What can we learn from Equifax?
by John Browne, on Sep 13, 2017 4:35:04 PM
Assuming you didn't just arrive from Mars, you will have heard about the recent data breach at credit-monitoring company Equifax that affects 143,000,000 people, mostly Americans, which by my back-of-the-envelope calculation is basically everyone. And by everyone I mean every adult resident of the USofA who has ever had a job, had a credit card, bank account, electric bill, apartment, car loan, boat loan, or mortgage.
Like I said, everyone.
It's not like data breaches are new or rare (the Wikipedia list is truly depressing). Some of the more astounding ones: Adobe: 152M, Anthem: 80M, AOL: 92M, 20M, 2.4M, Apple: 12M, Ashley Madison: 32M...ok, that's enough and I didn't even make it past "A". If I had gone on long enough, I would have hit the king of all: Yahoo at 1.5B. Yeah, billion with a "B". Finally they got to first place at something.
Most of the major breaches have some common aspects. I think we can see what they are by looking at the back story on Equifax, as discerned from various reportings recently.
In 2016 Equifax was hacked in the following way: they sell a service whereby the employees of companies can access their Federal W-2 forms electronically ("W2Express"). The way people access their account is through a PIN--the default of which is 8 digits: the last four of your SSN and the year of your birth. Apparently they didn't require people to change this access code immediately, so hackers were able to access as many as 431K employee accounts belonging to grocery-conglomerate Kroger. Putting super-private info (earnings, SSN, etc.) behind such an easy-to-hack PIN is just lazy.
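As an added illustration (not from the original post and not Equifax's code): an audit that flags accounts still sitting on the derived "SSN last four + birth year" default PIN so they can be forced through a reset, and puts a number on how little that scheme protects once the inputs are known. The account records and PINs are constructed sample data.

```python
"""Audit for accounts still using a predictable default PIN.

Added example, not Equifax's code. The scheme in the post derives an
8-digit default PIN from the last four SSN digits plus the birth year;
this audit flags any account whose PIN still equals that derivation.
"""
import hmac
import math


def derived_default_pin(ssn_last4: str, birth_year: int) -> str:
    """Rebuild the default PIN described in the post: SSN last four + birth year."""
    if len(ssn_last4) != 4 or not ssn_last4.isdigit():
        raise ValueError("ssn_last4 must be exactly four digits")
    return f"{ssn_last4}{birth_year:04d}"


def is_default_pin(current_pin: str, ssn_last4: str, birth_year: int) -> bool:
    """True when the account never moved off the derivable default."""
    # Constant-time compare so the audit itself does not leak a match via timing.
    return hmac.compare_digest(current_pin, derived_default_pin(ssn_last4, birth_year))


def effective_pin_bits(known_ssn_last4: bool, known_birth_year: bool,
                       plausible_years: int = 80) -> float:
    """Bits of guessing work the default scheme leaves, given what is already known.

    A uniformly random 8-digit PIN is 10**8 possibilities (~26.6 bits). The
    default scheme is at most 10**4 * plausible_years, and drops to zero once
    both the SSN tail and the birth year are known from other records.
    """
    bits = 0.0
    if not known_ssn_last4:
        bits += math.log2(10_000)          # four unknown digits
    if not known_birth_year:
        bits += math.log2(plausible_years)  # realistic range of adult birth years
    return bits


def accounts_needing_reset(accounts):
    """Return usernames whose PIN still equals the derived default."""
    return [a["user"] for a in accounts
            if is_default_pin(a["pin"], a["ssn_last4"], a["birth_year"])]


SAMPLE_ACCOUNTS = [  # constructed sample records, not real people
    {"user": "alice", "ssn_last4": "1234", "birth_year": 1975, "pin": "12341975"},
    {"user": "bob",   "ssn_last4": "9876", "birth_year": 1990, "pin": "41270315"},
    {"user": "carol", "ssn_last4": "5555", "birth_year": 1982, "pin": "55551982"},
]

if __name__ == "__main__":
    print("still on default PIN:", accounts_needing_reset(SAMPLE_ACCOUNTS))
    print(f"random 8-digit PIN: {math.log2(10**8):.1f} bits; default scheme, nothing known: "
          f"{effective_pin_bits(False, False):.1f}; SSN tail and DOB known: "
          f"{effective_pin_bits(True, True):.1f}")
```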
Following the Kroger hack, a suit was brought against Equifax for damages, which they sought to have thrown out of court. The case was eventually dropped on the condition that Equifax fix the underlying problem with PINs.
But did they?
Well, not in Argentina they didn't. Krebs on Security is reporting that Hold Security LLC has discovered that Equifax's Argentinian employee portal had a number of significant security holes, including administrative access behind the classic "admin/admin" challenge response pair (like your $100 WiFi router, but more important).
Getting into that account let anyone see employee usernames in plain text, with masked passwords--except the "masked" passwords were stored in plain text in the underlying HTML. And, to rub salt into the wounds, the portal contained--again in plain text--the Argentinian equivalent of our SSN (their national ID number, or DNI) of as many as 14,000 Argentine citizens who had filed consumer complaints.
And--let's torture this horse's corpse--Equifax's response to the US hack was to get their PR firm to throw up a crap Wordpress website for people to check to see if they were impacted (see Webster under "Everyone") and it failed every kind of basic security standard, showcased best by requiring you to enter six of your nine SSN digits to get in.
Not the recommended three digits, nor even four.
There's so much more to this story but I don't have time, space, or frankly the intestinal fortitude to recount it all. Google is your friend if you can stand to learn just how bad it is. So let's move on to item 3:
White-hat hackers have been looking closely at Equifax's public-facing presence, and what they've found is a shocking bunch of truly ancient bits and pieces. According to Forbes, Kenneth White found a link to Netscape (remember Netscape?), and UK security expert Kevin Beaumont pointed out that their underlying code was like "stepping back in time a decade."
Let me say this as clearly as I can: old IT is dangerous. Old code is dangerous. Legacy apps are dangerous. As a famous Las Vegas duo found out, just because your tiger hasn't bitten you yet doesn't mean it won't. And when it does, it will hurt.
Equifax says they are going to really really seriously no-kidding improve their security. I expect they will, just as I'm pretty sure CEO Richard Smith's appearance on Oct 3 before a subcommittee at the US House of Representatives will bring out a rare demonstration of bipartisanship as members compete to see who can beat him the most brutally.
Just as I'm pretty sure that Equifax will be tied up in lawsuits for years.
Just as I'm pretty sure this will cost them billions in penalties, judgments, legal fees, damage control, and more.
Just as I'm pretty sure that many senior execs at Equifax, both in and out of IT, have just ended their careers--and possibly are headed for a long vacation with three hots and a cot.
Wells Fargo, VW, and now Equifax. Any reasonable non-mentally-impaired executive could have predicted that the defecation would inevitably hit the ventilation.
Sooner or later, the snake will escape
When my kid was little, he wanted a pet snake. I personally don't like snakes and question the sanity of anyone who actually does, but that's beside the point. He's maybe 9 years old and loves his snake, names it Jake the Snake, and has to show it to all the neighborhood kids. We stressed not taking the snake out of the cage or opening the door to the cage because the snake might get out of the cage.
So of course the snake got out. And so did its replacement. Which was the end of snakes as pets in my household.
See, the problem is the snake only needed one lapse to get out. And if you've ever had a runaway snake in your house (if not, good on you) you know: you will never find them until they croak. They will get into places you didn't believe you had. So the snake security has to be 100%. 99.999% isn't quite good enough to keep the snake in the cage.
The only real way to prevent the snake from getting out of the cage is: no snake.
The only way to prevent your legacy code from hurting you is:
No legacy code.
This really is the crux of the matter--code grows old, not so much because it atrophies, but because it remains static while everything around it progresses and changes. That 20-something hotshot dev you just hired out of school learned how to do app security reviews on Java or C#--not on ASP or VB6. She's never seen VB6 and doesn't want to sully her resume with a VB6 project. The VB6 dev who still maintains that old app was possibly self-taught and never had a class on cross-site scripting or SQL injection.
Nobody expects the Spanish Inquisition
Returning to that sad list on Wikipedia, how many of those CIOs expected to be hacked? I'm guessing none of them. Some hacks are pretty complicated and sophisticated--the Target hack and this one come to mind. Target has said its breach cost it over $200M and that was before they finalized the consumer class action lawsuit. But hacks like Equifax are often just exploits that are well known, easy to implement, and completely preventable.
How much would it have cost to prevent the hack? How much would it have cost Equifax (whose shareholders, at this writing, have lost over $7B in the last week. Oops.)?
Nobody expects to be hacked. And everyone who gets hacked faces huge financial consequences. And lots of companies with old tech, old code, old platforms get hacked. But they don't have to.