Dissection of the Equifax Data Breach

Equifax

I remember thinking that if I thought the last presidential election was bad, now this. Almost completely unbelievable but of course it was without a doubt true. You would think that following the data breach that Target and the OMB breaches would set a tone, and organizations both in the government and private sector would start to take genuine steps in the right direction… You were wrong. You would also think that the Information Security vertical as well as our nation’s politicians would take steps in the right direction. Because in September of 2017 your most valued and coveted authentication and identification token was made null and void, because of a data breach. But first some history, introductions and a few points of information.

You were wrong again.

Corporate greed octopus

The transpiration of the Equifax Breach: September 2017.

In September of 2017 Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop — Krebs on Security and

So while there were some unbelievably epic technical failures that permitted the breach to occur, there were organizational, political and legal issues that in some ways created a total eclipse of the technical failures themselves, which warrants detailed examination at this point.

The problem is that Tim Berners-Lee and the Internet Protocol were not designed for the operation of Capitalism’s practices in Adam Smith’s free market whatsoever.

Capitalism co-opted and commodified both of these engineering marvels for its own predatory practices, and humanity’s insatiable appetite for convenience ensured it would happen. Lock, Stock and Barrel.

Fundamentally the “Internet” is at direct odds with Capitalism’s values and principles or shall we say the “business logic” of Capitalism.

To demonstrate this in a way over-simplified but yet effective manner let’s examine an article by Teri Radichel entitled Why Patching Software Is Hard: Organizational Challenges | Infosec News Ireland. Ironically enough, just take a cursory look at the org charts and the roles and responsibilities of any of the C-Suite Information Security and Information Technology positions, as well as the separation of labor, and you will understand. Perhaps you work in this sector and have experienced this first-hand?

So this is the first position Teri describes, and it’s a true depiction. What I have cited here is the whole description excluding the first and last sentence. Sounds like a great job don’t it? A lot of empowerment to ensure the security of the “Business”?

CISO

“They must push for security, but not too hard because the company may let the CISO go if requirements are “blocking business initiatives.” On the other hand, when a breach occurs, the company blames and fires the CISO (or the CISO leaves knowing that getting fired is inevitable). When executives hire CISOs, they may ask questions to make sure the CISO is “reasonable” when it comes to security, meaning that he or she won’t be too insistent on stringent security policies. I doubt the CISO failed to tell the company to patch software.”

Second position depicted. Ah yes, the Security Team, in which I have worked myself. Pretty much a title with a lot of dis-empowerment and emasculation poured into it, and little to no C-Level backing or support to get its mission done. A figurehead element of the organization itself. This is the rule, NOT THE EXCEPTION in most organizations.

The Security Team

“At many companies, the security team makes policies and recommendations but may have no authority to enforce them. Security professionals often handle security appliances and act as auditors but cannot make any changes to networks or systems that run applications. If the security team didn’t recommend that the business install the latest software patches, or had the authority to enforce or implement patching and didn’t do it, then perhaps they were to blame. Often this is not the case.”

The risk of causing any and all downtime regardless of the rhyme or reason behind it means the loss of Capital. This must be avoided at all COSTS.

The IT Team

“Requirements may include scheduling a deployment window and defining a rollback plan if the change introduces the risk of downtime.”

These three sentences list obstacles created by the Business to ensure that they maximize profits, sometimes even at the cost of outright ignoring hastily crafted software that is laden with bugs that lead to dangerous exploits that lead to loss of Personally Identifiable Information (PII), with little regard to the customers but plenty of regard to their shareholders, and why not? They are only obligated to give you some worthless “credit monitoring/identity theft solution”; usually not even fines are levied or prosecution gets carried out (But trust me… we get into that later on).

Software Developers

“Development teams are usually under a lot of pressure to release projects quickly. They must implement the prioritized tasks assigned to them by product managers and business owners. They won’t want to risk creating a production bug that creates considerable losses, delays the project, and puts their job at risk.”

Product Managers and Business Owners

Quite simply if we boil this down enough, on a tactical level these personnel have direct control of “means of production” and the “labor power” of everyone involved in the engineering of the corporate network architecture and the software development life cycle. When the smoke clears they want to increase profits period.

Teri has hit the nail right on the head here, no drama, just the facts.

“Assignments to create or change software starts with approval from a group of people who review the list of proposed projects and decide which ones get funded. Often this group is devoid of security professionals and consists of business people focused on revenue-generating or cost-saving business goals. The rewards this group receives are based on delivery of projects in a specified time-line and budget, and the faster the better. Deploying new software versions delays deliverables, so they have no incentive to prioritize this work.”

You make over 300 times the average salaried employee whatever industry he or she works in? GTFO? You better know, you want to play with the big boys then know it or GTFO. But we all know you don’t have to, and most of the time you will maintain your Capital even when you and you alone are accountable for the FAILURE.

The CEO

“Did the CEO know the status of patched software and system inventory throughout the company? He should have.”

Teri’s conclusion is a thing of beauty, but unfortunately like Rosa Parks Security sits at the back of the bus. The problem is that to most companies Security is not as high of a priority as PROFIT. End of story. Elvis has just left the building. Most companies pay huge amounts of “lip service” to the weight information security carries within their organizations but it is really more like lipstick on a pig. A paper thin veneer.

So, with almost little to no hope on the political and legislative fronts this is the way things will stay. So, with most information security/information technology certification and training organizations creating huge monetary obstacles for young men and women in this day and age to get certified and gain entry into the industry, then things will stay the same, and apparently we must all deep down inside want things to stay the same. Lastly, we have our nation’s (the greatest country on the planet) public schools offering little to no information technology/information security curriculum in even the most basic of training such as HTML, JavaScript, etc. Worse even, many of our youth are completely apathetic when it comes to even scouring the Internet with YouTube or Google to find some truly outstanding resources that would teach them everything they need to become true ninjas. They are more concerned with memes and other things. Please don’t get me wrong, I don’t want to paint America’s youth with broad strokes here, but you get the picture. We are all stewards of our resources. Then we surely have made our bed, but you dear reader, what are you gonna do about it?

Security Is a Matter of Priority

Do businesses know that patching software is critical? They do now. Why aren’t they doing it? Patching needs to be a priority. It takes time and money from other important projects that offer more immediate and visible value compared to protection against a potential threat. Companies praise teams for completing projects quickly, despite obvious security problems. When is the last time you heard a CEO stand up and praise a team in front of the whole company for patching software? Companies need to do more than talk about security; they need to implement measurable business processes that truly make it a top priority.

I leave you with this excellent article concerning CIO and CISO titleship and how the C-Suite demonstrates how much weight they put into the impact this position puts on the “Organization”. I found it very funny indeed in the comments section of this post that many individuals who “Call Themselves” Information Security Professionals were opposed to having their names, photos and/or a small bio on the C-Suite web page, because it would make them a “Target”. Please. Please, stop over-romanticizing what you do to put food on your table.

A Chief Security Concern for Executive Teams — Krebs on Security and InfoSec Handlers Diary Blog - Critical Apache Struts 2 Vulnerability (Patch Now!).

Following the Equifax breach Congress convened the subcommittee on digital Commerce and Consumer Protection

Brace and Pace yourselves because it’s 3 Hours and Six Seconds in total duration. This subcommittee raised some very important questions, and if you consider yourself an Information (or “Cyber”) Security professional or are responsible for protecting corporate or governmental data and its interests, then I seriously consider it your duty to watch it.

Following this subcommittee hearing a report was authored by the U.S. House of Representatives Committee on Oversight and Government Reform on the Equifax Breach. This document is a gem in a literal sea of shit regarding many information security documents, namely penetration test reports and data breach reports, and ironically it was put out by politicians… Republican politicians. Seriously, it is one of the best documents I have ever come across regarding official information security reports and findings. SANS gave it the utmost praise and recognition as well in Just Released: The Congressional Report on Equifax Hack | SANS Security Awareness. So while this report came out on approximately 10 December 2017, there was also a new bill introduced entitled Secure and Protect Americans’ Data Act (2017; 115th Congress H.R. 3896) - GovTrack.us in October of 2017, but it died and was never enacted. So as of this writing there are no other bills being pushed to Secure and Protect the PII of the citizens of the United States.

But if we look back to May 04, 2017 we can see that the Honorable Representative Barry Loudermilk of Georgia introduced and sponsored H.R.2359 - FCRA Liability Harmonization Act, and to summarize the bill’s purpose, HR 2359 amends the Fair Credit Reporting Act to limit the recovery amount available in a class action lawsuit to the lesser of $500,000 or 1% of the net worth of the defendant. The bill also eliminates the awarding of punitive damages. Can you say “Legal Crime”? Lucky for us (so far) this bill was not passed… Yet. Surprised it wasn’t though.

So what else would the government do in the wake of the breach? Well, at first it seemed that in the immediate aftermath of the breach the director of the CFPB, Richard Cordray, was willing to take the steps necessary to take some sort of tangible, impactful action against Equifax, but that never materialized because in mid November 2017 Cordray officially resigned from the position.

Following Cordray’s departure from the agency, Rep. Mick Mulvaney was appointed to the position by POTUS. Knowing Mulvaney’s political history and stances on these policies I doubt anything will be done at this point, and it appears that Legal Reader and Business Insider agree: Investigation into Equifax Hack Stalled by CFPB Head, Mulvaney and A year after Equifax breach, no enforcement actions.

Ironically, in early December 2018 Mulvaney was promoted to the Acting White House Chief of Staff, White House Chief of Staff: Mick Mulvaney to be acting White House chief of staff, Trump announced in tweet today - CBS News. There are a good number of other respected newspapers and journals in the business world reiterating this point on many fronts such as Hack Will Lead to Little, if Any, Punishment for Equifax - The New York Times and Why Trump Is Backing Off Equifax Hack Probe - Forbes.

Now it’s time to examine the “technical” failures that caused this breach.

  1. www server: permitting HTTP request methods that are “dangerous” and possibly permitted the uploading of “webshells”, or it could have been a well-known Apache vulnerability. So whether they were running Apache, Nginx, Tomcat, Struts, whatever, within the server configuration files they should have “disallowed” all unsafe HTTP methods such as PUT, DELETE, TRACE at a minimum, and it would behoove you to read the following: UnRestricted Uploads to WWW Servers as well as This post on the same subject. With a legacy web-based application the actual servers themselves must be configured correctly and hardened accordingly with Best Business Practices (BBP), and UnRestricted File Upload (UFU) is NOT a very hard thing to protect against in regards to Labor Overhead or your Security Team’s Professional Knowledge Base.
  2. Passwords: Unencrypted. I am not going to say anything here, it’s just FAILURE. Not salting and hashing passwords, no excuse.

  3. Data at Rest: Not Encrypted. So this depends on the approach you are taking to encrypt the “Data”. Most ACID-compliant SQL RDBMSs support encryption of data at rest these days, and yes, I know this task can present even a very proficient engineer with a modest level of complexity and labor overhead, but with proper planning and commitment it can be successfully implemented. If you are encrypting the actual data storage volume, almost every operating system can do this. So there are no excuses.

  4. Network Architecture was not compartmentalized and segmented off enough from other corporate networks: Strict segmentation and security configuration options should have been engaged and enabled at both layer 2 and 3 for the ACIS environment, regardless of the network device vendor that was used. In regards to firewalls, the campaign lasted for 76 days; for the IPs that originated in Germany and China, why didn’t they block these on external Internet-facing router ACLs or on the two firewalls?

  5. SSL Proper management and configuration on devices that needed it: So Equifax had acquired an SSLv device; what was the deployment history on it, and was it correctly configured to begin with? They should have addressed their failure to effectively manage their corporate assets (e.g. SSL certificates). This is/was another aspect of “I threw money at a problem by purchasing this new security device”, but did not have the expertise or initiative to deploy it in a sane manner with correct configurations, AND YET YOU STILL GOT PWNED. Tragically, many, many organizations fail to manage SSL certs in a stable and sane manner because the responsibility is delegated down to business owners and application owners and also sometimes developers, and for some reason Security is so DIS-EMPOWERED that they have no power to enforce correct management of SSL Certs. I can almost guarantee this happened. But no, let’s not admit that.

  6. Static Code Analysis: proper sanitization of input and output strings? I mean it’s legacy code? How long has it been in production? Have you ever even run Fortify on it? How about just a static code analysis? So much for Application Security I guess. UNACCEPTABLE.

  7. Apache Struts: Given the fundamental design of Apache Struts, Jakarta, and Tomcat and their notorious historical chronology of security vulnerabilities over the years, why do enterprise organizations still use it? The Spring framework is a more secure, stable and sane alternative to Struts. Gabriel Avner of White Source Software does an excellent job of explaining why you should be moving over to the Spring Framework in this blog post, Apache Struts Vulnerabilities vs Spring Vulnerabilities. Note: Many pentesters and security researchers hype Python quite a bit, but it is refreshing to see how Java itself can fit into the Pen Testing Methodology, especially with Web Applications.

  8. Too many acquisitions: with zero focus on what the security risk challenges were. When carrying out an offensive campaign “Bad Actors” will carry out protracted reconnaissance efforts to paint a detailed 3 dimensional depiction of your organization’s “Cyber” footprint, make no mistake about it. One of the first steps in this process is going to be someone in the “crew” looking at how many acquisitions have been made in the last few years, and when they map this out logically as far as network connectivity goes and other details, this will denote areas of focus that will possibly lead to serious weak points or low hanging fruit for compromising your network and the data that sits on it.
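For item 1, one way to check that the unsafe methods really are disallowed is to audit the web server's access log for PUT, DELETE or TRACE requests that were answered with a success status. This is an added example, not code from the original post or from the Congressional report; the allowlist, the log format (Apache common/combined) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the legacy application only needs these methods.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Common/combined log format:
# host ident user [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jan/2024:09:12:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [02/Jan/2024:09:12:05 +0000] "POST /login.action HTTP/1.1" 302 0
203.0.113.44 - - [02/Jan/2024:09:13:40 +0000] "PUT /files/report.txt HTTP/1.1" 201 0
203.0.113.44 - - [02/Jan/2024:09:13:52 +0000] "DELETE /files/old.txt HTTP/1.1" 405 231
203.0.113.9 - - [02/Jan/2024:09:14:10 +0000] "TRACE / HTTP/1.1" 200 64
203.0.113.9 - - [02/Jan/2024:09:14:11 +0000] "\\x16\\x03\\x01" 400 226
"""


def audit_methods(log_text, allowed=ALLOWED_METHODS):
    """Return (accepted, rejected, unparsed) for requests outside `allowed`.

    accepted: the server answered with a status below 400, so the method is
              NOT blocked by the configuration and needs fixing.
    rejected: the server refused (4xx/5xx), so the hardening is working.
    unparsed: lines that are not a well-formed request line; kept for review
              instead of being silently dropped.
    """
    accepted, rejected, unparsed = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        method = m["method"].upper()
        if method in allowed:
            continue
        hit = (m["host"], method, m["path"], int(m["status"]))
        (accepted if hit[3] < 400 else rejected).append(hit)
    return accepted, rejected, unparsed


def accepted_by_host(accepted):
    """Count accepted unsafe-method requests per client address."""
    return Counter(host for host, _method, _path, _status in accepted)


if __name__ == "__main__":
    ok, blocked, odd = audit_methods(SAMPLE_LOG)
    for host, method, path, status in ok:
        print(f"NOT BLOCKED: {method} {path} -> {status} from {host}")
    print(f"{len(blocked)} refused, {len(odd)} unparsed line(s) to review")
```

Any entry in the first list means the server configuration still permits a method the application does not need.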
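For item 2, this is what salting and hashing a password looks like in practice, with a per-user random salt, a memory-hard KDF and a constant-time comparison. It is an added example, not code from the original post; the record layout, the function names and the scrypt cost parameters are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters; tune to your hardware and raise them over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _derive(password, salt, n, r, p):
    # scrypt is memory-hard, which makes offline guessing expensive.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password):
    """Return a self-describing record: scheme$n$r$p$salt$key."""
    salt = os.urandom(16)  # unique per password, stored next to the hash
    key = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password, record):
    """Check a login attempt against a stored record.

    Malformed or legacy records (for example a value stored in plaintext)
    fail closed instead of being compared directly.
    """
    try:
        scheme, n, r, p, salt, key = record.split("$")
        if scheme != "scrypt":
            return False
        candidate = _derive(password, base64.b64decode(salt),
                            int(n), int(r), int(p))
        expected = base64.b64decode(key)
    except (ValueError, TypeError):
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when a record was created with parameters other than the current ones."""
    current = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P)]
    return record.split("$")[:4] != current


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong guess", stored))
```

Because the salt is random, two users with the same password get different records, and the parameters stored in each record let `needs_rehash` flag old entries for upgrade at the next successful login.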

Miscellaneous Notes: First, when you look at the big picture, in some ways I have to believe that the Struts vulnerability was not what initially led to this breach at all. It was the other technical issues first, and then comes the Struts vulnerability coupled with all the Organizational Issues. There is however something that bothers me in the report about using a “Security Scanner” to scan for the vulnerability on Struts, and also the mention of adding a new Snort signature to their IDS. It comes off as though perhaps some members of the Global Security Team weren’t qualified enough to conduct effective security scanning operations regardless of what scanner they were using, and the same goes for Snort. This is a serious problem, and although I mention it under the technical aspects of the dissection, it is really an organizational issue that falls upon the Security Team Manager and Human Resources.

To conclude the Technical Portion I leave you with the 2nd part of Teri Radichel’s article Why Patching Software Is Hard: Technical Challenges | Infosec News Ireland, which I consider another MUST READ from IT Managers on down to Sysadmin. Drop the mike.

The value of the data compromised is the cornerstone of the Citizens of the United States of America’s ability to vet themselves against our current form of Capitalism, Health Care, Governmental Agencies, and the Credit Agency itself is the fulcrum on which we gain access to credit in order to buy homes, cars, etc. This data should be looked at as analogous to one step down from FOUO or Confidential in many ways, but we as a people fail to make that comparison, and perhaps most of us are completely apathetic to that point in the zealous name of CONVENIENCE. But down the road we will all pay the price for it.

And here is what they are hawking these days… Compare Equifax Credit Monitoring Products | Equifax

Stay positive.

SideNote: I guess my next post should be the compromise of the 2016 Election, but that picture still has not completely finished painting itself.

