Looks like Equifax was breached

Info on the cause of the breach. Equifax was aware of the bug but had not yet undergone any remediation. https://arstechnica.com/information...caused-by-failure-to-patch-two-month-old-bug/
Because, you know, it was *labor intensive and difficult* to install the patch.

Don't get me started. I've seen how this works in other environments. Patching -- even for security -- frequently does not get the priority it deserves. That lack of priority is a failure of management.
 
More Equifax issues, this time in Argentina:

https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

As I read this article, employee IDs and passwords were easily obtainable, thus offering strangers easy access to the Equifax dispute system in Argentina. YCMTSU! (You can't make this stuff up.)

Note: bold emphasis mine.

It took almost no time for them to discover that an online portal designed to
let Equifax employees in Argentina manage credit report disputes from consumers
in that country was wide open, protected by perhaps the most easy-to-guess
password combination ever: "admin/admin."

We'll speak about this Equifax Argentina employee portal -- known as Veraz or
"truthful" in Spanish -- in the past tense because the credit bureau took the
whole thing offline shortly after being contacted by KrebsOnSecurity this
afternoon. The specific Veraz application being described in this post was
dubbed Ayuda or "help" in Spanish on internal documentation.

Once inside the portal, the researchers found they could view the names of more
than 100 Equifax employees in Argentina, as well as their employee ID and email
address. The "list of users" page also featured a clickable button that anyone
authenticated with the "admin/admin" username and password could use to add,
modify or delete user accounts on the system. A search on "Equifax Veraz" at
Linkedin indicates the unit currently has approximately 111 employees in
Argentina.

Each employee record included a company username in plain text, and a
corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click
on the employee's profile page and select "view source," a function that shows
displays the raw HTML code which makes up the Web site. Buried in that HTML code
was the employee's password in plain text.
 
More on the lack of security during the breach:

Equifax's world-beating breach of 143 million Americans' sensitive personal and financial information was the result of the company's failure to patch a two-month-old bug in Apache Struts, despite multiple reports of the bug being exploited in the wild.
A patch for the vulnerability ("Apache Struts CVE-2017-5638") was issued on March 6. Equifax's website was breached by exploiting the bug in "mid-May," more than two months after the patch was issued. In the interim, there were widespread reports of "mass attacks" by hackers exploiting CVE-2017-5638. Despite these reports, Equifax did not patch their infrastructure, leaving it -- and 143 million Americans -- vulnerable to the breach that followed.
This isn't the only gross negligence in recent Equifax history, either. In Argentina, researchers discovered that a system holding similarly sensitive data about people in Argentina and other South American countries was configured to allow root access with the username and password combo of "admin/admin."
https://boingboing.net/2017/09/14/thrice-is-enemy-action.html

To add insult to injury, there's no mention of the breached data being encrypted, so the assumption is probably not.
 
Because, you know, it was *labor intensive and difficult* to install the patch.

Don't get me started. I've seen how this works in other environments. Patching -- even for security -- frequently does not get the priority it deserves. That lack of priority is a failure of management.

Yeah, and there's risk involved with the patch! I mean, if it's wrong we might have an outage and no one would be able to access the data. Even the thief.

Wondering who their external auditor(s) are? A public company housing other people's sensitive data should be covered by standard audit practices. In my last couple of years I spent time on several audits, with different external auditors.

Patch management was always a big issue especially around security holes. Perhaps it was an unresolved issue?
 
Yeah, and there's risk involved with the patch! I mean, if it's wrong we might have an outage and no one would be able to access the data. Even the thief.

That is why companies have multiple environments for testing, quality assurance, integration testing, etc. to test out things like security patches before they roll them into production environments.

Too many shy away from doing this due to the cost... but it is insurance to minimize exposure to these very types of situations.

It also speaks to folks not staffing those areas sufficiently enough, or, worse (in my view) outsourcing things like patch management to third parties.
 
That is why companies have multiple environments for testing, quality assurance, integration testing, etc. to test out things like security patches before they roll them into production environments.

Too many shy away from doing this due to the cost... but it is insurance to minimize exposure to these very types of situations.

It also speaks to folks not staffing those areas sufficiently enough, or, worse (in my view) outsourcing things like patch management to third parties.
Agreed. Heck it was Apache.
We'd spray across multiple Apache servers so you could potentially upgrade one instance live, if it fails the load balancing took it out of the cluster.
 
Agreed. Heck it was Apache.
We'd spray across multiple Apache servers so you could potentially upgrade one instance live, if it fails the load balancing took it out of the cluster.

Right. Rolling updates to individual nodes in a multi-node web-tier cluster fronted with a load balancer. Easy-peasy. But what do I know, I've been out of IT for three years. :cool:
 
Did they have incompetent or lazy IT staff?

Did they have an IT staff, or did management keep costs down by hiring consultants?
 
Here's something I heard about on Equifax's website.

Can you find something that might be just a bit out of date in the opinion of some people?

https://aa.econsumer.equifax.com/aad/sitepage.ehtml?forward=ec_pop_security

Security and Encryption

In the United States, you can order all Equifax products online with confidence using Netscape and Internet Explorer, since they support the recommended 128-bit key length encryption SSL (Secure Sockets Layer). International versions support 40-bit encryption.
SSL and 128-bit encryption
If you have Netscape Navigator, simply select 'Help' from the Menu Bar, then click on 'About Netscape' and you will obtain a screen of information including the version.
If you see language referring to 'International Security', then your browser does not support 128-bit encryption. If you see language referring to 'U.S. Security' or 'Domestic Security,' then your browser does support 128-bit encryption.
If you have Internet Explorer, go to a secure page (a secure page uses the prefix 'https'). With your cursor positioned anywhere on the secure page, click on File (from the main menu), then Properties. Click on the tab marked 'Security' and look under the heading 'Privacy strength.' It will show you have 128-bit or 40-bit encryption.
To See If Your Session Is Encrypted
If you are running Netscape Navigator, look in the lower left-hand corner of the browser. You will see a small key as an indication that your session is running in an encrypted mode. When your session is not encrypted you will see a broken key. If you are using Internet Explorer, you will see a lock icon displayed in the bottom right corner of the window when you are on a secure page.
To See If 128-bit Encryption Is Enabled
If you are using Netscape Navigator, it is possible that your 128-bit encryption feature may be disabled.
To verify, select 'Options' then 'Security Preferences' then 'General.' There should be a check next to the 'Enable SSL v2.' Click on the 'Configure' button. The 'Configures Ciphers' window will appear.
Make sure the first item ('RC4 encryption with a 128-bit key') is checked, then click on 'OK'. Microsoft Internet Explorer does not allow you to turn the security features off.
 
Tried enrolling for that Premier ID thing from Equifax about a week ago. Still waiting for that verification, ready-to-enroll email from them.

Pretty much afraid to ask them what's going on for fear it might delay things even more :(.
 
Tried enrolling for that Premier ID thing from Equifax about a week ago. Still waiting for that verification, ready-to-enroll email from them.

Pretty much afraid to ask them what's going on for fear it might delay things even more :(.

Got mine on Sunday. Maybe you should call?

I was also reminded that about ten years ago DW was working on an HR/payroll system and found that the admin password had been hard coded so it could never be changed. She brought it to the attention of the company but instead of getting it fixed they ignored it since they were planning to switch to a different system in three years time. :facepalm:
 
Got mine on Sunday. Maybe you should call?

I was also reminded that about ten years ago DW was working on an HR/payroll system and found that the admin password had been hard coded so it could never be changed. She brought it to the attention of the company but instead of getting it fixed they ignored it since they were planning to switch to a different system in three years time. :facepalm:

Did you have to call? If so, how long was the wait?

Not in the mood to call and be a guinea pig unless I really have to :(.

I just went back online on the enrollment page and entered my info. Got the thank you, wait for follow-up email, if nothing in a few days, check spam folder :blush:. Also asked for a cell number to text and verify... but didn't get any text... Grrr!

If I don't hear back, I think I'll give it till Oct 1st to give them a call. That should give enough time for Equifax's new executives to move in, get organized, and give the idea that people do matter and are not just a number. I hope :blush:.
 
The Equifax PIN is a joke. It is just the month/day/year you freeze your credit plus the time in hours and minutes.

So if you were to post you froze your credit today, I know a large portion of your pin already.

09122017

Well, crap. I just checked the paperwork from my Equifax credit freeze and now I know exactly when I froze my credit.:( Whatta bunch of bozos. I'll probably wait for the giant tide of calls to pass and then demand a new PIN. Reminds me of my university in the pre-Internet days, when they posted sheets of final and midterm grades by SS number "to protect students' privacy". When it was pointed out that posting SS numbers was also a violation of privacy, they very cleverly changed to posting grades by SS number in reverse order.
 
Well, crap. I just checked the paperwork from my Equifax credit freeze and now I know exactly when I froze my credit.:( Whatta bunch of bozos. I'll probably wait for the giant tide of calls to pass and then demand a new PIN. Reminds me of my university in the pre-Internet days, when they posted sheets of final and midterm grades by SS number "to protect students' privacy". When it was pointed out that posting SS numbers was also a violation of privacy, they very cleverly changed to posting grades by SS number in reverse order.

I probably shouldn't chuckle, but I do remember the privacy methods used for student privacy back in the day.
 
Well, I ended up calling Equifax today after all. I decided to fill out the enroll info again and got an email today about following a link for final verification. As soon as I tried, the page crashed (I think because my credit is frozen) and said for me to call a number. So I did that to try to verify in person but I flunked the questioning :facepalm:.

So, I ended up sending an email with a copy of my license as government photo ID and a copy of a utility bill. Now I have a case number with their customer service. Pretty much a pain, especially as the questions I got asked were a bit confusing and a bit subjective, I think.
 
Don't knock music majors when it comes to computers!!! I had one working for me, and he was the best programmer we ever had. We grew to understand there is a symmetry between music and computers.
 
Can it get any worse?

Equifax violated standard practice when it created a new website for users to put in their personally identifiable information to see if they were involved in the breach. This is exactly what users are told to watch out for to prevent phishing attacks. The site equifaxsecurity2017.com had problems with how it was setup and whether it was even secure.

A rival website securityequifax2017.com was created to mock the Equifax efforts. Then Equifax themselves mixed up the site names and sent official tweets that sent users to the mock site.

https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring
 
Reports are they had a Music Degree person hired as head of IT security. No IT experience needed I guess. :facepalm:

https://www.nbcnews.com/business/co...n-scrutiny-intensifies-credit-bureaus-n801706
Thanks.

Nice to see the audit police attack. They should. These folks appear to follow a worse practices guide.

Far as music... I w*rked in IT with 2 musicians. Both were bad. That doesn't mean squat. I w*rked with great and horrible people of all backgrounds and educations. I had to watch the guy who taught me 370 assembly language fail. Miserably and publicly. Just because we are great at one aspect of something doesn't guarantee anything.
 
Taking a step back and thinking about the credit bureau business in general. Isn't that kind of like legal blackmail?

1) We (being ordinary citizens) didn't volunteer our information
2) Credit activities we do get recorded and monitored and get used against us if our score is low
3) Getting access and corrections to inaccurate reports are up to us to prove who we are

I'm sure there's more.

Sure, I do agree with the need to weed out the deadbeats, but if we did similar spying and monitoring, say of our neighbors, we'd be thought of as creepy or stalking.

Okay...done venting... :(
 
Can it get any worse?

Equifax violated standard practice when it created a new website for users to put in their personally identifiable information to see if they were involved in the breach. This is exactly what users are told to watch out for to prevent phishing attacks. The site equifaxsecurity2017.com had problems with how it was setup and whether it was even secure.

A rival website securityequifax2017.com was created to mock the Equifax efforts. Then Equifax themselves mixed up the site names and sent official tweets that sent users to the mock site.

https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring

Yeah I saw that. Couldn't believe they used a different domain name for users to enter sensitive personal data and find info. And now this! Unbelievable! :facepalm:

Supposedly they hired expert consultants to guide them out of their predicament and help handle the PR? Not impressed!
 
Taking a step back and thinking about the credit bureau business in general. Isn't that kind of like legal blackmail?

1) We (being ordinary citizens) didn't volunteer our information
2) Credit activities we do get recorded and monitored and get used against us if our score is low
3) Getting access and corrections to inaccurate reports are up to us to prove who we are

I'm sure there's more.

Sure, I do agree with the need to weed out the deadbeats, but if we did similar spying and monitoring, say of our neighbors, we'd be thought of as creepy or stalking.

Okay...done venting... :(

The extortion part is having to pay them for protection - freezes and monitoring.
 
1) We (being ordinary citizens) didn't volunteer our information

I don't like any of this either, but I'm not sure the above is accurate.

Whenever we do an activity that affects our credit, I have to believe that somewhere deep in the contract those credit card companies and other credit grantors disclose that they will report our information to the credit bureaus and by using that credit we consent to them sharing this information.

Most people would say that it's pretty hard to navigate the modern USA without things like mortgages, credit cards, various loans, and renting apartments, but in theory, at least, you have the option of not using any of those and not having a credit file.
 