
Equifax Argentinian portal secured with admin/admin - mjcl
https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/
======
tptacek
I used to jokingly call my Matasano partner daveg "admin/admin", because he
would unironically check for admin/admin before testing in earnest. You'd
laugh, because in our field you're supposed to break in with a memory
corruption exploit that you worked out remote and black-box. But there he is,
every Nth test (for single-digit N's), with an admin login.

This stuff is a lot more common than we like to acknowledge.

Unrelated tale of interest: I did my first web pentest in 2005 (I've been
doing security work since '94-95, but I was a developer for several years
before 2005 and missed the start of web pentesting). And, I shit you not, the
very first input I tested --- a login form --- had a 'OR''=' SQL injection on
a plaintext password lookup. It warped my expectations for what to expect on
web pentests for years.

~~~
Tade0
I don't work in security, but _most_ of the routers that I ever wanted to gain
access to had some type of default credentials like admin/admin or
admin/abc123 etc.

~~~
0xfeba
I've found that in the last few years they have had generated, pretty difficult
passwords printed on the side. At least, consumer routers...

------
milkytron
Given over a month to examine the breach in private, you'd think they would
have checked and remediated this massive security flaw. It makes me wonder,
did anyone working on the Argentina site know about the US breach? Did anyone
try raising a flag saying, "Hey guys... maybe we should change this
admin/admin login?"

And if so, what response did they get?

There are just too many questions to ask, and I'd love for every single one of
them to be answered with honesty, but my hope at this point is dwindling.

Everything in the news about Equifax just exclaims all the worst possible
words one can use to describe a company.

~~~
foobarian
It seems to me that the systematic incentives in place with EFX simply do not
require good security.

Security is expensive. But fraud/breaches at a CC company hit the wallet
directly and hence it is relatively cheaper to invest into securing their
infrastructure. With EFX though, there is no direct loss of revenue; it is the
CC companies that are hit. Until now there was no directly measurable effect
of their security practices and so it didn't incentivize any investment. And
lastly these are old organizations with old systems and a lot of momentum, and
again without a correcting force.

If someone was starting up a new credit reporting agency today can you imagine
the security/compliance/auditing gauntlet they would have to run through to
even open the doors? Very interesting events indeed.

~~~
yeukhon

        If someone was starting up a new credit reporting agency
        today can you imagine the security/compliance/auditing 
        gauntlet they would have to run through to even open the
        doors? Very interesting events indeed.
    

Perhaps, but you'd be surprised to learn fintech / new insurance companies
aren't compliance ready, especially at launch time when they are already
serving customers (in fact, I doubt some of them were even licensed when they
first started). As long as you can dodge the ball / ask for an extension, you are
fine. This is why you'd hire a skillful security compliance officer to
negotiate with the auditors. Or, you can choose to run your startup in stealth
mode first, and then slowly deal with the laws.

My experience with compliance is not in the fin/banking industry, and perhaps
doesn't apply to anybody at all. When I had to deal with SOX compliance, I
just had to make sure audit logs were in place and they were exported to a
safe and auditable log, along with clear documentation about where things
were, roles and privileges of different user groups, how accounts are
created/terminated/updated etc, whether we have backups or not.

If you say developers must have access to this production S3 bucket, totally
cool, for as long as the manager responsible for this system is aware (if
written down somewhere, even better). The auditors don't care about the actual
implementation. If your internal site superuser login is admin/admin, they
don't care. If you allow public access to a secret portal, they don't care.
Your boss signs off on the risk, the auditor is happy to move on to the next item.
Auditors don't care how many times you back up a day, or which copy is retained
for 7 years as per SOX; as long as you did everything SOX requires, you are
good.

YOU DO NOT tell auditors how your system actually works because that's digging
a grave for yourself. You sell your system to the auditor like speaking to a
customer, with as little information about the backend as possible. This is
called minimizing the impact zone. If your system runs on five different DBs, has
ten micro-services, a couple of monitoring and alerting tools, and a dozen other
things, well, please do not tell them all of the above. Choose what you can
present and what you can defend. Limit what you show.

The auditor just wanted to see if there were logs and whether management had
any clue what was going on. Don't spill the secrets so they won't question
(e.g. do not tell them there is a publicly accessible secret portal).
Communicating with an auditor is a very mindful skill, not something to be taken
lightly. If you encounter a very technical auditor, yes, you'd face a tougher
interview, but they are not there to judge your incompetence, just going to
keep asking questions till you spill secrets, then HAHA, they now have
something to write.

For an institution like Equifax, there are too many holes to cover up at once,
so they will limit exposure as much as possible. I'd say being a credit agency
they also have leverage, although that's just my conspiracy: all four agencies
work with each other to make sure no one's credit is affected by compliance
report... No one wants to piss off a credit agency.

~~~
liberte82
I work with auditors regularly, can confirm. Naively believed in my first year
of employment that this was a cooperative relationship with them there to help
us understand our security weaknesses. Boy was I corrected on that quickly!

------
kitotik
Very thankful for the security community keeping up the diligence on this.

If this can manage to stay in the news cycle for several more days, something
may actually be done. Otherwise, (and this seems far more likely) the world
will move on, Equifax will rebrand, and the cycle will continue...

~~~
outoftacos
I hope more public security shaming like this happens, consequences and
lawsuits be damned. This is getting too tiresome, we've been tolerating
incompetence and bad management for too long.

~~~
AnimalMuppet
Yes, this is incompetence. Gross, egregious, horrible incompetence.

Problem is, though, it only takes one incompetent person - or even one person
making a mistake one time - to open the door for a massive breach. Requiring
perfection of humans in order to maintain security... that's not a workable
approach.

Yes, this was inexcusable. But also, our current approach to security is
fatally flawed.

~~~
tambienben
So what approach do you recommend?

~~~
Kluny
Criminal charges against the company for security negligence. Seize their
assets and close them down.

Back in the 90's hackers used to get criminal charges for getting into secure
systems. Now tech companies are a little more intelligent about it and they
pay bounties to hackers. It should go all the way in the other direction
though, the responsibility for getting hacked should fall on the company that
gets hacked for their shit security.

------
cddotdotslash
What legal protections do "security researchers" have to conduct this kind of
investigation? After getting into the panel by using the admin/admin default,
they continued to click around, clicked into user accounts, exposed passwords,
etc. I understand the value of what they're doing (and their own internal
policies to not release said data), but as far as I'm aware, there is no law
that would protect them if Equifax decided to attempt to get them prosecuted
under the Fraud/Abuse Act.

Every time there's a big-name company in the news, all the various security
firms seem to go to town seeing who can break into the rest of their systems
first. Regardless of intention, it still seems potentially criminal.

------
nkrisc
If it's not, this level of negligence should be criminal. There is no security
ignorance left to claim on this day and age. I hope we learn the details of
the US Equifax breach, and I hope for them it's nothing like this one.

~~~
busterarm
I wonder if people do this on purpose when they really hate their client.

I know I've considered it.

------
djrogers
I suppose at this point nothing about Equifax's security should surprise us,
but this... this is just... wow.

------
sickmartian
Yes, this is stupid. One thing to note though, DNI is not supposed to be secret
or used as a secret in practice.

~~~
conanbatt
Right: when Americans mention that SSN should not be used as a secret, I have
to remind myself that it actually is. DNIs are as good as public, it really
doesn't matter.

------
conanbatt
admin/admin is jokingly terrible, but I can find sympathy: it's probably
laziness that got it there. But storing plain text passwords on a
data-sensitive site? Or plain text passwords at ANY point.

Veraz is a piece of shit also (I'm Argentinian), much like the US
counterparts.

~~~
0xfeba
Do you know if the web portal is behind TLS?

------
GFischer
The Argentinean site was created by an Equifax-acquired company that was
called Veraz (that's why the site is called Veraz).

Most of the Equifax subsidiaries used to be different companies, and when I
worked there they all had different technology stacks.

It's even worse than in the U.S. in some cases - in Uruguay, the ONLY credit
bureau was acquired by Equifax, so if it goes down, so does the financial
industry.

On the other side, SSN equivalents (DNI - National Identity Document in
Argentina and CI - Identity Card) in Uruguay and Argentina are NOT treated as
a secret in the same way as they are in the U.S. - most every company has
access to them, and you can even request access to an API to call them (as
noted by other commenters -
[https://news.ycombinator.com/item?id=15234806](https://news.ycombinator.com/item?id=15234806)
).

Uruguayan cards now have chips and biometric facilities too.

Still, more gross negligence on Equifax's part. The Uruguayan operation was
run pretty tightly, I was really surprised to learn that in the U.S. and
Argentina they were not.

------
SubiculumCode
Needs to be sued out of existence. Send a message to corporate America:
Protect Sensitive Data.

~~~
ryandvm
I'm sure Equifax has far more sway with the regulators than consumers. Nothing
is going to change and Equifax isn't going to suffer more than a few million
dollars in symbolic fines.

------
stevennexus
For a company that is supposed to be responsible for a lot of private data,
they aren't very good at security. Makes me wonder how much better or worse
the other credit bureaus are.

~~~
sparky_
Hope for the best but expect the worst.

------
packetized
a play, in two parts:

[https://imgur.com/a/krXIz](https://imgur.com/a/krXIz)

additionally, the Twitter account claiming responsibility (@real_1x0123, on
Friday, Sep 08) for the webshell/compromise just protected their tweets. this
will turn out to be much more interesting than it has been thus far.

~~~
Kluny
Some of those are down already. Here's their salesforce login though:
[https://help.equifax.com/login](https://help.equifax.com/login)

Here's the login for their finance blog: [https://blog.equifax.com/wp-login.php](https://blog.equifax.com/wp-login.php)

admin/password and admin/admin don't work on that one. It lets you keep
trying passwords for a pretty long time, maybe possible to brute force.

I haven't been able to get through any of the others with admin/admin as well.
Maybe someone is on the job.

I can't help thinking of how on-the-ball companies like Yahoo, GitHub and
DreamHost are about security breaches for much lower-stakes information. This
whole story is so pathetic. Makes me think the company is being run by people
like my dad, who is barely capable of using a computer for YouTube and the
news, and is constantly fearful and paranoid of "cyber" threats, but won't
take the most basic steps to educate himself or take precautions.

~~~
packetized
Sure was up last Thursday. Cached results are being scrubbed from Google. The
point I'm attempting to illustrate here is that someone appears to have had a
PHP web shell on a force.com endpoint.

~~~
Kluny
Yeah, I was just poking through the others to see if I could score any more
easy wins :)

------
hossbeast
This is a business extinction event for Equifax, right?

~~~
jacquesm
Not a chance. Though they might change their name to Equifix.

------
pharrington
gross/negligence

