How hackers broke into Equifax’s credit files
Breach was caused by a vulnerability in free, open-source software
While it might seem odd that a large corporation would run on open-source software such as Apache Struts, it’s actually common and considered safe.
SAN FRANCISCO
How could this happen?
Other than how to protect themselves, that’s the question on everyone’s mind about a security breach that could put as many as 143 million Americans at financial risk for the rest of their lives.
On Tuesday, credit reporting company Equifax told USA TODAY the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java Web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.
If it was due to an older vulnerability, many experts believe Equifax should have been aware of it and patched the flaw, as such patches are quickly made available.
If it was a new and unknown flaw, it was what is known in the security world as a zero-day, a confusing term that stems from a count of how long a vulnerability has been known and how long the vendor has had to correct it. A zero-day means it’s zero days from when anyone knew about it, so no one has fixed it.
Zero-days are worth a large amount of money and can be sold to hackers, governments and the companies whose software they are based on. There is an entire ecosystem of zero-day brokers who buy and sell them. Prices range from $20,000 to as much as $1 million. It’s impossible to know how much the vulnerability used in the Equifax breach would be worth without knowing what, exactly, it was.
But using a zero-day to get into Equifax seems “an unlikely scenario,” said Weston Henry, lead security analyst at SiteLock, a website security company.
And as a side note, while it might seem odd that a large corporation would run on “free, open-source” software, it’s actually very common and considered safe.
Open-source software is worked on publicly by a community of programmers, in the case of Apache through the highly regarded Apache Foundation. In many ways, such software is considered safer than off-the-shelf software because users can inspect the source code and make sure it’s secure, said Gretchen Ruck, head of the cybersecurity practice at Alix Partners, a New York consulting firm.
But even if Equifax had been breached because of an Apache Struts vulnerability, that’s no excuse, said Boris Chen, vice president of engineering at tCell, a company that does Web application security. Equifax, by the nature of its business as one of the top arbiters of consumers’ creditworthiness, should be a trusted guardian of prized identity information such as Social Security and driver’s license numbers.
“A single vulnerability in a Web component should not result in millions of highly sensitive records being exfiltrated. Security controls should have existed at many points along the way to stop such a catastrophic outcome,” he said.
It’s unclear whether Equifax used a standard security technique of segmenting networks, so even if hackers do get in, they can only gain access to a limited amount of data. “You would think that somebody like Equifax would go above and beyond the standard security precautions, simply because it’s sitting on such valuable pieces of data and is such an attractive target for hackers,” said Rahul Telang, a professor of information systems at Carnegie Mellon University.