
Is this why Equifax was hacked?


Comments

  • darkerz (Member, Posts: 431)
    I feel like some of the responses on here are in part tied to her being, well, a her. On Reddit, and on here, particularly unconstructive commentary... Before you get ready to type out your angst and rebuttal, to utterly destroy me on the internet, continue below.

    Some of the brightest people I've met in IT at all levels had as little as a GED and 10-20 years of experience, as much as a degree in an unrelated field.

    End of the day, it's easy to **** on someone because they don't have a Security + or a degree in Comp Sci. However, consider why multiple companies would then interview, vet, reference check and finally hire a person on their path to CISO, particularly due to their lack of certs, for example. The negative, pessimistic mind will assume and/or infer "nepotism, corruption and/or paddling unqualified to the top", however the realist has to understand a company won't prop up, hire and compensate someone 6-8 figures because they are bad at what they do.

    These vulnerabilities and breaches could, and do, happen to plenty (TONS) of companies every day. The adversary will always outpace and out innovate you. Assume breach, develop a security post-breach lifecycle thereafter. As the 21st century continues, this will only get worse.
    :twisted:
  • jibtech (Member, Posts: 424)
    I can't (and will never try to) speak for Reddit. That said, I don't think the issue has anything to do with gender. I don't even think it has to do with the fact that Equifax was breached.

    For many people, and certainly for me, the problem is the systemic lack of disregard for data security, given the sensitivity of the information they possess. Even worse, these were conscious decisions.

    Information being stored in plaintext. That was a design decision. Where was the due diligence? Where was the code review?

    A freeze PIN that is nothing more than a time stamp? That is patently ridiculous. If it had been a Unix time stamp that was generated, I could chalk it up to incompetence. But someone made that decision, coded it and Equifax signed off on it at some level.

    The fact that whether you were affected is purely random, with differing answers given even when the same data is entered. That is a particularly egregious act of jackassery.

    None of these were unknown vulnerabilities, or even failures to patch in a timely manner. The hole may have been outside of their control, but what the hole revealed was an organization with little to no regard for the security of data that can adversely affect the lives of millions of people.

    This wasn't a CISO who had been in place for 60 days when this happened. She had been there for plenty of time to address these glaring flaws, and didn't. Either she was ineffective as a CISO, or she was incompetent. All of these issues fall well within the scope of a CISO at a large enterprise, and every CISO knows that they will be held accountable in this kind of a situation. This was negligent at best. Criminally so, in my opinion.

    For the record, 20+ years in IT, with a high school diploma. I judge people based on what they do, not what their degree is. What she did was a poor job.
  • stryder144 (Member, Posts: 1,684)
    Well said, jibtech. It isn't a matter of gender, education, or what color their car is. It is plainly a matter of incompetence on many different levels. I have 22 years of leadership experience in the military. As such, even if I had taken over the CSO job at Equifax the day before the breach was announced, I would take responsibility for it and responsibility for a solution. Plain and simple. And that is how I view the whole mess. How are they responding to the situation? So far, several have sold off stocks (insider trading, a felony), provided inadequate freeze PIN security (not criminal but not intelligent, either), and saved PII data in plain text... I can't even comment on that one, you know, since oftentimes full-disk encryption and file encryption are built into the operating systems (thus, free!!! Think BitLocker and EFS for Windows Servers) and many databases come with encryption built in or at a very affordable price.

    Thankfully, they are providing some enterprising author (Brian Krebs, for instance) a self-writing best seller on what the heck not to do to secure sensitive information. A treasure that will be mined by comedians, politicians, and security professionals for decades to come. Heck, I'm going to label it the new "Data Breach of the Century".

    Sadly, it is the American people who can least afford such a data breach that will ultimately pay the price for their negligence.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

  • Danielm7 (Member, Posts: 2,310)
    jibtech wrote: »

    Information being stored in plaintext. That was a design decision. Where was the due diligence? Where was the code review?

    A freeze PIN that is nothing more than a time stamp? That is patently ridiculous. If it had been a Unix time stamp that was generated, I could chalk it up to incompetence. But someone made that decision, coded it and Equifax signed off on it at some level.

    The fact that whether you were affected is purely random, with differing answers given even when the same data is entered. That is a particularly egregious act of jackassery.

    None of these were unknown vulnerabilities, or even failures to patch in a timely manner. The hole may have been outside of their control, but what the hole revealed was an organization with little to no regard for the security of data that can adversely affect the lives of millions of people.
    Outside of the time stamp PIN, which yes, is dumb, is any of this other info even known? There is speculation that it used a Struts 2 vuln for the breach; even the Struts foundation said they don't know which one and it might be a zero day. Put most other security folks in that position, even at a high management layer. Even if scan, pen test, code review, etc, all come up clean and someone finds a new unknown bug and takes advantage of that, would you have seen it ahead of time? We don't even know how much data each record takes. They could be all pretty short text records and queried out slowly, even for 143 million, over a period of time as regular web traffic; it doesn't have to look like very much at all. I know everyone wants to roast one person but it's really not that cut and dry, and I doubt it has anything at all to do with what school majors someone had 20 years ago.
  • Daneil3144 (Member, Posts: 152)
    jibtech wrote: »
    The fact that whether you were affected is purely random, with differing answers given even when the same data is entered. That is a particularly egregious act of jackassery.

    Explain?
  • stryder144 (Member, Posts: 1,684)
    Krebs On Security mentioned that an Argentinian Equifax employee portal had a user name of admin and a password of admin. If that is the type of jackassery that Equifax allowed then it is no wonder a vulnerability may have been exploited. Heck, the hackers may have broken down an already unlocked door, for Pete's sake. Personally, someone's major doesn't really matter, in my opinion. This isn't a case of one person being at fault, but as more of the story unfolds it seems that there were multilevel, systemic issues with the entire organization worldwide. Naturally, even the breaking news isn't necessarily accurate, what with editorial slant coming into play (everyone wants to roast a credit reporting agency because of what their core job is). We can armchair quarterback this to death and still not focus on the right thing: making sure that our Rome isn't burning while we fiddle a ditty in honor of Equifax!
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

  • mbarrett (Member, Posts: 397)
    p@r0tuXus wrote: »
    Think this CISO was one of the 3 executives that sold part of the $1.8 million in shares just a couple days before the announcement? And they say "they" were not aware of the hack. If she's in that position, she sure better have known of it.

    No.
    Not according to the information that was published.
    https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack

    I doubt they actually didn't know - something of this magnitude, and senior executives don't know what's going on? Something smells...
  • infosec123 (Member, Posts: 48)
    darkerz wrote: »
    however the realist has to understand a company won't prop up, hire and compensate someone 6-8 figures because they are bad at what they do.

    You must be new here, and by here I mean the business world... Here is a link to get you started on the topic.

    http://abcnews.go.com/Business/story?id=2859246
    Those lucky devils epitomize the concept of failing upward -- when incompetence is inexplicably rewarded.
    The phenomenon is most common in the business world, where the typical scenario plays out like this: A high-paid CEO does a poor job running a company, takes an enormous severance, and lands on his feet with a better job at a bigger corporation.

    Try Googling the term fail upwards, and welcome to the business world!
  • EANx (Member, Posts: 1,077)
    darkerz wrote: »
    I feel like some of the responses on here are in part tied to her being, well, a her. On Reddit, and on here, particularly unconstructive commentary... Before you get ready to type out your angst and rebuttal, to utterly destroy me on the internet, continue below.

    No gender bias here, someone is good at what they do or they aren't. She wasn't. Defending a woman because of her gender won't get you any dates; stop being an apologist and focus on the facts:

    She was the CISO
    Equifax was hacked

    She had a fiduciary duty to the shareholders and she failed in that role.
  • scaredoftests (Mod, Posts: 2,780)
    Exactly! @EANx.
    Never let your fear decide your fate....
  • jcundiff (Member, Posts: 486)
    You want me to believe that the CFO (one of the 3 who sold stocks days after the breach... WEEKS before the announcement) didn't get the message they had been breached? If you believe that, then please contact me offline as I have some hurricane-proof ocean front property in Kentucky I would like to sell :)

    This is going to be the textbook case study of how not to handle a breach/notification for years to come.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • DatabaseHead (Member, Posts: 2,753)
    EANx wrote: »
    No gender bias here, someone is good at what they do or they aren't. She wasn't. Defending a woman because of her gender won't get you any dates; stop being an apologist and focus on the facts:

    She was the CISO
    Equifax was hacked

    She had a fiduciary duty to the shareholders and she failed in that role.

    +1 good post.
  • cyberguypr (Mod, Posts: 6,928)
    jcundiff wrote: »
    This is going to be the textbook case study of how not to handle a breach/notification for years to come.

    Tell me about it! We are actually starting to incorporate this debacle and the aftermath in our BC/DR tabletop exercises under "do not do this or be these peeps".
  • p@r0tuXus (Member, Posts: 532)
    "Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374.. Gamble sold more than 13 percent of his stake in Equifax.. Equifax shares tumbled 13 percent to $123.81..."

    Using at least 13% for calculation purposes and the other two values we know for certain...
    I figured... 51,155 shares at $142.31/ea. = $7,279,868.05
    13% of those 51,155 shares was 6,650 @ $142.31/ea = $946,361.50 (~$946,374 gains)

    Were he not to have sold them that day, then after the 13% devaluation,
    those 51,155 shares @ $123.81/ea = $6,333,500.55
    The CFO would have lost a whopping $946,367.50; instead he essentially lost nothing.

    Since his shares dropped in value (~$823,336.50), those 6,650 shares would have been devalued by ~$123,025, had he kept them through the devaluation. One could argue he profited ~$123,025.

    But where is evidence of guilt and intent? How could he have known it would go down roughly 13% and that selling 13% would stem his losses? Well... I don't know. But I would think a CFO of one of the largest credit agencies is no mathematical slouch and his timing and the amounts are very suspicious. How does a company detect a data breach and the CFO of the company not know, anyway?
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
  • jibtech (Member, Posts: 424)
    Danielm7 wrote: »
    Outside of the time stamp PIN, which yes, is dumb, is any of this other info even known? There is speculation that it used a Struts 2 vuln for the breach; even the Struts foundation said they don't know which one and it might be a zero day. Put most other security folks in that position, even at a high management layer. Even if scan, pen test, code review, etc, all come up clean and someone finds a new unknown bug and takes advantage of that, would you have seen it ahead of time? We don't even know how much data each record takes. They could be all pretty short text records and queried out slowly, even for 143 million, over a period of time as regular web traffic; it doesn't have to look like very much at all. I know everyone wants to roast one person but it's really not that cut and dry, and I doubt it has anything at all to do with what school majors someone had 20 years ago.

    For me, it is less about the vulnerability that led to the hack, and more about the shoddy security practices that the hack revealed.

    Storing passwords in plaintext is asinine, and isn't something that just happens. It was designed by someone and Management signed off on it.

    The freeze PIN structure was also ridiculous. It isn't a naturally occurring string that was used. Someone took the time stamp and then formatted it to reflect that structure. It was then dropped into the database. There are numerous design and implementation steps that had to have occurred before the PIN implementation went live.

    The final insult was the page to identify whether you have been breached, which has numerous flaws.

    The arbitration language was ridiculous. Equifax claims it was a mistake, because it came from a boilerplate statement. Once again, a failure to review the code and content prior to implementation.

    Next was the requirement for six digits of the SSN. With six digits and the date of birth, the first three digits are trivial to identify. A company that has just suffered a massive data breach, whose core business model includes the ability to discern between two consumers is now asking for more detailed sensitive information to be entered on a web site that is already known to have flaws in its design.

    Finally, the randomness of the results. When users enter their information, they are receiving conflicting answers on whether their data is breached. In fact, when testing the accuracy of the system, a last name of Test and SSN last six of 123456 reported back as having been breached. All evidence indicates that the website for checking whether you have been breached is in fact only security theater with no real effect.

    Combined, these examples point to a fundamentally flawed data security mindset at Equifax. As the CISO, responsibility for that data security falls directly on her shoulders. This isn't about gender. This isn't about her educational background. It boils down to ineffectiveness, incompetence or willful negligence.

    Whichever of these applies, it certainly is deserving of scorn from the technology community as a whole, and the security community in particular.
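As an added illustration of the freeze PIN point raised in this post and in jibtech's earlier one (this is not code from the thread, from Equifax, or from any forum member): a PIN that is just a formatted creation time is fully determined by when the freeze was placed, so its effective candidate set is the size of the time window, not the size of the digit space. The 10-digit MMDDYYHHMM layout is an assumption for illustration; the thread only says the PIN was "nothing more than a time stamp". The replacement draws the PIN from the operating system's CSPRNG.

```python
"""Added illustration (not from the thread or from Equifax): a freeze PIN
derived from its creation time versus one drawn from a CSPRNG.

The 10-digit MMDDYYHHMM layout is an ASSUMPTION used for illustration."""
import math
import secrets
from datetime import datetime

PIN_DIGITS = 10


def timestamp_pin(created_at: datetime) -> str:
    """Weak: the PIN is a function of the creation time (assumed layout),
    so anyone who can bound when the freeze was placed can bound the PIN."""
    return created_at.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Replacement: uniform draw from the OS CSPRNG, zero-padded to a fixed width."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def timestamp_candidates(window_days: int) -> int:
    """Distinct values a minute-resolution timestamp PIN can take when the
    creation time is known to fall inside a window of `window_days` days."""
    return window_days * 24 * 60


def random_candidates(digits: int = PIN_DIGITS) -> int:
    """Distinct values a uniformly random PIN of `digits` digits can take."""
    return 10 ** digits


def entropy_bits(candidates: int) -> float:
    """Entropy of a uniform choice among `candidates` values."""
    return math.log2(candidates)


if __name__ == "__main__":
    created = datetime(2017, 9, 8, 14, 5)  # constructed creation time
    print("timestamp-derived PIN:", timestamp_pin(created))
    print("random PIN:           ", random_pin())
    for days in (1, 30, 365):
        n = timestamp_candidates(days)
        print(f"{days:>4} day window: {n:>14,} candidates, {entropy_bits(n):5.1f} bits")
    n = random_candidates()
    print(f"random 10-digit PIN: {n:>14,} candidates, {entropy_bits(n):5.1f} bits")
```

The design point is the same one jibtech makes: a PIN format with ten digits looks like ten digits of secret, but if every digit is a function of a date the secret is the date. Even a one-year window at minute resolution is about 19 bits, against roughly 33 bits for a uniformly random 10-digit value.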
  • jcundiff (Member, Posts: 486)
    p@r0tuXus wrote: »
    "Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374.. Gamble sold more than 13 percent of his stake in Equifax.. Equifax shares tumbled 13 percent to $123.81..."

    Using at least 13% for calculation purposes and the other two values we know for certain...
    I figured... 51,155 shares at $142.31/ea. = $7,279,868.05
    13% of those 51,155 shares was 6,650 @ $142.31/ea = $946,361.50 (~$946,374 gains)

    Were he not to have sold them that day, then after the 13% devaluation,
    those 51,155 shares @ $123.81/ea = $6,333,500.55
    The CFO would have lost a whopping $946,367.50; instead he essentially lost nothing.

    Since his shares dropped in value (~$823,336.50), those 6,650 shares would have been devalued by ~$123,025, had he kept them through the devaluation. One could argue he profited ~$123,025.

    But where is evidence of guilt and intent? How could he have known it would go down roughly 13% and that selling 13% would stem his losses? Well... I don't know. But I would think a CFO of one of the largest credit agencies is no mathematical slouch and his timing and the amounts are very suspicious. How does a company detect a data breach and the CFO of the company not know, anyway?

    All math aside, the CFO (and the other 2 senior leaders) had access to material nonpublic information regarding the breach, and sold stock very rapidly after they learned they were breached. Textbook case of insider trading. A high-power law firm (don't remember the name) has already filed motions on these sell-offs, so hopefully the SEC throws the book at them. I see a CFO position open as well as the CSO role in the near future.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • beads (Member, Posts: 1,531)
    Public facing website accessible database(s) "secured" with secret squirrel credentials like: admin/admin and people are concerned with the gender of the CSO? Really? How about just plain allowing incredibly lax security.

    Please, if you're going to remain a public entity, just fire everyone in security and start over from scratch.

    Simply unforgivable.

    - b/eads
  • mgmguy1 (Member, Posts: 485)
    jcundiff wrote: »
    All math aside, the CFO (and the other 2 senior leaders) had access to material nonpublic information regarding the breach, and sold stock very rapidly after they learned they were breached. Textbook case of insider trading. A high-power law firm (don't remember the name) has already filed motions on these sell-offs, so hopefully the SEC throws the book at them. I see a CFO position open as well as the CSO role in the near future.

    None of Senior Management will spend a day in prison. I only know of one CEO in recent memory who went to prison and that was Stewart Parnell. The only reason he went to prison was because people died from the tainted peanut butter scandal of 2009. Since this is a financial crime and it's Wall Street, the most these guys will get is a slap on the wrist and pay a fine. I even doubt Congress will force Equifax and companies like them to shore up their security or business practices.
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino
  • mgmguy1 (Member, Posts: 485)
    Daneil3144 wrote: »

    You decide?


    Wow, in case anyone was wondering, this screenshot is correct. I thought it may be a gag but it's real; I checked it myself. The above is correct.
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino
  • jcundiff (Member, Posts: 486)
    mgmguy1 wrote: »
    None of Senior Management will spend a day in prison. I only know of one CEO in recent memory who went to prison and that was Stewart Parnell. The only reason he went to prison was because people died from the tainted peanut butter scandal of 2009. Since this is a financial crime and it's Wall Street, the most these guys will get is a slap on the wrist and pay a fine. I even doubt Congress will force Equifax and companies like them to shore up their security or business practices.

    Reading is comprehension... Nowhere did I say anything about prison, simply that I hope the SEC throws the book at them, which as you stated would most likely be fines. :O Which hits them where it hurts most. And as far as CEOs doing time, you ever heard of Bernie Ebbers?
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • Daneil3144 (Member, Posts: 152)
    jibtech wrote: »
    Finally, the randomness of the results. When users enter their information, they are receiving conflicting answers on whether their data is breached. In fact, when testing the accuracy of the system, a last name of Test and SSN last six of 123456 reported back as having been breached. All evidence indicates that the website for checking whether you have been breached is in fact only security theater with no real effect.

    Wow. I didn't think it was true. Had to test it myself... how is this not public information?
  • UnixGuy (Mod, Posts: 4,564)
    Might as well have Kanye West as a CISO
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • jibtech (Member, Posts: 424)
    Daneil3144 wrote: »
    Wow. I didn't think it was true. Had to test it myself... how is this not public information?

    It is public. Unfortunately, the sheer volume of material in this debacle means some things get overshadowed. Remember that most of this is well over the head of the general public who have proven fairly apathetic with regards to breaches. At some point, security researchers and news outlets that cover it start to sound a lot like Charlie Brown's teacher.
  • jibtech (Member, Posts: 424)
    I haven't confirmed it myself, but word is that the API used by the site has a default value when it receives an error. It defaults to saying your data was exposed.

    Fake data with no results = error = potential breach result.

    Server issues = error = potential breach result.

    Actual breached data = potential breach result.

    Basically, anything that is slightly off results in being told that your data is potentially at risk. But that has nothing to do with any actual insight into the breach.
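The failure mode jibtech describes above is a lookup that fails open: "no results", "bad input" and "backend down" all collapse into the same "you may be affected" answer, so the answer carries no information about the breach. The following is an added illustration, not code from the thread or from Equifax; the affected-record set, the backend exceptions and the outage flag are all constructed for the example. It shows the collapsing version beside a three-state version, plus the one-line sanity check a defender can run against either: a known-affected record and a known-absent probe must not come back with the same answer.

```python
"""Added illustration (not from the thread or from Equifax): an exposure
lookup that turns every error into "potentially impacted", beside one that
keeps "exposed", "not found" and "error" apart. Records, exceptions and the
outage flag are CONSTRUCTED for this example."""
from enum import Enum


class Outcome(Enum):
    EXPOSED = "your data may have been impacted"
    NOT_FOUND = "no match in the affected records"
    ERROR = "lookup failed; no answer available"


class NoMatch(Exception):
    """Constructed: the backend raises instead of returning an empty result."""


class BackendDown(Exception):
    """Constructed: the backend is unavailable."""


# Constructed sample of affected records: (last name, last six of SSN).
AFFECTED = {("doe", "456789"), ("roe", "112233")}


def backend_lookup(last_name: str, ssn_last6: str, backend_up: bool = True) -> None:
    """Simulated data-store query. Returns silently on a hit, raises otherwise."""
    if not backend_up:
        raise BackendDown("datastore unreachable")
    if len(ssn_last6) != 6 or not ssn_last6.isdigit():
        raise ValueError("ssn_last6 must be exactly six digits")
    if (last_name.strip().lower(), ssn_last6) not in AFFECTED:
        raise NoMatch()


def check_fail_open(last_name: str, ssn_last6: str, backend_up: bool = True) -> Outcome:
    """The pattern the post describes: any exception (no results, bad input,
    outage) is reported as a possible hit, so the answer is always the same."""
    try:
        backend_lookup(last_name, ssn_last6, backend_up)
    except Exception:
        return Outcome.EXPOSED
    return Outcome.EXPOSED


def check_three_state(last_name: str, ssn_last6: str, backend_up: bool = True) -> Outcome:
    """Corrected: a failed lookup is reported as a failure (and should be
    logged server-side), never as a breach result; 'no match' is its own answer."""
    try:
        backend_lookup(last_name, ssn_last6, backend_up)
    except NoMatch:
        return Outcome.NOT_FOUND
    except (BackendDown, ValueError):
        return Outcome.ERROR
    return Outcome.EXPOSED


def is_informative(checker) -> bool:
    """Sanity check: a known-affected record and a known-absent probe must
    not produce the same answer, otherwise the page is pure theater."""
    hit = checker("Doe", "456789")
    miss = checker("Test", "123456")  # the probe mentioned earlier in the thread
    return hit != miss


if __name__ == "__main__":
    for name, checker in (("fail-open", check_fail_open), ("three-state", check_three_state)):
        print(name, "Test/123456 ->", checker("Test", "123456").name,
              "| backend down ->", checker("Doe", "456789", backend_up=False).name,
              "| informative:", is_informative(checker))
```

The three-state version also separates "I could not answer" from "no", which matters for the user: a 500 from the datastore should produce a retry message, not a notification that their data may be at risk.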
  • mgmguy1 (Member, Posts: 485)
    My new question for the powers that be: what about the other credit agencies like TransUnion and Experian? Have they been hacked? What is their security looking like?
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino
  • jibtech (Member, Posts: 424)
    mgmguy1 wrote: »
    My new question for the powers that be: what about the other credit agencies like TransUnion and Experian? Have they been hacked? What is their security looking like?

    Experian was breached in 2015, exposing information belonging to about 15 million users who subscribed to T-Mobile. Not aware of any TU breaches, but take that with a grain of salt. The breach at Exp was associated with the theft of a single file that contained all of the data. It is hard to assess any particulars outside of that, since the scope was so limited. Either way, it is only a matter of time. These agencies are treasure troves of information, and will be targets for a long time to come.
  • jcundiff (Member, Posts: 486)
    Plain and simple, they failed to properly patch CVE-2017-5638. The patch was available in March; they had at minimum 8-9 weeks to patch this vuln and avoid the breach. An excellent example of failure to exercise due care, and it should be seen as gross negligence.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
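The check that follows from jcundiff's point is an inventory one: know which deployed struts2-core jars fall in the range the advisory covers. This is an added example, not code from the thread or from any project; the affected ranges (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) are those published in the Apache Struts S2-045 advisory for CVE-2017-5638, and the jar paths are a constructed sample, not a real inventory. It generalizes slightly beyond the post by handling four-part versions such as 2.5.10.1 correctly.

```python
"""Added illustration (not from the thread or any project): flag struts2-core
jars whose version is in the range affected by CVE-2017-5638 (S2-045).
Sample jar paths are CONSTRUCTED."""
import re

# Inclusive version ranges affected by CVE-2017-5638 per the S2-045 advisory.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuple comparison orders releases the way
    Struts numbers them: (2, 5, 10, 1) sorts after (2, 5, 10)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if `version` lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan_jar_names(paths):
    """Return (path, version, affected) for every struts2-core jar in `paths`;
    jars that are not struts2-core are skipped."""
    findings = []
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            version = m.group(1)
            findings.append((path, version, is_affected(version)))
    return findings


# Constructed sample inventory (not from any real system).
SAMPLE_PATHS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.5.jar",
    "/opt/app3/WEB-INF/lib/commons-lang3-3.5.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-2.3.32.jar",
]

if __name__ == "__main__":
    for path, version, affected in scan_jar_names(SAMPLE_PATHS):
        print(("AFFECTED  " if affected else "ok        ") + f"{version:<10} {path}")
```

In practice the path list would come from a file-system walk or a software-composition-analysis export; the version logic is the part worth getting right, since a naive string comparison would misorder 2.5.10.1 against 2.5.10.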
  • DatabaseHead (Member, Posts: 2,753)
    jcundiff wrote: »
    Plain and simple, they failed to properly patch CVE-2017-5638. The patch was available in March; they had at minimum 8-9 weeks to patch this vuln and avoid the breach. An excellent example of failure to exercise due care, and it should be seen as gross negligence.

    Thanks for posting..... Informative.
  • TheFORCE (Member, Posts: 2,297)
    Not to play devil's advocate, but people at that level rarely have much technical background, and even if they did, they lose the edge once they move up the chain to those levels.

    To add to that, organizations of that size rarely have one CISO or CSO. They have multiple levels of them, all reporting to someone higher.

    At the CSO level I'd expect other CISOs to be reporting, and in turn the CSO to report to the CRO (Chief Risk Officer). These types of roles don't necessarily only deal with Information Security but with all aspects of Security. Security is just part of the job, but it's not the only job.

    Thus people at those roles usually have experience in different areas of the business and business decision process. Bottom line, they care about the bottom line and cost savings.
  • jcundiff (Member, Posts: 486)
    TheFORCE wrote: »
    Not to play devil's advocate, but people at that level rarely have much technical background, and even if they did, they lose the edge once they move up the chain to those levels.

    To add to that, organizations of that size rarely have one CISO or CSO. They have multiple levels of them, all reporting to someone higher.

    At the CSO level I'd expect other CISOs to be reporting, and in turn the CSO to report to the CRO (Chief Risk Officer). These types of roles don't necessarily only deal with Information Security but with all aspects of Security. Security is just part of the job, but it's not the only job.

    Thus people at those roles usually have experience in different areas of the business and business decision process. Bottom line, they care about the bottom line and cost savings.

    Not from my experience... I work for a very large financial sector player; we have one CSO, every bank we deal with has one CSO... all of whom are technical, come from a security background and know what is going on in their environment... maybe I have just been lucky.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke