumbles are concerned, it's certainly within the realm of possibility that such an exploit found its way into their services. Unless there's an independent and unbiased analysis of the Equifax systems and protocols, it's unlikely we'll ever be certain.
Re: New Credit Terms (Score:2)
So you're giving credit entirely? Good for you! But, ah, have "fun" getting a rental car next time you travel...
Oh, and you'll also need to give up use of the entire banking system. And maybe move to North Korea and renounce your citizenship. THEN you'll no longer be in the Credit Slander Bureau's databases. Maybe...