Equifax blames hack on vulnerability that they failed to patch

William Gayde

Staff

As we continue to learn more about the massive breach at Equifax that exposed the sensitive information of 143 million Americans, officials now believe they have discovered how the attack was executed.

The May hack stems from an Apache Struts bug that was patched in March, two months prior.

The specific vulnerability in question, Apache Struts CVE-2017-5638, is triggered by specially crafted HTTP headers and lets attackers execute arbitrary commands on the victim's machine. The vulnerability was labeled as "massive" and was used to compromise countless websites. Two working versions of the attack were also made publicly available online.

Many large institutions such as banks, government agencies and some of the world's top companies use Apache Struts for their web apps.

Vulnerabilities like these happen from time to time and are extremely hard to avoid. This is why developers strongly recommend installing patches as soon as they are available. While Equifax has not officially stated whether or not they patched the bug, there is no real alternative explanation for how the attack could have occurred.

This type of attack is easy for hackers to carry out and labor-intensive for companies to fix. Patching the vulnerability involves manually updating, testing and then re-deploying all Apache Struts web apps that a company uses.

We'll have to wait for the final incident report to know exactly what those web servers were running. Given what we now know, it appears that Equifax's negligence in maintaining their systems is the root cause for one of the financial industry's biggest breaches.


 
Why should I even bother patching my own computer anymore? All of my most sensitive information has already been stolen. Thanks, Equifax.
 
Alas, you're only as secure as the dumbest employee of yours.... it's inevitable that all large companies will get hacked at some point... either by gross incompetence (like this one), or through social engineering or some other method...

If you're trusting your information in anyone's hands other than your own, you must operate on the principle that it will be hacked at some point in time.
 
Nothing, nobody, nowhere...

So how to: pay bills?, share information?, conduct business?

Is it so broken that there is no 'fixing it'?
Not at all... you just have to have contingency plans for when your data is exposed.... with most banking/credit card information, the companies take the risk for you - if your card is compromised, you get a new card and your money is refunded to your account... yes, it's a pain to then plug your new # into all your auto-pay thingies... but it's Visa and Mastercard who lose out - don't feel too bad for them though, they still rake in billions in profits every year :)

The reason for all of their security is not "for your protection" like they say... it's for THEIR protection!!

Basically, "being hacked" has just become another "cost of doing business".... much like an earthquake, tornado or hurricane... it's just a terrible calamity that will occur at some point... the cost of which has already been factored into the budget :)
 
@Squid Surprise
You are right, but I wish there was better protection & enforcement - so the shared costs were less (yes, they make billions - by charging vendors who in turn charge us).
 
Alas, you're only as secure as the dumbest employee of yours.... it's inevitable that all large companies will get hacked at some point... either by gross incompetence (like this one), or through social engineering or some other method....

Although your dumbest employee wouldn't usually be administering your web server.
 
Actually, what they're not telling you here is that their own HR employees were using 4-digit PINs to protect people's data. There's a whole article about it that was published in May. So, regardless of this vulnerability, they were bound to lose your data by merely protecting it with super easy-to-determine PINs. It was also extremely clear and evident that they knew this had happened some time ago.

Here's the article: https://krebsonsecurity.com/2017/05...x-security-at-equifaxs-talx-payroll-division/

and a follow-on: https://krebsonsecurity.com/tag/equifax/
 
So to encapsulate Equifax' response, would it be fair to say, "it's our own, (Equifax'), damned, stupid, negligent fault"?

Hell, I could have written that for them! They didn't have to pay some pricey CEO or publicity firm to do it.
 
No.... But your dumbest employee can be socially engineered to reveal info.... Please read my entire post next time :)
Even the dumbest corporation should invest the necessary time, money, and training, to teach the dumbest employee to avoid phishing attempts.

Or, deny them access to a computer terminal altogether, predicated on the results of a standardized IQ test, administered by the company's HR department.

What this incident should teach, is the fact that an organization the size and significance of Equifax, needs to have an internal, air gapped, private network, in addition to their web based servers.
 
Sadly, a very high percentage of companies have NO idea of the underlying software dependencies they are using. Yeah, SURE; "we're using Apache x.y", but that's about as deep as their list goes. Apache Struts is an add-on package;

Apache License 2.0. Website: struts.apache.org.
Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.

aka, it's a means to integrate Java into Apache -- and that is NOT a requirement, it's a choice, just like Perl, PHP and MySql are web server choices. The astute admin tracks every dependency, the version, when it was installed, updated and every critical CVE on each dependency. THE ADMIN BLEW IT - HIS MANAGER BLEW IT - EQUIFAX BLEW IT! Sadly, they are not alone :sigh:
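The first step of the patching cycle the article describes (find every Struts web app, update, test, redeploy) and the dependency tracking the commenter above calls for, as an added example that is neither the article's nor the commenter's: a Python inventory of a servlet container's webapps directory that flags deployments whose struts2-core jar is older than an operator-supplied patched version. Assumed: the layout WEB-INF/lib/struts2-core-<version>.jar, a webapps directory holding .war files or exploded app directories, and constructed app names and version numbers; the actual fixed release for the CVE is not asserted here and must be supplied by the operator.

```python
import os, re, tempfile, zipfile
from typing import Dict, List, Tuple

# Struts 2 ships its core as WEB-INF/lib/struts2-core-<version>.jar (assumed layout).
JAR_RE = re.compile(r"WEB-INF/lib/struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def struts_version(entry_names) -> str:
    """Version of the struts2-core jar among an app's file names, or '' if absent."""
    for name in entry_names:
        m = JAR_RE.search(name.replace(os.sep, "/"))
        if m:
            return m.group(1)
    return ""

def inventory(webapps_dir: str) -> Dict[str, str]:
    """Map every .war archive or exploded app directory to its Struts version."""
    found: Dict[str, str] = {}
    for entry in sorted(os.listdir(webapps_dir)):
        full = os.path.join(webapps_dir, entry)
        if entry.endswith(".war") and zipfile.is_zipfile(full):
            with zipfile.ZipFile(full) as war:
                found[entry] = struts_version(war.namelist())
        elif os.path.isdir(full):
            names = [os.path.relpath(os.path.join(d, f), full)
                     for d, _, files in os.walk(full) for f in files]
            found[entry] = struts_version(names)
    return found

def needs_patch(inv: Dict[str, str], min_version: str) -> List[str]:
    """Apps running Struts older than min_version (the operator's patched release)."""
    floor = parse_version(min_version)
    return sorted(app for app, v in inv.items() if v and parse_version(v) < floor)

def build_demo() -> str:
    """Constructed fixture: three apps with made-up versions in a temp directory."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "billing.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-1.0.0.jar", b"")  # packaged app
    lib = os.path.join(root, "portal", "WEB-INF", "lib")         # exploded app
    os.makedirs(lib)
    open(os.path.join(lib, "struts2-core-1.0.1.jar"), "wb").close()
    os.makedirs(os.path.join(root, "static", "css"))             # no Struts at all
    return root

if __name__ == "__main__":
    print(needs_patch(inventory(build_demo()), "1.0.1"))  # ['billing.war']
```

Run it against the real webapps directory of each container, with the minimum version set to the release that fixes the CVE, to get the list of apps that still need the update, test and redeploy cycle.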
 
Even when patches come out, they still need to be tested to avoid anything breaking, it's not as simple as "hey there is a new patch, let's install it right away".

Heck, there is a reason why corporations don't roll out automatic Windows updates, among others.
 