A few weeks ago Equifax was breached, and it stirred up a lot of discussion in the infosec community on several topics, from how to prevent this from happening to how you could even let it happen. I wanted to go over a few points on why this is such a monumental disaster and not just something that could be “forgiven” like the Target breach.
First thing’s first: Equifax was breached through a vulnerability in Apache Struts, CVE-2017-5638. In summary, Apache Struts is an open-source framework (meaning anyone can view the source code, and contribute changes to it) for developing Java EE web applications. So it’s a framework that helps build the server side of websites. The reason this is significant is that in early March 2017 Apache published an advisory (S2-045) for a bug in the Jakarta Multipart parser: an invalid Content-Type header got echoed into an error message that Struts then evaluated as an OGNL expression, so one crafted HTTP header could run arbitrary commands as the web server’s user. That is remote code execution (RCE), which lets an attacker remotely control the machine. RCEs are the worst type of vulnerability to have on your systems, so the patch for this one (Struts 2.3.32 and 2.5.10.1) should’ve been priority #1. This was not a zero-day; it was a public vulnerability with working exploit code circulating within a day or two of the advisory, usable by anyone who knew their target was running Struts, so there was no excuse for Equifax not to have patched their stuff.
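Two checks a practitioner would actually run for this bug, written here as an added example (not code from the original post or from the Struts project): a version check against the affected ranges from the S2-045 advisory, and a request-header check for the OGNL markers the exploits carry. The sample requests are constructed, the payload is truncated to its first few characters, and the jar-name regex assumes the standard `struts2-core-<version>.jar` naming.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges per the S2-045 advisory: 2.3.5 through 2.3.31 and
# 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1.
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

# OGNL expressions in the exploit payloads open with %{ or ${.
OGNL_MARKER = re.compile(r"[%$]\{")

# Assumption: the jar follows the usual struts2-core-<version>.jar naming.
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise, so a
    longer tuple with an equal prefix sorts after the shorter one."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_struts(version: str) -> bool:
    """True if the version falls in an affected range; 2.5.10.1 does not."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def version_from_jar_name(path: str) -> Optional[str]:
    """Pull the Struts version out of a jar path found in WEB-INF/lib.
    This is the inventory step: you can't patch what you don't know you run."""
    m = JAR_NAME.search(path)
    return m.group(1) if m else None


def flag_request(headers: Dict[str, str]) -> Optional[str]:
    """Return the offending header name if a request carries an OGNL
    expression where a multipart header should be, else None.
    Header names are compared case-insensitively. Content-Disposition is
    checked too, because the same parser bug was later reached through
    it (S2-046). Default access logs don't record these headers, so this
    runs at a reverse proxy / WAF or over full request captures."""
    for name, value in headers.items():
        if name.lower() in ("content-type", "content-disposition") and OGNL_MARKER.search(value):
            return name
    return None


# Constructed sample requests, not captured traffic. The malicious
# Content-Type is truncated; real payloads are hundreds of bytes of OGNL.
BENIGN = {"Host": "example.test",
          "Content-Type": "multipart/form-data; boundary=----abc"}
MALICIOUS = {"Host": "example.test",
             "Content-Type": "%{(#_='multipart/form-data')...}"}


if __name__ == "__main__":
    for jar in ("WEB-INF/lib/struts2-core-2.3.31.jar", "WEB-INF/lib/struts2-core-2.5.10.1.jar"):
        ver = version_from_jar_name(jar)
        print(jar, "->", ver, "VULNERABLE" if ver and is_vulnerable_struts(ver) else "ok")
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "->", flag_request(req))
```

The version check is the one that would have saved Equifax: run it over every internet-facing host’s jar list, not over whatever the scanner happens to reach. The header check is the compensating control for the window before the patch lands.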
Second, this isn’t a small-scale operation. This is a company that has nearly every adult’s social security number and ironically issues reports on how you’re doing in life, financially. If this were some small mom-and-pop shop, no one would care as much. The scale of this breach is the reason there’s so much outrage, and rightfully so.
Third is the blatant insider trading that went on. The CFO and two presidents of the company sold shares a few days after they confirmed they got breached. Something here doesn’t sound right to me personally, because I don’t want to believe a CFO and two presidents of a company the size of Equifax could be this stupid. If it were an IT guy or something then I could believe it, but the people who get lectured about insider trading the most doing something this obvious means they’re incredibly stupid or we’re not getting the full story. It’s worth noting it wasn’t mentioned how many shares they sold, so if they only sold a few then I’d chalk it up to coincidence.
Finally, there’s how they handled this whole ordeal. And not just them: TransUnion and the other credit agencies have also raised their prices for freezing credit so they can profit off of other people’s misery. Equifax has made it a giant pain to freeze credit online, and it’s pathetic that they are still charging people for it. We’re paying them for their mistake, literally. This whole thing is so backwards it’s hilarious.
So what went wrong? Obviously the Apache Struts exploit compromised a server with customer data on it, but why did it even get to that point? The lack of a working patching process is the obvious point here: most companies have dedicated patching days in the month, and it’s clear Equifax either didn’t, or didn’t apply them to this box. A patch cadence alone isn’t enough, though; you also need an inventory that tells you which internet-facing hosts actually run Struts, because a patch you don’t know you need never gets applied. A kicker is that Equifax BLAMED Apache Struts. You cannot blame the project when you’re running open-source software on an internet-facing server and didn’t apply a fix that had been public for months. The other critical piece is that Equifax reportedly stored their data in plain, clear text, which is arguably the biggest no-no possible for sensitive data. PCI DSS (the Payment Card Industry Data Security Standard) is the rule set for companies that handle cardholder data, and it requires things like encryption of stored card numbers and timely patching; SSNs aren’t card data, so strictly speaking they fall outside PCI’s scope, but the same principle applies: never store that kind of data where anyone who grabs the table can read it. One caveat on the usual “encrypt it and salt it” advice: salting is a hashing technique, not encryption, and an SSN is only nine digits, so a salted hash of one can be brute-forced offline in seconds to minutes on commodity hardware once the attacker has the salt (which sits right next to the hash). If the data must be read back, encrypt it with a key kept outside the database; if it only needs to be matched, use a keyed hash (an HMAC) whose key the attacker doesn’t get with the dump. Done that way, all the attacker walks off with is gibberish, but that isn’t what happened here.
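To make the “salting isn’t enough for SSNs” caveat concrete, here is an added example (not code from the original post, standard library only) that stores a constructed sample SSN as a salted SHA-256 and then as an HMAC-SHA256 under a secret key, and runs the same offline search against both. The attacker is assumed to already know the first five digits (area and group, which for pre-2011 numbers were largely inferable from place and year of birth), so only the 4-digit serial is searched; the full 9-digit space is only 10^5 times larger and is well within GPU reach.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample value: the well-known Woolworth's wallet-card number,
# never a real person's. Any 9-digit string works here.
SAMPLE_SSN = "078-05-1120"


def normalize(ssn: str) -> str:
    """Strip dashes/spaces so '078-05-1120' and '078051120' hash identically."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must have 9 digits")
    return digits


def salted_hash(ssn: str, salt: bytes) -> str:
    """What 'salted storage' usually means: sha256(salt || ssn).
    The salt is stored beside the hash, so whoever dumps the table has it."""
    return hashlib.sha256(salt + normalize(ssn).encode()).hexdigest()


def keyed_token(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the database (HSM/KMS).
    Good for lookups and de-duplication; for data that must be read back,
    use authenticated encryption under a similarly separated key (not shown)."""
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()


def brute_force_salted(target: str, salt: bytes, known_prefix: str) -> Optional[str]:
    """Offline search with the stolen salt: 10,000 candidates for the serial."""
    for serial in range(10_000):
        candidate = f"{known_prefix}{serial:04d}"
        if hmac.compare_digest(salted_hash(candidate, salt), target):
            return candidate
    return None


def brute_force_keyed(target: str, known_prefix: str, guessed_key: bytes) -> Optional[str]:
    """Same search against the HMAC table. Without the real key every
    candidate token is wrong, so the small SSN space no longer helps."""
    for serial in range(10_000):
        candidate = f"{known_prefix}{serial:04d}"
        if hmac.compare_digest(keyed_token(candidate, guessed_key), target):
            return candidate
    return None


def demo():
    """Returns (ssn recovered from salted hash, ssn recovered from HMAC)."""
    salt = secrets.token_bytes(16)          # stolen along with the table
    key = secrets.token_bytes(32)           # lives in the KMS, not the table
    stored_hash = salted_hash(SAMPLE_SSN, salt)
    stored_token = keyed_token(SAMPLE_SSN, key)
    recovered = brute_force_salted(stored_hash, salt, "07805")
    not_recovered = brute_force_keyed(stored_token, "07805", secrets.token_bytes(32))
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # first value is the SSN, second is None
```

The salted search finishes in well under a second in plain Python; a GPU doing the full nine digits is not much slower. The point is not that salting is bad, it is that salting only helps when the input space is large, and an SSN’s isn’t.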
It was also reported that a hacker was able to log in to the Equifax Argentina employee web portal using the credentials admin:admin. So in summary, it’s clear that Equifax doesn’t care at all about security; it’s more of a theater for them, instead of taking it seriously and hiring legitimate professionals to assess their environment rather than having the internet do it for them. So what does this mean for Equifax? Hopefully it means the end. Life with one less credit agency would be great, but in reality some C-level executives will “retire”, then they’ll get fined, then get sued and be in court for 10 years, and maybe in 13-14 years we’ll get a class-action lawsuit check in the mail for $3. This whole thing could’ve been prevented if they had just patched their systems regularly (especially internet-facing ones) and stored their data securely.
So now what? The first thing is to freeze your credit so no one can open new accounts against your SSN. It costs about $30 and can be done by phone:
Equifax: 1-800-685-1111 (NY residents 1-800-349-9960 and for you Canadians 1-800-465-7166)
Make sure to keep your PIN, because that’s the only thing that can unfreeze your credit.
You could also take the extra step of getting a credit monitoring service like LifeLock, but they have questionable results, so do your own research and decide whether it’s worth it.