Equifax: Let the Blame Game Begin

Equifax Blames Apache –> Apache rebuts; in the end Consumers still Lose

Equifax appears to be blaming a vulnerability in the Apache Software Foundation’s Apache Struts Web Framework, according to a post on Apache.org.  The post by the Apache Struts Project Management Committee (PMC) notes the assumption that the Equifax breach may have relied on a vulnerability in the Struts framework that was disclosed on September 4, 2017. The post points out that if the attackers relied on this vulnerability, it would have been a zero-day exploit, since the issue was not known until well after the attacks, which began in mid-May of 2017.  Furthermore, the PMC’s post acknowledges that the flaw described in CVE-2017-9805 may have existed in the code for nine years; however, it was not a known issue during that time, and the PMC asserts that as soon as Apache became aware of the issue a fix was developed and made available.

The PMC’s post goes on to outline a few key steps that businesses and individuals using Apache Struts (or any other supporting software) should implement:

  1. inventory the frameworks and libraries you are using in your software development and products and maintain visibility into new releases, patches, vulnerabilities, etc. for each of those;
  2. create and utilize a process to test and roll out security fixes in shorter time periods (e.g. days vs. weeks);
  3. don’t build your products on the assumption that the software you are using is flawless;
  4. create security layers — don’t create a situation where a breach from the presentation (e.g. webpage layer) can endanger underlying back-end data; and
  5. establish baselines to monitor for unusual traffic or data flows which will help to identify network anomalies and potential intrusions and exfiltrations.
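Step 1 of the PMC’s list, keeping an inventory of the frameworks you ship and matching it against published advisories, is the one that would have surfaced a vulnerable Struts build before an attacker did. The script below is an added example written for this post; it is not code from the PMC, Apache, or Equifax. It parses a constructed Maven `pom.xml` fragment (namespace-aware, since real POMs declare one), builds an inventory of `groupId:artifactId:version` triples, and compares each against a small advisory table. The CVE identifier is the one named above; the affected version bounds in the table are placeholder values constructed for the example, not the real advisory range, and the function and variable names are the author’s own.

```python
"""Dependency inventory check against an advisory list.

Added example for this post, not code from the Apache Struts PMC or Equifax.
Assumptions: the dependency manifest is a Maven pom.xml, advisories are
expressed as [min_affected, fixed_in) version ranges, and versions are
dotted integers with an optional qualifier (e.g. 2.5.12-beta).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from any real project). The xmlns is the
# standard Maven POM namespace, included so the parser handles namespaced tags.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>safe-lib</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory table: (cve, groupId, artifactId, min_affected, fixed_in).
# The version bounds are PLACEHOLDERS for the example, not the real CVE range;
# a real feed (e.g. an OSV or NVD export) would supply them.
ADVISORIES = [
    ("CVE-2017-9805", "org.apache.struts", "struts2-rest-plugin", "2.0.0", "2.5.99"),
]


def parse_version(version: str) -> tuple:
    """Turn '2.5.12-beta' into (2, 5, 12); pads short versions to three parts."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]   # drop qualifier/build metadata
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}groupId' -> 'groupId'."""
    return tag.rsplit("}", 1)[-1]


def inventory_from_pom(pom_xml: str) -> list:
    """Return [(groupId, artifactId, version), ...] for every <dependency>."""
    root = ET.fromstring(pom_xml)
    inventory = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in el}
        g, a, v = fields.get("groupId"), fields.get("artifactId"), fields.get("version")
        if g and a and v:
            inventory.append((g, a, v))
    return inventory


def find_affected(inventory: list, advisories: list) -> list:
    """Match inventory entries whose version falls in [min_affected, fixed_in)."""
    findings = []
    for g, a, v in inventory:
        pv = parse_version(v)
        for cve, ag, aa, lo, hi in advisories:
            if (g, a) == (ag, aa) and parse_version(lo) <= pv < parse_version(hi):
                findings.append({"cve": cve, "artifact": f"{g}:{a}",
                                 "version": v, "fixed_in": hi})
    return findings


if __name__ == "__main__":
    for f in find_affected(inventory_from_pom(SAMPLE_POM), ADVISORIES):
        print(f"{f['cve']}: {f['artifact']} {f['version']} (upgrade to >= {f['fixed_in']})")
```

Running it against the sample manifest reports the Struts REST plugin entry and nothing for the unrelated library. In practice the advisory table is refreshed from a vulnerability feed on a schedule, and the check runs in CI so that a newly published advisory fails the build within the short roll-out window step 2 asks for.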

<opinion>

Dear Equifax:

Please wake up and realize that finger-pointing, trying to blame Apache or any other software product, in addition to the incredibly poor timing of the executive stock option sales before this breach was made public, are not going to help you in the court of public opinion, nor in any court of law where jurors may sit.

As a consumer, and a business professional it would have been reassuring to learn that the breach was only to grab encrypted records, since that is how you should be storing our data, or to learn that you were giving those executives the boot since the mere appearance of impropriety was tantamount to deceit and malfeasance.  However, you chose instead to state that the executives had no idea there had been a breach days after it was discovered (in spite of the fact that the breach had been underway since mid-May) and then to assert that it wasn’t really your fault since the attacker used an exploit to exfiltrate unencrypted records.  Furthermore, if Equifax had done input validation or sanitization then the vulnerability in struts could not have been exploited in the first place, see this post from Imperva.

Needless to say, at this early stage in the game, Equifax’s handling of this breach since it was discovered appears to be a case study in what not to do.  As Equifax’s shares continue their downward movement and as consumers and businesses alike start to realize the repercussions of this breach, it is unlikely that Equifax has issued a single statement or taken a single step to help themselves, or their consumers and users.

Several days after the breach was disclosed, some Equifax executives were able to sell their stock at $145-$146/share — today Equifax shares closed at $113.12.  Meanwhile 143M of us are waiting to sign up for “free” credit monitoring so we can see when someone tries to use this data to steal our identities.  However, as the OPM breach taught us, data is worth so much more than just identity theft.  Once you get enough data points on a person the sky’s the limit.

In short, thanks for encrypting our precious data that would have cost you a little bit of money and would have slowed down some of your back-end processes but would have made the attackers work a whole lot harder to grab our data (in a readable and usable format).

Sincerely,

John Q. Public


We have covered this in a few other posts recently: Round Up (09/11); Equifax: Perception = Reality (09/08); Equifax: 143M Americans breached (09/07).

Authors

Professor William Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project.

Christopher W. Folk

Christopher W. Folk is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

Anna Maria Castillo is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review.

Jennifer A. Camillo

Jennifer A. Camillo is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara J. Pistorese holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin Zaiser is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)
