1 BayAreaObserver   2017 Sep 14, 1:26am   ↑ like (0)   ↑ dislike (0)     quote        
Failure to patch two-month-old bug led to massive Equifax breach.

The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.

"We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.

As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.

Equifax's update confirms a report published last week by a firm called Baird Equity Research. It provided no source for the claim that Equifax was breached through an unidentified Apache Struts vulnerability. Two days later, the Apache Software Foundation issued a statement saying it didn't know one way or the other if a Struts vulnerability was involved. CVE-2017-5638 is separate from CVE-2017-9805, a separate Apache Struts vulnerability that was patched last week.

Full Article: https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
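The article's point about the patch being labor intensive is that fixing CVE-2017-5638 meant rebuilding every app that bundled an old Struts, across many servers. The first defensive step is knowing which deployed apps still carry a vulnerable struts2-core jar. The script below is an added example, not code from the Ars Technica article, the forum post, or the Apache Struts project: it walks a deployment directory, reads struts2-core jar versions both on disk and inside .war archives, and flags those below the fixed release on their branch. The fixed versions (2.3.32 and 2.5.10.1) are assumed here from the upstream Apache Struts advisory for this CVE rather than taken from the page, and the deployment tree it scans in the demo is constructed in a temporary directory.

```python
"""Inventory a deployment tree for struts2-core versions still exposed to CVE-2017-5638.

Added example, not from the article or the forum thread. The fixed versions below
are assumed from the upstream Apache Struts advisory for the CVE; confirm them
against the advisory before acting on the report.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed fixed releases for CVE-2017-5638 (from the upstream advisory, not the page).
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)

# Matches struts2-core-<version>.jar, e.g. struts2-core-2.3.20.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True if this struts2-core version predates the fix on its branch.

    Versions at or above 2.5 are compared against the 2.5.x fix; everything
    older is compared against the 2.3.x fix, so end-of-life 2.x releases are
    flagged too (they never received the fix).
    """
    v = parse_version(version)
    if v >= (2, 5):
        return v < FIXED_2_5
    return v < FIXED_2_3


def struts_versions(root):
    """Yield (location, version) for every struts2-core jar under root,
    including jars packaged inside .war files."""
    for path in Path(root).rglob("*"):
        if path.is_dir():
            continue
        m = JAR_RE.search(path.name)
        if m:
            yield str(path), m.group(1)
        elif path.suffix.lower() == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as war:
                for name in war.namelist():
                    m = JAR_RE.search(name)
                    if m:
                        yield f"{path}!{name}", m.group(1)


def find_vulnerable(root):
    """Sorted list of (location, version) pairs that still need rebuilding."""
    return sorted((loc, ver) for loc, ver in struts_versions(root) if is_vulnerable(ver))


def build_sample_deployment(root):
    """Constructed deployment tree for a stand-alone run: two exploded apps and one .war."""
    root = Path(root)
    for app, ver in (("app1", "2.3.20"), ("app2", "2.5.10.1")):
        lib = root / app / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        (lib / f"struts2-core-{ver}.jar").write_bytes(b"")
    with zipfile.ZipFile(root / "app3.war", "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
    return root


def demo():
    """Build the constructed tree, scan it, and return the flagged versions in order."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_deployment(tmp)
        found = find_vulnerable(tmp)
        for loc, ver in found:
            print(f"VULNERABLE struts2-core {ver}: {loc}")
        return [ver for _, ver in found]


if __name__ == "__main__":
    demo()
```

Run against a real tree with `find_vulnerable("/opt/tomcat/webapps")` (path assumed); each hit is an app that must be rebuilt against a fixed Struts and retested, which is exactly the effort the article describes. The jar filename is the only signal used here, so a jar that was renamed or shaded into another archive would be missed; reading `META-INF/MANIFEST.MF` inside each jar is the natural extension.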
2 FortWayne   2017 Sep 14, 8:36am   ↑ like (2)   ↑ dislike (2)     quote        
And these assholes want 10 to freeze my credit. I want to sue these scoundrels!!!
5 drBu   2017 Sep 16, 7:44am   ↑ like (0)   ↑ dislike (0)     quote        
FortWayne says
And these assholes want 10 to freeze my credit.

same here, I tried to freeze my credit yesterday and they demanded money.
6 rpanic01   2017 Sep 16, 8:00am   ↑ like (0)   ↑ dislike (0)     quote        
Booger says

Probably nepotism.
7 anonymous   2017 Sep 16, 10:58am   ↑ like (0)   ↑ dislike (0)     quote        
rpanic01 says

Probably nepotism.

She'll soon be Trump's head of Cyber Security. He hires the best.
8 SpecialSnowflake   2017 Sep 16, 11:02am   ↑ like (0)   ↑ dislike (0)     quote        
drBu says
FortWayne says
And these assholes want 10 to freeze my credit.

same here, I tried to freeze my credit yesterday and they demanded money.

That would be Experian. Equifax, TransUnion and the other two (names elude me at the moment) do it for free.