After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com)
Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced, the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.
Well duh.... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1, Informative)
You could at least try to get your trolling right. Tesla CEO said that people who didn't like volatility shouldn't invest in them. He never said anything about avoiding them if they expect to make money. He's also explicitly stated that they're very likely to start turning profits in Q3/Q4 of this year...so there's that. But by all means, go back to your negative blathering.
Re: (Score:1)
Just left a meeting discussing solving that (Score:2)
> C level people rarely understand technology enough to properly communicate the risk and benefit of security. It just isn't typically in their wheel house.
I just left a meeting with the CEO of our security company in which we discussed how to solve this. Heck, even the technical C people, like a CIO of a major company, are busy with many different things - desktops, network, on-premise servers, cloud .... They don't have time to really understand each of the vulnerabilities that come out every day.
They
Re: (Score:1)
A data breach makes money for the C-levels. If they can wait six months between the breach and the announcement, they can short their stock early on, and in two quarters, cash in when the company stock values plummet, and the SEC here in the US cannot touch them. Even if they just short/dump the stock a few days ahead, they have made a mint, as insider trading is something that isn't enforced these days.
Re: (Score:2)
More likely this is about lazy/ignorant security practices than a cynical decision to save money short term.
Equifax got away, so why change? (Score:5, Insightful)
Re: (Score:3)
This is exactly correct. There's no money in fixing security problems, insurance will pay any damages, and executives are shielded from any liability anyway. And all they have to do is give consumers a year of free "credit monitoring."
Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happe
Re: (Score:2)
> Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happened.
We can't do that, as software engineers don't often write any code from ground-up and often don't control how code they write is used. In civil engineering it is possible to control all aspects of the project and very clearly limit its scope of use. Now imagine building a skyscraper when the foundation was designed by someone else, you have no control over how closely the spec was followed during construction, and at some point some madman would try to land a 747 on it. That is how civil engineering as soft
Re: (Score:2)
Do you know how many groups/people have a hand in even new home construction? The foundation was poured by a concrete specialist, the plumbing by plumbers, the drywall was manufactured by companies specialized in it, etc. Now for a skyscraper the number skyrockets with all of the specialized construction materials and techniques required. An architect or CE has to trust that each of them has delivered to spec. Things get tested on site, e.g. slump tests, but by and large the contractor must deliver to spec. T
Re: (Score:2)
Maybe there would be fewer bad hamster wheel owners if the hamsters had a way to push back. If the hamster was a PE, and the penalty for signing off on something they were forced to rush through was "you'll never work in the industry again and will be sued out of existence," the level of cowboy development would go way down.
The fact that whole branches of software development can go in and out of fashion in 6-month cycles is a bug, not a feature. No one will support this because most techies think regulatio
FAA level code audits cost way too much to do (Score:2)
FAA level code audits cost way too much to do. And also, why should the 1099 or H1B risk being fired / kicked out by not signing off?
Re: (Score:1)
Re: (Score:2)
If you really need to fix the problem, you *must* hold the decision makers accountable.
There will always be some personnel who will do what they are asked, because they don't care or they don't know how bad things are. If they can't find any in their own country, they will offshore to developers in a country that just has no reason whatsoever to care.
Re: (Score:2)
Because the orders are not illegal, just wrong... And you'll be fired for not following them. You might even be fired just for pointing out that the orders are wrong.
Re: (Score:2)
Equifax is more like sending the box of rivets saying "PATCH RIGHT NOW" and the box gets left under someone's desk for 6 months, then the bridge falls down.
But it's more like a box with cover panel, some rivets and an assembly robot with a description saying "if someone taps this specific rivet on a specific angle with a specific amount of force, it may fall out, leaving other rivets vulnerable to similar attacks that may eventually weaken the structure enough for the bridge to collapse" and all they have t
Re: (Score:1)
Not quite. The problem with software patches is that they can and do cause things to break occasionally. Reference most recently the patches for the Intel CPU bugs which ended up breaking more than they fixed. I personally had a 2k8 server render itself unbootable because it has a particular model AMD CPU that could not execute certain instructions that were present in Intel's patch. Fault to Microsoft for not doing enough testing but it appeared to affect only certain AMD CPUs.
More like, we replaced the ri
Re: (Score:2)
Would have been great to use this as data to ensure Equifax was punished for that breach. Now it becomes the status quo...
Re: (Score:3)
> insurance will pay any damages
If there were significant damages, this would be part of the solution, not part of the problem. Insurance companies are quite good at assessing risk and delivering targeted recommendations which must be followed to get lower premiums. The problem is that there are no real damages for insurance companies to pay, so none of these incentives come into play.
Maybe what we need is statutory damages for privacy breaches, which apply above and beyond any provable actual damages. Say, $100 for each social securi
Why Patch (Score:3, Insightful)
How many Equifax executives have gone to prison?
Put them in chains, and other executives might notice.
Consultant-built Software (Score:3, Informative)
One problem is that companies continue to run software that was built as a one-off by some consulting company, offshore vendor or similar. They either don't exist anymore, or want millions to even look at the code again. Those packages need these out-of-date frameworks and other software as dependencies, and the company doesn't have the expertise in-house to know whether a patch will break something. In my line of work, the main offender is awful Java thick client applications, and these often require a _specific_ point release of some horribly outdated JRE/JDK. But JEE web apps are even worse in this regard...and despite the hype around app-of-the-month, there are TONS of these systems from the 2000s floating around in big companies.
Consulting companies should be required to at least hand over the source code for software they produce if they're not interested in maintaining it long-term as an actual product. And if a company is relying on some system as a dependency, they shouldn't allow their vendors to walk away without fully understanding what they've left running on their systems.
Re: (Score:2)
The problem is none of the companies hiring these consultancies understand what they're getting...
They should demand source code, should demand a second source supplier, should demand ongoing maintenance, should demand that the software store data and communicate using documented protocols so that it's easily replaceable.
But very few people ever make these demands, so few of the consultancies cater to them.
It should be due diligence to insist on all of the above and have a thorough procurement policy, but fo
Re: (Score:2)
Note that a lot of these top-100 companies are chock full of outdated closed source software too.
On a recent random check of a few laptops from one of those sorts of companies, the average was about 2 years since they last received any update whatsoever from Microsoft (their update mechanism had broken and they had no reporting about it). I was working with another company and they were intentionally using a commercial product from a company that went out of business 15 years ago, because it would be too mu
Re: (Score:2)
So ignore the truth, check.
Probably all relying on same version of WebSphere (Score:1)
(or some other ill-conceived and bloated atrocity that will never receive security updates because they cost too much money)
Re: (Score:1)
Maybe you should read up on WebSphere and figure out why these huge enterprises may be all mysteriously holding onto an ancient and buggy fork of an open source project.
If you allow them to do it... (Score:2)
Was this flawed software deemed "non-compliant" by a government regulatory body of some sort after the Equifax breach?
No?
Well, then, why the hell would you expect things to change? The financial sector isn't going to do anything that costs money or time that doesn't personally benefit them unless you force them to.
Re: (Score:2)
I share the thought that those downloads do not *necessarily* mean the company deployed insecure software, but to say that 'most of these companies' are patching the security issues is way too optimistic. Sure some, but most are completely oblivious.
Re: (Score:1)
I too am Ameri..... wait no I can't type that with a straight face. I would be embarrassed to be an American. I'm glad I'm not.
Re: Witch hunt (Score:2)
Shills be shillin'
More hype (Score:2)
How many went to jail for Equifax breach? (Score:3)
What it lost was money, right? And who lost it? The shareholders.
All the bonuses and pay these executives were gorging themselves on were not clawed back. They did not go to jail. They paid the fines and compensation using shareholders' money.
Why would they change?
Why would you expect them to change?