
US Senate report on Equifax breach [pdf] - otterley
https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf
======
JaRail
Just skimmed the table of contents. Looks like the vast majority of the report
is investigating their patch policy. Okay. Fine. It was bad. But really, I
think they missed the point.

What I really wanted to see was some discussion about how vulnerable the
entire US identity system is in the first place. The data is mostly valuable
to hackers because there's an assumption that anyone with a birthday, social
security number, etc is the person they claim to be.

A verified twitter account shouldn't be more secure than the best the
government can offer. Governments need to step up with a modern identity
system. Having one secret social security number for life is ridiculous.
Having to do financial transactions in-person at a bank so you can present
your driver's license and sign with a pen is ridiculous.

You shouldn't need to use a social security number directly. There should be a
token system where you authorize companies to reference your data. Just like
using twitter to sign into another service. You verify that you're actually
the owner of that identity.

The US needs to learn that social security numbers were never meant to be used
as identifiers. It's awful. Just fix the real problem.
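The "token system" sketched above (authorise a company to reference your record instead of handing over the SSN, OAuth-style), written out as an added example. This is not code from the post, from Equifax or from any real identity scheme: the claim names, the HMAC-based signing and the demo keys are assumptions chosen to keep it self-contained. The identity provider derives a pairwise pseudonym per relying party and signs a short-lived, audience-bound token over it; the relying party verifies signature, audience, expiry and scope before trusting anything, and never sees the SSN.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed demo keys held only by the identity provider (IdP). Constructed
# values; a real deployment would use an asymmetric signing key in an HSM
# and a revocation check, neither of which this demo models.
IDP_SIGNING_KEY = b"demo-signing-key-not-for-production"
IDP_PAIRWISE_KEY = b"demo-pairwise-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_reference(ssn: str, audience: str) -> str:
    """Opaque per-relying-party handle. The same person gets a different
    reference at every company, so leaked references cannot be correlated
    across companies and none of them reveals the SSN."""
    mac = hmac.new(IDP_PAIRWISE_KEY, f"{audience}|{ssn}".encode(), hashlib.sha256)
    return _b64url(mac.digest()[:16])


def issue_token(subject_ref, audience, scopes, ttl_seconds, now=None):
    """IdP side: the user has just authenticated and approved `scopes`
    for `audience`. Returns body.signature, both base64url."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject_ref, "aud": audience, "scope": sorted(scopes),
              "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, audience, needed_scope, now=None):
    """Relying-party side (shares the HMAC key with the IdP in this demo).
    Returns (claims, "ok") or (None, reason). The signature is checked
    before any claim is parsed or trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    body, sig = parts
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64url(sig), expected):
            return None, "bad signature"
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if claims.get("aud") != audience:
        return None, "wrong audience"      # minted for a different company
    if now >= claims.get("exp", 0):
        return None, "expired"
    if needed_scope not in claims.get("scope", []):
        return None, "scope not granted"   # the user never authorised this use
    return claims, "ok"


def tamper(token):
    """Flip the last character of the body: simulates a relying party or
    attacker editing the claims. The signature covers the encoded body text,
    so any change is caught."""
    body, sig = token.split(".")
    last = "A" if body[-1] != "A" else "B"
    return f"{body[:-1]}{last}.{sig}"


if __name__ == "__main__":
    ref = pairwise_reference("123-45-6789", "lender-a")   # constructed SSN
    tok = issue_token(ref, "lender-a", {"credit:read"}, ttl_seconds=300)
    print(tok)
    print(verify_token(tok, "lender-a", "credit:read"))
    print(verify_token(tok, "lender-b", "credit:read"))
    print(verify_token(tamper(tok), "lender-a", "credit:read"))
```

The point to notice is what the lender receives: a reference that is meaningless to anyone else, bound to that lender and to one use for five minutes. Lose the lender's database and you have lost nothing that opens credit elsewhere, which is the property the current SSN-as-password arrangement lacks.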

~~~
maxerickson
Social Security numbers are explicitly identifiers. What they are not is
authentication.

The Real ID act was aimed at making driver's licenses more useful as
authentication/proof of identity. Whether it constructively did that is a
separate question.

~~~
JaRail
Sorry, I might not have been clear. What I was referencing there is that they
were never meant to be used as identifiers for people outside of the social
security system. People are not born with social security numbers. A lot of
people in the US don't have them. If you ran a daycare, you couldn't use
social security numbers to track the kids in your customer database. You
wouldn't be able to use them with the parents either because they (should) be
afraid to give them to you. If they did give them to you, you'd have no way to
verify them. It's not the intended purpose.

Real ID was basically just adding citizenship info to your driver's license so
you didn't need to also carry your passport. It didn't fix any financial fraud
issues.

~~~
toast0
> People are not born with social security numbers. A lot of people in the US
> don't have them.

If you're born in a US hospital, you kind of are born with a SSN; through a
program called Enumeration at Birth [1]. It's not mandatory, and many people
aren't born in a hospital, and certainly a great many people aren't born in a
US hospital.

Enumeration at Birth wasn't around when I was born, I believe my parents had
my siblings and me enumerated at the same time; I'd guess when it was requested
for school enrollment.

[1]
https://secure.ssa.gov/poms.nsf/lnx/0110205505

~~~
JaRail
Hadn't heard that. I thought most people still just applied for them when they
wanted to start working. Helpful improvement.

~~~
toast0
Even before enumeration at birth, parents would often want to get a SSN for
their children as it was a requirement to claim them on federal taxes.

------
halter73
Most of the security higher-ups at Equifax interviewed for this report seem
pretty humble. Most admitted they made some mistakes and oversights that
allowed a publicly accessible Apache Struts server containing so much
private data to go unpatched for months leading to the massive breach. The
"former Countermeasures Manager" appears to have learned nothing from the
breach however.

> The former Countermeasures Manager at Equifax served in an acting and then
> permanent capacity from 2016 to 2017. He believed Equifax suffered a
> cybersecurity breach because of a “sophisticated” and “highly motivated”
> adversary. He added that, “if asset management was a perfect silver bullet
> then perhaps this may not have happened.” He told Subcommittee staff that he
> does not think the Countermeasures team could have done anything differently
> in response to the March 2017 vulnerability. He was as surprised as anyone
> that Equifax suffered a breach because of the “combination of the
> sophistication of the attack and the talent at Equifax. We had rock stars at
> Equifax who were de facto pillars in the field.” The former Countermeasures
> Manager believes the response to the vulnerability was “not only defensible,
> but justifiable.”

~~~
meddlepal
Posturing for his next management/executive gig.

~~~
kjar
“Rockstars” OK?

------
rectang
The focus of this report on "cybersecurity" is misdirection. Applying security
patches slightly faster is not a solution — so long as the data exists, it
will leak.

The real problem is that Equifax treats data which rightfully belongs to
individuals as its own, and the solution is to give individuals control over
their own data.

~~~
g051051
It's not "data which rightfully belongs to individuals". It's data that
belongs to the institutions reporting to the CRAs. CRAs are data aggregators.
Everything they have on you was either gathered from public records or was
sent to them from an institution that you do business with.

The real problem is that we use publicly available, non-secret data to
establish identity. Instead, we need a secure, unique personal identification
system, as well as tougher punishments for people that commit identity-based
fraud and theft.

~~~
rectang
> _Everything they have on you was either gathered from public records or was
> sent to them from an institution that you do business with._

That is _precisely_ the data that rightfully belongs to individuals. It should
be much, much harder for companies to collect it and sell it.

"Data is a toxic asset." — Bruce Schneier

Pretending that a "secure" system can be devised which will protect that data
is irresponsible, because it is impossible. The data _will_ leak eventually.

When it does, under the current regime, the damage inflicted on individual
victims is wildly disproportionate. Equifax is the analogue to a gross
polluter dumping dioxin into a community's backyards. But getting damages
proportionate to the harm out of Equifax is hopeless, because US laws do not
acknowledge the toxicity of data.

The US needs something like the GDPR in order to protect us from grotesquely
harmful institutions like the CRAs. We are in the early days of the internet,
akin to the early days of the industrial revolution — before the harm that
toxic chemical pollution causes was recognized and regulated.

~~~
g051051
> That is precisely the data that rightfully belongs to individuals.

That is precisely what it's _not_. Your existence isn't a secret. Things like
your address, phone number, and legal information are freely available from a
variety of sources. When you do business with banks or other lending
institutions, you are explicitly granting them the right to exchange your
payment information with other institutions and CRAs. When you seek or attain
employment, you are told if the company makes use of some service like The
Work Number for previous employment and salary tracking.

> Pretending that a "secure" system can be devised which will protect that
> data is irresponsible, because it is impossible. The data will leak
> eventually.

This is sadly true.

> grotesquely harmful institutions like the CRAs

Without CRAs, how would companies judge your credit worthiness? Access to
credit and loans would be much more difficult, and would be much more
expensive, without them. Or some similar mechanism to share that sort of
information.

Again, the harm doesn't come from the CRAs. A CRA doesn't grant an identity
thief access to your accounts, or open credit in your name. That's the banks,
CC companies, utilities, etc. who will open accounts with insufficient proof
of identity.

It's not the _data_ that's toxic, it's the misuse of it. Allowing accounts to
be opened or accessed with easily searched or guessed information is where the
real problem is.

~~~
mikeash
“When you do business with banks or other lending institutions, you are
explicitly granting them the right to exchange your payment information with
other institutions and CRAs.”

It’s not like we have a choice. Every such business participates. I suppose
it’s possible to avoid credit reporting by not having a bank account or
utilities or a job, but that’s not a very practical way for most people to
live.

I don’t see the point in blaming banks instead of credit reporting agencies.
They’re all part of one big system that works together. All parts of the
system make it the way it is. It’s no more sensible to try to blame an
individual component of the system than it is to debate whether to blame a
murderer’s hands or his legs.

~~~
g051051
You need to put the blame where it lies. CRAs simply aggregate data. They
aren't the ones that grant credit. If someone opens a CC in your name, it
wasn't the CRA that did it. So blame the bank or CC company for not
sufficiently verifying identity.

Think about how the process works. A criminal goes online and applies for a
CC, using your personal information. The CC company goes to a CRA to check
credit worthiness. The CRA says "Sure, mikeash is a responsible person who
pays his debts on time". The CC company says "Great!" and hands the criminal
an account in your name. It's the CC company that didn't do the due diligence
to verify that it was really you.

However, since the Equifax hack and the resulting backlash, the CRAs have
started offering much greater consumer control to consumers. Equifax has a
free service that allows you to keep your information locked and actually
notify you in real time when a request is made, that you can block or allow as
you wish. Basically 2FA for credit. If the other CRAs don't have that service,
they soon will.

~~~
mikeash
CRAs could insist on positive verification of identity before they tell anyone
about my credit history. If they did, they’d fix the problem. Because they
don’t, they assist in abuses. Why would I not consider them to share the blame?

~~~
g051051
I don't say they shouldn't share the blame. But simply telling a bank that you
pay your bills on time isn't related to establishing identity. "Does mikeash
pay his bills on time?" "Yes, mikeash pays his bills on time" "Good! Let me
open this account for John Smith".

~~~
mikeash
You literally said that I need to put the blame where it lies and that it lies
with the banks.

A third party I’ve never interacted with gives out my private information
without first asking for my permission. This is a crucial step in a common
pattern of fraud. If they asked me for permission before they gave out my
private info, it would shut down this entire type of fraud. They are fully
aware of all of this, and continue with business as usual anyway. How is any
of this ok?

~~~
g051051
> A third party I’ve never interacted with gives out my private information
> without first asking for my permission.

But they don't give out private information. They don't get anything but some
aggregate data about how well you pay your bills, i.e. how many accounts are
open, how many have been paid late in the last 30 days, etc.

> If they asked me for permission before they gave out my private info, it
> would shut down this entire type of fraud.

That is now possible with the two CRAs:

TransUnion: https://www.transunion.com/product/transunion-credit-protection

Equifax: https://www.equifax.com/personal/products/credit/credit-lock-alert/

Experian and Innovis: I didn't see anything similar, but I'd be shocked if it
wasn't imminent for them as well.

~~~
rectang
Everyone is still opted-in by default! The human tragedies will continue at
nearly the same pace.

These locks just provide a way to shut up the outlier loudest complainers and
a rationale for victim-blaming everyone else. ("You could have locked your
credit, you know...") By what right do the CRAs demand individual consumers'
time and protection money?

It is incredibly frustrating to see these feckless, disingenuous half-measures
cited as progress. It only confirms to me the futility of collaborating on
market-based solutions with market players whose interests would be harmed by
meaningful solutions.

I wish it didn't come down to imposing regulations, because regulations truly
harm market efficiency. But what choice are we left with?

~~~
g051051
> I wish it didn't come down to imposing regulations, because regulations
> truly harm market efficiency. But what choice are we left with?

But that's what we need. But what do our "leaders" think when people rant and
rave without showing they even understand the problem?

Citizen: I need you to do something about identity theft!

Lawmaker: Yes, it's clear we need to get some regulation in this space.

C: I'm tired of getting turned down for loans, or having credit cards opened
in my name! We need to shut down the CRAs!

L: ... Uh, you know that CRAs don't actually do that? It's your bank or credit
card company that opens the account, they're the ones that need to verify
identity to make sure that people are who they claim to be...

C: Don't try to defend them! They kept me from buying a car!

L: ... Thank you, citizen. I'll get right on it. Vote Quimby!

------
fpgaminer
Relatedly I discovered that a credit freeze with Equifax means exactly
nothing.

Apparently all it takes to lift a freeze with them is your name, address, SSN,
and phone number. They do not ask for the pin that was setup. They don't do
any other verification. That's all you need.

At least, that was the case when I did a temporary lift the other day. Imagine
my horror when I sat there, pin in hand ready to punch it in, only to be
presented with the successful lift screen already...

> He believed Equifax suffered a cybersecurity breach because of a
> “sophisticated” and “highly motivated” adversary.

Given my experience above, I very much doubt there was any sophistication
required. You can probably go to Equifax's admin page and just punch in the
name of the CEO, telephone and address for Equifax's HQ, and be on your merry
way.

~~~
g051051
This is the best, least biased write-up of the breach that I've seen. It's
still fairly damning, but the upshot is that it took a very serious second
attack team to actually capitalize on the flaws that were present:
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

~~~
x0x0
Or it's a pile of nonsense from a company desperate to deflect blame. How
could poor poor Equifax defend itself against foreign governments?

The reality is Equifax are lazy stupid idiots who

* couldn't patch well known holes in infra for months (note that a 2 engineer startup could do better by e.g. running rails and checking bundler-audit on every deploy);

* disabled their IDP because they didn't keep a cert up-to-date;

* didn't _notice_ their disabled IDP FOR 10 MONTHS because lazy stupid incompetent;

* strongly appear to have no internal access controls, so regular app users in the db could exfiltrate the entire DB without creating any internal alerts

In contrast to the self-serving nonsense in the Bloomberg article, there was
nothing sophisticated here. These people couldn't get the most basic things
right, all part of the most very basic security posture: patch known holes.
Regularly verify such patching. Run an IDP. Verify the IDP is running. Have
controls around odd behavior or bulk queries for the DB users running on your
front-end boxes.
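The last bullet and the closing sentence (controls around odd behaviour or bulk queries from the DB accounts used by front-end boxes) are the kind of thing a detection engineer would turn into a rule. Here is an added example of that rule, not code from the post and not anything Equifax ran: it reads per-statement query-audit lines in a constructed format (an assumption; a DB audit plugin or proxy would emit something similar), keeps a sliding window per DB account, and alerts when a front-end account returns far more rows than its baseline or starts touching tables it never needs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed query-audit lines in an assumed format (one line per
# statement). Not Equifax data; the account and table names are invented.
SAMPLE_AUDIT = """\
2017-05-13T02:00:01Z user=webapp_ro db=disputes table=cases rows=1
2017-05-13T02:00:04Z user=webapp_ro db=disputes table=cases rows=3
2017-05-13T02:00:09Z user=reports db=disputes table=cases rows=4200
2017-05-13T02:01:12Z user=webapp_ro db=disputes table=consumer_pii rows=1
2017-05-13T02:05:30Z user=webapp_ro db=disputes table=consumer_pii rows=250000
2017-05-13T02:06:02Z user=webapp_ro db=accounts table=customers rows=12
2017-05-13T02:06:10Z user=webapp_ro db=accounts table=cards rows=7
2017-05-13T02:06:15Z user=webapp_ro db=hr table=employees rows=9
2017-05-13T02:06:20Z user=webapp_ro db=hr table=salaries rows=2
2017-05-13T02:06:31Z user=webapp_ro db=audit table=logins rows=3
garbled line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"db=(?P<db>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_line(line):
    """One audit line -> dict, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "db": m["db"],
            "table": m["table"], "rows": int(m["rows"])}


def detect_bulk_reads(lines, window_seconds=600, max_rows=5000, max_tables=5):
    """Sliding-window baseline per DB account. A front-end app account
    normally returns a handful of rows per request from a few tables; a
    dump returns huge row counts, and lateral browsing touches tables the
    app never needs. Fires once per (account, reason) to avoid flooding;
    a real pipeline would re-arm after the window drains."""
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        rows_in_window = sum(e["rows"] for e in q)
        tables_in_window = {(e["db"], e["table"]) for e in q}
        checks = (("row_volume", rows_in_window > max_rows),
                  ("table_spread", len(tables_in_window) > max_tables))
        for reason, tripped in checks:
            if tripped and (ev["user"], reason) not in fired:
                fired.add((ev["user"], reason))
                alerts.append({"user": ev["user"], "at": ev["ts"].isoformat(),
                               "reason": reason, "rows": rows_in_window,
                               "tables": sorted(tables_in_window)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_AUDIT.splitlines()):
        print(alert)
```

On the sample, the reporting account's 4,200-row query stays under its threshold, while the web app's read-only account trips row_volume on the 250,000-row read of consumer_pii and then table_spread as it wanders into accounts and HR tables. Thresholds should come from the account's own history rather than the constants used here, and the row_volume rule is the one that catches the exfiltration described in the report, where the dump itself was never the event that set off an alert.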

~~~
g051051
> Or it's a pile of nonsense from a company desperate to deflect blame. How
> could poor poor Equifax defend itself against foreign governments?

Bloomberg has plenty of criticism, they just don't wrap it in the shrill
click-bait headlines of other "news" outlets.

> note that a 2 engineer startup could do better by eg running rails and
> checking bundler-audit on every deploy)

On systems a fraction of the size, with a fraction of the traffic, and not
under a constant withering assault from hackers.

~~~
x0x0
the point -- which I believe you deliberately missed -- is the tools are
available from the very beginning to know if you are shipping code with known
CVEs. It's easily available. I'm not sure why you're invested in pretending
this is super hard, or that it isn't extremely easy to do correctly _if_ it is
a company priority to do so.

At their scale, it's also straightforward to build and maintain the list of
sites you're running, what's running them, and the versions of libs in place.
Particularly because you can have dedicated engineering for the above. It
really comes down to whether it's a corporate priority or not.

~~~
g051051
> I'm not sure why you're invested in pretending this is super hard, or that
> it isn't extremely easy to do correctly if it is a company priority to do
> so.

The enormous amounts of money and time that companies spend on this problem,
and still not get it right, disproves your assertion of simplicity.

~~~
x0x0
And yet there's lots of examples of companies that aren't trivially breached,
and can promptly roll patches for CVEs.

~~~
g051051
And just as many that are breached in spite of their best efforts. Perfect
security is impossible.

~~~
x0x0
Let's not shift the goalposts from competent to perfect.

~~~
g051051
Even _competent_ security is difficult, especially at the scale that large
companies operate at. Attackers are very sophisticated, and patient.

~~~
x0x0
Your implicit claim that it's difficult to

1 - know what assets are on what domains

2 - know the code backing them

is belied by the many competent orgs that do that. And the fact that it's
table stakes for a reasonable security posture.

Further, it's not that technically challenging, not least because it can be
human automated. Detection tools are available right here:
https://www.metasploit.com for $0. You can have
a human run that once a week against your web properties and do way way better
than Equifax. Because Metasploit would have alerted on the Struts vuln.

It's also not rocket science to have a member of a security team run that
against a list of web properties (that can be trivially sourced from your DNS
server even if they bypassed internal deployment processes).

Nothing about this is sophisticated beyond basic computer skills -- grabbing
known sites from your security docs, backing that up with DNS entries,
alerting on anything missing, and running metasploit from a script. Unless, of
course, you're hellbent on claiming the above is super duper hard.
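The procedure described in the comments above (keep a list of sites, what runs them and the library versions in place; back the list with your DNS entries; alert on anything missing; check versions against the advisory) as one added example in code. It is not from the post and not Equifax's tooling: the zone excerpt, the inventory and the advisory are constructed, and the affected version ranges are illustrative stand-ins, not taken from any real advisory. In practice the zone would come from an AXFR or the DNS provider's API, the inventory from the deployment pipeline, and the advisory from the vendor or a vulnerability feed; the reconciliation logic is what stays the same.

```python
import re

# Constructed zone-file excerpt (assumed names; not Equifax's).
ZONE_EXCERPT = """\
$ORIGIN example.com.
$TTL 300
@            IN NS    ns1.example.com.
www          IN A     192.0.2.10
dispute      IN A     192.0.2.11
legacy-api   IN CNAME dispute.example.com.
mail         IN MX    10 mx1.example.com.
; host someone re-pointed without telling security
old-portal   600 IN A 192.0.2.12
"""

# Documented inventory: host -> (component, version), as the deployment
# process records it. Constructed.
INVENTORY = {
    "www.example.com": ("struts", "2.5.12"),
    "dispute.example.com": ("struts", "2.3.25"),
}

# Advisory in the shape a vulnerability feed would give. The ranges are
# illustrative placeholders; take the real ones from the vendor advisory.
ADVISORY = {"component": "struts",
            "affected": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]}

HOST_RTYPES = {"A", "AAAA", "CNAME"}          # records that name a reachable host
OTHER_RTYPES = {"NS", "MX", "TXT", "SOA", "SRV"}


def hosts_from_zone(zone_text):
    """Collect FQDNs carrying address-type records. Handles $ORIGIN,
    relative names, '@', optional TTL/class fields and ';' comments."""
    origin = ""
    hosts = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".")
            continue
        if tokens[0].startswith("$"):          # $TTL and friends
            continue
        rtype = next((t for t in tokens[1:] if t in HOST_RTYPES | OTHER_RTYPES), None)
        if rtype not in HOST_RTYPES:
            continue
        name = tokens[0]
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}" if origin else name
        hosts.add(fqdn)
    return hosts


def parse_version(text):
    """'2.3.25' -> (2, 3, 25); compares correctly where string comparison
    would put 2.3.5 after 2.3.31."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(version, ranges):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def reconcile(zone_text, inventory, advisory):
    """Three findings for a weekly job: hosts DNS knows about that the
    inventory does not (nobody is patching those), inventoried hosts on an
    affected version of the advisory's component, and inventory entries
    that DNS no longer serves (stale records that hide real drift)."""
    dns_hosts = hosts_from_zone(zone_text)
    undocumented = sorted(dns_hosts - set(inventory))
    vulnerable = sorted(
        host for host, (component, version) in inventory.items()
        if component == advisory["component"] and is_affected(version, advisory["affected"])
    )
    stale_inventory = sorted(set(inventory) - dns_hosts)
    return {"undocumented": undocumented, "vulnerable": vulnerable,
            "stale_inventory": stale_inventory}


if __name__ == "__main__":
    for finding, hosts in reconcile(ZONE_EXCERPT, INVENTORY, ADVISORY).items():
        print(f"{finding}: {hosts}")
```

Two hosts show up in DNS that the inventory never heard of, which is exactly the case the report describes: a scanner pointed at the documented list will never test them. The version check is deliberately numeric rather than string-based; the developer in the report compared his versions against the list in the alert by eye, and a tuple comparison against the advisory's ranges is what removes that step from the critical path.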

~~~
g051051
So your proposal is to use _less_ automation, and rely on a human to do a
scan? That's one of the reasons Equifax got into this problem in the first
place.

None of this is trivial, and you saying it is would indicate you really don't
understand modern computer security issues. _This is hard_, and it's
unfortunately easy to get wrong. And it's a space where even a tiny failure
can lead to large consequences. Not that the Equifax failures were
particularly tiny, but it was clearly more than they could handle.

------
brianpgordon
> Website owners install Secure Sockets Layer (“SSL”) certificates to protect
> and encrypt online interactions with their servers. If an SSL certificate
> expires, transactions are no longer protected. As part of an IT management
> effort unrelated to the Apache Struts vulnerability, Equifax installed
> dozens of new SSL certificates on the night of July 29, 2017, to replace
> certificates that had expired. This included a new certificate for the
> expired SSL certificate for its online dispute portal. The SSL certificate
> needed to be up-to-date to properly monitor the online dispute portal, but
> had expired eight months earlier in November 2016. Almost immediately after
> updating the SSL certificate, company employees observed suspicious internet
> traffic

Obviously "if an SSL certificate expires, transactions are no longer
protected" is just wrong, so what were they _trying_ to say here? Maybe
Equifax's internal monitoring tools were refusing to connect to the target
host because of the expired cert?

~~~
colek42
From my understanding the monitoring client would refuse to connect due to the
expired cert.
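The failure mode in this sub-thread, a verifying monitoring client that silently stops seeing traffic once the server's certificate expires, is cheap to catch before it happens. Here is an added example of the check, not code from the post or from Equifax: an expiry audit over an inventory of hosts. The hostnames and notAfter values are constructed; they are in the string format that ssl.SSLSocket.getpeercert() reports, and the online helper fetch_not_after() is how a real run would fill the inventory. A handshake that fails verification is reported as expired rather than ignored, because that is precisely the condition under which a TLS-inspecting IDS or monitor has just gone blind.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory: host -> notAfter as getpeercert() reports it.
# Assumed hostnames, not Equifax's. A value of None means the certificate
# could not even be fetched with verification on (see fetch_not_after).
SAMPLE_INVENTORY = {
    "dispute-portal.example.com": "Nov 20 12:00:00 2016 GMT",
    "www.example.com": "Aug 10 00:00:00 2017 GMT",
    "api.example.com": "Dec 31 23:59:59 2018 GMT",
}


def fetch_not_after(host, port=443, timeout=5):
    """Online helper. Returns the leaf certificate's notAfter string, or
    None when the verifying handshake fails (expired, wrong name, untrusted
    issuer). Verification is left on deliberately: a verifying client is
    what the monitoring tools are, so its failure is the finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except (ssl.SSLError, OSError):
        return None


def classify(not_after, now, warn_days=30):
    """'expired', 'expiring' (within warn_days) or 'ok' for one host."""
    if not_after is None:
        return "expired"
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if expiry <= now:
        return "expired"
    if expiry - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def audit(inventory, now_iso=None, warn_days=30):
    """Group hosts by status. `now_iso` is an ISO-8601 timestamp with
    offset (e.g. '2017-07-29T00:00:00+00:00'); defaults to the wall clock.
    The 'expired' bucket is the one that should page someone."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    report = {"expired": [], "expiring": [], "ok": []}
    for host, not_after in sorted(inventory.items()):
        report[classify(not_after, now, warn_days)].append(host)
    return report


if __name__ == "__main__":
    # Evaluate the constructed inventory on the night in the report's quote.
    for status, hosts in audit(SAMPLE_INVENTORY, now_iso="2017-07-29T00:00:00+00:00").items():
        print(f"{status}: {hosts}")
```

Run against the constructed data with the clock set to 29 July 2017, the dispute-portal certificate has been expired for eight months, the www certificate is inside the warning window, and the API host is fine. The job is only useful if the inventory it walks is complete, which is the same asset-management problem raised elsewhere in this thread; the cert that matters is the one on the host nobody listed.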

------
odomojuli
The specificity of the chapter titles seems almost comical, as if generated by
a Markov chain, but unfortunately they are real and terrifying in their
negligence.

~~~
mushufasa
That these titles are full sentences is brilliant. The writers know most
senators, staffers, and media never read the actual reports.

------
canada_dry
The report outlines what can best be described as a fly-by-the-seat-of-your-
pants Info Security shit-show.

It's mind boggling how these folks are responsible for the credit monitoring
(i.e. financial security) of millions of people.

I wouldn't trust them with my family's secret brisket recipe let alone
anyone's personal financial data.

------
wyldfire
> While Equifax’s Countermeasures team is responsible for writing, testing,
> and installing signatures and rules ...

With so many articles talking about Equifax's incompetence, I guess I'm a
little surprised that they even have a Countermeasures team.

> ... his office was using two different versions of Struts and that neither
> was among the versions listed as vulnerable in the alert. He requested
> confirmation that his conclusion was accurate and noted that the business
> impact could be quite heavy if he was incorrect.

Sadly, the business impact ultimately seems much less significant than you
might imagine.

> The senior manager that the developer ultimately reported to did receive the
> alert but did not forward it to the developer or anyone else on the
> developer’s team. As a result, this developer did not receive the GTVM alert
> about the Apache Struts vulnerability.

I wonder if individual devs could/should subscribe to these CVEs? Is that
possible? Not that this dev should have, but that you might not want to
rely on your company's bureaucracy to figure out important stuff like this.

------
gist
I think says it all about how worthless (in a corrective sense) this report
and investigation was:

From "Recommendations (1)":

> Congress should pass legislation that establishes a national uniform
> standard requiring private entities that collect and store PII to take
> reasonable and appropriate steps to prevent cyberattacks and data breaches.

So there you have it. 'Reasonable and appropriate'. There is such a large
amount of room to wiggle in a statement like that it is laughable (with a
complex subject like this).

~~~
sjy
It's not sufficient to put a bill to a vote, of course, but it's not
worthless. Other recommendations could have been "prosecute Equifax executives
for breaking existing laws," or "do nothing, because federal regulation won't
solve this problem." The US has been making important legal decisions (about
the constitutionality of bills, or the guilt of people who kill in self-
defence, for example) on the basis of a reasonableness standard for centuries.

------
tekkk
From my short experience at monolithic corporations I can only sense the level
of corporate bullshit that has been and still is going on in that place (Equifax).
It seems that when that incompetency reaches hazardous levels this is the end
result.

I have been thinking about why and how such systems could be mended and what I
thought was, that when the majority of the system (Equifax managers, other
employees) act as immovable inertia to any positive change by either
obstructing or dismissing it, there should be a system in place that allows
single actors to hit the so-called emergency button. But to have that kind of
system in place, it requires at least one person at the top to have competency
which seems to be a quite unlikely requirement.

It always fascinates me that in many organizations I have been and read about,
the regular employees often _knew_ about the problems they have had and _knew_
that something should have been done about it. I guess it's just that apathy
that gets you when your superiors don't seem to care when you complain, hence
causing a downwards spiral and morale deprivation.

------
ExDeveloper
Why are corporations like Equifax even permitted to exist in their current
form, and collect data on individuals with whom they have no direct business
relationship without their informed consent? These breaches will continue
until we learn that data is more dangerous to retain than nuclear waste.

------
mgleason_3
"...AND SUFFERED A DEVASTATING DATA BREACH" Even the title fails to
acknowledge that WE suffered from their breach.

They took our most personal financial information without our permission, made
money from it and completely failed to protect it. These A-#&@# should have
gone to jail.

The fact that people can say something as stupid as "they did nothing illegal"
and possibly be correct is exactly why we need privacy laws.

------
doggydogs94
Every time a Windows hater slams Microsoft, I like to remind them of this
exploit. It will be years before a Windows vulnerability rivals the damage
from the Equifax hack.

------
catacombs
What a scathing report.

What's even more horrifying by Equifax's complete incompetence before, during
and after the data breach is the fact the company is still making money, no
one lost his or her job and no one went to jail.

I hope this report will spur Congress to hold Equifax executives accountable.

~~~
txcwpalpha
> no one lost his or her job

Eh? Both the CSO and CIO lost their jobs over this. They "retired", but that's
simply a nice way of saying they were fired.

> no one went to jail

I struggle to see why anyone in this situation should be in jail. They did
nothing illegal. At worst, as this report shows, they were woefully
incompetent. If there was a person who had maliciously caused deficiencies in
their security or knowingly disobeyed relevant regulations, that might be
worthy of jailtime. But the moment we start putting people in jail just
because they're bad at their jobs... we'd have to imprison half of the
country.

This is actually a huge issue with the security industry right now. It is very
difficult to find qualified people to fill CISO roles because the general
consensus is that their company _will_ be hacked (either from a 0-day or from
a long-lasting, hard-to-kill vulnerability that has been present since long
before the new CISO arrived), and the CISO will be blamed. As it is, most
qualified security practitioners would much rather choose a consulting
position where they don't have to worry about being blamed. Now imagine how
worse that situation would be if you started threatening every CISO who got
hacked not just with being fired and publicly shamed, but with jailtime, too.

~~~
rectang
It _should_ be hard to fill CISO roles because most companies collect an
excess of toxic PII data.

Over time, perhaps more companies will learn how to avoid aggregating such
data, and gravitate towards business models with smaller liability exposure.

~~~
txcwpalpha
PII or not, companies are still going to be hacked. PII isn't even amongst the
most valuable types of data that attackers are after, nor is it the most
damaging type of data for a company to lose.

It should be hard to fill CISO roles because companies should have high
standards and should be looking for the best of the best to fill those roles.
But that's not what I'm talking about. There is a decent sized pool of
qualified security practitioners that _could_ be CISOs, but none of them want
to be because the current way things work is that they will inevitably get
fired and shamed for something that they had little control over. That's not
good for them, and it's not good for us, because you know what's worse than a
company having a lot of insecure PII? A company that has a lot of insecure PII
that also doesn't have a CISO.

------
tuke
Weird how the report itself doesn't have a date.

------
exabrial
Probably start by having someone with a STEM degree be the chief security
officer, not a music education degree.

~~~
leesalminen
The best developer I’ve ever met had a music degree. Performance clarinet, at
that.

~~~
manquer
While degrees are not required for doing a good job, it is also likely you
would not go to a doctor without one. An organization is interested in
accountability, and degrees provide that validation to some extent.

A degree does not mean anyone is fully qualified for a job, just as not having
a degree does not mean he cannot do it. The damning part at Equifax is that the
CISO did not have any prior experience in this domain (likely your friend had
worked as a developer before).

------
notinversed
This report is brutal, it goes into great detail about the technical
incompetence in many areas.

Yet Equifax is doing better than ever. No new laws, no reform, nobody goes to
jail. All the rich people get to keep their money.

Thoughts and prayers.

~~~
m-p-3
My financial institution was the subject of an internal security breach (rogue
employee who managed to get his hands on millions of customers private
information like social insurance number, DOB, etc) and what do we get offered
to protect from identity theft? A five year subscription to Equifax..

~~~
kalenx
Out of curiosity (not trying to be snarky here, I really want to know), what
should be offered by Desjardins? I mean, no amount of money can prevent
identity theft and I do not see hundreds of ways to reduce the risks --
especially ways that do not involve Equifax or Transunion...

Realistically, apart from the obvious "this shouldn't have happened in the
first place", what more could they be doing?

~~~
sl1ck731
New SSN and a personal Equifax "slave" to update it anywhere and everywhere
its used in my life would be a good start.

They can offer a couple years of their BS identity protection, but your
identity is ruined forever. Your SSN doesn't rotate or expire. There should be
no time limit on any remedy they provide.

~~~
kalenx
Can they actually provide new SSN? I mean, these are government issued, and
I'm not inclined to think that the government will suddenly allow 3M people
(basically 10% of the country) to suddenly change SSN. I fail to see what the
bank can do about it.

~~~
sl1ck731
Exactly. If they can't properly remedy the situation regarding data they
choose to keep then they never should have been allowed to be in business at
all.

