81 comments

[ 4.9 ms ] story [ 136 ms ] thread
If you retire, how do the dynamics of a criminal prosecution change?

What is the chance that these executives flee to a non-extradition country such as Russia or China for a bit, "just in case"?

Some people flee to the EU because they can make a plea against extradition based on the appalling human rights abuses in the US prisons.

I hope Lauri Love wins on that front.

The EU is way more serious than the US is about consumer privacy though. Might not help them in this case.
They need to take a look at their software development area as well.

https://www.fastcompany.com/40468811/heres-why-equifax-yanke...

Do they not get their apps security scanned? In my experience checking all requests go over HTTPS is the first thing that the security teams check. You'd think since Equifax works with banks they'd force them to adhere to some kind of security testing.
Exactly! This is so bad. Way worse IMHO than a failed patch or default admin/admin password in terms of showing a lack of competence. Those are ops issues. This showed core issues in their ability to architect and develop secure code. This wasn't a missed patch or config file, it was flat out not knowing how to write an even remotely secure (on the wire) application.
TIL their Chief Security Officer is a music major...
Are you a bigot or something? Don't you understand the requirement to hire based on diversity?
Some of the best engineers that I worked with have been Linguists, Music/Composition majors or Physicists.
Wait until you find out that some of the best security folks didn't major in anything!
Going out on a limb but given the massive security breach, it seems we are not dealing with the best security folks here.

Just to expand, there is nothing wrong with having a music degree, there are qualified, experienced people who don't hold the degree in their current field. Except in this case we start from the end, given the situation, we are assuming we are not dealing with qualified, experienced people but amateurs. So then we are looking and combing through their credential, proof of competence etc., and so far it doesn't look good.

You'll be shocked to discover that some IT folks never graduated or even went to college. Hell, some didn't even graduate high school.
Literally not related to their competency or experience in the field
I wonder how much they get in their retirement package ?
"Retire?" Do they mean like retire to a federal prison?
no, that's where the poor and disadvantaged retire to. and the occasional disgraced public servant.
I think it's important to take a step back, take a breath, and look at this rationally.

Look at what actually happened. Equifax was using the Struts framework. This is a very safe, popular choice. They were using what everybody else uses.

There was a critical vuln in the framework, and they failed to update their box for N months. But we're talking only a few months. N is very small -- maybe four? And yeah, you can argue that four months is an absurdly long time to have a known critical vuln in production. But I guarantee you that most people reading this work at companies that are similarly vulnerable. Attacks are simply rare.

Whatever company you work for, if you do not have regular pentests, you are no better off. And even if you do, it's overwhelmingly likely that you've overlooked some lonely outdated server that's still running on your network because Bob set it up a year ago and forgot about it and oh look now you have a pivot into your whole network.

It seems very strange to choose this one company and crucify them just because they lost your data. Everybody is insecure everywhere always, and we've learned to tolerate this by pretending it's not true or that it doesn't exist or that it's not a big deal. But you know what? It is true. That truth will continue to manifest itself in the years to come. No matter how much you'd like it not to be true, your stuff will still get stolen. Usually you just don't hear about it.

Yes, it was stupid for them to have everybody's PII attached to that one webserver. A single point of failure should never result in compromising the whole system. But think about how that architecture would work in practice. A customer service rep still needs to get at most of your data. It's a credit bureau. Where would the data be stored in a way that a remote code exec wouldn't be able to snag it?

Equifax's crime boils down to "they failed to run the equivalent of sudo apt-get upgrade on their framework." When you're managing a fleet of hundreds or thousands of machines, this is a situation that almost all of us have wound up in. If we can't get it right, why do you want the execs' heads to roll? Are you sure you won't be next on the chopping block?

Think about it this way: the time between "someone discovered a vuln in Spring" and "the attackers stole 150M credit reports" was just a few months. Are you sure Equifax wasn't a victim here? Someone threw a cinderblock through their window and made off with their trove of data.

Except of course, it wasn't a cinderblock through a window. It was completely silent. Even if your firewall is great, you can still smuggle data out of a network using DNS alone.

Food for thought.

> But I guarantee you that most people reading this work at companies that are similarly vulnerable.

We hold Equifax to a higher standard because of the nature of the data that it collects.

> Everybody is insecure everywhere always

Some of us think that's neither necessary nor inevitable.

> If we can't get it right, why do you want the execs' heads to roll? Are you sure you won't be next on the chopping block?

In some professions, including many engineering ones, gross negligence is punished with the removal of one's ability to practice professionally. It's imaginable that if there were consequences for one's actions, things wouldn't be "insecure everywhere always".

Really, how am I still finding people taking time out to defend the incredible ineptitude of a privacy-oblivious company in a hated industry?

The point is, you can hold them to whatever standard you want to. We collectively have not figured out any techniques to achieve the goal: to be impervious, always. And that's what you demand (or "require," as patio is fond of saying).

You can disagree with that, but you'd be hard-pressed to justify that position. Six decades of computing history would contradict you. And as someone who saw the landscape of real-world codebases and deployments at nearly a hundred companies, there is almost always a way in. People are smug thinking their code is great till you show them an SQL injection that works, or pop up an alert(1) on their favorite front end framework.

The moment the world freaks out about this lack of security, we've all lost. Imagine a dystopian future where the only way to write consequential software is to have it approved by three committees. You might think that's how it already is, but we can move way farther in that direction. Just look at how hard it is to run a simple medical study.

Nobody is asking for perfect security.

We just expect a company that stores the highly personal information of hundreds of millions of people to have better security than that of a random blog site maintained by one guy in his basement.

Well, you are asking for perfect security. Everyone here is. That's what it means not to ever be breached. I think that's the uncomfortable truth we've obscured. We are asking for the impossible.

If you don't feel that way, I propose asking some of your pentester friends how they feel about the breach. Somewhere between unsurprised and shrug, probably.

It doesn't change a thing that this situation demands higher security. We're fighting against forces of nature. Except instead of extinguishing forest fires, we're asking for the equivalent of no forest fires, ever, and arguing vehemently that modern technology is so good that forest fires should not have been allowed to happen.

> Well, you are asking for perfect security.

No need to read the rest of your comment. I'm not biting.

Here they left the door wide open. Google does not leave the door wide open. Google does not have perfect security. But we expect them to make the cost to an attacker high enough that it requires massive investment for a successful breach. Why should we expect less for a company that keeps 140+ million customer records?
They can be held to a much higher standard than this - a system that can leak all the sensitive data due to an error in the web app. You are describing an amateur architecture where there is a web app directly communicating with a database of sensitive information, and that web app has full access to the database. No experienced developer would do that.
And what would they do?

Everyone either goes silent or describes an idealized architecture that has glaringly obvious flaws in regards to meeting business goals.

I think maybe the top ten companies in our industry do this at scale well enough to work. Maybe.

1) keep an asset register up to date. This would include libraries used.

2) subscribe to a service that alerts on vulnerabilities in the assets listed in 1). Run Nessus scans. License cost you a bit over $1k a year.

3) invest in a resource to maintain the register and respond to alerts. Tie them into a governance model so management are aware of risks and can divert time and money when needed to mitigate

Security is a process not a technology. Nothing I've mentioned here is sexy or advanced.

> We collectively have not figured out any techniques to achieve the goal: to be impervious, always.

What? It takes vigilance, training, competence, and a culture of security. Oh, and lots and lots of money backing it up. If your company isn't willing to make that commitment, then your company shouldn't legally be allowed to handle any sensitive data at all. The legal consequences of a leak will be moderated if it is proven, by fellow professionals, that a company took every standard precaution necessary based upon the sensitivity of the data in question. Nobody (except for perhaps yourself) seems to be claiming that Equifax's technical chops were anything but inept.

> Six decades of computing history would contradict you.

Feel free to actually cite anything at all supporting your position, rather than glibly appealing to inevitability.

> The moment the world freaks out about this lack of security, we've all lost.

As if we haven't already lost? The Equifiax leak is a privacy disaster of the highest order.

> Imagine a dystopian future where the only way to write consequential software is to have it approved by three committees.

I welcome this dystopia with open arms, if it means it can save us from defeatists who have given up on the idea that software doesn't have to be completely terrible.

What? It takes vigilance, training, competence, and a culture of security. Oh, and lots and lots of money backing it up. If your company isn't willing to make that commitment, then your company shouldn't legally be allowed to handle any sensitive data at all.

I have personally breached companies that fit this description. That was my job, and it's why I was hopefully the last person to breach that particular facet of their landscape.

But pentests can't catch everything. That's the dirty secret that is also somehow not a secret. The very next commit could make that pentest obsolete. Ditto for spinning up a server.

As if we haven't already lost? The Equifiax leak is a privacy disaster of the highest order.

Well, what do you think will happen from this? That may be true, yet the world will go on. We've been trained to accept the current system as inevitable, but SSNs aren't a security mechanism. The underlying absurdity is that we view leaking them as a disaster rather than recognizing and replacing the fact that we all rely on their secrecy.

If someone wants to impersonate your identity, they can usually find a way. This breach will certainly make that easier, but I'm not sure it will affect the actual fraud rate. Time will tell.

(I'm aware far more than SSNs were leaked. The point is that it was a bad idea to have this central point of failure in the first place. If it wasn't Equifax, it would've been someone else.)

> The very next commit could make that pentest obsolete. Ditto for spinning up a server.

This is addressed by "vigilance". And no, we still aren't asking for perfect security. Even on human-scale timeframes, the odds of a single exploitable vulnerability being introduced in any aspect of the software, for even a moment, are 100%. But if it takes only a single vulnerability to completely exfiltrate the whole of a company's sensitive data, then you're going to be hard-pressed to find anyone calling that a securely-designed system. I'm sincerely sorry that a career spent in the trenches has left you so jaded and cynical, but we can do better, and hopefully we as an industry do so before the government looks at our inability to self-regulate and imposes double-secret-hyper-SOX on all of us.

(comment deleted)
More importantly I hold them criminally liable for their actions or lack thereof after the incident. There should be no retirement here. The CEO should already be in jail pending bail and should be found guilty and sent away for a long time. If found not guilty, we must amend laws to make sure the CEO goes to prison for a long time next time this happens. Nothing else will work. Fines will not work. Congressional hearings will not work. After all, we all read about how many phone calls the DNC and the RNC require our representatives and senators to make and how much money they must raise.

Prison for CEO and the board should be the least we need to do.

I strongly dislike the credit agencies as much as the next person but I have to ask: Guilty of what?

Just because something you don't like happened doesn't mean someone goes to jail. This is the hard but important idea you have to learn in a civilized nation. Bad stuff happens, and you don't just get revenge on whoever is nearby. This was a crime entirely perpetrated by another party. You don't get to transfer their guilt onto someone who may have been reasonably diligent.

Now the issue on aggregating the data in the first place is another conversation.

> Guilty of what?

In US we have a lot of what's called regulatory crimes. For example, https://www.law.cornell.edu/uscode/text/42/1320d%E2%80%936

Similar laws can be created to deter people from violating privacy of financial information. We can call what's happened a negligent disclosure financial information.

GP mentioned that

> This was a crime entirely perpetrated by another party.

I think I didn't make myself clear. I, personally, do not think the people who actually exploited the vulnerability should be the main target of any law enforcement investigation.

What I want to build are strong incentives to ensure that vulnerable data is as secure as possible. Unless the pressure goes to the top, this will not happen. This means that it is not enough to find a scapegoat in mid-management who might not have much of a say in how things run.

I don't even hate credit rating agencies. If the CEO and the board go to prison (or a slightly less desirable outcome if they don't and we get strong regulations to make sure people do in any such future incidents) will make the rating agencies stronger. They will be able to go to investors and say look, we have to do things this way and it won't hurt your bottom line because everyone else has to follow the same regulation as well! It is just the cost of doing business. If they disagree, they are more than welcome to go to prison themselves for anything that happens.

You are victim blaming and should take a hard look at your thinking.
encrypt the data, store the keys on a different (set of) machine(s)
Running the same version of Spring, or different versions?
Oh wow...I think I disagree with everything in this comment.

If you can't monitor critical bug notifications and can't fix or provide a compensating control, you should not be in security.

I hope all affected parties are able to sue them.

It is unreasonable to equate "most people ... work at companies" with either a corporation that is an essential (obligatory) component of participation in modern society, or one with a value of $17.5B. Either and this breach would be fairly inexcusable, but both and it is really an egregious failing.

Most people work for companies with neither the data anybody would much care were stolen, nor the resources to secure it. Equifax had both, bigly.

I cannot for the life of me fathom how you think this is okay. I've worked in far less stringent environments than I would expect from Equifax and we would never have allowed a vulnerability like that to last a few days, let alone months.

This is indeed food for thought, and what I'm mentally chewing on is: why would you - or anyone - make such outlandish statements in a comment on HN? Are you seriously excusing them for reasons that effectively boil down to "this could have happened anywhere"? Do you really hold companies that hoard such sensitive data sets to that low a standard, and if so, why? Whyyyyyy?

He isn't excusing it, he's making this point this is far more common, and if you looked at any of the fortune 100, in sure you will find the same or WORSE practices.

I agree with his assessment, I just wish it was otherwise. Many orgs are simply lucky they have not been actively targeted by a determined attacker - they would be lambs to the slaughter.

This is a company, one of three, which contains the credit data of hundreds of millions people, and a central figure in approving all sorts of financial transactions. Not only do they hold highly valuable data, they also have plenty of resources to draw upon to build an exceptional level of security. I think they very well should be held to a much higher standard then a random company using the Spring framework.
I'm sorry, but I don't accept this, and find it to be a rather upsetting justification of negligence. I've worked at multiple F100's, and in situations storing data far less critical or voluminous compared to Equi, our security protocol was FAR more rigid. Google's secure data solution is a fantastic demonstration of this, and I would be taken aback if I found out they were 4 months delayed for a critical vuln in even a peripheral system. (I say this while I currently have no relationship to G, and despite being an often-critic.)

Even in academia, where we absolutely were understaffed, insecure, and compromised, we stayed on top of the CVEs for the tools we used and did our damnedest to not fall behind. I fully reject that a group with the resources of Equifax could not have been more proactive.

I also think it's entirely understandable to crucify this company, as NOT ONLY were they lax in their job, their failure resulted in material harm for individuals who had no meaningful choice but to participate with them. I find the idea of these "Structurally mandated protection rackets" appalling enough that I certainly would hold one of them to a harsher standard than I would a typical company. With great power etc etc.

(comment deleted)
It's likely that the compromised Equifax data was plaintext log files of people trying to log in for things like free credit reports or to dispute items on their credit reports, which contained all the data required to log into these parts of the website (e.g. names, date of birth, address, SSN, etc.)
Their published document says the stolen information includes documents from disputes. Also only a small number of people (compared to the scope of the failure) would ever use their website. It's much more than logs.
This is not a technical failure; it's a failure in basic house keeping. For a company that size you would expect processes in place such as a maintained asset register and patch maintenance in place. Not having these controls in place is gross negligence. This is not a small startup we are talking about, this is a multimillion dollar company that can afford a small team to implement basic process driven security controls.

The fix is not a simply apt-get. Upgrading struts can break things and testing and verification takes time... but it's a machine hosted on the internet with troves of customer data... as such I think your being too easy on them.

> Yes, it was stupid for them to have everybody's PII attached to that one webserver. A single point of failure should never result in compromising the whole system. But think about how that architecture would work in practice. A customer service rep still needs to get at most of your data. It's a credit bureau. Where would the data be stored in a way that a remote code exec wouldn't be able to snag it?

A particular customer service rep needs to be able to get at most of one person's data at a given point in time. In fact, they should probably be somewhat rate-limited as to how many people's data they can look at in a given period of time. The front-end server that runs the app that serves up this data probably should not even be allowed access to the full set of data at any given point in time. Also, presumably this has to happen from a desktop computer at a call center that's at a company that contracts with Equifax, so it would be reasonable to assume those computers are VPNing to some Equifax network, not that access to all customer data from any internet address is a necessity.

This is a the big issue. Too many people complain about that one patching issue. Yes, we know everything is broken in some way, but that doesn't stop anyone from constructing layers of defence where even with a full compromise of one system you get very limited access internally.

That should've been a huge point of the published document, not just "we didn't patch, so it's game-over".

That's like saying we've all written code susceptible to a buffer overflow, so when a medical device (or air traffic control or whatever) vendor does the same then it's ok.

There's a reasonable expectation that those sorts of companies produce very resilient, fail safe software.

Credit reference agencies deal in PII. It's their main asset. It's incumbent on them to protect that data with secure coding practices, proper patching policies, pen-testing, etc. Above all else, that's their key professional obligation.

If they refuse to do this, they shouldn't be in business. I would go so far as to say that given their size and available financial assets they should be held criminally liable. There's no reasonable excuse for them not securing the data entrusted to them.

Just because that's the way things are doesn't mean that's the way they should be. Maybe if there were harsher punishments for companies that were lax with consumer data, consumer data hacks wouldn't be so damn prevalent.
> I think it's important to take a step back, take a breath, and look at this rationally.

> Whatever company you work for, if you do not have regular pentests, you are no better off.

> It seems very strange to choose this one company and crucify them just because they lost your data.

This company literally has the one of the juiciest gold mines of exploitable personal data in existence. They should be crucified because standards should be higher for them than almost any other enterprise.

And unlike stolen addresses and credit card numbers (which can be changed), this genie can't be stuffed back into the bottle.

"The accidental nuclear launch was blamed on a single piece of software in a web service" -> Is obviously a stupid assessment.

"Equifax was the victim of a hole in Apache Struts" -> Likewise.

Nothing so valuable should be safeguarded such that a single failure results in total loss. It is utterly their fault.

>> It seems very strange to choose this one company and crucify them just because they lost your data

Why? I crucify every company that loses my data. I would imagine that most people do. This company lost everyone's data.

We live in a world where if you have an online presence you need to keep on top of all security patches. You need to do penetration testing. You need to practice secure coding practices. In my experience, often at larger companies you have to fight to make sure that everyone in the organization understands how important security is and to make sure that it gets prioritized properly.

It's not about the security issue in particular, it's about an organization that didn't have proper security practices. This wasn't an unknown security issue, it was a reported and fixed issue.

(Also, they were using Struts, not Spring.)

> Everybody is insecure everywhere always,

Not everyone has this amount of personal data, including social security numbers, names, credit history on 140M Americans. So no, it' not "just like everybody"

> N is very small -- maybe four?

That is a ridiculously long time for a company holding the kind of data they are. "Yeah, yeah enterprise whatevs, I know". But I work in enterprise as well and we patch and roll out security updates within days. Like you said, it is mostly "apt-get upgrade" run from Chef or whatever management system they got.

> "they failed to run the equivalent of sudo apt-get upgrade on their framework."

Don't agree with that. It's like saying "The train conductor _just_ had to press the break in time. It's a simple action. Let's not overreact here..."

> machines, this is a situation that almost all of us have wound up in.

I somehow never wound up holding personal data of 140M people. And if someone told me to "hold that data", I'd say "sorry, I am not qualified, it is highly likely I'll mismanage it and it will be hacked".

> Are you sure you won't be next on the chopping block?

No it's not. Because I don't have the personal or financial data of that many people in my care.

They also made sure their execs sell shares before the news and delayed news as long as possible.
Equifax's entire job is maintaining highly sensitive financial information. That's their reason for existence, that's how they make money. Following a sort of, I don't know, stackoverflow level of quasi "good enough" practices might be fine for J. Average Corporation but it isn't fine for a company like Equifax.

The question on the table is whether or not Equifax could have prevented the data breach with the application of up to, oh, let's say a few tens of millions of dollars in resources (personnel, equipment, what-have-you) and merely applying common sense and industry accepted best practices. The answer seems to be: unquestionably yes. At least for this breach. And so, because that amount of money is much less than even their annual profits, Equifax has unquestionably acted negligently in that they had both the resources and the obligation to prevent the breach, but did not. There's no excuse for that.

> I guarantee you that most people reading this work at companies that are similarly vulnerable.

And I 100% support holding them responsible for damages caused by that.

Netflix: Oops, we let an unauthorized user watch all videoes.

US Navy: Oops, we let an unauthorized user launch all ICMBs.

I would hold each of these parties 100% responsible for those respective damages.

> look at this rationally.

Rationally, organizations would take different security precautions depending on the consequences of a hypothetical breach.

They have a Chief Security Officer. If there was one thing that was in the direct line of this person's responsibility, it would be a security issue like this.

Food for thought.

> Yes, it was stupid for them to have everybody's PII attached to that one webserver.

No, see, this right here is the part where you and I disagree with each other. This wasn't stupid, this was negligent.

Once you have a certain amount of customer PII, you have to act like an adult. You put all the PII behind a special interface and database and hire a well-paid team of security specialists to take care of it. There should be people whose entire job is to read about new exploits and be updating that PII system within hours, not weeks.

A good PII system should have triple-A: authentication, authorization, auditing. You should know for certain who is calling the PII system, how often, for what records. You should have automatic audits/alarms looking for clients who are suddenly increasing their call rate (or better yet, rate limit each client). Automatic searches for clients whose behaviour has changed suddenly. When someone is clearing out your PII, you should know very quickly.

Equifax did not do the adult things. They got owned, and now 150m people are at risk.

It was a Struts vulnerability, not Spring. Sounds like they were using both.
Almost everything stupid here has been addressed, but I'll just add:

> Even if your firewall is great, you can still smuggle data out of a network using DNS alone.

That's why large enterprises have internal networks with no external access. Also why many security/network teams monitor the changes in volume as well as profile of traffic like DNS. You should be doing that anyway, because it allows trivial spotting of malware contacting CC servers.

"You are no longer David Webb."

"From now on, you will be known as; Mark Rohrwasser."

"Welcome to Equihax."

"Why did you leave your last job?"
“I felt I had contributed all I could and felt undervalued so I’m seeking a new opportunity”
Ah deploy those golden parachutes and sail off to the Bahamas while giving 140M American a big fat middle finger.

I can see the justification for those large compensation packages for CxO only when something like this happens they would bear the corresponding responsibility - maybe even forced to sell a few yachts or a few summer homes here and there maybe to offset the investigation costs even.

Perhaps with enough heat they'll start clawing back some of that money.
Only in jail as far as I am concerned, why would be the only one to suffer.
I was pretty sure it was true that the CISO had no experience at all after listening to the first two or three minutes of the video interviews that were available here[1], but apparently they don't want anyone to see interviews with the CISO from before the breach (as they have been scrubbed from the internet.) I have never seen anybody say cloud so many times in two minutes.

By the end of the interview, I felt sorry for her. I have no idea if she had relevant experience or not, she just sounded like someone who has been conditioned to argue that delays in new development are unacceptable, and that the cloud is inevitable, and if it costs more to do it right then you'll have to make do with less, and cetera and so forth. I'm not terribly shocked that they've taken down these interviews, but I am very sorry I didn't save a copy when I found them.

The interviews were still available for viewing as of 12:31pm Eastern Time on Sept 10, and there are transcripts that you can find following the links in the article, which has been updated to note the videos were scrubbed from the internet.

[1]: https://www.hollywoodlanews.com/equifax-chief-security-offic...

"The full interview videos went far in explaining what may have been the eventual cause of the massive leak of information now gravely affecting 143 million Americans."

Serious question, is there any way this might actually count as destroying evidence?

It says the interviews were removed by user, but I saw them and they were briefly still playable after they were first reported on. Someone must have been keen enough to snag a copy. They were eye opening.

The transcript does not include the quote that really brought it home for me, "resistance to the cloud is futile" – I wonder what else it does not include...

https://archive.is/Je7Yi

https://archive.is/6M8mg

I think we're looking at this all wrong. It doesn't matter what the technical details are. If you're controlling something dangerous it's your responsibility to ensure it doesn't do damage or hurt anyone.

Take a car for example. If you're driving and you allow the car to hit someone and they die, you are charged with manslaughter. It's your responsibility to operate it safely. It doesn't matter if the conditions were difficult. In fact it's worse - you shouldn't have operated the car.

It's the same concept here. They were operating something dangerous and did not take the necessary steps to ensure our safety.

They should go to jail.

Agreed.

Though I think it's debatable whether leaking SSNs is comparable to manslaughter.

It might be worse. But I dont know how anyone can weigh destruction of one life vs ruining thousands of people's lives (or at the very least increasing the general angst among society at large).
They leaked far more than SSNs.

This also raises a real question about scale and distributed harm. If killing someone is wrong, what is stealing one ten-thousandth of a lifespan (through stress and monetary loss) from a hundred million people?

If the credit history data of many people have been copied from Equifax, then the effectiveness and value of credit identity verification measures using the exact same data from the other two agencies and any company relying on those services severely drops. One wonders how that aspect of the industry will change going forward...