
House Oversight Committee Report on Equifax Breach [pdf] - chair6
https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
======
txcwpalpha
> The attackers transferred this data out of the Equifax environment,
> unbeknownst to Equifax. Equifax did not see the data exfiltration because
> the device used to monitor ACIS network traffic had been inactive for 19
> months due to an expired security certificate.

> Equifax had allowed over 300 security certificates to expire, including 79
> certificates for monitoring business critical domains.

(on page 2 of the Executive Summary)

I've been following the Equifax breach story but this is the first I'm hearing
about the expired certificates. That is shockingly bad.

I'm a little disappointed in the final "conclusion" of the report, though. The
end of the executive summary basically chalks the breach up to two things:
"Equifax's IT management structure was complicated" and "Equifax uses legacy
software that is hard to secure". These _are_ valid points, but these are also
issues that nearly every single major corporation in the world faces, and yet
many of them still manage to prevent (or at least mitigate) major breaches.
These aren't good enough reasons to explain why Equifax failed so
spectacularly compared to every other bureaucratic company with legacy
software.

Also, I know this report isn't meant to be a remediation strategy roadmap, but
it's also pretty disappointing that the recommendations section is basically
just 3 pages of fluffy, vague, "X and Y should work together to increase
cybersecurity" bullshit. Such a high profile incident would have been a great
time for the federal government to really show some leadership (or at least
strong guidance) in this realm, but they really didn't. I mean hell, at least
link your recommendations to the NIST Cybersecurity Framework...
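The expired-certificate detail quoted above is the kind of thing a routine inventory check catches long before 19 months pass. The following is an added example, not code from the thread or from the report: a small Python audit over a certificate inventory that flags expired and soon-to-expire certificates, ranks monitoring-device certificates above ordinary ones, and reports how many days each lapsed monitoring certificate may have left its device blind. The inventory, hostnames and dates are constructed for illustration; the date strings use the notAfter format that Python's ssl.getpeercert() returns, so the parser is the stdlib one.

```python
"""Certificate-expiry audit of a monitoring inventory (added example)."""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory of certificates an organisation tracks. The
# 'monitoring' flag marks certificates installed on traffic-inspection or
# sensor devices: if one of those lapses, the device may quietly stop
# decrypting or forwarding traffic. Hostnames and dates are assumptions.
INVENTORY = [
    {"name": "acis-portal.example.com",
     "not_after": "Mar  1 00:00:00 2019 GMT", "monitoring": False},
    {"name": "ssl-visibility-01.example.com",
     "not_after": "Jan  1 00:00:00 2016 GMT", "monitoring": True},
    {"name": "ids-sensor-02.example.com",
     "not_after": "Aug 15 00:00:00 2017 GMT", "monitoring": True},
    {"name": "intranet.example.com",
     "not_after": "Dec 25 00:00:00 2017 GMT", "monitoring": False},
]

# Fixed reference date so the run is reproducible (constructed).
DEFAULT_NOW = datetime(2017, 7, 29, tzinfo=timezone.utc)


def parse_not_after(value):
    """Turn a notAfter string in ssl.getpeercert() format into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(entry, now=DEFAULT_NOW, warn_days=30):
    """Label one certificate EXPIRED, EXPIRING (within warn_days) or OK."""
    remaining = parse_not_after(entry["not_after"]) - now
    if remaining <= timedelta(0):
        state = "EXPIRED"
    elif remaining <= timedelta(days=warn_days):
        state = "EXPIRING"
    else:
        state = "OK"
    return {"name": entry["name"], "state": state,
            "days": remaining.days, "monitoring": entry["monitoring"]}


def audit(inventory=INVENTORY, now=DEFAULT_NOW, warn_days=30):
    """Classify every certificate, worst first; within the same state a
    monitoring certificate ranks above an ordinary one so a blind sensor
    is never buried under web-server renewals."""
    rank = {"EXPIRED": 0, "EXPIRING": 1, "OK": 2}
    findings = [classify(e, now, warn_days) for e in inventory]
    findings.sort(key=lambda f: (rank[f["state"]], not f["monitoring"], f["days"]))
    return findings


def blind_spots(findings):
    """Map each lapsed monitoring certificate to the number of days the
    device behind it has potentially been blind (days since expiry)."""
    return {f["name"]: -f["days"]
            for f in findings if f["monitoring"] and f["state"] == "EXPIRED"}


if __name__ == "__main__":
    results = audit()
    for f in results:
        tag = "[monitor]" if f["monitoring"] else ""
        print(f"{f['state']:8} {f['days']:6d}d {tag:9} {f['name']}")
    for name, days in blind_spots(results).items():
        print(f"gap: {name} may have been blind for {days} days")
```

The ordering is the point: with a few hundred certificates in the list, an expiry report sorted by date alone puts a sensor's certificate next to a dozen harmless intranet renewals, whereas ranking monitoring certificates first turns "300 expired certificates" into "two sensors have been blind for over a year" at the top of the page.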

~~~
danShumway
If the House's conclusion is that software of this complexity is impossible to
secure, then it seems reasonable that we should treat any data stored in it as
insecure. Maybe companies as complex as Equifax shouldn't have access to the
data they have access to.

I'm pretty tired of companies telling me that it's fine for them to hoover up
extremely sensitive information like my social security number and then
turning around after a breach and saying, "well, there was nothing we could
do."

It can't be both. If it's impossible to secure companies, then maybe Marriott
shouldn't be asking for anybody's real name when they sign up for a hotel.
Maybe we should stop using credit agencies for identity verification and start
investing government resources into a separate 2-factor system. Maybe you
should have a legally protected right to lie to businesses that ask for your
personal information.

Equifax leaked personal information for 50% of the US population. If you were
voting, and there was a 50% chance that your ballot and voting history was
going to be leaked publicly after the election, you would expect either:

A) Someone is so incompetent that they're going to jail, or

B) The system we're using is so fundamentally broken that we need to rethink
the core paradigms of how it's built.

To me, a report like this sounds like the House is saying that where corporate
security is concerned, B is the answer.

~~~
jonwachob91
> maybe Marriott shouldn't be asking for anybody's real name when they sign
> up for a hotel

It's important to distinguish that it wasn't actually Marriott that had the
data breach. It was Starwood Resorts, now a Marriott-owned entity, but at the
time of the breach it was not a Marriott property. Marriott is being
attributed as the guilty party because they now own Starwood, but Marriott's
systems were never breached, so Marriott should keep doing what they are doing
(presumably) and transition all the Starwood systems over to the more secure
Marriott systems (which I believe they already said they are doing).

~~~
danShumway
That's a really good point, Marriott just had an unlucky purchase.

That being said, between the recent Google+ breaches, to the older Target
breaches, it increasingly feels like I'm flipping a coin when I trust
companies with data.

Based on Marriott's handling of this breach, they seem to be decent at
security. But I don't know how as a consumer I could tell that in advance of
all of this.

~~~
arduanika
> Marriott just had an unlucky purchase

M&A is a culprit in no small number of these cases, so let's be crystal clear:
M&A does not absolve anyone of responsibility. Let me know when the
underwriting bankers have their bonuses garnished for lack of due diligence,
and then you can tell me about how "it wasn't actually Marriott that had the
data breach". Let's say it loudly and clearly: no, it _was_ Marriott that had
the data breach.

~~~
danShumway
Eh. The breach happened before Marriott had any control or agency to stop it.
Their due diligence in buying the company wouldn't have protected any
consumers, it would have just meant the breach was someone else's problem. My
understanding (of course, correct me if I'm wrong) is actually that their
purchase is the reason the breach was disclosed -- Marriott buying the company
and doing its own internal audit on their systems is why we know about it now.

So I don't actually feel a ton of ill will to them, even though I agree that
doesn't absolve them of the fact that they bought it, and it is now very much
_their_ problem to deal with. It may not be your fault that the puppy that you
bought isn't house trained, but I'm still not going to clean your carpet for
you.

Having said that, this kind of underscores what I was talking about above. If
Marriott themselves couldn't tell in advance that the company they were buying
was an insecure liability, how the heck am I supposed to be able to tell?

If it's not feasible for a company like Marriott or Verizon to know in advance
of an acquisition which companies are secure and which companies aren't,
consumers have no chance. There's no feasible way for a consumer to protect
themselves in that world.

~~~
arduanika
> The breach happened before Marriott had any control or agency to stop it.

Strongly disagree, this is playing with variables.

Marriott2016 + Starwood2016 = Marriott2017.

Marriott, the present day company, absolutely includes the company that had
the "control or agency to stop it".

> it would have just meant the breach was someone else's problem

This isn't a wash. Tort is only effective if the party responsible gets
punished, so it's very important which party gets punished. If Marriott had
discovered the breach in due diligence, the Starwood investors' payout would
have taken a big hit.

As it happens, there's two behaviors that need to be disincentivized: Starwood
designed faulty systems, and pawned off its ramshackle legacy crap to the
highest bidder; and Marriott2016 (much like Equifax) glommed together so many
legacy systems that the likelihood of breach intensified (though to Marriott's
credit, the attack doesn't seem to have escalated out of the former Starwood
into the parent systems. I'd still like to see steep fines imposed, but way
smaller than on Equifax, proportional to that contained scope).

The penalty on Marriott2017 should be steep enough to encourage future buyers
to step up their due diligence enough to put the acquiree's payout at risk,
while also rewarding Marriott for catching the leak before escalation.

> It may not be your fault that the puppy that you bought isn't house trained,
> but I'm still not going to clean your carpet for you.

I like your analogy a lot.

~~~
danShumway
> Marriott2016 + Starwood2016 = Marriott2017.

This is a good point that I wasn't considering. It's not like Starwood
vanished when it got acquired. It's still there, it just got rolled up into
Marriott. So even if I wasn't mad at Marriott2016, most of the people who I am
mad at are currently working at Marriott2017.

> Starwood designed faulty systems, and pawned off its ramshackle legacy crap
> to the highest bidder

Also agreed on penalties, and that's a good way of phrasing the problem. I
don't think that Marriott should be let off the hook for having to deal with
the breach. And while I've been trying not to criticize their security
response, their social response has basically been, "look over there, free
credit monitoring," which is clearly insufficient.

------
jedberg
> Recommendation 6: Reduce Use of Social Security Numbers as Personal
> Identifiers The executive branch should work with the private sector to
> reduce reliance on Social Security numbers.

I'm disappointed this is recommendation 6, but at least it is in there. I'm
also disappointed that they suggest the executive fix this problem instead of
legislating a solution. Hopefully they take some action on their own
recommendation!

~~~
dragontamer
The executive branch is the proper solution.

If Congress mandates a solution, then it'd be like the VHS stuff all over
again. Congress writes a thingy about VHS in the 1980s, and its completely
irrelevant 10 years later. (If a law states that something with VHS is done a
certain way, will it apply to DVDs or BluRays when they are invented 10 years
later? Or to streaming media 20 years later??)

The Executive Branch is the one that actually runs the government. Legislative
Branch / Congress sets policies, but shouldn't set solutions. Law goes out of
date incredibly quickly.

Ex: If Congress says that RSA Tokens are to be used instead of SSNs, what
happens if a better invention (ex: Google Titan) comes out? Furthermore, even
if Congress writes a certain policy down (ex: Two Factor Authentication is
necessary to protect bank accounts), the Executive Branch is still the ones
who enforce the matter.

So in the case of Two Factor Authentication (legal requirement of banks to
protect your bank account), the Executive Branch says that "3-personal
questions + Password" counts as two-factor security in the USA. And that's why
you have so many banks implementing "3-secret questions".

------------

So regardless, the job will come down to the Executive Branch.

~~~
jedberg
The legislative solution would be to mandate a national ID with a
cryptographic token, and then leave it up to the executive to define the
implementation.

Right now, even if they wanted to, the executive can't force a national ID.

~~~
dragontamer
> The legislative solution would be to mandate a national ID with a
> cryptographic token, and then leave it up to the executive to define the
> implementation.

That's still too specific. "national ID with a cryptographic token" means that
OpenID / Paypal-based single sign-on logins are _illegal_.

Yeah, writing laws is hard as heck, and Congress is NOT the experts in the
field of cryptography / login security. So Congress will get it wrong if they
even tried to write the law in that manner. Executive Branch _CAN_ hire
experts (ie: 18f, NIST, etc. etc.) to define best practices.

As such, the proper legislative solution would be to mandate "industry best
practices of identity protection, as defined by (Insert Agency Here, maybe
NIST)".

~~~
jonlucc
> "national ID with a cryptographic token" means that OpenID / Paypal-based
> single-sign on logins are illegal.

Why? Why doesn't it just mean that there's a canonical government system that
doesn't touch PayPal or OpenID that can be used for stuff that would currently
be tied to your social security number?

~~~
dragontamer
PayPal touches your SSN, as it is tied to your bank account. (Bank accounts
require a "Individual Taxpayer Identification Number", which is the SSN for
any citizen. Non-citizens get a different ID, but really its the TIN that is
the cause of all of these security issues). So yes, really, the proposed
wording would probably make Paypal illegal.

You have a point on OpenID, but my overall point is that OpenID would
_probably_ be sufficient for most financial transactions on today's
internet. OpenID is basically equivalent to Paypal's security model.

Neither Paypal nor OpenID require 2-factor or security tokens. I think they're
an optional feature. But in any case, the Paypal / OpenID model of
identification (Paypal controlled website verifies password, and sends a token
to the 3rd party website) would be sufficient for today's security.

----------------

Of course, none of this even touches upon Equifax. Equifax uses SSNs to
identify people, and often without their knowledge or consent. Equifax is a
service to the financial industry, to help keep tabs on individual's history.

So the Paypal model will NOT work with Equifax's use case, because the
individuals don't always know when they are being tracked. Maybe it'd have to
be something like OAuth's model.

In any case, I'm not an expert either. I just appreciate the difficulty of
this problem.

------
mbesto
> In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked
> on an aggressive growth strategy, leading to the acquisition of multiple
> companies, information technology (IT) systems, and data. While the
> acquisition strategy was successful for Equifax’s bottom line and stock
> price, this growth brought increasing complexity to Equifax’s IT systems,
> and expanded data security risks.

> Second, Equifax’s aggressive growth strategy and accumulation of data
> resulted in a complex IT environment. Equifax ran a number of its most
> critical IT applications on custom-built legacy systems. Both the complexity
> and antiquated nature of Equifax’s IT systems made IT security especially
> challenging. Equifax recognized the inherent security risks of operating
> legacy IT systems because Equifax had begun a legacy infrastructure
> modernization effort. This effort, however, came too late to prevent the
> breach.

As someone who works in Tech M&A, I often tell clients "hackers go after the
weakest link and you just acquired a new link". They nearly unilaterally
ignore this advice and ignore hardening even the smallest of acquisitions,
because, well, "growth". Someday people will learn.

~~~
dv_dt
If you start with the accounting assumptions that work on security is a cost,
and storing of private data is not a liability then all the actions are
rational within the narrow scope of profit optimization. (I'm not in agreement
of this, but it seems to be true). Equifax holds these assumptions even more
strongly because their fundamental existence is founded on monetization of
private data.

~~~
nawtacawp
This after-action also validates that breaches are not a liability; in the end
their share value recovered nearly immediately.

------
Someone1234
Just want to talk about Recommendation 6 (Recommendation 6: Reduce Use of
Social Security Numbers as Personal Identifiers). Page 96.

The recommendation is essentially "Try to convince the public and private
sector to use them less." But I'd argue it is well past time that SSNs be
replaced by something fit for purpose. SSNs were never designed to be a unique
form of ID, and using things like the cardboard card as further verification
is almost comical.

I'd like to see an aggressive alternative that uses the best of our security
knowledge and then have it vetted by everyone in the security industry with a
pulse. We've seen other countries try this. But most of those countries
outsource it to the lowest government bidder, who hide the inner workings
behind proprietary claims, and never vet the resulting proposal.

Instead we need something more akin to the United States Digital Service, a
publicly created proposal (fully released specs) that is vetted by every
academic and security expert they can find.

The hardest part will be saying "no" to requirements creep. Allow certain
government agencies to continue to use SSNs for now, and have the new ID
"flip" into an SSN behind the scenes. Better than needing five hundred
different departments to adopt the new standard before it can go live.

~~~
viraptor
> Try to convince the public and private sector to use them less.

It's gov, so they can do more. It can also be "By 202x using SSN for
identification in non-SS purposes becomes illegal."

------
yalogin
Why is Equifax in business still? I don't get it.

A company like Bear Stearns got "killed", Enron and others got litigated out.
But it looks like Equifax did not face any consequences. It's high time we
treat data as an asset class and regulate accordingly. Particularly personal
information is acquired by every company and is treated as a valuable
commodity. Companies get acquired purely for the amount of data they have. The
market has already declared it an asset; why is it not regulated?

~~~
g051051
Bear Stearns failed because it was overextended on subprime mortgages and lost
the ability to conduct business when the cash dried up.

Enron was convicted of massive, deliberate accounting fraud. The company
wasn't viable without the fraud.

Not even remotely similar to the Equifax breach.

~~~
arduanika
Dissimilar from Enron only in that Equifax was never convicted for its fairly
deliberate negligence of the public interest, or for its massively distributed
tort, because the civil case is infeasible, and because no law or regulation
is adequate to cover what ought to be criminal case -- this I think is
yalogin's point.

The security patch here is not a technical solution. It's to wipe out the
stockholders of any company this negligent, and repossess the spare homes of
the entire C-suite. That should cover most attack vectors pretty reliably.

~~~
g051051
> its fairly deliberate negligence of the public interest, or for its
> massively distributed tort

If anything, the report says the _opposite_ of that.

> It's to wipe out the stockholders of any company this negligent, and
> repossess the spare homes of the entire C-suite.

This is why we don't get any real reform...citizens have these insane ideas on
how to "fix" the problem. How can the government take you seriously?

~~~
arduanika
> the report says the opposite

My comment was not aimed at agreeing with the majority report. Would you
dispute my characterization of those expired certs as "negligence"? Or perhaps
you don't consider the budget meetings that declared how low cybersecurity
fell on the list of priorities as "fairly deliberate"?

> insane ideas

Hmm, maybe you're right. Monetary penalties for undesirable behavior is
insane. Let's repeal all tort laws and cancel criminal fines, and make no
attempt to levy proportional damages for anything. Let the C-suite keep their
options!

> How can the government take you seriously?

If all else fails, a yellow vest might help. I'm hoping it doesn't come to
that here.

~~~
g051051
> Would you dispute my characterization of those expired certs as
> "negligence"?

I would. Does the report indicate that the cert was expired due to budget
issues? Does it show that cybersecurity was low priority? Again, the report
shows the opposite: they had solid policies and procedures in place, but the
failures seem to be in execution and training.

> Monetary penalties for undesirable behavior is insane.

No, that's just fine. And Equifax took a huge stock hit, had to make a
potentially cash generating service free for everyone, has to earn back its
reputation, etc.

> Let's repeal all tort laws and cancel criminal fines, and make no attempt to
> levy proportional damages for anything. Let the C-suite keep their options!

Show the _criminal_ activity that resulted in the breach (by Equifax, not the
attackers). Show the _damages_ that have resulted from the breach.

> If all else fails, a yellow vest might help. I'm hoping it doesn't come to
> that here.

If it does, it won't be over the Equifax breach (or even the other 4 larger
breaches: [https://abcnews.go.com/Technology/marriotts-data-breach-larg...](https://abcnews.go.com/Technology/marriotts-data-breach-large-largest-worst-corporate-hacks/story?id=59520391)).

~~~
arduanika
> Does the report indicate...

> Does it show...

> the report shows...

I'm not asking you whether the House Republicans would call the expired certs
negligent, or the security underprioritized. I'm asking _you_ , as the reader
of a technical forum. Do you believe everything the government tells you? Or
here, what one party tells you? At the very least, read the minority report
linked elsewhere in this thread, and interpolate.

> huge stock hit

Nowhere near huge enough, and it rebounded once it was clear there were
basically no consequences.

> has to earn back its reputation

Why? Equifax could care less what its unwilling inventory thinks of it.

> Show the criminal activity...

Name one victim whose damages are large enough to merit hiring a lawyer to
comb all the contracts to identify the line where a bank promised that Equifax
promised that the victim's data would be safe, and I'll show you a breach of
contract. Hint: it's a different line for each victim.

> Show the damages...

Precisely my point: the damages to the public are "massively distributed" and
infeasible to pin down, which is why there should be a criminal penalty, like
we do for say, ozone-depleting chemicals.

> it won't be over the Equifax breach

(sigh) you're probably right.

~~~
g051051
> I'm not asking you whether the House Republicans would call the expired
> certs negligent, or the security underprioritized. I'm asking you, as the
> reader of a technical forum.

No, that's not negligent. Nor was security "underprioritized". If you read the
reporting on the issue (whether the government report or just reputable news),
it shows solid processes and procedures, but there were implementation flaws.
There is no amount of security that will ever be perfect.

> Do you believe everything the government tells you? Or here, what one party
> tells you? At the very least, read the minority report linked elsewhere in
> this thread, and interpolate.

Considering that the report matches all the other reputable reporting on the
issue? Yes, I believe it. Equifax is claiming "factual errors", but I'd have
to see their response before commenting on that.

> Nowhere near huge enough

That's your opinion, but the market has decided otherwise.

> Equifax could care less what its unwilling inventory thinks of it.

Correct. I was talking about their _customers_...the businesses that supply
and use their data and services.

> Name one victim whose damages are large enough to merit hiring a lawyer to
> comb all the contracts to identify the line where a bank promised that
> Equifax promised that the victim's data would be safe, and I'll show you a
> breach of contract. Hint: it's a different line for each victim.

Once you do that, prove that the information came from the Equifax breach, and
not one of the dozens of other breaches, let alone the 4 other large breaches
I cited.

> the damages to the public are "massively distributed" and infeasible to pin
> down, which is why there should be a criminal penalty, like we do for say,
> ozone-depleting chemicals.

Or they're negligible and impossible to detect at any meaningful level.

> (sigh) you're probably right.

It's troubling that you seem to think violence is some sort of solution to any
problem, let alone _this_ problem.

~~~
arduanika
> the market has decided

Like do you understand what an externality is? When I say it's not huge
enough, it's pretty clear that I don't mean Equifax is overvalued & people
should all go out and short it. The lawmakers and regulators have decided that
the externality will have no significant consequences. The market hardly
decides anything here; it reacts.

My reading of the reports is that this company was roughly in line with common
practices. My point is that common practices must change.

~~~
g051051
> The lawmakers and regulators have decided that the externality will have no
> significant consequences.

No, they just haven't finished yet. There's already been some new regulation,
and I believe more to come, for the credit industry as a whole.

> The market hardly decides anything here; it reacts.

If Equifax's customers decided that they couldn't safely do business with it,
then Equifax would cease to exist.

> My reading of the reports is that this company was roughly in line with
> common practices. My point is that common practices must change.

I certainly agree there, wholeheartedly. But you seem to be singling out
Equifax, when it's an industry wide problem.

------
strict9
There is so much to comment on and digest in this report, but the lifecycle of
an attack diagram[1] on page 31 (figure 164) is something every software
developer should burn in to memory.

It is easy to fall into the trap of seeing the most minuscule of vulnerabilities
and dismissing it as "no one could ever possibly utilize that as a vector,
it's not critical."

But that minuscule vulnerability becomes a single link in a ladder to
everything in the system. Every seemingly-small vulnerability matters, like
this painfully shows.

[1] referenced here: [https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3b...](https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3bae36f9e6f)

~~~
jacquesm
That's something you keep seeing as a pattern in many hacks. It is rarely just
one mistake, usually a chain of small ones, each of which doesn't look all
that bad by itself.

~~~
freehunter
That's why technologies like SIEMs exist. No number of humans could look at
logs across all the various systems and spot anomalies within them, but a SIEM
can. But only if it's turned on, ingesting data, running a useful ruleset, and
crucially: only if someone is watching the output.
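The condition "only if it's ingesting data" is itself something a SIEM can test for, and it is exactly the condition that failed for 19 months. The following is an added example, not code from the thread or the report: a Python detection that parses a few constructed log lines, records the last event per source, and alerts on every expected source that has been silent longer than a multiple of its reporting interval or that never reported at all. Source names, intervals, addresses and events are assumptions for illustration.

```python
"""Dead log-source detection for a SIEM pipeline (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed events in the form "<ISO-8601 UTC timestamp> <source> <message>".
# Sources, addresses and messages are assumptions; arrival order is deliberately
# not chronological, as real collectors deliver.
SAMPLE_EVENTS = """\
2016-01-01T00:05:00Z ssl-visibility-01 decrypted-flow src=10.1.1.5 dst=10.2.0.10 bytes=4021
2016-01-01T00:10:00Z ssl-visibility-01 decrypted-flow src=10.1.1.9 dst=10.2.0.10 bytes=1890
2017-07-29T08:40:00Z auth-server login user=ops01 result=success
2017-07-29T11:30:00Z waf request path=/dispute status=200
2017-07-29T11:45:00Z firewall accept src=203.0.113.7 dst=10.2.0.10 dport=443
2017-07-29T11:55:00Z firewall accept src=203.0.113.7 dst=10.2.0.10 dport=443
2017-07-29T11:50:00Z firewall accept src=198.51.100.4 dst=10.2.0.10 dport=443
"""

# How often each source is expected to emit at least one event (assumed).
# ids-sensor-02 is listed but never appears above: a source that was
# onboarded on paper and never actually reported is the worst case.
EXPECTED_INTERVAL = {
    "firewall": timedelta(minutes=5),
    "ssl-visibility-01": timedelta(minutes=5),
    "waf": timedelta(minutes=15),
    "auth-server": timedelta(hours=1),
    "ids-sensor-02": timedelta(minutes=5),
}

# Fixed evaluation time so the run is reproducible (constructed).
DEFAULT_NOW = datetime(2017, 7, 29, 12, 0, tzinfo=timezone.utc)


def parse_events(text):
    """Return (timestamp, source, message) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, message = line.split(" ", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, source, message))
    return events


def last_seen(events):
    """Latest timestamp per source, regardless of arrival order."""
    latest = {}
    for when, source, _ in events:
        if source not in latest or when > latest[source]:
            latest[source] = when
    return latest


def silent_sources(events, expected=EXPECTED_INTERVAL, now=DEFAULT_NOW, grace=3):
    """Alert on expected sources silent for more than grace x their interval,
    or never seen at all. Never-seen sources sort first, then longest silence."""
    seen = last_seen(events)
    alerts = []
    for source, interval in expected.items():
        last = seen.get(source)
        if last is None:
            alerts.append({"source": source, "last_seen": None, "silent_for": None})
        elif now - last > grace * interval:
            alerts.append({"source": source, "last_seen": last, "silent_for": now - last})
    never = float("inf")
    alerts.sort(key=lambda a: -(a["silent_for"].total_seconds()
                                if a["silent_for"] is not None else never))
    return alerts


if __name__ == "__main__":
    for alert in silent_sources(parse_events(SAMPLE_EVENTS)):
        if alert["last_seen"] is None:
            print(f"ALERT {alert['source']}: expected but never seen")
        else:
            print(f"ALERT {alert['source']}: silent for {alert['silent_for']} "
                  f"(last event {alert['last_seen'].isoformat()})")
```

The grace multiplier absorbs ordinary collector jitter; what it must not absorb is a flat line. A sensor that produced its last event in January 2016 is caught on the first run of this check, not on the day someone happens to renew its certificate.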

------
infodocket
The report linked here is the House Oversight Committee (Majority) Staff
Report.

Another report from the committee's minority is also available.

[https://democrats-
oversight.house.gov/sites/democrats.oversi...](https://democrats-
oversight.house.gov/sites/democrats.oversight.house.gov/files/Equifax)
Minority Report - FINAL 12-10-2018.pdf

~~~
arduanika
Link not working for me. Try:

[https://democrats-
oversight.house.gov/sites/democrats.oversi...](https://democrats-
oversight.house.gov/sites/democrats.oversight.house.gov/files/Equifax%20Minority%20Report%20-%20FINAL%2012-10-2018.pdf)

Key recommendations from the minority report:

"Based on the investigation conducted by the Committees, four key legislative
reforms proposed by Democrats would help prevent future cyberattacks:

[A] hold federal financial regulatory agencies accountable for their consumer
protection oversight responsibilities;

[B] require federal contractors to comply with established cybersecurity
standards and guidance from the National Institute of Standards and Technology
(NIST);

[C] establish high standards for how data breach victims should be notified;

[D] and strengthen the ability of the Federal Trade Commission (FTC) to levy
civil penalties for private sector violations of consumer data security
requirements."

On [B], they note that "Equifax was a federal contractor at the time of its
data breach".

On [D], they note that "In the three years before the Equifax data breach, the
company spent only about 3% of its operating revenue on cybersecurity—less
than the company spent on stock dividends...Civil penalties would incentivize
private sector companies to prioritize and invest in continually upgrading and
deploying modernized IT solutions and applying cybersecurity best practices."

------
citilife
The report doesn't appear to mention that you could just login to their web
portal with an obvious password [1]. It also doesn't appear to be under the
purview to look at the leadership team selling stock[2]. Both of which it
should consider when reviewing the competency and ethics of an organization
managing and profiling nearly everyone in the U.S.

Speaking of which... why is it only ~50% of the adult population in the U.S.?

If the intruders were going around the Equifax network at will (which from the
report it appears they were). We should assume 100% of the data was breached.

[1] [https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-l...](https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-login-and-password-of-a-non-us-database.html)

[2] [https://www.bloomberg.com/news/articles/2018-03-14/sec-says-...](https://www.bloomberg.com/news/articles/2018-03-14/sec-says-former-equifax-executive-engaged-in-insider-trading)

~~~
sorlon
_The report doesn't appear to mention that you could just login to their web
portal with an obvious password [1]._

That was a different portal and a different breach.

------
evolvedlight
The most alarming part of this is that it appears that the intrusion was only
discovered when the new SSL monitoring certificates were being checked to
ensure that the appliance was again "on". I wonder how long it'd have taken if
someone hadn't spotted something suspicious by accident at that point - I'm
sure we've all spotted bugs or flaws by accident when testing a completely
different feature.

------
Twirrim
>The Equifax data breach and federal customers’ use of Equifax identity
validation services highlight the need for the federal government to be
vigilant in mitigating cybersecurity risk in federal acquisition. The Office
of Management and Budget (OMB) should continue efforts to develop a clear set
of requirements for federal contractors to address increasing cybersecurity
risks, particularly as it relates to handling of PII. There should be a
government wide framework of cybersecurity and data security risk based
requirements.

From my understanding of FEDRAMP, all of the things that Equifax failed to do
should be already covered. Software patching, isolation of data, audit trails
etc. etc. Seems more like a massive auditing fail.

~~~
g051051
Reading through the timeline, it shows that at every step Equifax was trying
to do the right thing...internally publishing vulnerabilities, applying
patches, scanning for vulnerabilities, etc. The policies and procedures were
good.

One difference is that previously Equifax claimed a single employee failed to
scan and patch a system. I don't see a reference to that in the report. All I
see now is that someone scanned a system improperly:

> The scan did not identify any components utilizing an affected version of
> Apache Struts. Interim CSO Russ Ayres stated the scan missed identifying the
> vulnerability because the scan was run on the root directory, not the
> subdirectory where the Apache Struts was listed.

------
loteck
Check out how Equifax started rolling heads starting on page 50. They pinned
the fact of not patching Struts on a SVP who was one of hundreds of people
notified of the need to patch Struts. But he didn't _forward_ that email, so
he's toast!

Now pardon me while I go route my patch management procedures through the
nearest baffling and inane dependency.

 _A senior Equifax official was terminated for failing to forward an email –
an action he was not directed to do – the day before former CEO Richard Smith
testified in front of Congress. This type of public relations-motivated
maneuver seems gratuitous against the back drop of all the facts_

------
ne0n
> Equifax, however, did not fully patch its systems. Equifax’s Automated
> Consumer Interview System (ACIS), a custom-built internet-facing consumer
> dispute portal developed in the 1970s, was running a version of Apache
> Struts containing the vulnerability. Equifax did not patch the Apache Struts
> software located within ACIS, leaving its systems and data exposed.

1970s? Am I reading that right? HTML wasn't even developed yet.

~~~
g051051
Most likely they had a web front end that talks to the legacy system. Very
common in big companies.

It was probably developed very quickly, possibly outsourced, and just stuck in
front of the older system with minimal re-engineering.

Many years ago, I worked on a system that put an X Windows front end in front
of a mainframe app that used a 3270 emulator to interact with parts of the
legacy app. I imagine this is somewhat similar.

------
Nelkins
Anyone got any stories of being affected by this breach?

~~~
pfranz
The problem is identifying which breach caused your problem. Often, criminals
use data from multiple breaches. Inaction on data security is actually
lowering the liability for companies and pushing more responsibility onto
individuals.

------
artursapek
> Equifax did not see the data exfiltration because the device used to monitor
> ACIS network traffic had been inactive for 19 months due to an expired
> security certificate. On July 29, 2017, Equifax updated the expired
> certificate and immediately noticed suspicious web traffic.

Ouch.

------
lifeisstillgood
What does the baseline of "good enough security" look like? For physical banks
it looks like money stored in vaults with no staff access, cash in transit
stored with market dye, etc etc

For the non physical world I have some ideas

- The entire infrastructure of IT can be rebuilt in an automated fashion and
is done so in a prod-parallel equivalent at least weekly

- Any change to "vital" files on any server is audited

- err?

------
cronix
This is the equivalent to "We offer our thoughts and prayers" after a mass-
shooting.

------
onetimemanytime
> _"Equifax's IT management structure was complicated" and "Equifax uses
> legacy software that is hard to secure"_

I feel for them (not!). BUT they shouldn't store any valuable data then. They
should be not-insurable.

