Toronto Star

How did the Equifax breach happen?

Free, open-source software may be at root of hack, despite being safer than off-the-shelf programs

ELIZABETH WEISE, USA TODAY

SAN FRANCISCO— How could this happen? Other than how to protect themselves, that’s the question on everyone’s mind about a security breach that could put as many as 143 million Americans at financial risk for the rest of their lives.

On Tuesday, credit reporting company Equifax told USA Today the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications.

Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.

If it was due to an older vulnerability, many experts believe Equifax should have been aware of it and patched the flaw, as such patches are quickly made available.

If it was a new and previously unknown flaw, it was what the security world calls a zero-day, a confusing term that comes from counting how many days a vulnerability has been publicly known and, therefore, how long the vendor has had to correct it.

A zero-day means the vendor has had zero days to work on a fix because nobody except the attacker knew about the flaw, so no patch exists for it yet.

Zero-days are worth a large amount of money and can be sold to hackers, to governments and to the companies whose software they are based on.

There is an entire ecosystem of zero-day brokers who buy and sell them. Prices range from $20,000 (U.S.) to as much as $1 million. It’s impossible to know how much the vulnerability used in the Equifax breach would be worth without knowing what, exactly, it was.

But using a zero-day to get into Equifax seems “an unlikely scenario,” according to Weston Henry, lead security analyst at SiteLock, a website security company.

And as a side note, while it might seem odd that a large corporation would run on “free, open-source” software, it’s actually very common and considered safe.

Open-source software is worked on publicly by a community of programmers, in the case of Apache Struts through the highly regarded Apache Software Foundation. In many ways, such software is considered safer than off-the-shelf software because users can inspect the source code and make sure it’s secure, said Gretchen Ruck, head of the cybersecurity practice at AlixPartners, a New York consulting firm.

But even if Equifax had been breached due to an Apache Struts vulnerability, that’s no excuse, said Boris Chen, vice-president of engineering at tCell, a company that does web application security. Equifax, by the nature of its business as one of the top arbiters of consumers’ creditworthiness, should be a trusted guardian of prized identity information such as Social Security and driver’s licence numbers.

“A single vulnerability in a web component should not result in millions of highly sensitive records being exfiltrated,” he said.

“Security controls should have existed at many points along the way to stop such a catastrophic outcome.”

It’s unclear whether Equifax used a standard security technique, network segmentation, which splits systems into isolated zones so that even if hackers do get into one of them, they can only reach a limited amount of data.

“You would think that somebody like Equifax would go above and beyond the standard security precautions, simply because it’s sitting on such valuable pieces of data and is such an attractive target for hackers,” said Rahul Telang, a professor of information systems at Carnegie Mellon University.

Figuring out who was behind the breach may prove difficult, or even impossible.

There are many ways to ensure that things done online cannot be tied to a specific group.

That includes making an attack look like it came from a completely different location in the world, using files containing text in other languages, setting erroneous time stamps and deliberately employing malicious code known to be used by certain hacking groups.

“Without direct, first-hand knowledge of an attack, these aspects alone make attribution difficult,” said James Carder, chief information security officer at LogRhythm, a security intelligence company.

The reason the hackers wanted the data is likely financial — to sell it to other criminals — or it could have been the work of a country looking for data to use for intelligen­ce purposes.

Another question swirling about is how the hackers got all that data out without anyone noticing. Siphoning information about 143 million consumers out of a network is hard to miss.

“Someone should have said ‘This server’s load is incredibly high right now, what’s going on?’ What kind of business doesn’t watch for that?” said Itzik Kotler, chief technology officer at SafeBreach, a company that develops breach and remediation scenarios.
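The “who watched the load” question is one a detection engineer would answer by looking at the web tier’s own access logs for a client pulling far more data than anyone else. The script below is an added example, not code from the article, from Equifax or from any of the companies quoted; it runs over a constructed Apache combined-format access log (the IP addresses, paths and byte counts are invented for this illustration) and flags any client whose served bytes within a five-minute window exceed either an absolute ceiling or a large multiple of the median client’s peak. The thresholds (100 MiB, 20x median) are assumptions a real deployment would tune to its own traffic.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache combined format. Hosts, paths and
# byte counts are invented for this example; nothing here is real breach data.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2017:10:00:01 +0000] "GET /account/view?id=1001 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2017:10:00:07 +0000] "GET /account/view?id=1002 HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Sep/2017:10:00:09 +0000] "GET /account/view?id=2200 HTTP/1.1" 200 4105 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Sep/2017:10:01:00 +0000] "POST /account/search HTTP/1.1" 200 512 "-" "curl/7.54"
203.0.113.77 - - [12/Sep/2017:10:01:02 +0000] "GET /report/bulk?offset=0 HTTP/1.1" 200 52428800 "-" "curl/7.54"
203.0.113.77 - - [12/Sep/2017:10:01:31 +0000] "GET /report/bulk?offset=50000 HTTP/1.1" 200 52428800 "-" "curl/7.54"
203.0.113.77 - - [12/Sep/2017:10:02:05 +0000] "GET /report/bulk?offset=100000 HTTP/1.1" 200 52428800 "-" "curl/7.54"
10.0.0.5 - - [12/Sep/2017:10:02:40 +0000] "GET /account/view?id=1003 HTTP/1.1" 200 4022 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line, status and response size from a
# combined-format line; the referer and user-agent fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),  # "-" means no body was sent
    }


def peak_window_bytes(events, window):
    """Largest total of bytes served to one client inside any span of `window`.

    `events` is a list of (timestamp, bytes). A two-pointer sweep over the
    sorted events keeps a running sum and drops events older than the window.
    """
    events.sort()
    best = total = 0
    start = 0
    for ts, nbytes in events:
        total += nbytes
        while ts - events[start][0] > window:
            total -= events[start][1]
            start += 1
        best = max(best, total)
    return best


def find_bulk_readers(lines, window=timedelta(minutes=5),
                      byte_limit=100 * 1024 * 1024, ratio=20):
    """Return {ip: peak_bytes} for clients whose served bytes in any `window`
    exceed `byte_limit` or `ratio` times the median client's peak.

    Only successful (200) responses count: those are the ones that carried data.
    Thresholds are assumptions for this example, not values from the article.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 200:
            per_ip[rec["ip"]].append((rec["ts"], rec["bytes"]))
    if not per_ip:
        return {}
    peaks = {ip: peak_window_bytes(ev, window) for ip, ev in per_ip.items()}
    baseline = statistics.median(peaks.values())
    return {ip: b for ip, b in peaks.items()
            if b > byte_limit or b > ratio * baseline}


if __name__ == "__main__":
    for ip, nbytes in find_bulk_readers(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {nbytes / 1024 / 1024:.1f} MiB served within one window")
```

On the constructed log only 203.0.113.77 is flagged: three 50 MiB pulls in about a minute, against a few kilobytes for each ordinary client. The caveat a practitioner would raise is that a volume rule like this is exactly what a patient attacker defeats by trickling records out over weeks at ordinary-looking rates; pairing it with a per-client count of distinct record identifiers requested over a longer window, and with egress monitoring at the network boundary rather than only on the web server, closes part of that gap.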

Photo: DREAMSTIME. Equifax said a breach of its systems had exposed personal information of up to 143 million consumers.
