Submitted via IRC for Fnord666_
In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.
Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team.
However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.
Related Stories
Submitted via IRC for SoyCow1937
There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.
The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.
[...] Optionsbleed, by contrast [to Heartbleed], doesn't pose as big a threat, but its effects can still be damaging. The risk is highest for server hosts that allow more than one customer to share a single machine. That's because Optionsbleed allows customers to exploit the flaw in a way that exposes secret data from other customers' hosts on the same system. On the Internet at large, the threat is less serious.
[...] Interestingly, the bug was first identified in 2014. Why it's only now being patched is unclear.
[Note: I checked with TheMightyBuzzard, and was informed that, though SoylentNews does run Apache, our systems are configured in such a way as to not expose OPTIONS. In other words, it is believed that we are not susceptible. --martyb]
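The Optionsbleed summary above says a vulnerable Apache answers an OPTIONS request with leaked memory where the list of supported methods should be. As an added, defender-side illustration (example code written for this page, not Apache's code or anything from the original disclosure), the checker below parses the Allow header of a raw OPTIONS response and flags entries that are not well-formed HTTP method tokens, empty entries left by stray separators, and methods listed more than once. The three responses are constructed samples; the "leaked" one, including its fake `db_password=placeholder` fragment, is invented to show what a corrupted header looks like to the check, not a real capture.

```python
"""Sanity-check the Allow header of an HTTP OPTIONS response.

Added example for this page (not from Apache or the Optionsbleed write-up).
A healthy server lists its supported methods in Allow; a server leaking
memory into that header produces entries that fail the checks below.
"""
import re
from collections import Counter

# RFC 7230 "token" characters: every legitimate HTTP method name matches this.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Methods a server commonly advertises, including WebDAV ones so a
# DAV-enabled host is not flagged for them.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}


def parse_allow_header(raw_response: bytes) -> list[str]:
    """Return the comma-separated entries of the Allow header, empty ones included.

    Empty elements (two adjacent commas) are kept on purpose: stray
    separators are one symptom of a corrupted header.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            # latin-1 decodes any byte value, so leaked non-ASCII bytes survive intact
            return [v.strip() for v in value.decode("latin-1").split(",")]
    return []


def check_allow(entries: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the header looks sane."""
    findings = []
    for entry in entries:
        if entry == "":
            findings.append("empty entry")
        elif not TOKEN_RE.match(entry):
            findings.append(f"malformed token {entry!r}")
        elif entry.upper() not in KNOWN_METHODS:
            findings.append(f"unrecognised method {entry!r}")
    for method, n in Counter(e for e in entries if e).items():
        if n > 1:
            findings.append(f"{method!r} listed {n} times")
    return findings


def scan_response(raw_response: bytes) -> list[str]:
    """Parse and check one raw OPTIONS response."""
    return check_allow(parse_allow_header(raw_response))


# Constructed sample responses (not real captures).
SANE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 09 Oct 2017 09:28:00 GMT\r\n"
        b"Allow: GET,POST,OPTIONS,HEAD\r\nContent-Length: 0\r\n\r\n")
STRAY_SEPARATORS = (b"HTTP/1.1 200 OK\r\nAllow: ,GET,,,POST,OPTIONS,HEAD,,\r\n"
                    b"Content-Length: 0\r\n\r\n")
LEAKED = (b"HTTP/1.1 200 OK\r\n"
          b"Allow: GET,POST,OPTIONS,HEAD,\x8a\x12 db_password=placeholder\r\n"
          b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("sane", SANE), ("stray separators", STRAY_SEPARATORS), ("leaked", LEAKED)):
        print(f"{label}: {scan_response(raw) or 'OK'}")
```

The check deliberately does not look for any particular leaked string: the property a defender can rely on is that a legitimate Allow header is a list of method tokens, so anything else in it is worth an alert regardless of what the bytes happen to contain.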
(Score: 5, Informative) by Anonymous Coward on Monday October 09 2017, @09:28AM (10 children)
If you have over 200 people and still it is possible for one person to fuck up the whole thing, you really have to re-evaluate your process diagrams!!
"trust but verify"
This is nothing but a CEO covering his ass. Criminal negligence on part of the execs and perhaps negligence on part of the one guy as well.
(Score: 0) by Anonymous Coward on Monday October 09 2017, @10:25AM
Not just 1 person, but a person whose job remit included forwarding emails.
I.e. a secretarial assistant.
You can't get the minimum wage staff these days. That's why the company failed.
(Score: 5, Touché) by zocalo on Monday October 09 2017, @11:01AM (2 children)
None of which absolves Richard Smith from *his* responsibility as CEO to make sure that the CIO and other C-level staff were doing their jobs, of course. Something he apparently completely failed to do by his own admission to Congress where he stated that he did not request any update on the matter for several weeks, by which point it was already too late.
UNIX? They're not even circumcised! Savages!
(Score: 2) by Gaaark on Monday October 09 2017, @04:04PM
Yes, it is the Captain's...errr the CEO's responsibility. Just ask Kirk.
Aside, maybe they left Jenn Barber in charge, while Roy and Moss were busy playing "catch the golf ball in your mouth" in their (under)pants.
Just wondering...
Sounds like Richard Smith is one of those CEOs who yell at their computer because he's told there is speech recognition/voice activation software on it, lol.
"Hello computer... computer... hello... HEllo.... HELLO computer.... HELLO!... HELLO!!... COMPUTER!! HELLO!!!"
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Monday October 09 2017, @05:02PM
How dare you throw a cisgendered woman, a superior being, under the bus! This is why there are no cisfemale programmers! See how horrible you misogynerds are!
Haha.... It sounds like Ms. Mauldin ran her department exactly the same way the women here do. It's always just one person at fault. That one person gets fired. Then after a year or so, shit hits the fan all over again, and yet again, it's this one person who fucked up! All their fault! Fire them! Then after a year... well, you get the picture.
Process? Procedure? QA? A second set of eyes, at least, for the important stuff? What the fuck is that? That's just stupid crap that assigned males do, and we know how awful those inferior, incomplete beings are.
Next stop: now if only the IT department had been 100% womyn-born-womyn, then, obviously, it wouldn't have happened, because, as superior and complete beings, womyn-born-womyn are infallible!
(Score: 5, Insightful) by TheRaven on Monday October 09 2017, @11:13AM (5 children)
sudo mod me up
(Score: 5, Insightful) by isostatic on Monday October 09 2017, @11:47AM (2 children)
If one person can screw up and accidentally destroy your company, imagine what 1 person who's out to actually do harm can do.
(Score: 2) by Gaaark on Monday October 09 2017, @04:09PM (1 child)
"Equifax did not say in its statement what retirement packages the executives would receive."
What? No jail time?
REALLLLLLY feck with your customers, put a company into dire financial straits (haven't looked: just assuming) and.....drumroll.....you get a retirement package?
Are they out of 'steel toe up the ass' boots?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 4, Insightful) by Thexalon on Monday October 09 2017, @06:37PM
This is nothing new. For instance, Carly Fiorina ran HP into the ground, and HP paid her $40 million to go away.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by EvilSS on Monday October 09 2017, @05:55PM (1 child)
(Score: 0) by Anonymous Coward on Monday October 09 2017, @06:50PM
Well, responsible or not, the shareholders are going to get shafted. How about them CxOs?
(Score: -1, Redundant) by Anonymous Coward on Monday October 09 2017, @10:09AM (2 children)
n/t
(Score: 0) by Anonymous Coward on Monday October 09 2017, @10:35AM (1 child)
Former Equifax CEO says breach boiled down to one person not doing their job. Who it was may surprise you.
(Score: 2) by isostatic on Monday October 09 2017, @11:31AM
The only thing that would surprise me is if the CEO admitted it was him not doing the job
(Score: 1, Insightful) by Anonymous Coward on Monday October 09 2017, @12:13PM
You fucking peons need to shut the fuck up!
Your betters decide what's best for you. And what's best for you is that your corporate owners take more money and security be damned.
It's not like their information has been compromised. Just fucking losers like you.
And you have some sort of idea that you matter? Give it up suckers. You were born to lose and you get what you deserve.
and don't give me a line of shit like "muh privacee!" You don't rate. You are product. Nothing more.
And you will do as you're told or they will become most annoyed. Which means you will be in a world of shit.
So BOHICA motherfuckers!
(Score: 0) by Anonymous Coward on Monday October 09 2017, @12:38PM
I can't remember what the first story was, but the level of 'not very good' was about the same.
The last story was 'don't worry, we are going to do an internal investigation and get to the bottom of this'.
Today's story is 'we found the single guy responsible for this'.
The series of stories might be laughable if they were not trying to explain a serious problem.
If they did their job as well as they do their stories, then perhaps they are actually showing the problem.
Simple incompetence.
(Score: 4, Insightful) by bradley13 on Monday October 09 2017, @01:35PM
This claim demonstrates two things:
- The person speaking does not understand security, or security procedures.
- They had no security procedures in place, because one of the purposes of such procedures is to prevent simple human error.
In the meantime, we know that Equifax was apparently audited well before the security breach, and told that they had inadequate procedures in place [soylentnews.org]
Everyone is somebody else's weirdo.
(Score: 3, Insightful) by SomeGuy on Monday October 09 2017, @02:10PM (1 child)
I haven't delved in to the exact details of the breach, but what it all sounds like makes me think of a bank with no security.
Imagine if the lock on the back door of your bank broke, no one noticed, and anyone could just waltz in and take all of the money!
In reality, if the lock on a bank's back door broke, someone would probably be specifically assigned to check and notice such things in the first place. Even if that did go unnoticed or unfixed for a while, there would be other locked doors, one after another right up to a big honking metal bank vault door. And someone would have checked and locked all of those and may even still be sitting there waiting. If someone did walk in that back door even if they couldn't get any further, there would still be security cameras catching them in the act and security alarms. Any desks or cabinets right inside that door would be locked and otherwise secured, so at best an intruder might be able to make off with the stapler before an entire parade of police chase him down and unload a military sized can of whoop-ass on his butt.
If none of that was in place at your bank and all the money vanished then whose fault is it? The janitor's fault for not getting that lock fixed in a timely manner?
BULL FUCKING SHIT, NO!
(Score: 4, Insightful) by Thexalon on Monday October 09 2017, @06:49PM
Good security doesn't have 1 person who checks and notices such things. Good security has, say, the 10 employees who work at that branch noticing such things, because they all walked through that door when they came into work that day and all noticed something was wrong and immediately reported it to the branch manager (ideally, getting rewarded for their vigilance). And then the branch manager does something along the lines of hiring a locksmith to come in and take care of it immediately, and maybe ensure somebody jury-rigs a chain or something to keep that door shut until the locksmith can come.
What happens in many IT organizations is that:
- There is at most 1 peon assigned to look at that lock.
- If that peon notices something wrong and reports it, the very best they can hope for is to be told that they need to work into the night for no extra pay to fix it immediately or lose their job.
- No outside help is hired, in part because the lower-level manager actually handling the problem doesn't have the budget authority to do that, but also because nobody really cares.
- While the problem still exists, upper management will insist that the door remain openable, and if there's no lock on it, so be it.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Funny) by Anonymous Coward on Monday October 09 2017, @02:50PM
We know because the one guy that makes up the entire engineering staff, his five bosses all said so.
(Score: 3, Insightful) by srobert on Monday October 09 2017, @04:04PM
... then it should also be important to develop a methodology which makes failing to do it right nearly impossible. Low level employees can carry it out if it's been developed and they've been properly instructed. Mid-level employees can develop the methodology, but they lack the authority to dictate that it be implemented across the board. The authority to see that such is developed AND implemented rests with those at the top of the hierarchy. So if there was just one person on whom the blame could be placed (which I doubt), then that person would be the CEO.
(Score: 2, Interesting) by Anonymous Coward on Monday October 09 2017, @05:02PM
i watched the hearing. while the quote in the summary is accurate, that whole verbal exchange was a cluster fuck. the reps didn't know what they were saying/asking and the ceo was nervous and so worried about using the right words he couldn't just explain it where they could understand.
what the ceo really was trying to say is that there were two teams: the tech team(IT/LSA?/Web devs/devops) and the security team. the "one person" he's referring to is someone on the tech team. that person never told the security team that apache struts was even installed. that's why it never got patched. it wasn't on the list of installed shit. the security team also has some presumably proprietary shitware (probably gpl violating shit that uses nmap poorly) that is supposed to scan the network(s) looking for services that are accessible and identify vulns and tell the security team about it. it couldn't find apache struts even though it was obviously publicly available.
so, to sum up. some devops dude spins up public servers whenever he wants but doesn't tell security team. security team is dependent on some shitware to find publicly accessible servers but it doesn't work for shit.
hey, dumb ass companies, if your "security team" is a bunch of windows using dumb asses who can't find publicly accessible servers using nmap, then you're going to get "hacked".
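The comment above describes two gaps: a server nobody declared to the security team, and a patch (the story says it had been available for months) that therefore never reached the patch list. As an added example for this page, not code from Equifax or from the commenter, the script below shows the reconciliation step that closes both gaps: it diffs what application teams declared against what a scan of the public range actually found, then checks every discovered product against a table of fixed versions with a numeric rather than string comparison. All hosts, products, versions and the fixed-version table are constructed placeholders, not real advisory data.

```python
"""Reconcile declared inventory with discovered services, then check patch level.

Added example for this page. Every host, product and version below is a
constructed placeholder; FIXED_IN is not real advisory data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    product: str
    version: str


def version_key(v: str) -> tuple[int, ...]:
    """Turn '2.3.50' into (2, 3, 50) so versions compare numerically.

    Comparing the strings directly would rank '2.3.50' below '2.3.6'.
    """
    return tuple(int(part) for part in v.split("."))


# What the application teams reported to security (constructed).
DECLARED = {
    Service("web-01.example.test", "webserver", "4.2.7"),
    Service("app-01.example.test", "appserver", "8.5.20"),
}

# What an external scan of the public address range found (constructed).
# The third entry is the "devops dude spins up a server" case from the comment.
DISCOVERED = [
    Service("web-01.example.test", "webserver", "4.2.7"),
    Service("app-01.example.test", "appserver", "8.5.20"),
    Service("app-02.example.test", "struts-like-framework", "2.3.6"),
]

# Product -> first version that contains the fix (constructed placeholders).
FIXED_IN = {"struts-like-framework": "2.3.50", "webserver": "4.2.7"}


def undeclared(discovered: list[Service], declared: set[Service]) -> list[Service]:
    """Services seen on the network that nobody told the security team about."""
    known = {(s.host, s.product) for s in declared}
    return [s for s in discovered if (s.host, s.product) not in known]


def unpatched(discovered: list[Service], fixed_in: dict[str, str]) -> list[Service]:
    """Services whose product has a known fix that their version predates."""
    return [
        s for s in discovered
        if s.product in fixed_in
        and version_key(s.version) < version_key(fixed_in[s.product])
    ]


def patch_report(discovered, declared, fixed_in) -> dict[str, list[Service]]:
    """Both findings in one place, which is what a weekly review would act on."""
    return {
        "undeclared": undeclared(discovered, declared),
        "unpatched": unpatched(discovered, fixed_in),
    }


if __name__ == "__main__":
    for category, services in patch_report(DISCOVERED, DECLARED, FIXED_IN).items():
        print(category)
        for s in services:
            print(f"  {s.host}: {s.product} {s.version}")
```

The discovered list, not the declared one, drives the patch check: if the security team only checks what it was told about, the undeclared server is exactly the one that never gets patched, which is the failure the comment describes.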
(Score: 3, Insightful) by HiThere on Monday October 09 2017, @05:43PM (1 child)
So Wall Street investors were publicly told to flee the company, but the CEO blames someone not doing his job.
The Wall Street investors were told that the company had no Computer Security plans, and insufficiently trained staff. The CEO blames someone not doing his job.
I think that public notice should be a smoking gun to sue the management for incompetence, and possibly worse. Criminal charges don't seem implausible. Not that they'll happen to a management type unless he offends someone a lot more powerful.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by Thexalon on Monday October 09 2017, @07:18PM
That's just it: Criminal charges won't be coming, because they never do for C-level executives of major companies regardless of what they do. Including killing people.
I can tell you already exactly what the consequences of this will be when the dust settles:
1. Equifax will eventually weather the storm of bad public relations, will continue to function as a business, and ultimately their stock will come back. Why? Because they're still getting business. They're still getting everybody's personal data. And people's memory is far from perfect, so they will eventually not notice "Wait, these guys gave away my personal details to identity thieves." I guarantee you their board is seeing this whole situation as a public relations problem, not a technical problem.
2. The CEO, CIO, and peon who it's all been blamed on will be replaced with a new CEO, CIO, and peon.
3. Mr. Smith will be forced to take his millions and spend the rest of his life relaxing in his extremely comfortable retirement. He might be occasionally forced to spend some of his vast sums of money to bribe away attorneys general and/or judges to prevent anyone from looking into what he did.
4. The peon in question no longer has a career in IT. Guaranteed. Nobody with any kind of responsibility for securing anything would be willing to take on that kind of risk: Imagine if you hired that guy and there was a data breach to understand why that might be.
5. Some people in the company will use the shakeup to hire their friends to do nothing useful.
The end result will be that the only person who is punished for this entire debacle is one low-level IT guy.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by DeathMonkey on Monday October 09 2017, @05:50PM (1 child)
Is this supposed to be a defense??
Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225-person team.
So, they were completely incompetent in 200-fucking-five, like nobody knew about security back in the stone age? And, they only started getting their act together in the last 3 years? Wow...fills me with confidence!
(Score: 1, Interesting) by Anonymous Coward on Monday October 09 2017, @07:29PM
"when he started with Equifax 12 years ago there was no one in cybersecurity."
That puts us at 2005. Think about that for a minute. 2005...
And no, they don't have a 225 man team doing infosec. They have maybe a twentieth of that, and a 200 man call center eating shit and trying to externalize liability for the fact that they, and most other big corporations have ignored their infosec staff for over a decade, resulting in the current security climate.
But ultimately the problem was created by SCOTUS and Congress. It goes all the way back to the Dictionary Act of 1871. Individual security was subordinated by law to institutional security. The problem is that there is no such thing as institutional security, since institutions aren't persons. This results in security infrastructure being driven by a market impetus to violate civil rights, not preserve them.
Congress and SCOTUS were the ones that destroyed the 4th amendment. This failure is the technical manifestation, of that crime against civil rights. So they can fix it. But they won't. How could they possibly? Who's going to fund their next campaign, if it isn't Equifax?
(Score: 0) by Anonymous Coward on Monday October 09 2017, @06:59PM
If Equifax is like some companies I know, that 1 person was probably consistently working over 40 hours a week because there were too many "important" tasks that all needed done, yesterday. Despite being on a 225-person team, they were probably still understaffed by 25 percent.
The people on that team were probably getting no support from their immediate management on setting reasonable expectations to the middle and upper management. Their feedback to management on which processes were working and which were not, along with requests to fix broken security tools were probably ignored, in favor of management cover-our-butt actions of checking off boxes instead of actually securing the infrastructure.
(Score: 0) by Anonymous Coward on Monday October 09 2017, @11:54PM
And that gives every single member of the security team, as well as many of the technical/development people, a <sarcasm>huge</sarcasm> amount of confidence they won't be thrown under the bus. A fairly large "bus" that involved exposing the confidential information for 145.5 million people. I can only imagine how uneasy that group is after that statement was made. They must have been nervous before, now the anxiety level has to be maxed out.
If they have any continuity in security staff and technical staff in 1-2 months, they will be lucky.