Get a proper grip on your application security and patching—lest it cost you your business.

Equifax hack: This story gets worse and worse. And worse.

Last week, Equifax lost control of 143 million records, including sensitive, identity-related personal information, such as birth dates, addresses, and SSNs. It’s frankly terrifying.

That much we know, but what we don’t know is how. Without that, we can’t begin to draw lessons from the debacle.

But we can make some edumacated guesses. In this week’s Security Blogwatch, we measure the app sec angle.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The $1,000 emoji machine

The fundamentals of application security

What’s the craic? Here’s Dan Goodin’s good summary:

The breach Equifax reported [last week] very possibly is the most severe [ever] for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. … Full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers.

The 143 million US people Equifax said were potentially affected … means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come.

The Equifax breach also stands out for the way the company has handled [it]. … For one thing, it took the Atlanta-based company more than five weeks to disclose. … Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the … discovery of the breach [which] at a minimum gives the wrong appearance.

What's more, the website [that] Equifax created to notify people of the breach is highly problematic. [It] doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax. [And] a username for administering the site has been left in a page that was hosted here.

Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes. … A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks.

Brian Krebs calls it a Dumpster Fire:

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived. … The Web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted … is completely broken at best, and little more than a stalling tactic … at worst.

In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked … on their mobile phones. … Others (myself included) received … instead a message that credit monitoring services we were eligible for were not available. … Entering gibberish names and numbers produced the same result.

After [I] broke the story in 2013 that Experian had given access to 200 million consumer records to a Vietnamese man running an identity theft service, two different law firms filed class action suits. … That case was … remanded to state court, where it is ongoing. That case was filed in 2015.

In 2015, a breach at Experian jeopardized the personal data of at least 15 million consumers. [In May 2017, I] reported that fraudsters exploited lax security at Equifax’s TALX payroll division.

What we need now is the characteristic bluntness of an Aussie. Troy “@troyhunt” Hunt doesn’t disappoint:

What a mess. … What an absolute mess this situation is.

Looking at how this … debacle has panned out, the real problem they have now is trust.

And Jonathan “@jeunice” Eunice ramps up the ALL-CAPS indignation:

Dear @Equifax … you have undermined America.

Equifax’s incompetence is EPIC. Yet they patter on about being leaders in data protection. Their negligent arrogance is MONSTROUS.

OK, so where are the app sec lessons? Lily Hay Newman speaks of America's Identity Crisis:

With Equifax's revelation that 143 million Americans may have had their SSNs stolen … security experts are pressing for a fundamental reassessment in how, and why, we identify ourselves. … SSNs, which have been around since the 1930s, have only one intended purpose: to track US citizens' earnings and contributions to … Social Security. [But] "The card was never intended to serve as a personal identification document," [says] the Social Security Administration.

Your Social Security number is supposed to be kept secret, which is an increasing challenge. … It would be possible for organizations to implement strong and diverse authentication factors that cut down on the dramatic exposure that currently exists with SSNs. … The impacts of Equifax's breach could push the company to advocate for new identifiers and authenticators.

And of course there’s the small issue of keeping up to date with patches, as Steven J. “@sjvn” Vaughan-Nichols explains:

According to an unsubstantiated report by equity research firm Baird, citing no evidence, the blame falls on the open-source server framework, Apache Struts … a popular open-source software programming Model-View-Controller (MVC) framework for Java.

In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. … Equifax's technical expertise, it has been shown, is less than acceptable.

If the problem was indeed with Struts, it was with a … serious security problem in Struts, first patched in March: [CVE-2017-5638. So] is it the fault of Struts developers or Equifax's developers, system admins, and their management? … The people who ran code with a known "total compromise of system integrity" should get the blame.

What's … likely is that Equifax's long list of mistakes shows just how technically challenged, if not entirely inept, it has been.

George V. Hulme’s headline says it all: Equifax Rated ‘F’ in Application Security Before Breach:

If a September 8, 2017, report from security risk ratings provider BitSight Technologies … is accurate, hints of Equifax slipping in its security efforts have been present for months.

BitSight graded Equifax an F in Application Security. … With its F rating for the past 60 days, Equifax is ranked in the bottom 10 percent of all companies.

For Patching Cadence, BitSight graded Equifax a D, which is in the bottom 30 percent of all companies. … According to BitSight’s report, [it] had steadily trended worse during the past year.

(The BitSight Security Ratings Report was not obtained directly from BitSight Technologies. BitSight does not share their ratings publicly.)

Won’t somebody explain how we got here? Rohit “@rksethi” Sethi gives it a go:

Application security is really not a top priority for most security groups. … You could be compliant with best practices and have nothing by way of web application security.

If you receive a degree in programming, there’s a chance you don’t learn anything about security. … Programmers learn software development, but not how to do security. There’s a gap in training.

Typically you have software developers rushed to get software out the door, without taking additional steps to build more secure software. [They] just build the software and deal with issues later, rather than deal with it up front.

But where are the apologists for Equifax? Heed Ryan Gallagher’s balanced viewpoint: [You’re fired—Ed.]

Come on guys! Take it easy on Equifax! I'm sure they regularly extended the same understanding to people disputing erroneous credit reports, as they are now asking of the public.

Yep, you gotta straighten your app sec posture. Do you need any more convincing? Christine “@BrideOfLinux” Hall asks How Much Will the Data Breach Cost Equifax?

Untold tens of millions of dollars.

A recent study conducted by the independent research group Ponemon Institute … found that in the US the average total cost of a data breach is … $225 [per] record compromised.

Could it get any worse? Uh, YES—according to Brian Krebs (again):

Earlier today, this author was contacted by … Hold Security LLC. … It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

If you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.

But wait, it gets worse. From the main page … was a listing … of complaints and disputes filed by Argentinians who had … contacted Equifax … to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this … included more than 14,000 such records.

Meanwhile, Chris “@northerncodemky” Richards searches for the silver lining (and fails):

Well it's a good thing they don't have every single little detail on almost everybody.

The moral of the story? Get a proper grip on your application security and patching—lest it cost you your business.

And finally …

The iPhone X sucks out your soul [a couple of naughty words]

Hat tip: Xeni Jardin

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U.S. Office of War Information (cc0)