Even if nation state resources weren't needed that doesn't necessarily take away from the fact that it [may] have the hallmarks of a nation state attack.
I only scanned TFA but it didn't' seem to say "Wow, this was a sophisticated attack only a country could pull off," but more of "the [scant] evidence so far seems to point to..."
Yes. Just not wanting to give Equifax a pass. I could imagine this kind of attitude: "Well, we were super secure, it's just that we were up against the whole of China...nobody could have headed this off..."
I agree it doesn't say that. But TFA announces the possibility. Other articles will be written by other people. The collection of articles is at Equifax's disposal to reference. So, an example of a very simple security practice they can't manage is relevant in my mind.
No, it goes into considerable detail about the nature of the attack, how it changed once it was passed off from an "entry team" to a more advanced group of hackers, and the level of sophistication.
Again, the article mentions that the initial group struggled to get any sort of foothold after the initial intrusion...it wasn't until the "advanced" team took over that the real breach began: bypassing firewalls, installing back doors and web shells, etc.
The fact that they were a somewhat critical component of the Western financial system and didn't recognize their vulnerability to nation state attacks (if that's what this was) makes the behavior even worse.
Hopefully someone is taking stock of weak points to the system global system and making some sort of corrective plans but I sort of doubt it. Which is alarming. We all like to think adults somewhere are in control but it looks like maybe not.
Considering everything we now know about Russia's attempts to influence our elections and sew division, is it really unreasonable to think they might try to throw a wrench into our credit system?
You'll notice the post you are replying to didn't use the word "hack", it said "attempts to influence our elections and sew division", which is something Facebook ads would do quite well.
I agree that hysteria over "election hacking" is tedious, but so is blanket dismissal that a foreign state actor would have an interest in influencing a US election. Of course they would.
Why would you assume that a single actor used a single approach in attacking the election process? These election systems would have some extremely useful data for targeting those Facebook ad campaigns:
Apart from CNN throwing the phrase "ties with Russia" like the period at the end of the sentences for things as little as an interview being aired on Russian TV (true story from CNN [1]), do we have reasons to think the "Russians hacked the election"? Are you telling me our systems aren't resilient to attacks from other nation-states? If so... what's the NSA doing?
How, by getting Equifax to hire IT staff that does not see the wisdom in patching known vulnerabilities?
> everything we now know about Russia's attempts to influence our elections and sew division
Be careful what you believe. To date there has not been hard evidence that the Russian government was involved in any of the mischief that has been discovered.
It could just as easily have been an activist group within Russia or even (sadly) the US intelligence agencies looking to fan the flames of war with Russia.
There has been consistent conflict between the US and Russia all along since the cold war ended. And certainly lots of mischief on both sides. The danger in this case is allowing US propagandists to frame the recent mischief as cyber warfare, which it is not.
Considering the way that information about the alleged hacks have been strategically leaked and timed to convince the American people to resent Russia, it's pretty clear what the objective is.
Wars don't just happen, they are the result of significant propaganda effort. We are seeing the beginnings of it with the outrage over "meddling". It's only going to get worse. Expect to read additional revelations about Putin's character and Russian society/culture. The goal is to gradually foment mistrust and hate to the point where Americans actually consent to a war which may kill many Russians and many Americans.
Propagandists like the US President's own son and close associates will stop at nothing to frame the Russian government with emails and undisclosed meetings. The scope of the deception is almost unbelievable.
> It could just as easily have been an activist group within Russia or even (sadly) the US intelligence agencies looking to fan the flames of war with Russia.
Neither of those square with observed data, unless you posit a rather massive conspiracy to control that information.
And you still have to contend with a highly suggestive narrative involving key Trumpistas, key Russians, a gloating "denial" from Putin himself, highly suspicious correlations between Trumpist-public actions and private meetings, and the fact that the administration has zero credibility with their stories, having been repeatedly caught out brazenly lying about significant events.
Not to mention, eventually Mueller's investigation will come out. That should be amusing.
> The danger in this case is allowing US propagandists to frame the recent mischief as cyber warfare, which it is not.
Care to elaborate? What do you call it? I've always preferred 'info war' ('cyber' is just insipid), but unfortunately that phrase has been rather coopted.
> Wars don't just happen, they are the result of significant propaganda effort
Very, very true. And we have at least three players here, all spinning in support of their own motives. I just believe you've misidentified the motives of at least one of them.
What is the observed data? Anyone who had a VPS in Russia could have been responsible for the data that is currently known to the public. The intelligence agencies claim there is additional data but it appears unlikely that there actually is.
> Trumpistas
I think it's important not to let distaste for Trump interfere with analysis of this issue. Trump attempts to maximize all publicity in his favor, which is why he thanked "the Russians" for leaking the HRC emails. Just as many lobbyists for Ukraine hire American officials as consultants, Russian firms have in some cases hired former American officials and influencers to help with business/political goals in the US. This is just a normal phenomenon and not in and of itself cause for alarm.
> having been repeatedly caught out brazenly lying about significant events
They found themselves in an unexpected situation where the Russia story got legs that they had not anticipated. Some lies had been told thinking that the non-story would go away faster, and some Trump affiliates were caught in those lies. As unappealing as it is, the lies were probably the right strategy at the time for Trump, since his political enemies had made the Russia story front page news for a period of weeks.
> Care to elaborate? What do you call it?
Russia has first world state actor hacking capability. There is a decent chance that a Stuxnet-like worm has deeply penetrated many of the firms that make voting machines used in US elections. If anything, evidence of minor pentesting artifacts on the web servers of a few voting machine companies ought to make us think Russian involvement is less likely rather than more likely.
The stuff we saw in the past year (phishing, pentesting) requires such little sophistication that moderately interested teenager could have done it. Might Russia have some sort of after school program for patriotic teens? Certainly it might, but any such program would not be considered likely to have any impact other than the remote possibility of a lucky chain of events.
I think it's relevant to consider "Russia" the government vs any of the millions of moderately tech-savvy Russian people who might have been involved in content farming or low-sophistication hacking/phishing.
Since the probability of one of those attacks succeeding is so low (and likely had nothing to do with the 2016 US election outcome) having people conducting those attacks on Russian soil would much more likely be viewed by the Russian government as a liability, analogous to someone in Alaska launching home made missiles into Russia trying to "help" US interests.
Only in the most myopic, partisan political mindset can anyone take seriously the notion that somehow "The Russians" knew how to leverage < $200K in ad spend on Facebook and Twitter to shift the outcome of the 2016 US presidential election. It's just a ludicrous claim, and one that anyone actually doing marketing or involved in budgeting for social media marketing would laugh at without hesitation. It relies on the same sort of fiction that existed during the cold war that imagined super-genius Russian scientists creating super-weapons that would wipe out the US. It's useful for fear-mongering, but much more a figment of the imagination than based in reality.
I think if we look at motive and potential effects on the financial system it's very likely to have been a state sponsored attack.
Coming right on the heels of economic sanctions and a stream of threats my wild guess is North Korean involvement. Or else that's who they'll eventually blame it on. Or who knows.
Which none of this in any way excuses Equifax's shockingly bad behavior.
I used to work for a company that had a big security hole that would allow you to log in as any user as long as you knew the user's UUID (I know, right?) I logged a ticket and raised the issue up the flagpole to let folks know that if someone slipped in some code (we ran a lot of third party javascript) to harvest UUIDs, they could fairly trivially log in as an admin and do some serious damage. The issue sat for months (MONTHS!) until finally a user complained about some non-https content being loaded on our login page, which sparked a whole security review, and gave me an opportunity to bring additional attention to my ticket, which finally got fixed.
This kind of crap is out there, and people don't give it the attention it deserves until they get bitten in the ass. Thankfully, my company didn't get bitten, but if we had, it could have been very bad, and the fact that the issue was called to people's attention and they didn't do anything about it would have made it look that much worse.
Why didn't you fix it? (I don't mean this harshly, just curious.)
Ultimately, this kind of stuff is something IMO a professional programmer should just do. It's irresponsible to let stuff like this go and you should do whatever it takes to make management understand. In a healthy organization it shouldn't even be questioned by management, you just tell them you found a security issue that will cost the company billions and has to be fixed immediately. In an unhealthy organization, maybe you just slip this into some other work without telling management.
Great question, and in the end it comes down to politics and team siloing. A large corporation with a lot of projects and priorities, and no single Security person to raise the issue with. At the time I wasn't in a position to Just Do It and then tell everyone "Hey, this needed to be done, I got it done, now I need a QA resource to test it and then we need to deploy it to prod" without some backlash from multiple source (my boss, the team that owned the product, etc).
Now (and given everything that's happened in the industry in recent years) I would definitely push more, and maybe fix it on my own, but at the time I just shook my head, and sent follow-up emails every few months to try to keep visibility on the issue.
At large companies with politics and bureaucracies you can't really just come in and create a PR for a bug you've found like you'd do in a smaller shop or a startup.
If the code is not responsibility of you (your team / department) all you can do is create work requests / JIRA tickets for people/team responsible for the code.
You wouldn't even have access to the repository or dev/test environments for the affected system most likely.
And it might just sit there for months until it eventually gets picked up and fixed. Or it will never be fixed.
Not to sound patronizing, but you've clearly never worked in a large enterprise.
Teams are siloed. Code is siloed. The deployment process is siloed. Etc.
Do I know where the code lives? If I do, do I -have access to the code-? Write, as well as read? Will my checking in code trigger a huge change review process that will cause people to yell at me for touching code I'm not in charge of? Will my checked in code be picked up as part of what goes to prod? If not, do I have a way to get the code into that process? Etc.
Very few companies of that scale are just a "check the code out, fix it, create a pull request, and watch it work its way into prod".
Not even a large enterprise, just anywhere there's any sort of formal process. Very, very few companies outside a startup with a single product+handful of employees are able to just make code changes like that all willy nilly. Especially to something as sensitive as authentication.
It's like saying "why didn't the NASA engineers just fix the o-rings on the Space Shuttle Challenger? After all, they knew there was problems with them and people's lives were ask risk." They did what they could, which was this: http://www.lettersofnote.com/2009/10/result-would-be-catastr...
Well, you can have a formal process that allows contributions from anyone, which is what I was trying to allude to with "watch it work its way into prod". But I agree, generally speaking if you have a formal process, and you're not on the team, and/or can't convince a product owner of the need, there is no way to get it done.
I worked at Garmin previously which is definitely a big company. On my team I don't think I'd have had trouble convincing management that it needs to be done or otherwise been able to sneak it into other work. I'm concerned that as a profession we're too accepting of "well management won't let me do it" even when the consequences are high. To me it feels like designing a bridge that will collapse and kill people just because your manager said to.
UUIDs aren't exactly guessable, any hole which lets someone "slip in some code" is way more serious than a persistent login token.
It's not great to have a non-revocable login token, but a "UUID that lets anyone log in as you" is how a lot of API access tokens work, which is why they usually have a mechanism where you can regenerate them if you know they are compromised.
I don't disagree with your premise that "a lot of crap is out there" though. Working in small to medium enterprises (SMEs) really opens your eyes about the real level of security of most sites.
Yes, a suitably random and therefore 'unguessable' secret is, fundamentally, the underpinning for auth systems, and some of those secrets utilize UUIDs.
No to the idea that these are comparable. Those are not -user identifiers-. A user identifier, vs a 'secret', require different perspectives in how they're treated, in API, in UI, etc.
For -any- sort of security model you figure out what bits of data must be kept secret, vs what bits of data should be treated as 'known'. A user identifier should always falls into the latter camp, a password or other credential falls into the former.
You said it yourself, "usually have a mechanism to regenerate them if you know they are compromised" - you really, REALLY don't want to have to regenerate your user identifiers if they leak out; that's almost invariably going to involve a great deal of complexity, breakages, regressions, etc. You're effectively changing the primary key of every entry in every database you have that this user exists in. Better to just not make them required to be kept secret for your security model. And even -that- assumes that they were -meant- to be secret; no developer is going to assume that about user identifiers, so you better have made that explicit to everyone who ever touched the code, or you just introduced a bunch of avoidable security holes.
It's fun how when a big corporation is hacked it's always "a sate sponsored group with 0-days worth millions of dollars", but then again nation states themselves keep getting hacked by "a lonely autist in a basement that's just very smart for his own good".
What isn't a 'state-sponsored attack' nowadays?
Seriously it's been a while since I've heard of an attack that wasn't eventually claimed to be state-sponsored.
It's a bad idea to dismiss this claim. I haven't worked through whether the claim has merit, but China has an entire division dedicated solely to finding these kinds of issues in other countries. They exploit them ruthlessly. I'm sure a lot of Russian hackers aren't as independent as they seem, either. And of course, the NSA does all of this vs the rest of the world, though I'm not sure they'd be interested in the Russian equivalent of the Equifax situation.
A lot of people seem to feel like 'state-sponsored attack' and 'attack enabled by massive security management problems' are mutually exclusive. It is completely possible, and history indicates very likely, that Equifax was both massively incompetent and attacked by a state-sponsored organization. The state actors are working very hard to find these kinds of vulnerabilities, so it makes perfect sense that gaping security issues are being exploited by the people who are putting the most time into finding them.
It doesn't matter if it was as state or not, it should have been so comprehensive, or easy.
The basic design of where the data was placed, and how easy it was to traverse the network, combined with a stunning lack of monitoring means that it could have almost have been a script kiddie who did this.
Because as we all know, the US is special and gets to fuck with everybody else's elections (up to and including the violent overthrow of a democratically elected government and state executed assassination), but do it to them and suddenly it's a warlike act.
> Because as we all know, the US is special and gets to fuck with everybody else's elections (up to and including the violent overthrow of a democratically elected government and state executed assassination), but do it to them and suddenly it's a warlike act.
I have no idea of your political inclinations, but generally I find it odd that the right is overall giving a pass to Russia with this. Deflecting as you are doing, and not answering the issue at hand.
Russia, formerly via Communism, was all but our enemy shortly after WW2. They are still an adversary. So, we decided it was in our best interest to fuck with them, and many other countries because we were "the good guys". Yes, this got convoluted and contrived, and completely futile -- especially w.r.t. Vietnam, the Bay of Pigs, Panama, and many others I imagine.
But even considering all that, it still doesn't justify Russia interfering with our election. Surprising? No.
But why are so many on the right giving Russia a free-pass? It all seems to be the same motivation that kept us in Vietnam for years after it was known to be a waste: To avoid admitting you were wrong; to try and save face.
I don't think they should get a free pass, so good job on your assumptions there, kiddo.
I'm more taking issue with people that are shocked, just shocked that other counties would treat the US the way that the US treats other countries. It's childish and amusing. The power of American Exceptionalism, what can you do?
> I don't think they should get a free pass, so good job on your assumptions there, kiddo.
The first sentence of my reply explicitly stated that I was not talking about you, just that you are doing the same thing the right is doing to deflect. Remember, this was your original low effort post:
>> muh russian hackers
>This nonsense is really getting old
So to claim now that:
> I'm more taking issue with people that are shocked, just shocked that other counties would treat the US the way that the US treats other countries.
Is what you are taking issue with appears to be disingenuous. You implied all this Russia hacking stuff was nonsense.
> Mandiant, the security consulting firm hired by Equifax to investigate the breach, said in a report distributed to Equifax clients on Sept. 19 that it didn't have enough data to identify either the attackers or their country of origin.
Isn't it possible that with the incredible bounty of state-power hacking tools floating around the web that it's just a criminal organization? Or are we trying to paint a cold-cyber-war narrative to put Equifax in a sympathetic light?
Ah yes, the super-spy excuse. That worked well before, why not go for it again.
It basically boils down to "Don't blame us, we are up against the super-sophisticated Chinese / KGB / aliens etc". It's a way to deflect blame.
> . In a speech at the University of Georgia last month, he [now ex-CEO] described a stagnating credit reporting agency with a “culture of tenure” and “average talent.”
When the CEO talks publicly about average talent, you can be sure the real talent is well below average.
> > . In a speech at the University of Georgia last month, he [now ex-CEO] described a stagnating credit reporting agency with a “culture of tenure” and “average talent.”
That was his description of the organization he inherited, in 2005. It was not his opinion of the organization as it stands now.
Hope I don't forget about this case, when I need to argue about maintenance costs, security upgrades etc, also that's why I like Go so much, you don't need or supposed to use a full fledged framework, at most a router with no dependences and lightweight, but best if nothing.
>... some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions ...
The following sentence:
>Others involved in the investigation aren't so sure, saying the evidence is inconclusive at best or points in other directions.
is the exact opposite.
And the one following is even worse:
>One person briefed on the probe being conducted by the Federal Bureau of Investigation and U.S. intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn't point to China. The person declined to name the country involved because the details are classified.
So with the investigation still not concluded there is a small number (not quantified) of people saying it was a Nation-State AND Chinese, another small group (also not quantified) saying that it was NOT a Nation-State (and thus NOT Chinese) and ONE single person stating that State-Sponsored intelligence "may have played a role" BUT NOT Chinese.
All the rest ia about how good are (or were) the people at Equifax and how hard they tried to make this not happen, but of course you can do nothing if you are the target of a Nation-State intelligence, particularly if Chinese.
The web shell identified, China Chopper, actually has an English UI (not Chinese as the article claims). The only relationship to China is that it was originally compiled by a user that regularly visits the Google HK domain.
I can't believe Bloomberg would publish that. Why not write "nobody knows but the authorities are investigating" or just wait until there is actual news to report on? Why fluff it up and make up what is essentially gossip at this point? Journalist standards seem to be declining across the board.
Sure, it's possible it was a state-sponsored attack, but that mostly doesn't matter. What matters is that this system should have never been set up in the first place. There's no reason that we need to consolidate this data into one big target, and then put that target into an easily breachable safe.
So then it follows that Equifax and similar agencies are structural weak points in our banking system and dismantling them asap is vital to national security.
Claiming victimization by a "state-sponsored" actor has now become the "go to" tool in public relations crisis management of data breaches.
Rather than admit their own complete failure and negligence these companies are now seeking to portray themselves as victims along with the people they have permanently put at risk and profited from in the process. It's disgusting.
If you leave your car unlocked with the keys in the ignition and someone steals the car, you are not a victim you are an idiot.
"Never attribute to malice that which can be adequately explained by stupidity, but don't rule out malice." - 'Hanlon's Razor' (possibly Heinlein's Razor), by Robert Heinlein and others
I have to say at first I felt the same way most of the other commenters did: Claiming this was a state-sponsored attack is a convenient scapegoat.
I'm still skeptical, but I wouldn't dismiss it outright.
I think in the next 6-12 months, if a wholesale PII marketplace doesn't appear, the odds of a state-sponsored attack go up dramatically. The economics of wholesale fraud are such that you make money selling to other fraudsters, not trying to exploit the information yourself (setting up new accounts, taking over existing accounts, etc..).
For what it's worth, even if this attack was executed by actors unaffiliated with the government, this information WILL make it's way to intelligence organization(s) in their home country. Unlike in the US, foreign and domestic intelligence services maintain a much closer relationship with the hackers in their home country.
And I suppose the Chief Security Officer at the time, who held a degree in music an had no relevant experience in technology or security, was a state-appointed spy, too? Surely the Russians pulled a lot of strings to get her into that position. There is no other possible explanation.
> had no relevant experience in technology or security
This has been thoroughly debunked. She had extensive industry experience in a series of increasingly important security and compliance roles going back at least 15 years. Furthermore, the Bloomberg article even paints her in a positive light as someone trying to do the right thing against corporate opposition.
Not that I agree or disagree with the attack being state sponsored, but what other way to find people potentially ripe for being turned into spies than those with crushing debt, or other publicly available judgements against them?
Money is a great motivator, especially when you can use one database to find those in most desperate need of it who are also working for companies ripe for exploitation.
"The business generates a gross margin of about 90%."
Well, I can see why they would have to cut costs associated with employing customer service representatives to handle requests for copies of credit reports from consumers.
Faced with such financial pressures, they probably had no choice but to make private consumer data accessible via public internet and use a "web app" in order to scale back their costly customer service headcount.
This has all the hallmarks of sound business judgment.
I'm surprised how many readers reject the premise outright. I thought the part 'this wasn't a credit card play, this wasn't a get info on every American play' was somewhat compelling. plus the part about looking into a handful of people with high security value?
> Groups known to exploit web shells most effectively include teams with links to Chinese intelligence, including one nicknamed Shell Crew.
That's just silly. It is very common when exploiting web apps to utilize a web shell to persist your access and then to work from that to implement better and more permanent access.
Web shells are easy to find and they make a lot of noise (POSTs in the web logs). They are very easy to spot in any org that has their web/app roots under version control, so advanced adversaries will use them temporarily - not install 30 of them
> One of the tools used by the hackers—China Chopper—has a Chinese-language interface, but is also in use outside China, people familiar with the malware said.
China Chopper is an old web shell[0]. It works by having a very thin server component that simply runs an eval of a POST variable. Most of the intelligence is in the thick client (read about it at the links below - its pretty cool but by no means advanced).
While it was developed in China - the interface is in English[1]. There isn't even much of an interface, as it will reconstruct the server file explorer, shell, db connection etc.
You can't identify China Chopper from just the server component, since it is a simple:
Most decent scanners will have a signature for "exec("[1]
This is what I still don't understand about the Equifax hack. They had an entire infosec team, ran a SOC, had all sorts of high-end product installed (including complete traffic logs) yet someone could exfil 10GB+ of data using a known web app exploit and simple web shell.
There is more to this story, and it will be told in what happen once the attackers penetrated the first web server and how they were able to pull of the lateral moves to get to the credit database. I sense there is going to be some horrible security practice and hygiene on the internal network that allowed this to happen (think broad permissions, full database access, no db query monitoring, no encryption internally, etc.).
98 comments
[ 3.0 ms ] story [ 169 ms ] threadA different Equifax site had an admin account with the password..."admin"
https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-l...
I only scanned TFA but it didn't' seem to say "Wow, this was a sophisticated attack only a country could pull off," but more of "the [scant] evidence so far seems to point to..."
The Equifax hack has the hallmarks of Equifax's complete incompetence when it comes to security, and that is all.
They did say "...sophisticated team of hackers..." so who knows, right.
The fact that they were a somewhat critical component of the Western financial system and didn't recognize their vulnerability to nation state attacks (if that's what this was) makes the behavior even worse.
Hopefully someone is taking stock of weak points to the system global system and making some sort of corrective plans but I sort of doubt it. Which is alarming. We all like to think adults somewhere are in control but it looks like maybe not.
Be cautious when declaring an event as being born from malice, when the event is adequately explained by incompetence.
"No CEO would be able to withstand a targeted attack from such a motivated adversary!"
I agree that hysteria over "election hacking" is tedious, but so is blanket dismissal that a foreign state actor would have an interest in influencing a US election. Of course they would.
https://www.apnews.com/cb8a753a9b0948589cc372a3c037a567
Pretty sure that qualifies as 'unauthorized access'.
https://www.washingtonpost.com/news/the-fix/wp/2017/09/23/wh...
And in case you're interested, here it is from a more colorful source;
https://theintercept.com/2017/09/28/yet-another-major-russia...
[1] https://youtu.be/rSzYc_gSx44
How, by getting Equifax to hire IT staff that does not see the wisdom in patching known vulnerabilities?
> everything we now know about Russia's attempts to influence our elections and sew division
Be careful what you believe. To date there has not been hard evidence that the Russian government was involved in any of the mischief that has been discovered.
It could just as easily have been an activist group within Russia or even (sadly) the US intelligence agencies looking to fan the flames of war with Russia.
There has been consistent conflict between the US and Russia all along since the cold war ended. And certainly lots of mischief on both sides. The danger in this case is allowing US propagandists to frame the recent mischief as cyber warfare, which it is not.
Considering the way that information about the alleged hacks have been strategically leaked and timed to convince the American people to resent Russia, it's pretty clear what the objective is.
Wars don't just happen, they are the result of significant propaganda effort. We are seeing the beginnings of it with the outrage over "meddling". It's only going to get worse. Expect to read additional revelations about Putin's character and Russian society/culture. The goal is to gradually foment mistrust and hate to the point where Americans actually consent to a war which may kill many Russians and many Americans.
Neither of those square with observed data, unless you posit a rather massive conspiracy to control that information.
And you still have to contend with a highly suggestive narrative involving key Trumpistas, key Russians, a gloating "denial" from Putin himself, highly suspicious correlations between Trumpist-public actions and private meetings, and the fact that the administration has zero credibility with their stories, having been repeatedly caught out brazenly lying about significant events.
Not to mention, eventually Mueller's investigation will come out. That should be amusing.
> The danger in this case is allowing US propagandists to frame the recent mischief as cyber warfare, which it is not.
Care to elaborate? What do you call it? I've always preferred 'info war' ('cyber' is just insipid), but unfortunately that phrase has been rather coopted.
> Wars don't just happen, they are the result of significant propaganda effort
Very, very true. And we have at least three players here, all spinning in support of their own motives. I just believe you've misidentified the motives of at least one of them.
What is the observed data? Anyone who had a VPS in Russia could have been responsible for the data that is currently known to the public. The intelligence agencies claim there is additional data but it appears unlikely that there actually is.
> Trumpistas
I think it's important not to let distaste for Trump interfere with analysis of this issue. Trump attempts to maximize all publicity in his favor, which is why he thanked "the Russians" for leaking the HRC emails. Just as many lobbyists for Ukraine hire American officials as consultants, Russian firms have in some cases hired former American officials and influencers to help with business/political goals in the US. This is just a normal phenomenon and not in and of itself cause for alarm.
> having been repeatedly caught out brazenly lying about significant events
They found themselves in an unexpected situation where the Russia story got legs that they had not anticipated. Some lies had been told thinking that the non-story would go away faster, and some Trump affiliates were caught in those lies. As unappealing as it is, the lies were probably the right strategy at the time for Trump, since his political enemies had made the Russia story front page news for a period of weeks.
> Care to elaborate? What do you call it?
Russia has first world state actor hacking capability. There is a decent chance that a Stuxnet-like worm has deeply penetrated many of the firms that make voting machines used in US elections. If anything, evidence of minor pentesting artifacts on the web servers of a few voting machine companies ought to make us think Russian involvement is less likely rather than more likely.
The stuff we saw in the past year (phishing, pentesting) requires such little sophistication that moderately interested teenager could have done it. Might Russia have some sort of after school program for patriotic teens? Certainly it might, but any such program would not be considered likely to have any impact other than the remote possibility of a lucky chain of events.
I think it's relevant to consider "Russia" the government vs any of the millions of moderately tech-savvy Russian people who might have been involved in content farming or low-sophistication hacking/phishing.
Since the probability of one of those attacks succeeding is so low (and likely had nothing to do with the 2016 US election outcome) having people conducting those attacks on Russian soil would much more likely be viewed by the Russian government as a liability, analogous to someone in Alaska launching home made missiles into Russia trying to "help" US interests.
Only in the most myopic, partisan political mindset can anyone take seriously the notion that somehow "The Russians" knew how to leverage < $200K in ad spend on Facebook and Twitter to shift the outcome of the 2016 US presidential election. It's just a ludicrous claim, and one that anyone actually doing marketing or involved in budgeting for social media marketing would laugh at without hesitation. It relies on the same sort of fiction that existed during the cold war that imagined super-genius Russian scientists creating super-weapons that would wipe out the US. It's useful for fear-mongering, but much more a figment of the imagination than based in reality.
Coming right on the heels of economic sanctions and a stream of threats my wild guess is North Korean involvement. Or else that's who they'll eventually blame it on. Or who knows.
Which none of this in any way excuses Equifax's shockingly bad behavior.
Even tech readers. I worked with a veteran who would just take that kind of stuff as fact because "17 intelligence agencies cant be wrong"
This kind of crap is out there, and people don't give it the attention it deserves until they get bitten in the ass. Thankfully, my company didn't get bitten, but if we had, it could have been very bad, and the fact that the issue was called to people's attention and they didn't do anything about it would have made it look that much worse.
Ultimately, this kind of stuff is something IMO a professional programmer should just do. It's irresponsible to let stuff like this go and you should do whatever it takes to make management understand. In a healthy organization it shouldn't even be questioned by management, you just tell them you found a security issue that will cost the company billions and has to be fixed immediately. In an unhealthy organization, maybe you just slip this into some other work without telling management.
Now (and given everything that's happened in the industry in recent years) I would definitely push more, and maybe fix it on my own, but at the time I just shook my head, and sent follow-up emails every few months to try to keep visibility on the issue.
Obviously I got out of that environment pretty quickly, but you're not in a position to just do things at big companies. Probably most of them.
If the code is not responsibility of you (your team / department) all you can do is create work requests / JIRA tickets for people/team responsible for the code.
You wouldn't even have access to the repository or dev/test environments for the affected system most likely.
And it might just sit there for months until it eventually gets picked up and fixed. Or it will never be fixed.
Teams are siloed. Code is siloed. The deployment process is siloed. Etc.
Do I know where the code lives? If I do, do I -have access to the code-? Write, as well as read? Will my checking in code trigger a huge change review process that will cause people to yell at me for touching code I'm not in charge of? Will my checked in code be picked up as part of what goes to prod? If not, do I have a way to get the code into that process? Etc.
Very few companies of that scale are just a "check the code out, fix it, create a pull request, and watch it work its way into prod".
It's like saying "why didn't the NASA engineers just fix the o-rings on the Space Shuttle Challenger? After all, they knew there was problems with them and people's lives were ask risk." They did what they could, which was this: http://www.lettersofnote.com/2009/10/result-would-be-catastr...
It's not great to have a non-revocable login token, but a "UUID that lets anyone log in as you" is how a lot of API access tokens work, which is why they usually have a mechanism where you can regenerate them if you know they are compromised.
I don't disagree with your premise that "a lot of crap is out there" though. Working in small to medium enterprises (SMEs) really opens your eyes about the real level of security of most sites.
Yes, a suitably random and therefore 'unguessable' secret is, fundamentally, the underpinning for auth systems, and some of those secrets utilize UUIDs.
No to the idea that these are comparable. Those are not -user identifiers-. A user identifier, vs a 'secret', require different perspectives in how they're treated, in API, in UI, etc.
For -any- sort of security model you figure out what bits of data must be kept secret, vs what bits of data should be treated as 'known'. A user identifier should always falls into the latter camp, a password or other credential falls into the former.
You said it yourself, "usually have a mechanism to regenerate them if you know they are compromised" - you really, REALLY don't want to have to regenerate your user identifiers if they leak out; that's almost invariably going to involve a great deal of complexity, breakages, regressions, etc. You're effectively changing the primary key of every entry in every database you have that this user exists in. Better to just not make them required to be kept secret for your security model. And even -that- assumes that they were -meant- to be secret; no developer is going to assume that about user identifiers, so you better have made that explicit to everyone who ever touched the code, or you just introduced a bunch of avoidable security holes.
It doesn't matter if it was as state or not, it should have been so comprehensive, or easy.
The basic design of where the data was placed, and how easy it was to traverse the network, combined with a stunning lack of monitoring means that it could have almost have been a script kiddie who did this.
_almost_
This nonsense is really getting old
And yes, "it's the russians" is now a joke where I work when servers are down, or someone makes stupid mistake and breaks the build.
And there's little doubt Russia interfered with the USA's election. To what degree is being investigated.
I have no idea of your political inclinations, but generally I find it odd that the right is overall giving a pass to Russia with this. Deflecting as you are doing, and not answering the issue at hand.
Russia, formerly via Communism, was all but our enemy shortly after WW2. They are still an adversary. So, we decided it was in our best interest to fuck with them, and many other countries because we were "the good guys". Yes, this got convoluted and contrived, and completely futile -- especially w.r.t. Vietnam, the Bay of Pigs, Panama, and many others I imagine.
But even considering all that, it still doesn't justify Russia interfering with our election. Surprising? No.
But why are so many on the right giving Russia a free-pass? It all seems to be the same motivation that kept us in Vietnam for years after it was known to be a waste: To avoid admitting you were wrong; to try and save face.
I'm more taking issue with people that are shocked, just shocked that other counties would treat the US the way that the US treats other countries. It's childish and amusing. The power of American Exceptionalism, what can you do?
The first sentence of my reply explicitly stated that I was not talking about you, just that you are doing the same thing the right is doing to deflect. Remember, this was your original low effort post:
>> muh russian hackers >This nonsense is really getting old
So to claim now that:
> I'm more taking issue with people that are shocked, just shocked that other counties would treat the US the way that the US treats other countries.
Is what you are taking issue with appears to be disingenuous. You implied all this Russia hacking stuff was nonsense.
I mean, sometimes foreign governments do hack stuff, and when they do they will sometimes leave evidence of who was behind it.
It's far from conclusive in this case, and there's a lot of speculation, but the article is completely up-front about that.
Isn't it possible that with the incredible bounty of state-power hacking tools floating around the web that it's just a criminal organization? Or are we trying to paint a cold-cyber-war narrative to put Equifax in a sympathetic light?
It basically boils down to "Don't blame us, we are up against the super-sophisticated Chinese / KGB / aliens etc". It's a way to deflect blame.
> . In a speech at the University of Georgia last month, he [now ex-CEO] described a stagnating credit reporting agency with a “culture of tenure” and “average talent.”
When the CEO talks publicly about average talent, you can be sure the real talent is well below average.
That was his description of the organization he inherited, in 2005. It was not his opinion of the organization as it stands now.
All in all it revolves around:
>... some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions ...
The following sentence:
>Others involved in the investigation aren't so sure, saying the evidence is inconclusive at best or points in other directions.
is the exact opposite.
And the one following is even worse:
>One person briefed on the probe being conducted by the Federal Bureau of Investigation and U.S. intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn't point to China. The person declined to name the country involved because the details are classified.
So with the investigation still not concluded there is a small number (not quantified) of people saying it was a Nation-State AND Chinese, another small group (also not quantified) saying that it was NOT a Nation-State (and thus NOT Chinese) and ONE single person stating that State-Sponsored intelligence "may have played a role" BUT NOT Chinese.
All the rest ia about how good are (or were) the people at Equifax and how hard they tried to make this not happen, but of course you can do nothing if you are the target of a Nation-State intelligence, particularly if Chinese.
The web shell identified, China Chopper, actually has an English UI (not Chinese as the article claims). The only relationship to China is that it was originally compiled by a user that regularly visits the Google HK domain.
Too big to flail.
Who knows what other actors could have exploited it instead or as well?
In any case the incompetence was the root cause and I wouldn't trust Equifax to speak my weight.
Rather than admit their own complete failure and negligence these companies are now seeking to portray themselves as victims along with the people they have permanently put at risk and profited from in the process. It's disgusting.
If you leave your car unlocked with the keys in the ignition and someone steals the car, you are not a victim you are an idiot.
Well, no. You are both a victim and an idiot. These things are not mutually exclusive.
I'm still skeptical, but I wouldn't dismiss it outright.
I think in the next 6-12 months, if a wholesale PII marketplace doesn't appear, the odds of a state-sponsored attack go up dramatically. The economics of wholesale fraud are such that you make money selling to other fraudsters, not trying to exploit the information yourself (setting up new accounts, taking over existing accounts, etc..).
For what it's worth, even if this attack was executed by actors unaffiliated with the government, this information WILL make it's way to intelligence organization(s) in their home country. Unlike in the US, foreign and domestic intelligence services maintain a much closer relationship with the hackers in their home country.
If the data never sees the light of day in the shadier parts of our internet then their narrative is more belieavable.
http://www.marketwatch.com/story/equifax-ceo-hired-a-music-m...
https://en.wikipedia.org/wiki/Peiter_Zatko
This has been thoroughly debunked. She had extensive industry experience in a series of increasingly important security and compliance roles going back at least 15 years. Furthermore, the Bloomberg article even paints her in a positive light as someone trying to do the right thing against corporate opposition.
Money is a great motivator, especially when you can use one database to find those in most desperate need of it who are also working for companies ripe for exploitation.
Well, I can see why they would have to cut costs associated with employing customer service representatives to handle requests for copies of credit reports from consumers.
Faced with such financial pressures, they probably had no choice but to make private consumer data accessible via public internet and use a "web app" in order to scale back their costly customer service headcount.
This has all the hallmarks of sound business judgment.
That's just silly. It is very common when exploiting web apps to utilize a web shell to persist your access and then to work from that to implement better and more permanent access.
Web shells are easy to find and they make a lot of noise (POSTs in the web logs). They are very easy to spot in any org that has their web/app roots under version control, so advanced adversaries will use them temporarily - not install 30 of them
> One of the tools used by the hackers—China Chopper—has a Chinese-language interface, but is also in use outside China, people familiar with the malware said.
China Chopper is an old web shell[0]. It works by having a very thin server component that simply runs an eval of a POST variable. Most of the intelligence is in the thick client (read about it at the links below - its pretty cool but by no means advanced).
While it was developed in China - the interface is in English[1]. There isn't even much of an interface, as it will reconstruct the server file explorer, shell, db connection etc.
You can't identify China Chopper from just the server component, since it is a simple:
Most decent scanners will have a signature for "exec("[1]This is what I still don't understand about the Equifax hack. They had an entire infosec team, ran a SOC, had all sorts of high-end product installed (including complete traffic logs) yet someone could exfil 10GB+ of data using a known web app exploit and simple web shell.
There is more to this story, and it will be told in what happen once the attackers penetrated the first web server and how they were able to pull of the lateral moves to get to the credit database. I sense there is going to be some horrible security practice and hygiene on the internal network that allowed this to happen (think broad permissions, full database access, no db query monitoring, no encryption internally, etc.).
[0] https://www.fireeye.com/blog/threat-research/2013/08/breakin...
[1] http://informationonsecurity.blogspot.com.au/2012/11/china-c...
[2] https://www.tenable.com/pvs-plugins/9488