There's something missing
What about the bit where some of the Argentinian systems have admin/admin credentials?
And what about the rule that each user's ID and password are the same?
Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company's mega-breach are revealed in a new entry to …
Seems like the incompetence was caused by ignorance.
It was reported on Slashdot yesterday that Susan Mauldin, the woman in charge of Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security.
If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
So ignorance was followed by cover-up.
From what I have seen so far, that's generally SOP in companies that do not allocate enough resources for security. It tends to come accompanied by sacrificial heads of security who will be sacked for their inability to either extract sufficient budget to do the job (an unfair fight at best) or an inability to spot they're being set up as the patsy.
Given the amount of money it was raking in (some of which is about to get nuked) it has no excuse on the budget side.
(At the bottom of the linked article is a video about a reporter trying to get information about his personal exposure in a safe manner - which seems it only took 42 minutes. No surprise there, then. Muppets).
"lists no education related to technology or security"
I don't think you can read too much into that. Plenty of useless comp sci graduates around. For someone who's in a position to retire now there's plenty of time to have gone on workplace training. Tim Berners-Lee has a BA (albeit in physics).
And security is a large part human factors; if they'd had a techie in charge we might now be reading about the massive Equifax phishing scam.
Besides which, have you ever known a CISO who was actually empowered to force developers to do anything? Somebody set up that admin/admin account and it won't have been anyone with "chief" in their job title.
"This has absolutely nothing to do with developers. They simply didn't have a patching program sufficient for an enterprise data gathering organisation."
These two sentences nicely illustrate what's wrong with a large number of developers today.
Patching and security; all somebody else's problem.
In the shops I've worked, security patching is a grind-it-out, never-ending process. It is not exciting, not inventive, does not bring attention to your coding or talent. It is the take-out-the-trash job of computer science. It is not career enhancing, and it's the first thing to get outsourced because no one wants to spend even one year doing something that does not help you move forward as a developer. 10 years fixing patches and your technical abilities will have atrophied and you will be unemployable at any real computer science job. That said, it is necessary work that must be done.
Sure you have a lot of educated idiots with tech degrees when it comes to InfoSec, but you have a lot more when they don't have this background.
What we are beginning to see is the lack of experience and practice in more disciplines than just InfoSec among those who are responsible for this breach.
For example, where was auditing, compliance, risk management and operations? These aren't InfoSec disciplines, these are straight up management disciplines designed to ensure everyone is doing whatever their job is effectively.
For this reason, it isn't just the tech bosses like the CIO who should step down. The top officers responsible for auditing, compliance, risk and operations should also step down.
The CEO should also step down, as his/her primary role is to protect the stock holders. Obviously this wasn't done, and he continues to fail in this regard.
If (IF) this were true, one might want to ask how she got that role and who was the moving agent, and why. Personal connections? PR?
That said, more important than that would be, how the message about the bug did NOT travel up the way it should have. Well, we know "how", but at which point it was patted down as "Thanks for your concerns so eloquently put in 3532215 e-mails. After thorough investigation we have decided no further action be taken".
This irks me. "You haven't got the right letters after your name, so are not qualified to have an opinion".
My first degree was in music. I now work as a software engineer. I've met people who tell me they've "done" CompSci. And they know fuck-all. The most solid programmers I had the fortune to work with to date studied biochemistry and medieval history respectively.
Anyone who has studied at undergraduate level will attest that it does not matter what you study (bar vocational degrees such as law or medicine); it's your attitude to learning that matters. You get taught HOW to learn. I went to university thinking I'd learn everything about my subject. On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else.
Why did nobody tell me this at the start? There's me learning differentiation, integration, fluid dynamics, Young's modulus, resonant circuits etc. ad infinitum, when I could have just chosen "Navel Gazing" and gone on a bender for 3 years.
I find it a little sad that you apparently don't pick up any useful information or skills on a "doesn't matter what subject" degree. Doesn't that make it a waste of time?
Didn't you learn how to learn in school?
Does it really take 3 years to learn how to learn? (5 years if you count your A levels.)
"On graduating, I left knowing just how little I know, but with the confidence to know I can pick up any damn book and learn a subject just as well as anyone else."
Sadly too many squander that perfect chance. I know a lot of people who graduated with degrees and moved on to IT and know absolutely nothing; worse still, they have no common sense, no logical problem-solving abilities and basically just seem to have stopped learning about anything after college except when Big Brother is on next! I never had the opportunity to study beyond college but I've never stopped learning of my own volition. Playing with computers for almost 40 years since I was 7 years old, I make it a point to ensure I learn something new every day, anything I can, just something to make each day worthwhile; often I can't get to sleep at night unless I've gained some new piece of knowledge, large or small. I hate sitting in the office surrounded by people who've had the good fortune to study to a higher level than I and yet they've simply stopped learning anything; they simply drift through life with hardly any passion for anything anymore, tragic. You try to fire them up discussing new facets of IT and nothing. Surely they were hungry for knowledge once, or was it that their parents forced them into IT because that's where the money was and now they're trapped, wasting opportunities some people would sell their right arm for?
Well, the poster a couple of posts above mentioned that he likes to make sure he learns something new every day or he can't sleep. So I offered that nugget in the hope he wasn't aware of that.
I wasn't. I guess you think of Nevada as inland and LA on the beach. Turns out CA is a bit bendy.
It's like a geographic optical illusion. I was in Canada once and worked out I was further south than at home in the UK. Also I bet it's further across the bottom of England than it is from top to bottom.
"degree was in music... work as a software engineer. "
In that case go get an Engineering degree; after all, that will be a walk in the park for you, and you are already getting paid as an Engineer so it would be professional development. Then join the Professional Association that regulates the practice of Engineering and you will be an Engineer.
There is a reason that profession is regulated in many areas. The consequences of not requiring minimum education were, and still are, repeated catastrophes. Equifax is just one recent example.
"...just move the boss to another company to still earn lots of money whilst being incompetent."
At my former WROK PALCE (CW Shark Tank readers will 'get it'), the CIO had a katana mounted on a plaque on the wall behind her desk.
It bore the inscription:
The Reward for Incompetence
It was used a few times, until the bills for 'carpet cleaning' got the CFO annoyed.
"...katana mounted on a plaque on the wall..."
"I have to say Boss that this kind of dedication to constantly reminding oneself that anyone in a position of power, even a king, is always a single hair's width away from their doom is truly worthy of admiration..."
I've been trying to get them to correct incorrect details on my profile since 2016. That stupid dispute site never worked properly. I'd create or reset an account and it wouldn't let me login so I could never see their responses.
Funnily enough it works now, since they've patched it.
They still won't correct the wrong info.
I'll be lodging a complaint with ICO next, but I suspect they'll be equally useless.
All corporations are muppets, and becoming more muppety, year on year:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Those people at "information is beautiful" are going to need to start using log scaling the way things are progressing
A class action suit is in the works, and the complete response for Canadian "customers" is:
Are you concerned you are affected by the Canadian impact of the breach against Equifax? We are still investigating, but this is what we know now:
Only a limited number of Canadians may have been affected.
We are working on finding out how many.
The breach is contained.
At this point, it seems the personal information that may have been breached includes name and address and Social Insurance Number.
We will update this information as we learn more.
"We are still investigating, but this what we know now:" Or "no now" or "no know". Rumsfeld must be coaching this team.
"Only a limited number of Canadians may have been affected." Well, there are a limited number of Canadians so they may all be infected. "We are working on finding out how many" but trust us, it is limited and "The breach is contained" - perhaps within some pastebin account or Yours for only 9.99 Loonies.
Finally, "it seems the personal information that may have been breached includes name and address and Social Insurance Number". May have included those items and may have included a whole lot more.
Rest assured Canadians, and carry on. Oh, and please reserve me a couple of bunks far away from the mobsters to the south.
That's OK. Nobody would be using social security numbers for ID, would they ?
Would they ?
No, You Can't Have My Social Security Number
Didn't the government promise that SSNs wouldn't be used for ID?
The Canadian link for Social Insurance Number (SIN) responsibility/usage is at:
https://www.canada.ca/en/employment-social-development/services/sin/reports/code-of-practice/section-2.html
The algorithm for generating numbers is known, as it is used by companies (e.g. banks) to validate a given SIN. Having a secret algorithm to generate a SIN does not help the situation. No matter how the SIN is generated, at some point the number is given to a bank or employer or credit check bureau. Hence, if these companies' security is breached, we are in the same situation. The resolution to not perpetuating this problem is via better processes, not technology. If the numbers were not easily associated to names, this problem would not exist. For example, one could post a list of 50 SINs which are generated by the public algorithm. No one would be able to determine 1) who the SINs belong to and 2) if the SINs were in use. So a list containing only these 50 numbers means nothing.
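The public check the post refers to is a mod-10 (Luhn) checksum over the nine digits. As an added illustration, not part of the thread, here it is used the way a defender would use it: to find SIN-shaped values that pass the check in application logs so they can be redacted or alerted on. It confirms only that a number is well-formed, not whose it is or whether it was ever issued, which is exactly the post's point. The log lines are constructed sample data.

```python
import re

# Candidate SIN: three groups of three digits, optionally separated by a space or dash.
SIN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """True if the 9-digit string passes the mod-10 (Luhn) check used for SINs."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == 1:      # double every second digit (positions 2, 4, 6, 8)
            d *= 2
            if d > 9:
                d -= 9      # equivalent to adding the two digits of the product
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list:
    """Return Luhn-valid 9-digit candidates found in text, normalised to digits only."""
    return [
        "".join(m.groups())
        for m in SIN_PATTERN.finditer(text)
        if luhn_valid("".join(m.groups()))
    ]


# Constructed sample log lines (not real data): 123456782 passes the check, 123456789 does not,
# so the phone-shaped value on line 2 is not flagged.
SAMPLE_LOG = [
    "2017-09-14 10:02:11 form=dispute field=sin value=123 456 782 user=alice",
    "2017-09-14 10:02:13 form=dispute field=phone value=123 456 789 user=bob",
    "2017-09-14 10:02:15 form=dispute field=sin value=123-456-782 user=carol",
]


def scan_log(lines) -> list:
    """Return (line number, SIN) pairs that should be redacted before the log is stored."""
    hits = []
    for n, line in enumerate(lines, 1):
        for sin in find_sins(line):
            hits.append((n, sin))
    return hits


if __name__ == "__main__":
    for n, sin in scan_log(SAMPLE_LOG):
        print(f"line {n}: Luhn-valid SIN found ({sin[:3]}******), redact before storage")
```

The checksum filters out roughly nine in ten random nine-digit numbers, so it cuts false positives in such a scan but never proves a flagged number belongs to anyone.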
If you want to open someone's password-protected payslip, find out their NI number; chances are this is all you need to do.
If you work for a company where some pen pusher has gone this way to make their life easier, they perhaps need some lessons in security awareness, and in companies' responsibility for protecting personal data in a secure and responsible manner...
"There’s a good chance you’ve spent time recently on a chore you didn’t sign up for: finding out if hackers possibly stole information about you from Equifax Inc. - What makes the situation especially awful is that you never had much choice about entering into a relationship with Equifax."...
https://www.bloomberg.com/news/features/2017-09-14/thank-you-for-calling-equifax-your-business-is-not-important-to-us
That extra revenue stream may hopefully come to an end in the US; hope Europe will follow soon.
Europe is leading the US by a wide margin in this - the EU General Data Protection Regulation (EU GDPR) is already in force and becomes fully mandatory on May 25th, 2018. This unifies the much stronger stance on privacy prevalent in Europe - in part this is due to different perception; Europeans generally care more about e.g. your neighbor knowing how much you make but less about nudity than their US counterparts.
The EU GDPR has significant fines attached, i.e. 4 percent of annual global turnover or 20 million Euros (about 22 million dollars), whichever is greater.
"The EU GDPR has significant fines"
Whilst agreeing that the US authorities are laggards on data protection (undoubtedly Google are trying to ensure this remains so), we've yet to see how European regulators interpret and enforce the GDPR rules.
I suggest that the draconian sounding GDPR fines will not reflect in any way what organisations actually pay. Looking at other regulatory fines, anybody expecting big numbers could well be disappointed. Take UK energy supplier E.ON. They had an obligation to install "advanced meters" at all business premises by April 2014, and failing to do so would incur a penalty of "up to 10% of UK turnover", which was about £9bn. So in theory they could have been fined £900m. In practice, they missed the target by a significant measure, and the penalty imposed was £7m. Technically the actual fine element was only two quid, with £7m paid to an "industry related charity".
So, if that's indicative of the thinking of regulators (and Ofgem are the most aggressive regulator when setting penalties), what do you think Talk Talk would have been fined if GDPR had been in force back in 2015? My guess is around £6m-10m. Better than the £400k they got fined by the ICO at the time, but still dwarfed by the £35m cost of sorting the mess out that they reported. And if they had been fined that £6m-10m, it would have been a measly 0.4% of TalkTalk's £1.8bn turnover that year. I think that's what people should expect when GDPR comes into force, I'm afraid.
“It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,"
https://www.bloomberg.com/news/articles/2017-09-08/one-thing-all-of-government-agrees-on-equifax-deserves-grilling
======================
"Equifax Hack Is ‘Exhibit A’ in Case for Regulation - ‘Pathetic’ Remedies .... The company’s remedies for the breach were "pathetic" and that offering one year of free credit monitoring to consumers provided "scant protection" to those who were harmed. Equifax should offer free credit monitoring indefinitely and should drop its charges of up to $10 to consumers who want to freeze their credit"
https://www.bloomberg.com/news/articles/2017-09-11/equifax-hack-is-exhibit-a-in-case-for-regulation-durbin-says
======================
"We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims," the attorneys general said. "Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families.”
https://www.bloomberg.com/news/articles/2017-09-15/equifax-asked-by-ags-to-stop-selling-credit-monitoring-services
"Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so."
"That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete."
https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html