
posted by cmn32480 on Monday October 09 2017, @09:22AM
from the shit-rolls-downhill dept.

Submitted via IRC for Fnord666_

In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.

Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.

Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.

However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.

"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

Source: https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-one-person-not-doing-their-job/


Original Submission

Related Stories

Apache Bug Leaks Contents of Server Memory for All to See—Patch Now

Submitted via IRC for SoyCow1937

There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.

The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.

[...] Optionsbleed, by contrast [to Heartbleed], doesn't pose as big a threat, but its effects can still be damaging. The risk is highest for server hosts that allow more than one customer to share a single machine. That's because Optionsbleed allows customers to exploit the flaw in a way that exposes secret data from other customers' hosts on the same system. On the Internet at large, the threat is less serious.

[...] Interestingly, the bug was first identified in 2014. Why it's only now being patched is unclear.

Source: https://arstechnica.com/information-technology/2017/09/apache-bug-leaks-contents-of-server-memory-for-all-to-see-patch-now/

[Note: I checked with TheMightyBuzzard, and was informed that, though SoylentNews does run Apache, our systems are configured in such a way as to not expose OPTIONS. In other words, it is believed that we are not susceptible. --martyb]


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 5, Informative) by Anonymous Coward on Monday October 09 2017, @09:28AM (10 children)

    by Anonymous Coward on Monday October 09 2017, @09:28AM (#579209)

    If you have over 200 people and still it is possible for one person to fuck up the whole thing, you really have to re-evaluate your process diagrams!!

    "trust but verify"

    This is nothing but a CEO covering his ass. Criminal negligence on part of the execs and perhaps negligence on part of the one guy as well.

    • (Score: 0) by Anonymous Coward on Monday October 09 2017, @10:25AM

      by Anonymous Coward on Monday October 09 2017, @10:25AM (#579218)

      Not just 1 person, but a person whose job remit included forwarding emails.

      I.e. a secretarial assistant.

      You can't get the minimum wage staff these days. That's why the company failed.

    • (Score: 5, Touché) by zocalo on Monday October 09 2017, @11:01AM (2 children)

      by zocalo (302) on Monday October 09 2017, @11:01AM (#579231)
      Actually, he's technically correct - if one person is to blame, then logically it would have to be the individual that carries the ultimate responsibility for a given department, e.g. the person where the buck stops and the shit flows downhill from. In Equifax's case that would be the very recently "retired" CIO, Susan Mauldin, who held the ultimate responsibility for making sure her 200+ staff were both aware of the problem, knew they had to fix it, and actually did so, but clearly did none of those things. That doesn't preclude Equifax's internal processes including the appointment of a deputy in the event of illness, etc. either, assuming she didn't take any leave between Equifax being made aware of the vulnerability and the discovery of the compromise - or even just for the period between notification and the expiry of Equifax's claimed 48 hour window to implement the patch, for that matter.

      None of which absolves Richard Smith from *his* responsibility as CEO to make sure that the CIO and other C-level staff were doing their jobs, of course. Something he apparently completely failed to do by his own admission to Congress where he stated that he did not request any update on the matter for several weeks, by which point it was already too late.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 2) by Gaaark on Monday October 09 2017, @04:04PM

        by Gaaark (41) on Monday October 09 2017, @04:04PM (#579295) Journal

        Yes, it is the Captain's...errr the CEO's responsibility. Just ask Kirk.

        Aside, maybe they left Jenn Barber in charge, while Roy and Moss were busy playing "catch the golf ball in your mouth" in their (under)pants.

        Just wondering...

        Sounds like Richard Smith is one of those CEOs who yell at their computer because he's told there is speech recognition/voice activation software on it, lol.

        "Hello computer... computer... hello... HEllo.... HELLO computer.... HELLO!... HELLO!!... COMPUTER!! HELLO!!!"

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 0) by Anonymous Coward on Monday October 09 2017, @05:02PM

        by Anonymous Coward on Monday October 09 2017, @05:02PM (#579311)

        How dare you throw a cisgendered woman, a superior being, under the bus! This is why there are no cisfemale programmers! See how horrible you misogynerds are!

        Haha.... It sounds like Ms. Mauldin ran her department exactly the same way the women here do. It's always just one person at fault. That one person gets fired. Then after a year or so, shit hits the fan all over again, and yet again, it's this one person who fucked up! All their fault! Fire them! Then after a year... well, you get the picture.

        Process? Procedure? QA? A second set of eyes, at least, for the important stuff? What the fuck is that? That's just stupid crap that assigned males do, and we know how awful those inferior, incomplete beings are.

        Next stop: now if only the IT department had been 100% womyn-born-womyn, then, obviously, it wouldn't have happened, because, as superior and complete beings, womyn-born-womyn are infallible!

    • (Score: 5, Insightful) by TheRaven on Monday October 09 2017, @11:13AM (5 children)

      by TheRaven (270) on Monday October 09 2017, @11:13AM (#579236) Journal
      If one person failing to do their job can cause a compromise on this scale, then that implies that the institutional procedures are dangerously wrong. That, in turn, implies that there is already one person failing to do their job: The CEO, who failed to appoint a competent CIO, who, in turn, failed to ensure the correct procedures were in place.
      --
      sudo mod me up
      • (Score: 5, Insightful) by isostatic on Monday October 09 2017, @11:47AM (2 children)

        by isostatic (365) on Monday October 09 2017, @11:47AM (#579243) Journal

        If one person can screw up and accidentally destroy your company, imagine what 1 person who's out to actually do harm can do.

        • (Score: 2) by Gaaark on Monday October 09 2017, @04:09PM (1 child)

          by Gaaark (41) on Monday October 09 2017, @04:09PM (#579298) Journal

          "Equifax did not say in its statement what retirement packages the executives would receive."

          What? No jail time?
          REALLLLLLY feck with your customers, put a company into dire financial straits (haven't looked: just assuming) and.....drumroll.....you get a retirement package?

          Are they out of 'steel toe up the ass' boots?

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
          • (Score: 4, Insightful) by Thexalon on Monday October 09 2017, @06:37PM

            by Thexalon (636) on Monday October 09 2017, @06:37PM (#579352)

            REALLLLLLY feck with your customers, put a company into dire financial straits (haven't looked: just assuming) and.....drumroll.....you get a retirement package?

            This is nothing new. For instance, Carly Fiorina ran HP into the ground, and HP paid her $40 million to go away.

            --
            The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by EvilSS on Monday October 09 2017, @05:55PM (1 child)

        by EvilSS (1456) Subscriber Badge on Monday October 09 2017, @05:55PM (#579337)
        Well wouldn't it really be the fault of the shareholders, who voted for the board of directors, who hired the CEO, who hired the CIO, who hired the SR VP, who hired the VP, who hired the Sr Director, who hired the director, who hired the manager who oversaw the cyber security team, which had that one guy who didn't do his job, in the hole at the bottom of the sea?
        • (Score: 0) by Anonymous Coward on Monday October 09 2017, @06:50PM

          by Anonymous Coward on Monday October 09 2017, @06:50PM (#579356)

          Well, responsible or not, the shareholders are going to get shafted. How about them CxOs?

  • (Score: -1, Redundant) by Anonymous Coward on Monday October 09 2017, @10:09AM (2 children)

    by Anonymous Coward on Monday October 09 2017, @10:09AM (#579213)

    n/t

    • (Score: 0) by Anonymous Coward on Monday October 09 2017, @10:35AM (1 child)

      by Anonymous Coward on Monday October 09 2017, @10:35AM (#579221)

      Former Equifax CEO says breach boiled down to one person not doing their job. Who it was may surprise you.

      • (Score: 2) by isostatic on Monday October 09 2017, @11:31AM

        by isostatic (365) on Monday October 09 2017, @11:31AM (#579239) Journal

        Former Equifax CEO says breach boiled down to one person not doing their job. Who it was may surprise you.

        The only thing that would surprise me is if the CEO admitted it was him not doing the job

  • (Score: 1, Insightful) by Anonymous Coward on Monday October 09 2017, @12:13PM

    by Anonymous Coward on Monday October 09 2017, @12:13PM (#579248)

    You fucking peons need to shut the fuck up!

    Your betters decide what's best for you. And what's best for you is that your corporate owners take more money and security be damned.

    It's not like their information has been compromised. Just fucking losers like you.

    And you have some sort of idea that you matter? Give it up suckers. You were born to lose and you get what you deserve.

    and don't give me a line of shit like "muh privacee!" You don't rate. You are product. Nothing more.

    And you will do as you're told or they will become most annoyed. Which means you will be in a world of shit.

    So BOHICA motherfuckers!

  • (Score: 0) by Anonymous Coward on Monday October 09 2017, @12:38PM

    by Anonymous Coward on Monday October 09 2017, @12:38PM (#579252)

    I can't remember what the first story was, but the level of 'not very good' was about the same.
    The last story was 'don't worry, we are going to do an internal investigation and get to the bottom of this'.
    Today's story is 'we found the single guy responsible for this'.

    The series of stories might be laughable if they were not trying to explain a serious problem.

    If they did their job as well as they do their stories, then perhaps they are actually showing the problem.
    Simple incompetence.

  • (Score: 4, Insightful) by bradley13 on Monday October 09 2017, @01:35PM

    by bradley13 (3053) on Monday October 09 2017, @01:35PM (#579261) Homepage Journal

    This claim demonstrates two things:

    - The person speaking does not understand security, or security procedures.

    - They had no security procedures in place, because one of the purposes of such procedures is to prevent simple human error.

    In the meantime, we know that Equifax was apparently audited well before the security breach, and told that they had inadequate procedures in place [soylentnews.org].

    --
    Everyone is somebody else's weirdo.
  • (Score: 3, Insightful) by SomeGuy on Monday October 09 2017, @02:10PM (1 child)

    by SomeGuy (5632) on Monday October 09 2017, @02:10PM (#579269)

    I haven't delved into the exact details of the breach, but what it all sounds like makes me think of a bank with no security.

    Imagine if the lock on the back door of your bank broke, no one noticed, and anyone could just waltz in and take all of the money!

    In reality, if the lock on a bank's back door broke, someone would probably be specifically assigned to check and notice such things in the first place. Even if that did go unnoticed or unfixed for a while, there would be other locked doors, one after another right up to a big honking metal bank vault door. And someone would have checked and locked all of those and may even still be sitting there waiting. If someone did walk in that back door even if they couldn't get any further, there would still be security cameras catching them in the act and security alarms. Any desks or cabinets right inside that door would be locked and otherwise secured, so at best an intruder might be able to make off with the stapler before an entire parade of police chase him down and unload a military sized can of whoop-ass on his butt.

    If none of that was in place at your bank and all the money vanished then whose fault is it? The janitor's fault for not getting that lock fixed in a timely manner?

    BULL FUCKING SHIT, NO!

    • (Score: 4, Insightful) by Thexalon on Monday October 09 2017, @06:49PM

      by Thexalon (636) on Monday October 09 2017, @06:49PM (#579355)

      In reality, if the lock on a bank's back door broke, someone would probably be specifically assigned to check and notice such things in the first place.

      Good security doesn't have 1 person who checks and notices such things. Good security has, say, the 10 employees who work at that branch noticing such things, because they all walked through that door when they came into work that day and all noticed something was wrong and immediately reported it to the branch manager (ideally, getting rewarded for their vigilance). And then the branch manager does something along the lines of hiring a locksmith to come in and take care of it immediately, and maybe ensure somebody jury-rigs a chain or something to keep that door shut until the locksmith can come.

      What happens in many IT organizations is that:
      - There is at most 1 peon assigned to look at that lock.
      - If that peon notices something wrong and reports it, the very best they can hope for is to be told that they need to work into the night for no extra pay to fix it immediately or lose their job.
      - No outside help is hired, in part because the lower-level manager actually handling the problem doesn't have the budget authority to do that, but also because nobody really cares.
      - While the problem still exists, upper management will insist that the door remain openable, and if there's no lock on it, so be it.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 3, Funny) by Anonymous Coward on Monday October 09 2017, @02:50PM

    by Anonymous Coward on Monday October 09 2017, @02:50PM (#579280)

    We know because the one guy that makes up the entire engineering staff, his five bosses all said so.

  • (Score: 3, Insightful) by srobert on Monday October 09 2017, @04:04PM

    by srobert (4803) on Monday October 09 2017, @04:04PM (#579296)

    ... then it should also be important to develop a methodology which makes failing to do it right nearly impossible. Low level employees can carry it out if it's been developed and they've been properly instructed. Mid-level employees can develop the methodology, but they lack the authority to dictate that it be implemented across the board. The authority to see that such is developed AND implemented rests with those at the top of the hierarchy. So if there was just one person on whom the blame could be placed (which I doubt), then that person would be the CEO.

  • (Score: 2, Interesting) by Anonymous Coward on Monday October 09 2017, @05:02PM

    by Anonymous Coward on Monday October 09 2017, @05:02PM (#579312)

    i watched the hearing. while the quote in the summary is accurate, that whole verbal exchange was a cluster fuck. the reps didn't know what they were saying/asking and the ceo was nervous and so worried about using the right words he couldn't just explain it where they could understand.

    what the ceo really was trying to say is that there were two teams: the tech team(IT/LSA?/Web devs/devops) and the security team. the "one person" he's referring to is someone on the tech team. that person never told the security team that apache struts was even installed. that's why it never got patched. it wasn't on the list of installed shit. the security team also has some presumably proprietary shitware (probably gpl violating shit that uses nmap poorly) that is supposed to scan the network(s) looking for services that are accessible and identify vulns and tell the security team about it. it couldn't find apache struts even though it was obviously publicly available.

    so, to sum up. some devops dude spins up public servers whenever he wants but doesn't tell security team. security team is dependent on some shitware to find publicly accessible servers but it doesn't work for shit.

    hey, dumb ass companies, if your "security team" is a bunch of windows using dumb asses who can't find publicly accessible servers using nmap, then you're going to get "hacked".
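
The inventory gap this comment describes, a service exposed to the network that never reached the list the security team patched from, is exactly what an asset-register-to-scan reconciliation is meant to catch. What follows is an added example written for this page, not Equifax's tooling and not code from anyone in the thread. Host names, Struts versions, the advisory's "first fixed" versions and the 48-hour window are constructed placeholders; only the March 8 publication date comes from the summary.

```python
"""Patch-compliance reconciliation for a single advisory (added example; not
Equifax's or Apache's code). Hosts, versions and fixed releases are constructed.

Compares the asset register (INVENTORY) with what a scan actually found
(DISCOVERED) against one ADVISORY, so that hosts the register never listed,
and hence never reached a patch list, are reported separately from registered
hosts that are merely late."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Service:
    host: str
    component: str
    version: str


def parse_version(version: str) -> tuple:
    # Constructed versions are purely numeric dotted strings such as "2.3.20".
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: dict        # release branch ("2.3") -> first fixed version
    published: datetime
    sla: timedelta        # internal window to deploy the fix

    @property
    def deadline(self) -> datetime:
        return self.published + self.sla

    def affects(self, version: str) -> bool:
        """Older than the first fixed release of its branch. A branch with no
        listed fix is treated as affected, so odd versions get reviewed."""
        branch = ".".join(version.split(".")[:2])
        fixed = self.fixed_in.get(branch)
        return fixed is None or parse_version(version) < parse_version(fixed)


def reconcile(inventory, discovered, advisory, now) -> dict:
    """Classify every exposed or registered instance of advisory.component."""
    registered = {s.host for s in inventory if s.component == advisory.component}
    report = {k: [] for k in ("untracked", "overdue", "pending", "compliant")}
    observed = set()
    for svc in discovered:
        if svc.component != advisory.component:
            continue
        observed.add(svc.host)
        if not advisory.affects(svc.version):
            report["compliant"].append(svc.host)
        elif svc.host not in registered:
            report["untracked"].append(svc.host)  # exposed, never on the patch list
        elif now > advisory.deadline:
            report["overdue"].append(svc.host)
        else:
            report["pending"].append(svc.host)
    # Register entries the scan could not confirm: "patched" on paper only.
    report["unverified"] = sorted(registered - observed)
    return report


# Constructed sample data; fixed versions are placeholders, not the real advisory.
ADVISORY = Advisory("struts", {"2.3": "2.3.32", "2.5": "2.5.10"},
                    datetime(2017, 3, 8, tzinfo=timezone.utc),  # CERT date in the summary
                    timedelta(hours=48))                         # window quoted in the thread
INVENTORY = [
    Service("web-01", "struts", "2.3.20"),  # registered, still affected
    Service("web-02", "struts", "2.5.12"),  # registered, already fixed
    Service("web-03", "struts", "2.3.20"),  # registered, not seen by the scan
    Service("web-04", "nginx", "1.12.1"),   # unrelated component, ignored
]
DISCOVERED = [
    Service("web-01", "struts", "2.3.20"),
    Service("web-02", "struts", "2.5.12"),
    Service("dev-07", "struts", "2.3.20"),  # spun up outside the register
]


def build_report(hours_after_publication: int) -> dict:
    now = ADVISORY.published + timedelta(hours=hours_after_publication)
    return reconcile(INVENTORY, DISCOVERED, ADVISORY, now)
```

Run 72 hours after publication, dev-07 lands in "untracked" while web-01 is merely "overdue"; the two need different fixes (an inventory process versus a faster patch cycle), which is the distinction the hearing blurred.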

  • (Score: 3, Insightful) by HiThere on Monday October 09 2017, @05:43PM (1 child)

    by HiThere (866) Subscriber Badge on Monday October 09 2017, @05:43PM (#579331) Journal

    So Wall Street investors were publicly told to flee the company, but the CEO blames someone not doing his job.

    The Wall Street investors were told that the company had no Computer Security plans, and insufficiently trained staff. The CEO blames someone not doing his job.

    I think that public notice should be a smoking gun to sue the management for incompetence, and possibly worse. Criminal charges don't seem implausible. Not that they'll happen to a management type unless he offends someone a lot more powerful.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by Thexalon on Monday October 09 2017, @07:18PM

      by Thexalon (636) on Monday October 09 2017, @07:18PM (#579370)

      Criminal charges don't seem implausible. Not that they'll happen to a management type unless he offends someone a lot more powerful.

      That's just it: Criminal charges won't be coming, because they never do for C-level executives of major companies regardless of what they do. Including killing people.

      I can tell you already exactly what the consequences of this will be when the dust settles:

      1. Equifax will eventually weather the storm of bad public relations, will continue to function as a business, and ultimately their stock will come back. Why? Because they're still getting business. They're still getting everybody's personal data. And people's memory is far from perfect, so they will eventually not notice "Wait, these guys gave away my personal details to identity thieves." I guarantee you their board is seeing this whole situation as a public relations problem, not a technical problem.

      2. The CEO, CIO, and peon who it's all been blamed on will be replaced with a new CEO, CIO, and peon.

      3. Mr. Smith will be forced to take his millions and spend the rest of his life relaxing in his extremely comfortable retirement. He might be occasionally forced to spend some of his vast sums of money to bribe away attorneys general and/or judges to prevent anyone from looking into what he did.

      4. The peon in question no longer has a career in IT. Guaranteed. Nobody with any kind of responsibility for securing anything would be willing to take on that kind of risk: Imagine if you hired that guy and there was a data breach to understand why that might be.

      5. Some people in the company will use the shakeup to hire their friends to do nothing useful.

      The end result will be that the only person who is punished for this entire debacle is one low-level IT guy.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by DeathMonkey on Monday October 09 2017, @05:50PM (1 child)

    by DeathMonkey (1380) on Monday October 09 2017, @05:50PM (#579334) Journal

    Is this supposed to be a defense??

    Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.

    So, they were completely incompetent in 200-fucking-five, like nobody knew about security back in the stone age? And, they only started getting their act together in the last 3 years? Wow...fills me with confidence!

    • (Score: 1, Interesting) by Anonymous Coward on Monday October 09 2017, @07:29PM

      by Anonymous Coward on Monday October 09 2017, @07:29PM (#579374)

      "when he started with Equifax 12 years ago there was no one in cybersecurity."

      That puts us at 2005. Think about that for a minute. 2005...

      And no, they don't have a 225 man team doing infosec. They have maybe a twentieth of that, and a 200 man call center eating shit and trying to externalize liability for the fact that they, and most other big corporations have ignored their infosec staff for over a decade, resulting in the current security climate.

      But ultimately the problem was created by SCOTUS and Congress. It goes all the way back to the Dictionary Act of 1871. Individual security was subordinated by law to institutional security. The problem is that there is no such thing as institutional security, since institutions aren't persons. This results in security infrastructure being driven by a market impetus to violate civil rights, not preserve them.

      Congress and SCOTUS were the ones that destroyed the 4th amendment. This failure is the technical manifestation, of that crime against civil rights. So they can fix it. But they won't. How could they possibly? Who's going to fund their next campaign, if it isn't Equifax?

  • (Score: 0) by Anonymous Coward on Monday October 09 2017, @06:59PM

    by Anonymous Coward on Monday October 09 2017, @06:59PM (#579359)

    If Equifax is like some companies I know, that 1 person was probably consistently working over 40 hours a week because there were too many "important" tasks that all needed done, yesterday.  Despite being on a 225-person team, they were probably still understaffed by 25 percent.

    The people on that team were probably getting no support from their immediate management on setting reasonable expectations to the middle and upper management.  Their feedback to management on which processes were working and which were not, along with requests to fix broken security tools were probably ignored, in favor of management cover-our-butt actions of checking off boxes instead of actually securing the infrastructure.

  • (Score: 0) by Anonymous Coward on Monday October 09 2017, @11:54PM

    by Anonymous Coward on Monday October 09 2017, @11:54PM (#579509)

    "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

    And that gives every single member of the security team, as well as many of the technical/development people, a <sarcasm>huge</sarcasm> amount of confidence they won't be thrown under the bus. A fairly large "bus" that involved exposing the confidential information for 145.5 Million people. I can only imagine how uneasy that group is after that statement was made. They must have been nervous before, now the anxiety level has to be maxed out.

    If they have any continuity in security staff and technical staff in 1-2 months, they will be lucky.
