Seriously, Equifax? This Is a Breach No One Should Get Away With(nytimes.com)
nytimes.com
Seriously, Equifax? This Is a Breach No One Should Get Away With
https://www.nytimes.com/2017/09/08/technology/seriously-equifax-why-the-credit-agencys-breach-means-regulation-is-needed.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region®ion=top-news&WT.nav=top-news
19 comments
What really puzzles me is the response or lack thereof of those agencies' testimony, if that's what's they're called, during the Congressional hearings. They basically stated that their ratings were nothing more then opinions. And still they're being taken seriously.
I think this incident is a very good argument for why NSA and the agencies in other countries should focus on publishing known exploits. This was probably not one that was known, but it shows what could happen if criminals get access.
I don't understand that logic? The NSA's mission is not to find exploits, it's just a means to an end. If they released the problems they find, there is literally no business case to justify the NSA spending money on finding exploits to then have them closed.
Arguments like that would make more sense to suggest that a new agency is setup to find and fix faults in software. You're keeping the agency's mission focused.
Problem with an agency like that is that in effect it's government support for software companies. Microsoft, Google, Apple could cut back on security processes because they know the tax payer is picking up the tab.
Government shouldn't be in the market, they should hold the market to account for bad actors. We should make having security breaches a painful cost. The market would adjust to meet the macro economic environment.
Arguments like that would make more sense to suggest that a new agency is setup to find and fix faults in software. You're keeping the agency's mission focused.
Problem with an agency like that is that in effect it's government support for software companies. Microsoft, Google, Apple could cut back on security processes because they know the tax payer is picking up the tab.
Government shouldn't be in the market, they should hold the market to account for bad actors. We should make having security breaches a painful cost. The market would adjust to meet the macro economic environment.
According to Wikipedia, NSA is also tasked with the protection of U.S. communications networks and information systems. By not disclosing the exploits they find, they put the information systems at risk. If they can find it, someone else can too.
I mean, Equifax is quite literally in the business of making sure people don't get away with things. It would be unfair to their mission for them to continue as a going concern.
I wonder if Equifax will face any international action, for example here in the UK we have Data Protection laws that can be used to fine companies for such breaches, although it's not entirely clear if British customer data has been affected.
Still, Equifax are probably quick to tell everyone if you've missed one payment on your credit card, but took a few months to say they've been hacked? Doesn't seem fair
Still, Equifax are probably quick to tell everyone if you've missed one payment on your credit card, but took a few months to say they've been hacked? Doesn't seem fair
> ...although it's not entirely clear if British customer data has been affected.
It has [0]:
"... Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents ... no evidence that personal information of consumers in any other country has been impacted."
[0]: https://www.equifaxsecurity2017.com
It has [0]:
"... Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents ... no evidence that personal information of consumers in any other country has been impacted."
[0]: https://www.equifaxsecurity2017.com
> quick to tell everyone if you've missed one payment on your credit card, but took a few months to say they've been hacked
Yes, I believe Equifax may finally get a bit of karma on this one. Unfortunately, at a lot of others' expense.
Yes, I believe Equifax may finally get a bit of karma on this one. Unfortunately, at a lot of others' expense.
This is kinda how I feel. https://equifaxbreach2017.com/
FYI. That is not the real site.
FYI. That is not the real site.
[deleted]
I think it's important to take a step back, take a breath, and look at this rationally.
Look at what actually happened. Equifax was using the Spring framework. This is a very safe, popular choice. They were using what everybody else uses.
There was a critical vuln in the framework, and they failed to update their box for N months. But we're talking only a few months. N is very small -- maybe four? And yeah, you can argue that four months is an absurdly long time to have a known critical vuln in production. But I guarantee you that everybody reading this is similarly vulnerable. Whatever company you work for, if you do not have regular pentests, you are no better off. And even if you do, it's overwhelmingly likely that you've overlooked some lonely outdated server that's still running on your network because Bob set it up a year ago and forgot about it and oh look now you have a pivot into your whole network.
It seems very strange to choose this one company and crucify them just because they lost your data. Everybody is insecure everywhere always, and we've learned to tolerate this by pretending it's not true or that it doesn't exist or that it's not a big deal. But you know what? It is true. That truth will continue to manifest itself in the years to come. No matter how much you'd like it not to be true, your stuff will still get stolen. Usually you just don't hear about it.
Yes, it was stupid for them to have everybody's PII attached to that one webserver. A single point of failure should never result in compromising the whole system. But think about how that architecture would work in practice. A customer service rep still needs to get at most of your data. It's a credit bureau. Where would the data be stored in a way that a remote code exec wouldn't be able to snag it?
Equifax's crime boils down to "they failed to run the equivalent of sudo apt-get update on their framework." When you're managing a fleet of hundreds or thousands of machines, this is a situation that almost all of us have wound up in. If we can't get it right, why do you want the execs' heads to roll? Are you sure you won't be next on the chopping block?
Think about it this way: the time between "someone discovered a vuln in Spring" and "the attackers stole 150M credit reports" was just a few months. Are you sure Equifax wasn't a victim here? Someone threw a cinderblock through their window and made off with their trove of data.
Food for thought.
Look at what actually happened. Equifax was using the Spring framework. This is a very safe, popular choice. They were using what everybody else uses.
There was a critical vuln in the framework, and they failed to update their box for N months. But we're talking only a few months. N is very small -- maybe four? And yeah, you can argue that four months is an absurdly long time to have a known critical vuln in production. But I guarantee you that everybody reading this is similarly vulnerable. Whatever company you work for, if you do not have regular pentests, you are no better off. And even if you do, it's overwhelmingly likely that you've overlooked some lonely outdated server that's still running on your network because Bob set it up a year ago and forgot about it and oh look now you have a pivot into your whole network.
It seems very strange to choose this one company and crucify them just because they lost your data. Everybody is insecure everywhere always, and we've learned to tolerate this by pretending it's not true or that it doesn't exist or that it's not a big deal. But you know what? It is true. That truth will continue to manifest itself in the years to come. No matter how much you'd like it not to be true, your stuff will still get stolen. Usually you just don't hear about it.
Yes, it was stupid for them to have everybody's PII attached to that one webserver. A single point of failure should never result in compromising the whole system. But think about how that architecture would work in practice. A customer service rep still needs to get at most of your data. It's a credit bureau. Where would the data be stored in a way that a remote code exec wouldn't be able to snag it?
Equifax's crime boils down to "they failed to run the equivalent of sudo apt-get update on their framework." When you're managing a fleet of hundreds or thousands of machines, this is a situation that almost all of us have wound up in. If we can't get it right, why do you want the execs' heads to roll? Are you sure you won't be next on the chopping block?
Think about it this way: the time between "someone discovered a vuln in Spring" and "the attackers stole 150M credit reports" was just a few months. Are you sure Equifax wasn't a victim here? Someone threw a cinderblock through their window and made off with their trove of data.
Food for thought.
They were using what everybody else uses. But not everybody else has financial data on so many people behind this framework. If you're dealing with this kind of data there are some additional requirements. I've worked at a few banks and they all provide a lot of extra security on top of those frameworks. So no they're not just victims in this.
I read that top management sold a lot of stock prior to the news coming out about the breach. I hope they get sued for prior knowledge or whatever that is called.
I read that top management sold a lot of stock prior to the news coming out about the breach. I hope they get sued for prior knowledge or whatever that is called.
>Someone threw a cinderblock through their window and made off with their trove of data.
Sure, but maybe - just maybe - given that their "mission" was to keep those data safe or "safe enough" they could have installed a somewhat tougher glass on that window.
The general point of "you had one job" remains IMHO valid, independently from how bad other people/companies security is.
Also, when there is a break-in you normally notice the broken window in a timely fashion, if the reports are accurate the hackers seemingly got the data over two or three months time or however it took months to notice it.
Sure, but maybe - just maybe - given that their "mission" was to keep those data safe or "safe enough" they could have installed a somewhat tougher glass on that window.
The general point of "you had one job" remains IMHO valid, independently from how bad other people/companies security is.
Also, when there is a break-in you normally notice the broken window in a timely fashion, if the reports are accurate the hackers seemingly got the data over two or three months time or however it took months to notice it.
Sounds a little more like someone "threw a cinder block through a window" and then climbed in, wandered around the office until they found the records room, found a way to pry the locks open on the filing cabinets, and then stayed there for a few months to pass files out the window one at a time.
But nobody noticed the broken glass, no one saw any evidence that the records rooms were opened when they shouldn't have been, and nobody saw the hundred million files headed out the window?
I understand this could have happened to anyone, but I don't expect the sec ops at a credit reporting agency to be average.
But nobody noticed the broken glass, no one saw any evidence that the records rooms were opened when they shouldn't have been, and nobody saw the hundred million files headed out the window?
I understand this could have happened to anyone, but I don't expect the sec ops at a credit reporting agency to be average.
Oh really? I thought it depends on how big the bank is. Agencies giving tripe-A to junks were punished so harsrhly...