Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com) 62

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.
This discussion has been archived. No new comments can be posted.

After Equifax Breach, Major Firms Still Rely on Same Flawed Software

Comments Filter:
  • Well duh.... (Score:5, Insightful)

    by Kenja ( 541830 ) on Monday May 07, 2018 @01:44PM (#56568654)
    A data breach may cost money later, but changing would cost money now, which is all stock holders care about.
    • by Anonymous Coward

      A data breach makes money for the C-levels. If they can wait six months between the breach and the announcement, they can short their stock early on, and in two quarters, cash in when the company stock values plummet, and the SEC here in the US cannot touch them. Even if they just short/dump the stock a few days ahead, they have made a mint, as insider trading is something that isn't enforced these days.

    • by Raenex ( 947668 )

      More likely this is about lazy/ignorant security practices than a cynical decision to save money short term.

  • by sinij ( 911942 ) on Monday May 07, 2018 @01:48PM (#56568684)
    This behavior is very logical. Equifax got away with gross negligence in the area of data security. It follows that expenditures on data security can be minimized. Updates and technical expertise costs money, market-driven approach would be to keep already paid-for systems in place and outsource maintenance of these old systems to the lowest bidder.
    • This is exactly correct. There's no money in fixing security problems, insurance will pay any damages, and executives are shielded from any liability anyway. And all they have to do is give consumers a year of free "credit monitoring."

      Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happe

      • by sinij ( 911942 )

        Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happened.

        We can't do that, as software engineers don't often write any code from ground-up and often don't control how code they write is used. In civil engineering it is possible to control all aspects of the project and very clearly limit its scope of use. Now imagine building a skyscraper when the foundation was designed by someone else, you have no control over how closely the spec was followed during construction, and at some point some madman would try to land a 747 on it. That is how civil engineering as soft

        • by plopez ( 54068 )

          Do you know how many groups/people have a hand in even new home construction? The foundation was poured by concrete specialist, he plumbing by plumbers, the dry wall was manufactured by companies specialized in it etc. Now for a skyscraper the number sky rockets with all of the specialized construction materials and techniques required. An Architect or CE has to trust that each of them has delivered to spec. Things get tested on site, e.g. slump tests, but by and large the contractor must deliver to spec. T

      • by sheph ( 955019 )
        If it's due to negligence then yes I completely agree. It's all well and good to blame the engineer if the design is flawed due to incompetence. However, if it's because of pressure from above to ignore security issues, or go with the cheapest option rather than the best option and push forward with bad design then those making that decision should be held accountable.
      • Would have been great to use this as data to ensure Equifax was punished for that breach. Now it becomes the status quo...

      • insurance will pay any damages

        If there were significant damages, this would be part of the solution, not part of the problem. Insurance companies are quite good at assessing risk and delivering targeted recommendations which must be followed to get lower premiums. The problem is that there are no real damages for insurance companies to pay, so none of these incentives come into play.

        Maybe what we need is statutory damages for privacy breaches, which apply above and beyond any provable actual damages. Say, $100 for each social securi

  • Why Patch (Score:3, Insightful)

    by Anonymous Coward on Monday May 07, 2018 @01:48PM (#56568688)

    How many Equifax executives have gone to prison?

    Put them in chains, and other executives might notice.

  • by ErichTheRed ( 39327 ) on Monday May 07, 2018 @01:50PM (#56568696)

    One problem is that companies continue to run software that was built as a one-off by some consulting company, offshore vendor or similar. They either don't exist anymore, or want millions to even look at the code again.Those packages need these out-of-date frameworks and other software as dependencies, and the company doesn't have the expertise in-house to know whether a patch will break something. In my line of work, the main offender is awful Java thick client applications, and these often require a _specific_ point release of some horribly outdated JRE/JDK. But JEE web apps are even worse in this regard...and despite the hype around app-of-the-month, there are TONS of these systems from the 2000s floating around in big companies.

    Consulting companies should be required to at least hand over the source code for software they produce if they're not interested in maintaining it long-term as an actual product. And if a company is relying on some system as a dependency, they shouldn't allow their vendors to walk away without fully understanding what they've left running on their systems.

    • by Bert64 ( 520050 )

      The problem is none of the companies hiring these consultancies understand what they're getting...

      They should demand source code, should demand a second source supplier, should demand ongoing maintenance, should demand that the software store data and communicate using documented protocols so that its easily replaceable.

      But very few people ever make these demands, so few of the consultancies cater to them.

      It should be due diligence to insist on all of the above and have a thorough procurement policy, but fo

  • (or some other ill-conceived and bloated atrocity that will never receive security updates because they cost too much money)

  • Was this flawed software deemed "non-complaint" by a government regulatory body of some sort after the Equifax breach?

    ...
    No?

    Well, then, why the hell would you expect things to change? The financial sector isn't going to do anything that costs money or time that doesn't personally benefit them unless you force them to.

  • All they showed was how many downloads, not how many implementations. I'm sure my company has downloaded a copy of the software too, we use local copies of various repos. We don't use Struts anywhere, we just prefer to maintain local repos.
  • None. Right?

    What it lost was money, right? And who lost it? The shareholders.

    All bonuses and pay all these executives wee gorging themselves in, was not clawed back. They did not go to jail. They paid the fines and compensation using shareholder's money.

    Why would they change?

    Why would you expect them to change?

Avoid strange women and temporary variables.

Working...