2017-10-12
Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com)
For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits.
It just keeps getting better!
The problem is that we have little say on the data that Equifax has on us. It is not like we went to Equifax and gave them the info; they had been collecting it for years without our direct permission.
In short, Equifax just screwed everyone, and to be joyous about this hack, even if it were to put them out of business, is like celebrating the crook going to jail after he had burned down your home and you lost everything. You are still suffering, even if justice was served.
The problem is that IT security is so complex that most regulations would be either ineffective, because the nature of how the hacks happen will change, or overly punitive, where hacks could be used to kill a company, or a company would be afraid to use computers to expand their business. It could also send a wrong chilling effect, where most companies now trying really hard to secure their systems against many different methods shift to just doing what is legally stated, thus creating more problems.
id10t? (Score:3)
Surely the definition of stupidity is when you keep on doing the same thing and expect different results?
to make it very clear: Equifux are scum. DANGEROUS scum. Don't go there! Not now. Not ever.
THIS MEANS YOU!
But wait, there's more! (Score:1)
If you're a comedian, it's good for more material than even Trump currently.
Trump did nothing wrong. When he gets us to the moon for real you'll eat your words.
This may not have been Equifax (Score:5, Interesting)
This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/DNS_spoofing
Equifax was responsible for setting up a separate website to deal with this hack. Doing so increased the likelihood of stuff like this happening (which it has, apparently *twice* now). So, even if this "wasn't Equifax", I'm still going to blame them for failing web security fundamentals.
Re: (Score:3)
This sounds suspiciously like a DNS poisoning attack, which could have been impacting his ISP, but targeting a domain used by Equifax. Such attacks are completely outside of the control of the target. https://en.wikipedia.org/wiki/... [wikipedia.org]
That's a possibility, but the story is subtitled "Malware researcher encounters bogus download links during multiple visits.", and one would hope a malware researcher would have considered it. The article says it could be due to an ad the site was displaying:
It's not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that's responsible for the redirects. In that case, the breach, technically speaking, isn't on the Equifax website.
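The quoted analysis points at a third-party ad or analytics script as the likely injection point. As an added example (not code from the article, Equifax or the commenters), here is a check a site owner can run over their own markup to flag external scripts that are loaded from an origin outside an allowlist or without Subresource Integrity pinning; the site name, allowlist and sample HTML are constructed.

```python
"""Audit <script> tags in an HTML document for third-party origin and SRI use."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not Equifax's markup): one first-party script,
# one allowlisted CDN script pinned with SRI, one unpinned analytics script
# from an origin that is not on the allowlist, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-allowed.com/lib.js"
        integrity="sha384-abc123" crossorigin="anonymous"></script>
<script src="https://tracker.example-thirdparty.net/collect.js"></script>
<script>console.log('inline');</script>
</head></html>
"""

FIRST_PARTY = "www.example-site.com"              # hypothetical site host
ALLOWED_THIRD_PARTY = {"cdn.example-allowed.com"}  # hypothetical allowlist


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, first_party=FIRST_PARTY, allowed=ALLOWED_THIRD_PARTY):
    """Return findings for external scripts that come from a non-allowlisted
    origin and/or lack an integrity attribute. Inline and first-party
    scripts are skipped; SRI cannot be applied to inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue                      # inline script
        host = urlparse(src).hostname
        if host is None or host == first_party:
            continue                      # relative or first-party URL
        problems = []
        if host not in allowed:
            problems.append("origin-not-allowlisted")
        if not attrs.get("integrity"):
            problems.append("missing-sri")
        if problems:
            findings.append({"src": src, "host": host, "problems": problems})
    return findings
```

SRI only fits scripts whose content is stable; for an analytics tag that changes on the provider's side, the remaining control is a strict Content-Security-Policy script-src allowlist plus monitoring of what those origins actually serve.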
2020 can't get here soon enough (Score:3)
Can't wait until Adobe kills Flash in 2020 and everyone moves away from that piece of garbage.
Don't worry, we'll find another piece of garbage to infest our computers, tie up CPU cycles unnecessarily and generally annoy internet users and make webpages insufferably bloated long before Flash's demise.
Re: (Score:2)
Cron can't agree to an updated End User License Agreement.
People have been predicting Flash will "end soon" for about two decades. It doesn't. It's the reverse of the Duke Nukem Forever pattern. "Unvaporware"? Or how people now ask the Moonies at the airport to define "soon".
Why is this even possible? (Score:4, Insightful)
Any private citizen who would commit a tiny, insignificant fraction of this kind of blunder would be behind bars, with his assets seized. What is so special about a company that should have been shut down weeks ago?
And why is that CEO still at large?
just asking for some greyhats (Score:2)
You know what would be an ironic rebalancing of the cosmos?...
He's not behind bars.
Then again, maybe it's for the better. It's so hard to get a hand on those bastards when the state protects them.
Bootstrapping stage 0 of Rust (Score:2)
Why would we keep using C and C++ when there's a better language out there in the form of Rust?
Because there exist many non-PC platforms to which a C compiler or a C++ compiler has been ported but a Rust compiler has not. How would you even bootstrap stage 0 of a Rust compiler on a new ABI if it's written in Rust and there are no other independent implementations of Rust? My best guess, which I haven't tried, is to go back to some OCaml compiler, build old Rust, and then build new Rust from that.
If corporations are people... (Score:3)
I don't remember who said but they said, "I'll believe corporations are people when we can cut their head off."
Corporate Compromise Bingo anyone?? (Score:2)
What I would suggest is that the entire IT staff and C_O group repeat after me
"Would you like me to tell you the Daily Specials?"
"Would you like fries with that or Maybe upgrade to Our new LOADED FRIES"
Incompetence... (Score:5, Interesting)
At this point you have to wonder if it isn't time to revive the idea of a corporate death penalty.
How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors? What's Equifax's excuse going to be this time?
How long would anyone keep doing business with an armored car company that keeps forgetting to lock the doors?
Businesses don't care - it is the consumers being hurt, not the businesses using Equifax's services. It would be like a local store that keeps getting broken into and robbed in the middle of the night. Would a person stop buying from them just because they're losing stuff? It doesn't affect them (assuming the data doesn't get modified). As long as they have what the person wants at a reasonable price when they want it, why should they care that the business has a loss problem?
Stop being so judgemental (Score:3)
You people act as though Equifax is made of money that they can lavishly spend it on securing the highly sensitive financial data of consumers who never gave the company authority to collect and share it in the first place. Equifax only made $3.1 billion last year; they have a lot of wealthy shareholders and executives whose lifestyles depend on a high revenue to profit ratio.
Sure, Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company, but that could happen to anyone.
/s
I'm shocked (Score:5, Interesting)
I'm more shocked to know there's 65 antivirus providers. Is Windows really that bad?
Completely and totally INCOMPETENT! (Score:3)
So, what do we do now? The management at Equifax has now proven beyond any reasonable doubt that they are completely incompetent, totally incapable of being responsible for the data they collect. Who takes over? Can the government come in and take control? Or would that be worse? Who needs to be in charge at Equifax to stop the bleeding and secure their systems?
Furthermore: The incompetence now evident should, in my opinion, be considered criminal negligence, considering how many people are affected, and by 'affected' I mean 'potentially or in fact having their lives RUINED'. Round up the management at Equifax, everyone who was responsible for the decisions that led us to this point, put them under arrest, and bring criminal indictments against them. I'd much rather prefer severed heads on poles lining Wall Street, but we don't do that sort of thing in this country so I'll settle for mandatory jail time, megafines, seizing of assets, and court orders prohibiting these idiots from ever working in the finance industry ever again -- or anywhere else that can affect the lives of hundreds of millions of people. I'm sure Walmart would just love to have them as greeters, or maybe the Jiffy Lube down the street will hire them.