How hackers broke into Equifax’s credit files

Breach was caused by a vulnerability in free, open-source software

USA TODAY International Edition - - MONEY - Elizabeth Weise @eweise


SAN FRANCISCO - How could this happen?

Other than how to protect themselves, that’s the question on everyone’s mind about a security breach that could put as many as 143 million Americans at financial risk for the rest of their lives.

On Tuesday, credit reporting company Equifax told USA TODAY the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java Web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.

If it was due to an older vulnerability, many experts believe Equifax should have been aware of it and patched the flaw, as such patches are quickly made available.

If it was a new and unknown flaw, it was what is known in the security world as a zero-day, a confusing term that stems from a count of how long a vulnerability has been known and how long the vendor has had to correct it. A zero-day means it has been zero days since anyone knew about it, so no one has had a chance to fix it.

Zero-days are worth a large amount of money and can be sold to hackers, governments and the companies whose software they are based on. There is an entire ecosystem of zero-day brokers who buy and sell them. Prices range from $20,000 to as much as $1 million. It’s impossible to know how much the vulnerability used in the Equifax breach would be worth without knowing what, exactly, it was.

But using a zero-day to get into Equifax seems “an unlikely scenario,” said Weston Henry, lead security analyst at SiteLock, a website security company.

And as a side note, while it might seem odd that a large corporation would run on “free, open-source” software, it’s actually very common and considered safe.

Open-source software is worked on publicly by a community of programmers, in the case of Apache through the highly regarded Apache Foundation. In many ways, such software is considered safer than off-the-shelf software because users can inspect the source code and make sure it’s secure, said Gretchen Ruck, head of the cybersecurity practice at AlixPartners, a New York consulting firm.

But even if Equifax had been breached because of an Apache Struts vulnerability, that’s no excuse, said Boris Chen, vice president of engineering at tCell, a company that does Web application security. Equifax, by the nature of its business as one of the top arbiters of consumers’ creditworthiness, should be a trusted guardian of prized identity information such as Social Security and driver’s license numbers.

“A single vulnerability in a Web component should not result in millions of highly sensitive records being exfiltrated. Security controls should have existed at many points along the way to stop such a catastrophic outcome,” he said.

It’s unclear whether Equifax used a standard security technique of segmenting networks, so even if hackers do get in, they can only gain access to a limited amount of data. “You would think that somebody like Equifax would go above and beyond the standard security precautions, simply because it’s sitting on such valuable pieces of data and is such an attractive target for hackers,” said Rahul Telang, a professor of information systems at Carnegie Mellon University.
