Apache Foundation rebuffs allegation it allowed Equifax attack

The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak. QZ.com, an outlet run by Atlantic Media, alleged that the hack was the result of an attack on Apache Struts, which as we reported last week was found to have a flaw allowing …

  1. a_yank_lurker

    An Attempt at Blame Shifting?

    Ultimately Equinefax is responsible for the website and for proper monitoring of all activity on the site. While the attack may have used a bug in this or that third-party code, that does not absolve them of doing their jobs. Apache is responsible for fixing and providing updates/patches in a timely manner once they have been notified, which all evidence points to Apache being responsible.

    1. Destroy All Monsters Silver badge

      Re: An Attempt at Blame Shifting?

      > Apache is responsible for fixing and providing updates/patches in a timely manner

      While this "responsibility" may fall under "providing a better job than 99% of the pay-for outfits out there", a quick look at the Apache license will show that:

      https://www.apache.org/licenses/LICENSE-2.0.html

      Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

      Not happy? You know where to find Microsoft. Oh wait...

      1. Anonymous Coward

        Re: An Attempt at Blame Shifting?

        That's a standard clause you will find in almost any software license (and similar in a huge amount of other contracts)

        Basically, if you loose a stack of cash due to a fault, we will only pay for the cost of replacing the hardware / software.

        You have to prove deliberate negligence to sue for more.

        1. DavCrav

          Re: An Attempt at Blame Shifting?

          "That's a standard clause you will find in almost any software license (and similar in a huge amount of other contracts)

          Basically, if you loose a stack of cash due to a fault, we will only pay for the cost of replacing the hardware / software.

          You have to prove deliberate negligence to sue for more."

          At least under UK law, since you haven't paid for free software, no contract at all has been formed (no consideration), so negligence would be very hard to prove. Especially if you signed something saying 'use at your own risk'.

        2. Anonymous Coward

          Re: An Attempt at Blame Shifting?

          An anonymous coward was crushed when a stack of cash came loose due to a fault in its... struts?... I'll accept this grammar.

      2. shawnfromnh

        Re: An Attempt at Blame Shifting?

        If they were not so cheap they could have bought Red Hat or MS and then had professional penetration testing done to totally avert problems like this in the first place. Though it seems they just went with the cheapest solution to get the job done and just assumed everything would be just fine and just left it at that.

        1. netcoder1

          Re: An Attempt at Blame Shifting?

          Has nothing to do with being cheap. Whether it's open or proprietary, software is going to be vulnerable.

          Knowing that, you should put proper security measures in place to prevent sensitive data from being accessed in the event of a security breach in the frontend software.

          A good understanding of security with proper encryption and segmentation could have easily prevented that.

    2. FuzzyWuzzys
      Thumb Up

      Re: An Attempt at Blame Shifting?

      Absolutely! I buy a car, don't maintain it and the brake shoes don't stop me in time before I smack into someone. The insurance company and car manufacturer would tell me where to get off double quick time! Just 'cos someone else made something, there is still an owness on you as an operator of a product to play your part in using it safely and properly.

      Equifax got the software and used it; they should have done due diligence and testing, and at the level they are at, with the incredible burden of looking after such sensitive information, they should continuously be testing and inviting pen-testers to check their kit is up to spec for the job.

      1. Anonymous Coward

        Re: An Attempt at Blame Shifting?

        owness -> onus

    3. Anonymous Coward

      Re: An Attempt at Blame Shifting?

      "Ultimately Equinefax is responsible for the website and for proper monitoring of all activity on the site"

      Also a company of that size holding so much critical data should be seriously asking itself about the use of third party software without carrying out its own code reviews. Don't like the overhead? Maybe executives aren't worth those big bonuses, so the money could be found to do the job properly.

    4. David 132 Silver badge
      Coat

      Re: An Attempt at Blame Shifting?

      "Equinefax"... isn't that the site that provides endless trivia about horses (or maybe I'm thinking of eMule)?

      "The hair on a horse's neck is called the mane"

      ..and so on. Unfortunately by the time I get to the facts about horses' shoulder blades, my interest withers.

  2. redpawn
    Facepalm

    Just Terrible

    Your private information, around which Equifax was built, was stolen. Now both paying customers and non-paying thieves can take advantage of you. Be sure to shred your electronic statements so they can't be taken from the servers at Equifax. Don't bother to look up your credit rating, as it has plummeted to zero.

    Just kidding, you never had any privacy to begin with. Got to love the old birthday and SSN thing as ID.

  3. Chris Hills

    The level of chutzpah is outstanding. Has Equifax contributed anything at all to the development of Struts, or are they happy to profit off others' work for nothing?

    1. Anonymous Coward
      Devil

      "or are they happy to profit off others' work for nothing?"

      Just like most users of FOSS software?

      1. Hans 1

        Re: "or are they happy to profit off others' work for nothing?"

        @LDS

        A lot do, indeed, take without give ... but, apparently, quite a few are giving a lot to Apache foundation ...

        http://www.apache.org/foundation/thanks.html

        The thing is, Equifax were 0wned for approx 45 days and are now trying the blame game on Apache ... as you see above, they are not donating ... they could give 5k/year and be on that list ... what is 5k to a company like Equifax ? Exactly ... Maybe they have a contributor ? Maybe ...

        http://www.apache.org/foundation/sponsorship.html

        1. Roland6 Silver badge

          Re: "or are they happy to profit off others' work for nothing?"

          @Hans 1 - A lot do, indeed, take without give ... but, apparently, quite a few are giving a lot to Apache foundation ...

          That list of sponsors should be raising alarm bells across the open source world, particularly given the extent to which Apache is used across the web and hence the number of businesses deriving revenues from its use. Hence what gives me concern is just how little is needed to become a platinum/gold/silver/bronze sponsor(*) and thus the very small number of organisations actually sponsoring Apache (why is a Gold sponsor paying less than the salary of one engineer?).

          It raises the question as to how a business should be engaging with the open source movement. Should they simply contract with a commercial 'fork' of open source, e.g. Red Hat or IBM's, and leave it to that organisation to contribute to the source project, or should they also be contributing directly to projects?

          (*) Although I note the payment levels are broadly in line with those the Open Group charge for membership.

    2. Anonymous Coward

      @Chris Hills WTF?

      Seriously... Everybody wants FOSS right? Lowers the cost of development and all that.

      And less than 1% of the coders out there contribute to an Apache project or any other FOSS project.

      Frankly, you wouldn't want them to.

      Oh to be clear, Equifax is to blame. But it also highlights the dangers of using Open Source blindly without acknowledging the risks.

      You get what you paid for... and in this case... lax security.

      1. Oh Homer
        Mushroom

        Re: "You get what you paid for"

        Right, because no proprietary software has ever had a years-old unpatched security vulnerability that the vendor sat on for months before fixing.

        Oh wait...

  4. Anonymous Coward
    Megaphone

    Uh huh...

    "Which has Apache antsy, as it's not willing to wear responsibility for a hack that took place before it knew it had a problem"

    Meanwhile, while the fight between companies began over legal rights and who was or wasn't (in)directly responsible, no further attempts were made to backtrace the source of the attack in an attempt to catch the actual attackers. Because... effort?

    Companies trying to put the blame on Apache is totally laughable, though at the same time poor comedy. They use the software for free, they cut corners by not having to pay, say, Oracle huge license fees for using stuff such as Glassfish, and they're still whining when something goes wrong. Because then it's everyone else's fault (not the attackers of course).

    Companies like that truly and honestly disgust me.

    And even if it was the other way around, so what? Sometimes people tend to forget that in the end Open Source is just that, open source and best effort at best. You need a fix? How about YOU try to fix it yourself, then you can gloat how cool and hip you are and about how others are slacking to keep up. Unless those whiners at qz.com can pull that off I think they should really keep their whining to themselves.

  5. Steve 53

    I know the vendor I work for has found the latest Struts vuln is picked up by 10 different WAF signature patterns.

    Would imagine the same is true for multiple vendors (WAF, IDS/IPS), which makes you ask if basic steps are being taken by Equifax...

  6. Anonymous South African Coward Bronze badge

    Companies utilizing Open Source can do, nay, MUST do the following:

    - Contribute to OSS by either assigning a programmer/team (on their side) to check for vulnerabilities, or making a donation on a monthly basis. You won't like it when you're asked to work but won't be getting paid for it.

    - Recognize the need for thorough pen testing, especially if most of your services are on publicly-accessible servers, and have sensitive data or personal information, no matter whether you use M$, Sun, Oracle, Hillbilly or whatever software. Vulnerabilities will exist (incorrect configuration, software bugs etc etc), and it is up to you to make sure you have mitigated all of them.

    - Oh, and last, but not least, plan for when a pwnage will occur, what you will do, who will be responsible to sort that mess out, press/social media responses etc etc.

  7. Anonymous Coward

    Shoddy deflection by Equifax.

    A hypothetical scenario that might have existed until 2001 would be that an IRC channel had all THREE creditors rooted and allowed ANYONE to run credit checks on ANYONE. So, hypothetically, Equifax and others have already proven they don't care about their data house. Oh, yeh, did you know the big 3 only house credit data for the middle class? R.I.P. #CC (good riddance, but thanks for many revelations)

  8. Lion

    Shifting the goal posts

    Apache was right to issue a statement to clarify their position and to answer the accusation made by Equifax. It may be in their best interest to not get into a verbal war with these turkeys and just issue one more statement saying that they would very much appreciate receiving a copy of the Equifax investigation as soon as it is completed. The software is part of the puzzle, but is not the story.

    Equifax would prefer to shift the focus away from the questions that have arisen from the general public concerning the handling of the breach, the company's IT competence and the fact that a company for whom they are not customers can collect, store and use their private data for profit. Questions about 'consent' are putting this industry under the microscope. Lawmakers are feeling the heat, which basically means manufactured outrage for votes - as dangerous as a rabid animal.

    Cyber criminals are not only greedy bastards, they also love chaos. Equifax is obliging on both counts.

  9. Anonymous Coward

    And here comes the thunder...

    Subject Access Request Letter

    Dear Equifax Sir/Madam:

    I am writing to you in your capacity as data protection officer for your company. I am a customer of yours, and in light of recent events, I am making this request for access to personal data pursuant to Article 15 of the General Data Protection Regulation. I am concerned that your company’s information practices may be putting my personal information at undue risk of exposure or in fact has breached its obligation to safeguard my personal information pursuant to the latest breach in the news.

    I am including a copy of documentation necessary to verify my identity. If you require further information, please contact me at my address above.

    I would like you to be aware at the outset that I anticipate a reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to the UK Information Commissioner's Office.

    Please advise as to the following:

    1. Please confirm to me whether or not my personal data has or is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

    a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, video, or voice or other media that you may store.

    b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored, including disaster recovery sites and backups.

    c. Please provide me with a copy of, or access to, my personal data that you have or are processing.

    2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

    3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

    a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.

    b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.

    c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

    4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

    5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

    6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

    7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

    a. If so, please advise as to the following details of each and any such breach:

    i. a general description of what occurred;

    ii. the date and time of the breach (or the best possible estimate);

    iii. the date and time the breach was discovered;

    iv. the source of the breach (either your own organization, or a third party to whom you have transferred my personal data);

    v. details of my personal data that was disclosed;

    vi. your company’s assessment of the risk of harm to myself, as a result of the breach;

    vii. a description of the measures taken or that will be taken to prevent further unauthorized access to my personal data;

    viii. contact information so that I can obtain more information and assistance in relation to such a breach, and

    ix. information and advice on what I can do to protect myself against any harms, including identity theft and fraud.

    b. If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as

    i. Encryption of my personal data;

    ii. Data minimization strategies; or,

    iii. Anonymization or pseudonymization;

    iv. Any other means

    8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security, and more particularly, your practices in relation to the following:

    a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.

    b. Please also advise whether you have in place any technology which allows you with reasonable certainty to know whether or not my personal data has been disclosed, including but not limited to the following:

    i. Intrusion detection systems;

    ii. Firewall technologies;

    iii. Access and identity management technologies;

    iv. Database audit and/or security tools; or,

    v. Behavioural analysis tools, log analysis tools, or audit tools;

    9. In regards to employees and contractors, please advise as to the following:

    a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.

    b. Have you had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws for accessing my personal data inappropriately, or if you are unable to determine this, of any customers, in the past twelve months.

    c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.

    Yours Sincerely,

    Your Ex Customer

    1. Aodhhan

      Re: And here comes the thunder...

      Whew. ok

    2. Ian Michael Gumby

      @AC Re: And here comes the thunder...

      Slow down there, Perry Mason.

      Remind me when did GDPR go in to effect? ;-)

      Before you jump all over Equifax... if they don't have your credit information, nor do the other information brokers like Trans Union... you do realize that you will be paying more for your next loan or mortgage, right?

      Oh believe me, we should sue these monkeys out of bizness. [sic]

      However, that doesn't mean that the information brokers who create your credit score should be tossed out.

      Instead we need to force them to change their business model.

    3. JasonT
      Devil

      Re: And here comes the thunder...

      Typo: You are not their "Customer" - you and your personally identifiable data are their product.

    4. Ian 3

      Re: And here comes the thunder...

      Good job it happened now and not after May 25th 2018!

  10. ecofeco Silver badge
    Mushroom

    Lotta bullocks

    Some of my security mates say this was a social phish hack, from what they've been able to see. Someone high up in manglement got pwned and that was the door in.

  11. Aodhhan

    Corporate Greed

    Using an open source version of Apache was Equifax's choice.

    What will most InfoSec professionals tell you about using open source when it comes to IA or IA-enabled software? Simple: DON'T Accept the RISK.

    I'm willing to bet an InfoSec professional somewhere at Equifax provided this warning. Management ignored it.

    Or... Equifax decided to not hire InfoSec professionals with experience and training in penetration testing and/or software development testing. Because the open source item would have been addressed as a risk; especially where a web application uses/relies on security (for login and credential protection at a minimum).

    Either way, Equifax is negligent. It's not Apache's fault; this rests square on Equifax's shoulders.

    Credit organizations have more information on us than most people know. For instance: properties purchased/sold, vehicles purchased/sold, credit/debit card use history (location, amount, etc.), marriage(s)/divorce(s) information, organizational memberships, registered to vote and where you've voted history, where and type of hotel rooms you've used, on and on and on. It's a treasure trove of information for Intel and LE agencies to grab on you.

    Credit agencies have had us all by the left nut for a long time, and more of them pop up each year... it's time we use this to rein them back a bit, and set an example to corporate greed executives who think they have a better money maker than a casino.

  12. Aladdin Sane
    Facepalm

    To make the matter even odder, Equifax hasn't said how it was breached. Just that it was breached by something to do with a web app.

    How many people actually read to the bottom of the article? Equifax haven't alleged shit.

    1. Ian Michael Gumby
      Holmes

      @Sane ...

      No shit sherlock! (Hence the icon)

      When they know that they are about to get massively sued in multiple courts / jurisdictions... they are smart to say nothing. Anything they say will be used against them.

      The sad thing... it isn't until a massive breech like this that the industry adopts new changes to improve their service.

      ALL Credit Bureaus can FIX THIS PROBLEM

      All it takes is adding a page to their web site that allows you for FREE to freeze your credit report information and provide a unique QR code that you can scan as input into a free app like Google's Authenticator or DUO. So that if you want to apply for credit, you get an alert, you plug in your timed code and then you are up and running. This would shut down most of the identity fraud overnight.

      And it's relatively cheap for the bureaus to implement, albeit they lose $10.00 USD per account.

      But it's a heck of a lot cheaper than a lawsuit.
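      As an added illustration of the freeze-plus-authenticator scheme Ian Michael Gumby sketches above (example code written for this page, not anything from Equifax, any bureau, or the article): the bureau stores a per-account freeze flag and a TOTP secret enrolled through a QR code, and a lender's credit pull on a frozen account only proceeds when the consumer supplies the current code from their authenticator app. The account records, the issuer name "ExampleBureau" and the accounts dictionary are constructed for the example; the TOTP secret is the RFC 6238 reference test secret, and the TOTP arithmetic follows RFC 4226/6238 exactly so it interoperates with Google Authenticator or Duo.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample store: per-account freeze flag and enrolled TOTP secret.
# A real deployment would keep secrets in an HSM-backed store, not in memory.
ACCOUNTS = {
    # RFC 6238 reference test secret, used here only so the codes are verifiable
    "acct-0001": {"frozen": True, "totp_secret": b"12345678901234567890"},
    "acct-0002": {"frozen": False, "totp_secret": None},
}

TOTP_STEP = 30  # seconds per code, as used by Google Authenticator / Duo


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def provisioning_uri(account_id: str, secret: bytes, issuer: str = "ExampleBureau") -> str:
    """The otpauth:// URI the bureau would render as the enrolment QR code (issuer is hypothetical)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account_id}?secret={b32}&issuer={issuer}&digits=6&period={TOTP_STEP}"


def authorize_credit_pull(account_id: str, code: Optional[str], now: int, window: int = 1) -> bool:
    """Decide whether a lender's credit pull on this account may proceed.

    Unfrozen accounts behave as today. Frozen accounts require a valid TOTP code;
    one time step of clock skew either side is tolerated, and the comparison is
    constant-time so a code cannot be recovered digit by digit from timing.
    """
    record = ACCOUNTS.get(account_id)
    if record is None:
        return False            # unknown account: fail closed
    if not record["frozen"]:
        return True             # consumer has not opted into the freeze
    if code is None or record["totp_secret"] is None:
        return False            # frozen but no code presented / nothing enrolled
    for skew in range(-window, window + 1):
        expected = totp(record["totp_secret"], now + skew * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    secret = ACCOUNTS["acct-0001"]["totp_secret"]
    print("enrol via QR:", provisioning_uri("acct-0001", secret))
    t = 1234567890  # fixed timestamp so the demo is reproducible
    print("current code:", totp(secret, t))
    print("pull without code:", authorize_credit_pull("acct-0001", None, t))
    print("pull with code:   ", authorize_credit_pull("acct-0001", totp(secret, t), t))
```

      The value for the consumer is exactly the one the comment describes: a stolen copy of the record no longer lets a third party open credit, because the pull is gated on a secret the bureau never hands to lenders. The example deliberately leaves the recovery path (a lost phone) unaddressed, which is the hard part of any such scheme.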

      1. Aodhhan

        Re: @Sane ...

        Are you an Equifax InfoSec employee? You're definitely not a cypher-Sherlock.

        Doing what you suggest doesn't protect against a database breach. Just because you freeze your information, doesn't mean the database automatically erases all the information stored there.

        It also doesn't protect the way access is gained to this database by other DBs, systems, employees, etc.

        I think you're reading the wrong books there, Nancy Drew.

        1. 2Nick3

          Re: @Sane ...

          "It also doesn't protect the way access is gained to this database by other DBs, systems, employees, etc."

          I think the purpose is to protect ME when they do have a breach. Because it will happen.

        2. Ian Michael Gumby

          @ Aodhhan ... Re: @Sane ...

          You really are dense... so I'll dumb it down for you...

          Breaches will happen. However, you have to ask yourself what the crooks gain by having the data?

          Hint: Identity theft .

          If you make it impossible for them to open up a line of credit... aka stealing your identity... then the data is worthless for the criminals.

          You remove the value from the data for the criminals. However, you remove the chance for the credit unions making $10.00 per account for the privilege to 'freeze' it.

          As to the database breach, there are other things that they could do, and that is a different topic for discussion.

      2. David 132 Silver badge
        Headmaster

        Re: @Sane ...

        a massive breech like this

        I think you mean "breach", unless you're talking about the back end of a gun, a colossal pair of trousers, or maybe implying that Equifax's security was a huge pile of pants?

        1. Ian Michael Gumby
          Trollface

          Re: @Sane ...

          Touché! Now go and Google 'BOHICA!'

      3. Orv Silver badge

        Re: @Sane ...

        That'd help, certainly. But the problem comes when someone loses the code. There has to be a recovery system; "sorry sir, you shouldn't have dropped your phone in the pool, now you can't ever get a loan again" isn't going to cut it. So how will they identify you to recover the lost code? Probably with the same information an attacker would have gotten from a data breach.

        The fundamental problem is that financial companies generally don't know who their customers are anymore, and there's no good way for them to verify it. I'm not sure how you fix that. The current schemes (SSN and mother's maiden name) are laughable, but it's not immediately obvious to me how to do better.

  13. Aodhhan

    Equifax... I recommend

    ...purchasing Hillary's book where she blames everyone but herself.

    She too suffered a security breach by not following best practices... believing she was beyond all of this and only worrying about the bottom line.

    She managed to get by without any charges or loss of money. Perhaps you can learn from her!

  14. Ian 3

    Hang on...

    Isn't Struts a front end MVC thing for web sites? Shouldn't it be sat in the DMZ with only carefully controlled and monitored API calls allowed through to the secure zone? Don't you expect your front-end applications and servers to get hacked and injected and horribly abused with malformed requests hence all that monitoring and separation and internal firewalls?

    1. Trixr

      Re: Hang on...

      Dude, no-one has confirmed whether that WAS the breach. Useless to speculate.

      Yes, if Equifax were using Struts and didn't configure it according to best-practice, then sure, hang them out to dry.

  15. 1OldSchool

    Executives Sat on the Story While They Sold Stock at a Profit

    Equifax U.S. Information Solutions President Joseph Loughran probably encouraged IT folks to use simple username/password combos like they did in Argentina when they used *admin/admin*. http://www.bbc.com/news/technology-41257576

    The first customers to sign up for credit freezes reported that simple, easy-to-guess PINs were generated by Equifax, rather than letting customers choose their own up-to-15-digit PINs (like TransUnion and Experian did).

    Bottom Line - as is obvious from SEC Regulatory filings, the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2. Equifax could not care less about the precious data they barter and sell as long as executives can be compensated in the millions.
