Did Equifax leak your personal information
1 BayAreaObserver   2017 Sep 14, 1:26am   ↑ like (0)   ↓ dislike (0)

Failure to patch two-month-old bug led to massive Equifax breach.

The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.

"We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.

As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.

Equifax's update confirms a report published last week by a firm called Baird Equity Research. It provided no source for the claim that Equifax was breached through an unidentified Apache Struts vulnerability. Two days later, the Apache Software Foundation issued a statement saying it didn't know one way or the other if a Struts vulnerability was involved. CVE-2017-5638 is separate from CVE-2017-9805, a separate Apache Struts vulnerability that was patched last week.

Full Article: https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
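The article's point is that the hard part was not the patch itself but finding every app that still bundled an old struts2-core jar across many servers. Below is an added example of the inventory check that gives you that list; it is my code, not anything from the Ars article, Apache, or Equifax. It assumes each app ships its own WEB-INF/lib/struts2-core-<version>.jar, uses the affected ranges from the Apache S2-045 advisory (fixed in 2.3.32 and 2.5.10.1, the March 6 fix the article refers to), and runs on a constructed list of jar paths standing in for output collected from real hosts.

```python
"""Find deployed Apache Struts 2 apps still exposed to CVE-2017-5638 (added example)."""
import re
from collections import Counter
from pathlib import Path

# Matches the Struts 2 core library bundled inside a WAR/EAR,
# e.g. WEB-INF/lib/struts2-core-2.3.31.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Affected ranges per the Apache S2-045 advisory for CVE-2017-5638:
# 2.3.5 through 2.3.31, and 2.5 through 2.5.10. The fix shipped in
# 2.3.32 and 2.5.10.1.
AFFECTED = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise, so (2, 5, 10, 1) > (2, 5, 10)."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version):
    """True if this struts2-core version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED)


def scan_jar_paths(paths):
    """Return (path, version, vulnerable) for every struts2-core jar in the inventory."""
    findings = []
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            version = match.group(1)
            findings.append((path, version, is_vulnerable(version)))
    return findings


def summarize(findings):
    """Count apps per version so the size of the rebuild effort is visible at a glance."""
    vulnerable = Counter(v for _, v, bad in findings if bad)
    not_affected = Counter(v for _, v, bad in findings if not bad)
    return {"vulnerable": dict(vulnerable), "not_affected": dict(not_affected)}


def find_struts_jars(root):
    """Walk a real deployment tree (e.g. a Tomcat webapps directory) on one host."""
    return [str(p) for p in Path(root).rglob("struts2-core-*.jar")]


# Constructed sample inventory: "host:path" lines as you might collect them from
# many servers. Hostnames and app names are made up for the example.
SAMPLE_PATHS = [
    "web01:/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar",
    "web01:/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.32.jar",
    "web02:/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar",
    "web02:/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.4.jar",
    "eu-web01:/srv/apps/claims/WEB-INF/lib/struts2-core-2.5.10.jar",
    "eu-web01:/srv/apps/intake/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "eu-web01:/srv/apps/intake/WEB-INF/lib/commons-fileupload-1.3.2.jar",  # ignored
]

if __name__ == "__main__":
    results = scan_jar_paths(SAMPLE_PATHS)
    for path, version, bad in results:
        print(("VULNERABLE " if bad else "ok         ") + version + "  " + path)
    print(summarize(results))
```

On a real estate you would replace SAMPLE_PATHS with the concatenated output of find_struts_jars() run on each host, then treat every "VULNERABLE" line as an app that has to be rebuilt against the fixed Struts release and retested before it goes back into production.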
2 FortWayne   2017 Sep 14, 8:36am   ↑ like (2)   ↓ dislike (0)

And these assholes want 10 to freeze my credit. I want to sue these scoundrels!!!
5 Ernie   2017 Sep 16, 7:44am   ↑ like (0)   ↓ dislike (0)

FortWayne says
And these assholes want 10 to freeze my credit.

same here, I tried to freeze my credit yesterday and they demanded money.
6 RC2006   2017 Sep 16, 8:00am   ↑ like (0)   ↓ dislike (0)

Booger says

Probably nepotism.
7 anonymous   2017 Sep 16, 10:58am   ↑ like (0)   ↓ dislike (0)

rpanic01 says

Probably nepotism.

She'll soon be Trump's head of Cyber Security. He hires the best.
8 KimJongUn   2017 Sep 16, 11:02am   ↑ like (0)   ↓ dislike (0)

drBu says
FortWayne says
And these assholes want 10 to freeze my credit.

same here, I tried to freeze my credit yesterday and they demanded money.
That would be Experian. Equifax, TransUnion and the other two (names elude me at the moment) do it for free.
