Old 09-14-2017, 08:45 AM   #201
JoeWras (Join Date: Sep 2012, Posts: 11,702)
Quote:
Originally Posted by MichaelB
Info on the cause of the breach. Equifax was aware of the bug but had not yet undergone any remediation. https://arstechnica.com/information-...month-old-bug/
Because, you know, it was *labor intensive and difficult* to install the patch.

Don't get me started. I've seen how this works in other environments. Patching -- even for security -- frequently does not get the priority it deserves. That lack of priority is a failure of management.
Old 09-14-2017, 09:33 AM   #202
Chuckanut (Join Date: Aug 2011, Location: West of the Mississippi, Posts: 17,262)
More Equifax issues, this time in Argentina:

https://krebsonsecurity.com/2017/09/...x-has-my-data/

As I read this article, employee IDs and passwords were easily obtainable, thus offering strangers easy access to the Equifax dispute system in Argentina. YCMTSU! (You can't make this stuff up)

Note: bold emphasis mine.

Quote:
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: "admin/admin."

We'll speak about this Equifax Argentina employee portal -- known as Veraz or "truthful" in Spanish -- in the past tense because the credit bureau took the whole thing offline shortly after being contacted by KrebsOnSecurity this afternoon. The specific Veraz application being described in this post was dubbed Ayuda or "help" in Spanish on internal documentation.

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The "list of users" page also featured a clickable button that anyone authenticated with the "admin/admin" username and password could use to add, modify or delete user accounts on the system. A search on "Equifax Veraz" at Linkedin indicates the unit currently has approximately 111 employees in Argentina.

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click on the employee's profile page and select "view source," a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee's password in plain text.
__________________
Comparison is the thief of joy

The worst decisions are usually made in times of anger and impatience.
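The "dots on the screen" detail in the article is a server-side defect, not a browser trick: the page showed dots because the field was a password input, but the cleartext had been sent to the client in the first place, and it was stored in cleartext on the server to begin with. The Python below is an added example (not code from the Krebs article, from Equifax, or from this thread) that renders a hypothetical employee profile page the leaky way beside a hardened version that never emits credential material, keeps only a salted PBKDF2 hash, and includes the kind of check a test suite can run over rendered pages. The record data and the names EMPLOYEES_LEGACY, render_profile_vulnerable, render_profile_hardened, verify_password and page_leaks are all constructed for the example.

```python
"""Masking a password with dots in the browser is cosmetic; the real fix is that
the secret never leaves the server. Added example with constructed data; the
records and function names below are hypothetical, not Equifax's code."""
import hashlib
import hmac
import html
import secrets

# Constructed legacy records in the shape the article describes: a cleartext
# password stored beside the username (the value is a made-up throwaway).
EMPLOYEES_LEGACY = {
    "jperez": {"email": "jperez@example.invalid", "password": "Verano2017!"},
}


def render_profile_vulnerable(username):
    """Leaky rendering: type='password' draws dots on screen, but the cleartext
    sits in the value attribute of the page source for anyone who loads it."""
    rec = EMPLOYEES_LEGACY[username]
    return (
        "<form method='post'>"
        f"<input name='username' value='{html.escape(username)}'>"
        f"<input type='password' name='password' value='{html.escape(rec['password'])}'>"
        "</form>"
    )


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the server keeps (salt, digest), never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def migrate(legacy):
    """One-time migration: replace every stored cleartext with a salted hash."""
    migrated = {}
    for user, rec in legacy.items():
        salt, digest = hash_password(rec["password"])
        migrated[user] = {"email": rec["email"], "salt": salt, "digest": digest}
    return migrated


EMPLOYEES = migrate(EMPLOYEES_LEGACY)


def verify_password(username, candidate):
    """Constant-time comparison against the stored digest; unknown users still
    pay the hashing cost so the response time does not reveal valid usernames."""
    rec = EMPLOYEES.get(username)
    if rec is None:
        hash_password(candidate, b"\x00" * 16)
        return False
    _, digest = hash_password(candidate, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])


def render_profile_hardened(username):
    """No credential material reaches the client: password fields are empty, and
    a change must carry the current password, which is checked against the hash."""
    rec = EMPLOYEES[username]
    return (
        "<form method='post'>"
        f"<input name='username' value='{html.escape(username)}' readonly>"
        f"<input name='email' value='{html.escape(rec['email'])}'>"
        "<input type='password' name='current_password' value='' autocomplete='current-password'>"
        "<input type='password' name='new_password' value='' autocomplete='new-password'>"
        "</form>"
    )


def page_leaks(page, secret):
    """Test-suite check: rendered HTML must not contain the secret, raw or escaped."""
    return secret in page or html.escape(secret) in page


if __name__ == "__main__":
    for label, render in (("vulnerable", render_profile_vulnerable),
                          ("hardened", render_profile_hardened)):
        print(f"{label}: page leaks password = {page_leaks(render('jperez'), 'Verano2017!')}")
```

The page_leaks check is the part worth keeping around: run it over every template that touches an account record in CI, and the "view source" finding becomes a failing test instead of a news story.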
Old 09-14-2017, 09:35 AM   #203
easysurfer (Join Date: Jun 2008, Posts: 13,143)
More on the lack of security during the breach:

Quote:
Equifax's world-beating breach of 143 million Americans' sensitive personal and financial information was the result of the company's failure to patch a two-month-old bug in Apache Struts, despite multiple reports of the bug being exploited in the wild.
A patch for the vulnerability ("Apache Struts CVE-2017-5638") was issued on March 6. Equifax's website was breached by exploiting the bug in "mid-May," more than two months after the patch was issued. In the interim, there were widespread reports of "mass attacks" by hackers exploiting CVE-2017-5638. Despite these reports, Equifax did not patch their infrastructure, leaving it -- and 143 million Americans -- vulnerable to the breach that followed.
This isn't the only gross negligence in recent Equifax history, either. In Argentina, researchers discovered that a system holding similarly sensitive data about people in Argentina and other South American countries was configured to allow root access with the username and password combo of "admin/admin."
https://boingboing.net/2017/09/14/th...my-action.html

To add insult to injury, there's no mention of the breached data being encrypted, so the assumption is probably not.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
Old 09-14-2017, 10:06 AM   #204
MRG (Join Date: Apr 2013, Posts: 11,078)
Quote:
Originally Posted by JoeWras
Because, you know, it was *labor intensive and difficult* to install the patch.

Don't get me started. I've seen how this works in other environments. Patching -- even for security -- frequently does not get the priority it deserves. That lack of priority is a failure of management.
Yeah, and there's risk involved with the patch! I mean, if it's wrong we might have an outage and no one would be able to access the data. Even the thief.

Wondering who their external auditor(s) are? A public company housing other people's sensitive data should be covered by standard audit practices. My last couple of years I spent time on several audits, with different external auditors.

Patch management was always a big issue especially around security holes. Perhaps it was an unresolved issue?
Old 09-14-2017, 10:34 AM   #205
jollystomper (Join Date: Apr 2012, Posts: 6,176)
Quote:
Originally Posted by MRG
Yeah, and there's risk involved with the patch! I mean, if it's wrong we might have an outage and no one would be able to access the data. Even the thief.
That is why companies have multiple environments for testing, quality assurance, integration testing, etc. to test out things like security patches before they roll them into production environments.

Too many shy away from doing this due to the cost... but it is insurance to minimize exposure to these very types of situations.

It also speaks to folks not staffing those areas sufficiently enough, or, worse (in my view) outsourcing things like patch management to third parties.
__________________
FIREd date: June 26, 2018 - "This Happy Feeling, Going Round and Round!" (GQ)
Old 09-14-2017, 11:10 AM   #206
MRG (Join Date: Apr 2013, Posts: 11,078)
Quote:
Originally Posted by jollystomper
That is why companies have multiple environments for testing, quality assurance, integration testing, etc. to test out things like security patches before they roll them into production environments.

Too many shy away from doing this due to the cost... but it is insurance to minimize exposure to these very types of situations.

It also speaks to folks not staffing those areas sufficiently enough, or, worse (in my view) outsourcing things like patch management to third parties.
Agreed. Heck, it was Apache.
We'd spray across multiple Apache servers so you could potentially upgrade one instance live; if it failed, the load balancing took it out of the cluster.
Old 09-14-2017, 01:59 PM   #207
zedd (Join Date: Dec 2009, Posts: 526)
Quote:
Originally Posted by MRG
Agreed. Heck, it was Apache.
We'd spray across multiple Apache servers so you could potentially upgrade one instance live; if it failed, the load balancing took it out of the cluster.
Right. Rolling updates to individual nodes in a multi-node web-tier cluster fronted with a load balancer. Easy-peasy. But what do I know, I've been out of IT for three years.
zedd is offline
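The rolling-update procedure the last two posts describe (drain one node from the load balancer, patch it, health-check it, put it back, and let a failed node stay out of rotation) is easy to get subtly wrong: draining the last healthy node, or continuing the rollout after a node fails its probe. The Python below is an added example, not code from this thread or from any Equifax or Apache tooling; the Node and LoadBalancer classes, the rolling_update function and the fake patch steps are hypothetical stand-ins for a real balancer's admin API and HTTP health probes, and the version strings are placeholders.

```python
"""Rolling security patch across a load-balanced web tier, one node at a time.

Added example with hypothetical names. The control flow is the point: drain,
patch, health-check, readmit; halt on the first failed probe; and never let the
pool of serving nodes drop below a floor."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    version: str
    healthy: bool = True


@dataclass
class LoadBalancer:
    """Tracks which nodes receive traffic. A real balancer does this through
    health probes and an admin API; here it is an in-memory set."""
    pool: set = field(default_factory=set)
    min_in_pool: int = 1   # availability floor: never drain below this many
    empty_events: int = 0  # counts moments when nobody was serving traffic

    def drain(self, node):
        """Remove a node from rotation, refusing if that breaks the floor."""
        if len(self.pool) - 1 < self.min_in_pool:
            return False
        self.pool.discard(node.name)
        if not self.pool:
            self.empty_events += 1
        return True

    def readmit(self, node):
        self.pool.add(node.name)


def health_check(node):
    """Stand-in for an HTTP probe of the freshly patched instance."""
    return node.healthy


def rolling_update(lb, nodes, new_version, apply_patch):
    """apply_patch(node, new_version) mutates the node and may leave it unhealthy.
    Stops at the first node that fails its post-patch probe; that node stays out
    of rotation and the remaining nodes are left untouched for a human to look at."""
    upgraded, failed, skipped = [], [], []
    halted = False
    for node in nodes:
        if halted:
            skipped.append(node.name)
            continue
        if not lb.drain(node):
            skipped.append(node.name)  # draining would violate the floor
            continue
        apply_patch(node, new_version)
        if health_check(node):
            lb.readmit(node)
            upgraded.append(node.name)
        else:
            failed.append(node.name)
            halted = True
    return {
        "upgraded": upgraded,
        "failed": failed,
        "skipped": skipped,
        "pool_ever_empty": lb.empty_events > 0,
        "serving": sorted(lb.pool),
    }


def good_patch(node, new_version):
    node.version = new_version


def patch_that_breaks(broken_name):
    """Simulated patch step that leaves one named node failing its probe."""
    def apply(node, new_version):
        node.version = new_version
        node.healthy = node.name != broken_name
    return apply


def run_scenario(broken=None):
    """Three-node tier on placeholder version 1.0 being moved to 1.1."""
    nodes = [Node("web1", "1.0"), Node("web2", "1.0"), Node("web3", "1.0")]
    lb = LoadBalancer(pool={n.name for n in nodes})
    apply = patch_that_breaks(broken) if broken else good_patch
    return rolling_update(lb, nodes, "1.1", apply), nodes


if __name__ == "__main__":
    print("clean rollout:", run_scenario()[0])
    print("web2 fails probe:", run_scenario("web2")[0])
```

In the failure scenario the rollout ends with web1 patched and serving, web2 patched but held out of rotation, and web3 still on the old version but serving; at no point was the pool empty. That is the "risk of the patch" from earlier in the thread reduced to one node's worth of exposure rather than an outage.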
Old 09-14-2017, 02:10 PM   #208
Senator (Join Date: Feb 2014, Location: Williston, FL, Posts: 3,925)
You would think they would know better...

Quote:
Scores of accounts on Equifax's website in Argentina allegedly were protected by the same generic username and password: "admin."
https://www.cnbc.com/2017/09/14/equi...-database.html
__________________
FIRE no later than 7/5/2016 at 56 (done), securing '16 401K match (done), getting '15 401K match (done), LTI Bonus (done), Perf bonus (done), maxing out 401K (done), picking up 1,000 hours to get another year of pension (done), July 1st benefits (vacation day, healthcare) (done), July 4th holiday. 0 days left. (done) OFFICIALLY RETIRED 7/5/2016!!
Old 09-14-2017, 02:27 PM   #209
explanade (Join Date: May 2008, Posts: 7,437)
Did they have incompetent or lazy IT staff?

Did they have an IT staff, or did management keep costs down by hiring consultants?
explanade is online now
Old 09-14-2017, 02:37 PM   #210
Chuckanut (Join Date: Aug 2011, Location: West of the Mississippi, Posts: 17,262)
Here's something I heard about on Equifax's website.

Can you find something that might be just a bit out of date in the opinion of some people?

https://aa.econsumer.equifax.com/aad...c_pop_security

Quote:
Security and Encryption

In the United States, you can order all Equifax products online with confidence using Netscape and Internet Explorer, since they support the recommended 128-bit key length encryption SSL (Secure Sockets Layer). International versions support 40-bit encryption.
SSL and 128-bit encryption
If you have Netscape Navigator, simply select 'Help' from the Menu Bar, then click on 'About Netscape' and you will obtain a screen of information including the version.
If you see language referring to 'International Security', then your browser does not support 128-bit encryption. If you see language referring to 'U.S. Security' or 'Domestic Security,' then your browser does support 128-bit encryption.
If you have Internet Explorer, go to a secure page (a secure page uses the prefix 'https'). With your cursor positioned anywhere on the secure page, click on File (from the main menu), then Properties. Click on the tab marked 'Security' and look under the heading 'Privacy strength.' It will show whether you have 128-bit or 40-bit encryption.
To See If Your Session Is Encrypted
If you are running Netscape Navigator, look in the lower left-hand corner of the browser. You will see a small key as an indication that your session is running in an encrypted mode. When your session is not encrypted you will see a broken key. If you are using Internet Explorer, you will see a lock icon displayed in the bottom right corner of the window when you are on a secure page.
To See If 128-bit Encryption Is Enabled
If you are using Netscape Navigator, it is possible that your 128-bit encryption feature may be disabled.
To verify, select 'Options' then 'Security Preferences' then 'General.' There should be a check next to the 'Enable SSL v2.' Click on the 'Configure' button. The 'Configures Ciphers' window will appear.
Make sure the first item ('RC4 encryption with a 128-bit key') is checked, then click on 'OK'. Microsoft Internet Explorer does not allow you to turn the security features off.
Old 09-20-2017, 05:52 AM   #211
easysurfer (Join Date: Jun 2008, Posts: 13,143)
Tried enrolling for that Premier ID thing from Equifax about a week ago. Still waiting for that verification, ready-to-enroll email from them.

Pretty much afraid to ask them what's going on for fear it might delay things even more.
Old 09-20-2017, 06:12 AM   #212
braumeister, Moderator (Join Date: Feb 2010, Location: Flyover country, Posts: 25,352)
Quote:
Originally Posted by easysurfer
Tried enrolling for that Premier ID thing from Equifax about a week ago. Still waiting for that verification, ready-to-enroll email from them.

Pretty much afraid to ask them what's going on for fear it might delay things even more.
Got mine on Sunday. Maybe you should call?

I was also reminded that about ten years ago DW was working on an HR/payroll system and found that the admin password had been hard coded so it could never be changed. She brought it to the attention of the company but instead of getting it fixed they ignored it since they were planning to switch to a different system in three years time.
__________________
I thought growing old would take longer.
Old 09-20-2017, 06:41 AM   #213
easysurfer (Join Date: Jun 2008, Posts: 13,143)
Quote:
Originally Posted by braumeister
Got mine on Sunday. Maybe you should call?

I was also reminded that about ten years ago DW was working on an HR/payroll system and found that the admin password had been hard coded so it could never be changed. She brought it to the attention of the company but instead of getting it fixed they ignored it since they were planning to switch to a different system in three years time.
Did you have to call? If so, how long was the wait?

Not in the mood to call and be a guinea pig unless I really have to.

I just went back online on the enrollment page and entered my info. Got the thank you, wait for a follow-up email, and if nothing arrives in a few days, check the spam folder. It also asked for a cell number to text and verify... but I didn't get any text. Grrr!

If I don't hear back, I think I'll give it till Oct 1st before giving them a call. That should give enough time for Equifax's new executives to move in and get organized and give the idea that people do matter and are not just a number. I hope.
Old 09-20-2017, 11:04 AM   #214
athena53 (Join Date: May 2014, Posts: 7,373)
Quote:
Originally Posted by Fermion
The equifax pin is a joke. It is just the month/day/year you freeze your credit plus the time in hours and minutes.

So if you were to post you froze your credit today, I know a large portion of your pin already.

09122017
Well, crap. I just checked the paperwork from my Equifax credit freeze and now I know exactly when I froze my credit. Whatta bunch of bozos. I'll probably wait for the giant tide of calls to pass and then demand a new PIN. Reminds me of my university in the pre-Internet days, when they posted sheets of final and midterm grades by SS number "to protect students' privacy". When it was pointed out that posting SS numbers was also a violation of privacy, they very cleverly changed to posting grades by SS number in reverse order.
Old 09-20-2017, 11:37 AM   #215
easysurfer (Join Date: Jun 2008, Posts: 13,143)
Quote:
Originally Posted by athena53
Well, crap. I just checked the paperwork from my Equifax credit freeze and now I know exactly when I froze my credit. Whatta bunch of bozos. I'll probably wait for the giant tide of calls to pass and then demand a new PIN. Reminds me of my university in the pre-Internet days, when they posted sheets of final and midterm grades by SS number "to protect students' privacy". When it was pointed out that posting SS numbers was also a violation of privacy, they very cleverly changed to posting grades by SS number in reverse order.
I probably shouldn't chuckle, but I do remember privacy methods used back in the day of student privacy.
Old 09-20-2017, 12:07 PM   #216
Sunset (Join Date: Jul 2014, Location: Spending the Kids Inheritance and living in Chicago, Posts: 17,093)
Quote:
Originally Posted by explanade
Did they have incompetent or lazy IT staff?

Did they have an IT staff, or did management keep costs down by hiring consultants?
Reports are they had a Music Degree person hired as head of IT security. No IT experience needed I guess.

https://www.nbcnews.com/business/con...ureaus-n801706
Old 09-20-2017, 05:18 PM   #217
easysurfer (Join Date: Jun 2008, Posts: 13,143)
Well, I ended up calling Equifax today after all. I decided to fill out the enrollment info again and got an email today about following a link for final verification. As soon as I tried, the page crashed (I think because my credit is frozen) and said for me to call a number. So I did that to try to verify in person, but I flunked the questioning.

So, I ended up sending an email with a copy of my license as government photo ID and a copy of a utility bill. Now I have a case number with their customer service. Pretty much a pain, especially as the questions I got asked were a bit confusing and a bit subjective, I think.
Old 09-20-2017, 05:41 PM   #218
Rustic23 (Join Date: Dec 2005, Location: Lake Livingston, Tx, Posts: 4,204)
Don't knock music majors when it comes to computers!!! I had one working for me, and he was the best programmer we ever had. We grew to understand there is a symmetry between music and computers.
__________________
If it is after 5:00 when I post I reserve the right to disavow anything I posted.
Old 09-20-2017, 06:20 PM   #219
growing_older (Join Date: Jun 2007, Posts: 2,657)
Can it get any worse?

Equifax violated standard practice when it created a new website for users to put in their personally identifiable information to see if they were involved in the breach. This is exactly what users are told to watch out for to prevent phishing attacks. The site equifaxsecurity2017.com had problems with how it was setup and whether it was even secure.

A rival website securityequifax2017.com was created to mock the Equifax efforts. Then Equifax themselves mixed up the site names and sent official tweets that sent users to the mock site.

https://www.theverge.com/2017/9/20/1...ity-monitoring
Old 09-20-2017, 08:30 PM   #220
MRG (Join Date: Apr 2013, Posts: 11,078)
Quote:
Originally Posted by Sunset
Reports are they had a Music Degree person hired as head of IT security. No IT experience needed I guess.

https://www.nbcnews.com/business/con...ureaus-n801706
Thanks.

Nice to see the audit police attack. They should. These folks appear to follow a worse practices guide.

Far as music... I w*rked in IT with 2 musicians. Both were bad. That doesn't mean squat. I w*rked with great and horrible people of all backgrounds and educations. I had to watch the guy who taught me 370 assembly language fail. Miserably and publicly. Just because we are great at one aspect of something doesn't guarantee anything.