Ramblings of an old Doc
Musicians and Updates
Published on September 16, 2017 By DrJBHL In Personal Computing


More on the saga of Equifax, or, "How not to do IT".

So, more has come out on how the debacle that is Equifax IT came about. First, what went wrong, and then the who.

The chronology can be read here. In addition to that, the basic problem is noted:

"The software problem was detected in March and a recommended software patch was released shortly afterward. Equifax said the database intrusion began in May and continued until July.

Security experts said Equifax had more than enough opportunity to block intruders by sealing the security hole. “There is no excuse for not following basic cybersecurity hygiene,” said Nate Fick, CEO of the security firm Endgame. “Some heads should definitely roll for this; it’s only a question of how many.” - Sweet and Liedtke, AP.

The Apache Struts defect was noted in 3/17, and a patch was made available.

"The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application." - Equifax

That is simply unforgivable. Pretty much anyone with a reasonable knowledge base in IT - and quite a few without one - knows to update their apps and OSs.

Now the "who" and probable "why".

Two people were 'resigned' very quickly after all this had become known this past week: Equifax's CTO and their Chief Security Officer.

The latter, it turns out (Susan Mauldin), was a Music major in college, without any IT training on her CV at LinkedIn. Her internet presence is being assiduously scrubbed, also. Maybe she had post-grad training in IT. Maybe not. The 'criteria' for her employment should be interesting, when and if they ever come out.

So, the financial security of 143 million people depended on a n00b? Seriously? Now you know the why of regulation. You wouldn't want DeBakey as a composer, nor as the Conductor of the New York Philharmonic, and you wouldn't want Joe the Plumber as your Neurosurgeon. 

But, that's what you got. Now, are things so horrible that you have to run in circles while screaming and shouting? No. Why? Because your Social Security number is basically on every form you ever filled out, along with lots of other data, already out there - this is breach number 23, just this year. Think about the forms in your Doctor's office...

So, as a reasonable guide, with alternatives, there is this: https://qz.com/1079253/the-complete-guide-to-the-equifax-breach/ - You shouldn't "do nothing". Certainly credit monitoring, a good password manager with local storage, and switching passwords.

As for credit freezes? That's a lot of work. The phone call is simple. The mailing of the necessary documents is a lot more cumbersome, and you have to do it for the three agencies. Separately. And it lasts all of three months, then it's all over again, if you want to continue it.

Also, if you apply for monitoring from Equifax (a one-year deal for "free" [lol]), you are agreeing you cannot sue for any damage from the breach (lawyers moved fast). And there are big-time suits in the works (see last linked source below).

Any of our mavens from the Dark Side are more than welcome to add thoughts.

Oh yes...watch out for phishing as a result of this newest gift from "N00bs R Us".
Comments (Page 2)
on Sep 19, 2017

Well, obviously the buyers didn't know...




on Sep 19, 2017

Should one mention the people who sold some of their stock three days prior to make a public announcement regarding the breach?

They said they didn't know... 

Thought it was 2-3 days after the breach event, not 2-3 days before public announcement which was much later.  Either way, doesn't pass the smell test.  Not even close.

on Sep 19, 2017

EFX is averaging about 400k shares traded every trading session.   Each trade has a buyer and a seller.   The only irregularity I'm seeing is a sharp decrease in trading volume on August 6th--not increase.   

on Sep 19, 2017

Thought it was 2-3 days after the breach event, not 2-3 days before public announcement which was much later.  Either way, doesn't pass the smell test.  Not even close.

San Francisco Chronicle 9/7/17 LINK

[quote]The sales all occurred before the company publicly reported the breach, a disclosure that quickly sent its stock tumbling more than 13 percent Friday. The timing of the sales could attract federal scrutiny, legal experts say, though proving insider trading would be difficult. A company spokeswoman said the executives did not know about the breach when they sold their shares.[/quote]

Hard to believe they were unaware.

on Sep 19, 2017

Thanks.  That's it.   Selling by registered insiders right after they discovered the breach, but before it went public, certainly does the trick.

on Sep 20, 2017

One would assume that shorts are obvious, but maybe not?


on Sep 20, 2017


Hard to believe they were unaware.

I'd bet pounds to a pinch of sh!t that they knew well in advance of it being made public. That's the upper crust and corporate high-rollers for you.... slippery one day, slimier the next.