Ramblings of an old Doc
Musicians and Updates
Published on September 16, 2017 By DrJBHL In Personal Computing


More on the saga of Equifax, or, "How not to do IT".

So, more has come out on how the debacle that is Equifax IT came about. First, what went wrong, and then the who.

The chronology can be read here. In addition to that, the basic problem is noted:

"The software problem was detected in March and a recommended software patch was released shortly afterward. Equifax said the database intrusion began in May and continued until July.

Security experts said Equifax had more than enough opportunity to block intruders by sealing the security hole. “There is no excuse for not following basic cybersecurity hygiene,” said Nate Fick, CEO of the security firm Endgame. “Some heads should definitely roll for this; it’s only a question of how many.” - Sweet and Liedtke, AP.

The Apache Struts defect was noted in March 2017, and a patch was made available.

"The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application." - Equifax

That is simply unforgivable. Pretty much anyone with a reasonable knowledge base in IT, and quite a few without one, knows to update their apps and OSs.

Now the "who" and probable "why".

Two people were 'resigned' very quickly after all this had become known this past week: Equifax's CTO and their Chief Security Officer.

The latter, it turns out (Susan Mauldin), was a Music major in college, without any IT training on her CV at LinkedIn. Her internet presence is being assiduously scrubbed, also. Maybe she had post grad training in IT. Maybe not. The 'criteria' for her employment should be interesting, when and if they ever come out.

So, the financial security of 143 million people depended on a n00b? Seriously? Now you know the why of regulation. You wouldn't want DeBakey as a composer, nor as the Conductor of the New York Philharmonic, and you wouldn't want Joe the Plumber as your Neurosurgeon. 

But, that's what you got. Now, are things so horrible that you have to run in circles while screaming and shouting? No. Why? Because your Social Security number is basically on every form you ever filled out, along with lots of other data, already out there - this is breach number 23, just this year. Think about the forms in your Doctor's office...

As a reasonable guide, with alternatives, see this: https://qz.com/1079253/the-complete-guide-to-the-equifax-breach/ - You shouldn't "do nothing". Certainly credit monitoring, a good password manager with local storage, and switching passwords.

As for credit freezes? That's a lot of work. The phone call is simple. The mailing of the necessary documents is a lot more cumbersome, and you have to do it for the three agencies. Separately. And it lasts all of three months, then all over again, if you want to continue it.

Also, if you apply for monitoring from Equifax (a one year deal for "free" [lol]), you are agreeing you cannot sue for any damage from the breach (lawyers moved fast). And there are bigtime suits in the works (see last linked source below).

Any of our mavens from the Dark Side are more than welcome to add thoughts.

Oh yes...watch out for phishing as a result of this newest gift from "N00bs R Us".


Sources:

https://apnews.com/d81f731e423a470a8d6252720dccfe7e?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP

https://www.equifaxsecurity2017.com/

http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

https://qz.com/1079253/the-complete-guide-to-the-equifax-breach/

http://www.chicagotribune.com/business/ct-equifax-data-breach-0917-biz-20170915-story.html



Comments (Page 1)
on Sep 16, 2017

Good post and information. Thanks, Seth.   

on Sep 16, 2017

FWIW, checking the Equifax site to see if your file was affected doesn't commit you to anything and doesn't require you to agree to anything.  It's the subsequent enrollment in the one-year monitoring that (initially) does (did) that but Equifax now claims they're waiving any arbitration language.  No reason to believe them, but there you are.

From what I've read & heard, if you check, the answer is uniformly, "Yes".


As an afterthought and in a purely abstract way, the consequences to 143 million people aside, it's nice to see such arrogant pricks humbled.

on Sep 17, 2017

Daiwa

it's nice to see such arrogant pricks humbled.

Truly arrogant pricks are never humbled, they just go quiet for a little while and pop up just as arrogant or more so someplace down the track.  However, a couple of surgeries come to mind: a lobotomy and castration so there's no evil spawn.

And then there's all these highrollers and politicians suggesting we go electronic and cashless. 

on Sep 17, 2017

Daiwa

From what I've read & heard, if you check, the answer is uniformly, "Yes".

I checked before (http://drjbhl.joeuser.com/article/484905/Potentially_143_Million_Peoples_Data_Breached), and rechecked...still negative.

So, you might just be seeing folks who might well have had their data breached.

What I find unforgivable in all this is that it was so easily preventable. I mean, seriously, just who doesn't know that software has to be updated, especially after being informed of a vulnerability and having the patch easily available? A music major.

on Sep 17, 2017

DrJBHL

What I find unforgivable in all this is that it was so easily preventable. I mean, seriously, just who doesn't know that software has to be updated, especially after being informed of a vulnerability and having the patch easily available?

It does seem incredibly stupid doesn't it?  Almost too stupid.  I've been wondering if someone somewhere along the chain was influenced by an outside party.  Equifax would be a huge target.

on Sep 17, 2017

DrJBHL

What I find unforgivable in all this is that it was so easily preventable. I mean, seriously, just who doesn't know that software has to be updated, especially after being informed of a vulnerability and having the patch easily available? A music major.

When such a company is dealing with millions of people's accounts it IS its responsibility to protect that data at all costs.  However, employing an under-qualified person to oversee that responsibility, as it seems happened in this case, makes that company both negligent AND irresponsible.  And for mine, a music major with little to no tech/IT experience is not only under-qualified but somewhat arrogant [possibly a liar] to have walked into such a job.

And there'll be lawyers lining up to represent victims because they all love the smell of a class-action suit in the morning.

on Sep 17, 2017


As for credit freezes? That's a lot of work. The phone call is simple. The mailing of the necessary documents is a lot more cumbersome, and you have to do it for the three agencies. Separately. And it lasts all of three months, then all over again, if you want to continue it.

Credit freezes can be done online for any reason and without any special documentation, for costs ranging from free to $15 depending on what state you're in. The worst of them is Transunion, who requires you to create an account to do it. For the others, you just put in your info and your payment and you're done. Experian requires a duration to be given (up to seven or eight years) but the others don't; it's effective permanently until you unfreeze it.

It's fraud alerts that are only effective for 90 days unless you provide a police report, etc. But you can do those online too, and for free.

on Sep 17, 2017

It does seem incredibly stupid doesn't it?  Almost too stupid.  I've been wondering if someone somewhere along the chain was influenced by an outside party.  Equifax would be a huge target.


Behind a lot of technical problems are people problems.    The technical expertise to prevent these problems is probably already all there, at Equifax.   For whatever reason, people just didn't care.   It's work.


on Sep 17, 2017

tetleytea

Behind a lot of technical problems are people problems.    The technical expertise to prevent these problems is probably already all there, at Equifax.   For whatever reason, people just didn't care.   It's work.

Absolutely could be the case.

However, that very scenario provides additional opportunity for outside influence.  I'm not sure it should be dismissed as incompetence, attitude, or overwork.  Something of this magnitude warrants a closer look as far as I'm concerned.  Somebody could be sitting with a million dollars in an offshore account right now.

on Sep 17, 2017

The Peter Principle

I interviewed at Equifax about 12 years ago for a project management position.  The distinct impression I got was that the management level above that was looking for someone to take the blame for projects with bad histories that would be assigned to him.  I'm a technical guy; that level of internecine warfare I avoid like the plague (which is why I avoided the academy).  But in that environment, incompetents rising high is no surprise at all. 


on Sep 17, 2017

Yup, kind of like that.

on Sep 17, 2017


But in that environment, incompetents rising high is no surprise at all. 

And unqualifieds.  During my working life I saw many who had little to no clue what they were doing rise through the ranks to positions of power.  One in particular, who didn't even finish primary school and could neither read nor write properly, still used his fingers to count, charmed his way up the managerial ladder and attained a very high level of power and influence... all because he was 'charming' and had a vibrant personality.  He was the least qualified, made more mistakes than most, and it made no sense, but there he was, area manager and in charge of the factory where I worked.

on Sep 19, 2017

Turns out Equifax had also been hit in March.  Not a lot of detail here, mainly just linking because it seems like I would have to be "making this stuff up":

https://www.cbsnews.com/news/equifax-data-breach-happened-months-before-big-one-hit-report/

One way or another, seems like there's a problem.

on Sep 19, 2017

Should one mention the people who sold some of their stock three days prior to making a public announcement regarding the breach?

They said they didn't know... 

on Sep 19, 2017

Interesting, but what suggests a connection, beyond some people selling their stock?  Equifax stock traded during that time, and every transaction has a buyer and a seller. 
