
Apache Struts Statement on Equifax Security Breach - Randgalt
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
======
mevile
The problem is that Equifax put within webserver's reach information that had
no business being there. Apache Struts' vulnerability is unfortunate, but it
shouldn't have been the keys to the kingdom, where the kingdom is the personal
information of nearly the entire US adult population with a credit history. If
I knew a service relied only on the security of a web server to protect deeply
personal information such as my name and SSN I'd never sign up. We didn't have
that choice with Equifax.

Having said that, definitely keep up on the vulnerabilities of software you
use. It's hard though, especially when you're relying on a great deal of
dependencies. A company the size of Equifax should have had a team dedicated
to this. A team. It doesn't seem like they had anyone who knew anything about
basic security at all.

~~~
tptacek
This is a problem, yes, but I think it's worth keeping the perspective that
it's a practically universal problem.

That doesn't mean we should be letting Equifax off the hook. But nobody should
pretend that RCE on an on-prem webserver wouldn't be game-over, for the entire
internal network, across the majority of the Fortune 100.

We have as a society chosen to trade the security of our personal information
for greater and cheaper access to products and services. Nobody on HN will
like that fact (at least, as stated bluntly like that; plenty of them do like
the increase to their earnings capability that results from that tradeoff),
but it's generally true.

~~~
harshreality
> But nobody should pretend that RCE on an on-prem webserver wouldn't be game-
> over, for the entire internal network, across the majority of the Fortune
> 100.

You certainly have more experience with this than the vast majority of the
rest of us, but with that kind of data on millions of people, shouldn't it be,
and why isn't it, standard practice to put servers storing that data behind an
extremely limited API, with a firewall in place to monitor queries and
responses and severely rate-limit or stop additional traffic if something
suspicious happens, until the monitoring people can take a look?

~~~
tptacek
Because that not only adds operational expense but also requires engineering
teams to have a level of systems engineering expertise and diligence that
virtually no line-of-business software project has.

~~~
ethbro
*adds operational expense without a counterparty willing to pay for that expense

Those with data on Equifax's servers aren't Equifax's customers, so other than
"not having a PR cluster&#@_" economic incentives are not aligned to prevent
this.

~~~
sillysaurus3
It's probably best to treat Equifax specially rather than making an example
out of them for the rest of the industry to follow.

~~~
concede_pluto
If they aren't qualified to design with least privilege, what _are_ they
qualified for, beyond maybe cat videos?

~~~
tptacek
I've spent about half my professional career finding vulnerabilities in the
software of developers who are convinced they're "qualified to design with
least privilege".

------
smaili
_Our general advice to businesses and individuals utilizing Apache Struts as
well as any other open or closed source supporting library in their software
products and services is as follows:

1\. Understand which supporting frameworks and libraries are used in your
software products and in which versions. Keep track of security announcements
affecting these products and versions.

2\. Establish a process to quickly roll out a security fix release of your
software product once supporting frameworks or libraries need to be updated
for security reasons. Best is to think in terms of hours or a few days, not
weeks or months. Most breaches we become aware of are caused by failure to
update software components that are known to be vulnerable for months or even
years.

3\. Any complex software contains flaws. Don't build your security policy on
the assumption that supporting software products are flawless, especially in
terms of security vulnerabilities.

4\. Establish security layers. It is good software engineering practice to
have individually secured layers behind a public-facing presentation layer
such as the Apache Struts framework. A breach into the presentation layer
should never empower access to significant or even all back-end information
resources.

5\. Establish monitoring for unusual access patterns to your public Web
resources. Nowadays there are a lot of open source and commercial products
available to detect such patterns and give alerts. We recommend such
monitoring as good operations practice for business critical Web-based
services._
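Point 5 above (monitoring for unusual access patterns) and harshreality's suggestion upthread (a limited API with rate limiting that stops traffic until someone looks) describe the same control. The following is an added example, not part of the Apache statement or any comment in this thread: a small monitor that reads Common Log Format lines, tracks each client's request rate in a sliding window, blocks a client that exceeds its budget, and raises a separate alert when server errors come in a burst. The log lines, client addresses, thresholds and window size are constructed for the example.

```python
"""Monitor a web access log for unusual access patterns.

Added example (not from the Apache statement or the thread). Two signals are
tracked: a client whose request rate in a sliding window exceeds a budget, and
a burst of 5xx responses. Decisions and alerts are returned as data so that a
rate limiter or an operator can act on them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


class AccessMonitor:
    """Sliding-window rate budget per client plus a global error-burst detector."""

    def __init__(self, window=timedelta(seconds=10), per_client_budget=5, error_burst=3):
        self.window = window
        self.budget = per_client_budget          # requests allowed per client per window
        self.error_burst = error_burst           # 5xx responses per window that trigger an alert
        self.per_client = defaultdict(deque)     # ip -> timestamps of requests in the window
        self.errors = deque()                    # timestamps of 5xx responses in the window
        self.blocked = set()                     # clients held until an operator reviews them
        self.alerts = []                         # (kind, ip, timestamp)

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, rec):
        """Feed one parsed record; return "ok" or "blocked"."""
        now = rec["ts"]
        if rec["ip"] in self.blocked:
            return "blocked"
        dq = self.per_client[rec["ip"]]
        dq.append(now)
        self._trim(dq, now)
        if len(dq) > self.budget:
            self.blocked.add(rec["ip"])
            self.alerts.append(("rate", rec["ip"], now))
            return "blocked"
        if rec["status"] >= 500:
            self.errors.append(now)
            self._trim(self.errors, now)
            if len(self.errors) >= self.error_burst:
                self.alerts.append(("error_burst", rec["ip"], now))
                self.errors.clear()
        return "ok"


# Constructed sample log (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2017:12:00:00 +0000] "GET /app/orders HTTP/1.1" 200 512
198.51.100.7 - - [10/Sep/2017:12:00:01 +0000] "GET /app/orders HTTP/1.1" 200 512
203.0.113.5 - - [10/Sep/2017:12:00:01 +0000] "POST /app/orders HTTP/1.1" 500 210
203.0.113.5 - - [10/Sep/2017:12:00:02 +0000] "POST /app/orders HTTP/1.1" 500 210
203.0.113.5 - - [10/Sep/2017:12:00:02 +0000] "POST /app/orders HTTP/1.1" 500 210
203.0.113.5 - - [10/Sep/2017:12:00:03 +0000] "POST /app/orders HTTP/1.1" 200 118
203.0.113.5 - - [10/Sep/2017:12:00:03 +0000] "POST /app/orders HTTP/1.1" 200 118
203.0.113.5 - - [10/Sep/2017:12:00:04 +0000] "POST /app/orders HTTP/1.1" 200 118
198.51.100.7 - - [10/Sep/2017:12:00:30 +0000] "GET /app/profile HTTP/1.1" 200 640
"""


def run(log_text, **monitor_kwargs):
    """Run the monitor over a log; return (per-line decisions, alerts)."""
    monitor = AccessMonitor(**monitor_kwargs)
    decisions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            decisions.append(monitor.observe(rec))
    return decisions, monitor.alerts


if __name__ == "__main__":
    decisions, alerts = run(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(decision.ljust(8), line)
    for kind, ip, ts in alerts:
        print(f"ALERT {kind}: {ip} at {ts.isoformat()}")
```

With the constructed thresholds the first client trips the error-burst alert on its third 5xx and is then held once it exceeds five requests in the ten-second window; the second client's two requests are thirty seconds apart, so the window trims the first before counting the second. In production the blocked set would feed a rate limiter or WAF rule and the alerts a paging system, which is the "until the monitoring people can take a look" part of the suggestion.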

~~~
upstarter
> 1\. Understand which supporting frameworks and libraries are used in your
> software products and in which versions. Keep track of security
> announcements affecting these products and versions.

This issue is solved by having your server OS download and install security
updates automatically, which amounts to more or less uncommenting 1 line of
config.

 _Edit:_ Downvoter(s), please comment.

~~~
solomatov
I am not the downvoter (and I didn't downvote you) but I'll explain why it
won't help. Struts is packaged as a jar file which is distributed inside of
the war file which is basically the application. The Struts jar is an
essential part of the application and it can't be updated separately by the
OS.
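Because the framework ships inside the WAR rather than as an OS package, the inventory in point 1 of the Apache advice has to be built from the application artifact itself. The following is an added example, not code from the thread or from the Apache project: it opens a WAR, lists the jars under WEB-INF/lib/, reads each jar's META-INF/MANIFEST.MF for the Implementation-Title and Implementation-Version attributes (an assumption that holds for most Maven-built jars; it falls back to the artifact-version.jar file name otherwise), and flags any library whose version is below a floor you set from the vendor's advisory. The WAR, the jars and the version numbers are constructed for the example; the version floors are placeholders, not real advisory data.

```python
"""Inventory the libraries bundled inside a WAR archive.

Added example (not from the thread or the Apache project). A WAR is a zip whose
WEB-INF/lib/ holds the application's jars, so the OS package manager never sees
them; this script lists those jars and flags versions below a configured floor.
"""
import io
import re
import zipfile

# Version floors come from the relevant security announcement. The values here
# are PLACEHOLDERS constructed for the example, not real advisory data.
MINIMUM_SAFE_VERSIONS = {
    "struts2-core": "0.0.2",   # placeholder: substitute the fixed version from the advisory
    "example-lib": "1.2.0",    # placeholder, constructed library name
}

# Conventional Maven file name: <artifact>-<version>.jar
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_manifest(data):
    """Parse MANIFEST.MF: 'Key: value' lines; a leading space marks a continuation line."""
    attrs = {}
    last_key = None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        if raw.startswith(" ") and last_key:
            attrs[last_key] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def version_tuple(v):
    """'2.5.12' -> (2, 5, 12) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def inventory_war(war_bytes):
    """Return [(artifact, version, source)] for every jar under WEB-INF/lib/."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            artifact = version = source = None
            # Prefer the manifest's Implementation-* attributes (assumption: Maven-built jars set them).
            try:
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    if "META-INF/MANIFEST.MF" in jar.namelist():
                        m = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
                        artifact = m.get("Implementation-Title")
                        version = m.get("Implementation-Version")
                        source = "manifest"
            except zipfile.BadZipFile:
                pass  # a corrupt nested jar still gets a chance via its file name
            if not (artifact and version):
                match = JAR_NAME_RE.match(name.rsplit("/", 1)[-1])
                if match:
                    artifact, version, source = match["artifact"], match["version"], "filename"
            if artifact and version:
                found.append((artifact, version, source))
    return found


def outdated(inventory, floors=MINIMUM_SAFE_VERSIONS):
    """Return inventory entries whose version is below the configured floor."""
    return [e for e in inventory
            if e[0] in floors and version_tuple(e[1]) < version_tuple(floors[e[0]])]


def build_sample_war():
    """Constructed sample WAR: one jar with a manifest, one identifiable only by file name."""
    def jar(manifest):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            if manifest is not None:
                z.writestr("META-INF/MANIFEST.MF", manifest)
            z.writestr("com/example/Dummy.class", b"")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/struts2-core-0.0.1.jar",
                     jar("Manifest-Version: 1.0\r\nImplementation-Title: struts2-core\r\n"
                         "Implementation-Version: 0.0.1\r\n"))
        war.writestr("WEB-INF/lib/example-lib-1.2.0.jar", jar(None))
    return buf.getvalue()


if __name__ == "__main__":
    inv = inventory_war(build_sample_war())
    for artifact, version, source in inv:
        print(f"{artifact} {version} (from {source})")
    for artifact, version, _ in outdated(inv):
        print(f"UPDATE NEEDED: {artifact} {version} < {MINIMUM_SAFE_VERSIONS[artifact]}")
```

Running this over every deployed WAR, rather than over the source tree, catches the case the comment describes: a build that was patched in the repository but never redeployed. The same walk applies to EAR files and to fat jars, which nest jars one level deeper.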

------
gedy
This is not Struts' "fault"... An entity like Equifax cannot hold such private
info and power over our finances, then not have multiple layers of protection
to prevent this. You expect bugs in user facing software, so you protect
against breaches so that you don't expose 140 MILLION damn records.

~~~
luckydata
You could stop at "An entity like Equifax cannot hold such private info and
power over our finances"

Credit rating is an instrument of control used by banks and credit card
organizations to force us into debt we don't want.

This system is CRAZY and I don't understand why normally anti-establishment
and "leave me alone" Americans so sheepishly agree to be involved in a system
that hurts our individual liberties every day.

When I came to this country the "credit score" system was the single most
incomprehensible thing about American society. Still is.

~~~
ams6110
> why normally anti-establishment and "leave me alone" Americans so sheepishly
> agree to be involved

Because it's a private system, and it's at least theoretically voluntary.
Nobody forces you to get credit cards or borrow money.

Credit cards are immensely convenient. I hardly ever carry cash anymore. I buy
everything from coffee to lunch to groceries to gasoline using credit cards,
and pay the balance every month. If I had to make arrangements to always carry
cash to cover those sorts of expenses, it would be frustrating.

~~~
umanwizard
Can't you use a debit card?

~~~
tayo42
Debit cards don't have the same protection as credit cards.

~~~
howlgram
Please tell me why, I don't get it

~~~
tayo42
Chargebacks and protection against fraud are the biggest reasons I think.

------
orange_county
Apache brings up a good point about having layers of security. I wonder how
Equifax was storing the data. Was it just plain text files?

------
solomatov
As a Java developer, this gives me the lesson not to use smart meta
programming facilities, like reflection, where possible. You reduce the amount
of code, but at the cost of making your protocols injectable to arbitrary code
often in unobvious ways.

~~~
tannhaeuser
That's a good conclusion to take away. But reflection and dynamic bytecode
manipulation is used in Java all over the place. Class loaders are a core Java
feature, and reflection is used in almost all modern annotation-based packages
for DB access, object serialization, remoting, dependency injection, etc.

Heck, any JITing language requires process images allowed to execute code in
dynamic memory segments, such that basic NoExecute hardware features can't be
used. Combine this with Java server-side apps being run in a single
process/address space, and I hope you can see that, if nothing else, from a
security PoV Java is a dead end.

------
idibidiart
PCI anyone?

------
0xbear
Not The Onion: Equifax's "chief security officer" majored in Music
Composition:
[https://www.linkedin.com/in/susan-m-93069a/](https://www.linkedin.com/in/susan-m-93069a/).
How did she even get this job?

~~~
DavidWoof
I honestly couldn't care less what she majored in a quarter century ago. Do
you honestly believe a CS bachelors degree from a couple of decades ago would
have any relevance to information security today?

~~~
0xbear
Certainly more relevance than a Music degree. Having been a security
researcher in the past would have helped too, but that's not on the menu
either.

I would like to understand the thought process that resulted in hiring a Music
major to run an organization in charge of protecting one of the largest troves
of PII in the history of mankind.

~~~
watwut
Around 5 years into career, it does not matter what you studied or whether you
finished. It matters only what you do now and how old you are. The process
starts with music major getting job out of music industry and then working her
way up the corporate ladder just as anybody else ever worked his way up -
except with having some disadvantage in the beginning.

~~~
0xbear
Do you apply this line of reasoning to your doctors and lawyers as well?

~~~
wglb
Check what batchelor degrees the majority of Lawyers have. It might surprise
you.

Most practicing programmers that are called engineers are not trained in
Engineering either. Computer Science is not Engineering.

~~~
0xbear
What's a "batchelor" degree? If you meant "bachelor", I was quite pleased to
see that the surgeon who was about to operate on me also had a pre-med
engineering degree from MIT.

~~~
wglb
What undergraduate degree do your lawyers have?

------
throwaway699552
Interesting to also note that the "workaround" listed in the first
announcement by the Apache Struts team was wrong. I followed the directions
and my web application was still vulnerable. They have since updated it, but
without an announcement.

------
yogthos
I think this highlights the general problem of Java EE style architecture.
There are many moving pieces and many permutations of how they interact
together. It's practically impossible to understand it in its entirety, and
thus impossible to guarantee that it's secure. You're basically plugging holes
as you find them, but you're never sure that there aren't more holes you don't
know about.

~~~
w4tson
I call bullshit.

The EE ecosystem while not perfect is basically a best in class framework for
everything we've learned about building business apps over the last 20
years.

~~~
makomk
CVE-2017-9805 is yet another deserialization vulnerability from a language and
set of frameworks that seem designed to produce an endless stream of
deserialization vulnerabilities. This should very much reflect on Java EE.
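solomatov's comment upthread (a protocol that resolves code from its input becomes "injectable to arbitrary code") and makomk's point here that CVE-2017-9805 is a deserialization flaw describe the same mechanism: the serialized stream names the class to instantiate, so whoever controls the stream chooses what code runs. The following is an added example, not code from the thread, from Struts or from Apache, and it is in Python rather than Java because Python's pickle has exactly this property and can be demonstrated in a few lines. It shows the defensive pattern the Java world later adopted for ObjectInputStream filters: resolve only class names on an explicit allowlist and reject everything else before any object is built. The Order class and the two sample streams are constructed for the example.

```python
"""Allowlisted deserialization, added as a Python analogue of the Java problem.

Added example (not from the thread or any project named in it). pickle calls
find_class() for every class name it meets in the stream; overriding it with
an allowlist means untrusted input can only produce the types you expect.
"""
import io
import pickle
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Order:
    """The one application type this endpoint is expected to receive."""
    item: str
    quantity: int


# (module, name) pairs that the unpickler may resolve. Order.__module__ is used
# rather than a literal so the allowlist matches however this file is imported.
ALLOWED = {(Order.__module__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        # Reject before instantiation: no constructor or __reduce__ callable ever runs.
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allowlist")


def safe_load(data):
    """Deserialize untrusted bytes; return (True, value) or (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams: one carrying the expected type, one carrying a
# harmless but unexpected type (Fraction) that the stream asks to instantiate.
SAMPLE_TRUSTED = pickle.dumps(Order("widget", 3))
SAMPLE_UNEXPECTED = pickle.dumps(Fraction(1, 2))


if __name__ == "__main__":
    print(safe_load(SAMPLE_TRUSTED))     # (True, Order(item='widget', quantity=3))
    print(safe_load(SAMPLE_UNEXPECTED))  # (False, 'refusing to resolve fractions.Fraction: ...')
```

The unexpected stream is rejected at name-resolution time, which is the property that matters: the decision is made on the class name alone, before the deserializer has built anything. Note that plain `pickle.loads` would happily construct the Fraction, and would just as happily resolve any other importable name the stream asked for; the allowlist, not the data format, is what makes the endpoint safe to expose.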

~~~
Lightbody
Normalized by usage I would be surprised if it's actually as high as you
suggest. The more popular a platform is, the more attention from bad actors
there will be. Every platform has had similar vulnerabilities along the way.

For example:

[https://www.google.com/search?q=rails+rce&ie=UTF-8&oe=UTF-8&...](https://www.google.com/search?q=rails+rce&ie=UTF-8&oe=UTF-8&hl=en-us&client=safari)

