LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-14-2017, 01:29 PM   #1
Linux_Kidd
Equifax Struts issue


Although it appears Equifax is claiming an older (unpatched) Struts CVE as the cause of their breach, the Struts dev folks had better start explaining CVE-2017-9805 and the claims moving around the net that this vuln has been in Struts for the past ~9 years.
 
Old 09-14-2017, 03:31 PM   #2
MensaWater
Shouldn't you post some SOURCE for those supposed claims?

If the vulnerability has been around (and known) for 9 years shouldn't someone be able to point to an old post that talks about it?

An entity like Equifax relying on FOSS without doing their own due diligence for software they implement can hardly blame the FOSS maker (especially if they're not paying for support). Equifax ought to be able to point to the exact vulnerability and lack of patch before they do this. In my view Equifax is just trying to avoid responsibility by casting aspersions on others.

Interesting to me is that after the reported hack I was able to freeze my credit on TransUnion and Experian online but Equifax told me I'd have to send them snail mail. Equifax should have immediately put all accounts on credit freeze once they discovered the hack. Instead they put up a thing that you have to agree NOT to sue them before they'll even tell you if you were affected.

Ex-Governor Roy Barnes has already announced a class action lawsuit against Equifax and based on what Equifax has done so far I'm apt to cheer him on:
-Had the hack in May.
-Learned about it in July.
-Announced it just now in September.
-Trying to scare you into signing away your right to hold them accountable just to be told whether you were affected.
-Requiring snail mail to freeze your account.

Last edited by MensaWater; 09-14-2017 at 03:44 PM.
 
Old 09-14-2017, 04:07 PM   #3
Linux_Kidd
@MensaWater

If you are asking, then you are late to the party:
https://www.theregister.co.uk/2017/0...ax_allegation/
https://qz.com/1073221/the-hackers-w...security-flaw/


I would not do anything with Equifax now; doing so will remove some of your rights, which is being challenged.
I also cannot ascertain if existing PINs were breached. And from the info I have now you cannot change the PIN via phone or online, and snail mail will take weeks, possibly months. Equifax are such tards, the PIN system is trivial!! They just recently changed it to a random() generator!! Idiots from A-Z.

In my ~23yr professional security opinion, Equifax should be taken offline immediately, forever. If they wish to re-start selling everyone's personal info (that's their biz btw) then they can do it via another company under new leadership.

Last edited by Linux_Kidd; 09-14-2017 at 04:09 PM.
 
Old 09-14-2017, 07:28 PM   #4
jefro
Just a disaster waiting to happen more.

Some group or unfriendly country could create a financial sneak attack. If you were worried about connected electrical grid (except Texas) then you need to be worried about this.
 
Old 09-14-2017, 08:24 PM   #5
frankbell
The Equifax issue is ultimately a management issue.

Management didn't care.

Not that that is an unprecedented phenomenon.
 
Old 09-15-2017, 07:59 AM   #6
MensaWater
Quote:
Originally Posted by Linux_Kidd View Post
@MensaWater
if you are asking then you are late to the party
I was asking for links that proved a 9 year old bug. The first link you posted specifically has Apache saying there is a difference between a 9 year old flaw that might have only been recently discovered and a bug that has been known for 9 years which was the point I was making.

It goes on to say that the people that originally suggested it was this 9 year old bug have now backtracked and admitted it might have been the March bug that Apache had patched before the May exploit.

None of that explains why Equifax didn't report until September when they say they discovered the issue in July.

I agree that Equifax is just making things worse for themselves by trying to insist that people affected sign away rights just to find out they were affected. As I suggested in my post they should at a minimum freeze all access to affected numbers until everyone has been notified.
 
Old 09-15-2017, 09:18 AM   #7
sundialsvcs
I also think that this would be a very good time to start regulating credit reporting agencies, and creating a "credit holder's bill of rights" which includes, for example, a requirement that you must be notified of a negative report against your credit and be permitted to respond before it appears on your record. Likewise, that applying for credit, and other "ordinary" uses of credit, do not negatively affect your score. Credit agencies operate as though they were an impenetrable black box with the sovereign prerogative to do whatever they damn well please ... and not to update their software for nine years even though every other player in the financial industry updates their software and is usually legally required to do so.

If this incident "turned the baleful light of reform" onto the credit reporting industry, I think it would be a very, very good thing that is long, long overdue.
 
Old 09-15-2017, 08:16 PM   #8
Linux_Kidd
Quote:
Originally Posted by MensaWater View Post

It goes on to say that the people that originally suggested it was this 9 year old bug have now backtracked and admitted it might have been the March bug that Apache had patched before the May exploit.
The backtracking is not about 9805 being a 9-year-old bug; it's a backtrack on how Equifax was hacked. We appear to know it was Struts 5638 and not 9805, but that is from https://www.equifaxsecurity2017.com, which I am not trusting as of yet.

The claim that 9805 is in code as far back as 9 years ago still needs to be confirmed yes/no, etc.

But, if 9805 existed at the same time as 5638, then we need some good forensics to get clarity as to what the data flows actually were.

I am also not confident in any way that Equifax is currently secured; lots of things to do with those exploits, etc. Who knows what is still inside that has yet to be found. Permitted 'bad' egress HTTPS from a server that typically does egress HTTPS may go unnoticed for some time. I see it all too often: "permit tcp 10.10.10.156 any eq 443"!!!

@sundialsvcs - if the govt were involved, would it be even worse? We can't even get secured govt systems; look at the mess we had with HIE related to ACA (aka Obama-Care).

Quote:
Originally Posted by frankbell View Post
The Equifax issue is ultimately a management issue.
Management didn't care.
Not that that is an unprecedented phenomenon.
Not caring carries years in jail, and having known incompetence as a CISO means the board of directors may be facing jail time. I can't imagine anyone thinking it's good to have a BA in Music Composition as the CISO!!

Last edited by Linux_Kidd; 09-16-2017 at 02:24 PM.
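Added example, not code from the thread or from any poster: an ACL like the one quoted in the post above ("permit tcp 10.10.10.156 any eq 443") lets that host reach any destination on 443, so whether an outbound HTTPS flow is "bad" can only be decided against a baseline of expected destinations, checked in the connection logs. The script below assumes a constructed syslog-style firewall log format, reuses the host address from the post, and assumes a hypothetical baseline of two destination networks in documentation ranges. It aggregates allowed 443 flows by destination, flags destinations outside the baseline (with the bytes they moved out), and renders the same baseline back as host-scoped Cisco-style ACL entries with a logging deny, which is what the quoted "any" rule would look like after tightening.

```python
"""Egress baseline check for one server's outbound HTTPS.

Added example, not from the thread. Log format, timestamps and the
baseline ranges are constructed for illustration; the server address
is the one from the ACL quoted in the post.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

SERVER = "10.10.10.156"  # host from the ACL quoted in the post

# Assumed baseline (hypothetical): where this server is expected to talk on 443.
EXPECTED_EGRESS = (
    ip_network("203.0.113.0/24"),    # hypothetical partner API range
    ip_network("198.51.100.10/32"),  # hypothetical package mirror
)

# Constructed firewall connection log, syslog-like, one flow per line.
SAMPLE_LOG = """\
2017-07-29T10:00:01Z FW ALLOW tcp 10.10.10.156:50112 -> 203.0.113.44:443 bytes_out=1820
2017-07-29T10:00:07Z FW ALLOW tcp 10.10.10.156:50113 -> 198.51.100.10:443 bytes_out=912
2017-07-29T10:02:15Z FW ALLOW tcp 10.10.10.156:50120 -> 192.0.2.77:443 bytes_out=48123904
2017-07-29T10:05:40Z FW ALLOW tcp 10.10.10.156:50121 -> 192.0.2.77:443 bytes_out=51002133
2017-07-29T10:06:02Z FW ALLOW tcp 10.10.10.20:40001 -> 192.0.2.77:443 bytes_out=300
2017-07-29T10:07:11Z FW DENY tcp 10.10.10.156:50122 -> 192.0.2.90:22 bytes_out=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) FW (?P<action>ALLOW|DENY) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_expected(dst):
    """True if dst falls inside one of the baseline destination networks."""
    addr = ip_address(dst)
    return any(addr in net for net in EXPECTED_EGRESS)


def summarize_egress(log_text, server=SERVER, port=443):
    """Aggregate ALLOWED flows from `server` to `port` by destination.
    Returns {dst: {"connections": n, "bytes_out": total}}; denied flows,
    other source hosts and other ports are ignored."""
    totals = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["src"] != server or rec["dport"] != port:
            continue
        totals[rec["dst"]]["connections"] += 1
        totals[rec["dst"]]["bytes_out"] += rec["bytes"]
    return dict(totals)


def unexpected_destinations(summary, min_bytes=0):
    """Destinations outside the baseline that moved at least min_bytes out."""
    return {
        dst: stats
        for dst, stats in summary.items()
        if not is_expected(dst) and stats["bytes_out"] >= min_bytes
    }


def tightened_acl(server=SERVER, port=443):
    """Render the baseline as host-scoped Cisco-style extended ACL entries:
    one permit per expected network (wildcard-mask form) and a logged deny
    for everything else on that port from this host."""
    lines = []
    for net in sorted(EXPECTED_EGRESS):
        if net.prefixlen == 32:
            dst = f"host {net.network_address}"
        else:
            dst = f"{net.network_address} {net.hostmask}"
        lines.append(f"permit tcp host {server} {dst} eq {port}")
    lines.append(f"deny tcp host {server} any eq {port} log")
    return lines


if __name__ == "__main__":
    summary = summarize_egress(SAMPLE_LOG)
    for dst, stats in unexpected_destinations(summary).items():
        print(f"unexpected egress {SERVER} -> {dst}:443 "
              f"{stats['connections']} conns, {stats['bytes_out']} bytes out")
    print("\n".join(tightened_acl()))
```

On the constructed log the only destination outside the baseline is 192.0.2.77, which received roughly 99 MB over two connections from the server while the same destination saw a 300-byte flow from another host; both of those would pass the quoted "any eq 443" rule, so the volume per destination is what makes the first one stand out. The deny entry in the tightened ACL is logged so that a new legitimate destination shows up as a denied flow rather than silently disappearing.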
 
Old 09-16-2017, 12:46 AM   #9
John VV
Considering
"Equifax CEO Hired a Music Major as the Company's Chief Security Officer"
https://it.slashdot.org/story/17/09/...curity-officer
-- source
http://www.marketwatch.com/story/equ...cer-2017-09-15

and that she has now "retired":
http://www.marketwatch.com/story/2-t...ach-2017-09-15

Last edited by John VV; 09-16-2017 at 12:47 AM.
 
Old 09-16-2017, 01:24 PM   #10
calvinmeadows
Equifax executives dump company stock at http://money.cnn.com/2017/09/08/inve...ach/index.html
 
Old 09-16-2017, 02:25 PM   #11
Linux_Kidd
posts #9 & #10 - will surely be investigated by the FBI.
 
Old 09-16-2017, 05:05 PM   #12
dave@burn-it.co.uk
I would pretty much hope that ANY flaw found in software has been there since that software was written (at least that part of it).
Nobody - in their right mind - deliberately ADDS flaws later (with one possible exception).

That exception is a deliberate testing control, in which a number of known bugs are introduced before quality testing so that the percentage NOT found will indicate roughly how many REAL bugs have also evaded detection.
 
Old 09-16-2017, 09:03 PM   #13
frankbell
Josh Marshall, a journalist whose diligence and thoughtfulness have earned my respect, though I don't necessarily agree with him on everything (there's only one person with whom I agree on everything, and he's typing these words), had a thoughtful article on Equifax and the implications of its (in)actions at his website. He focuses on lessons to be learned about financial and business systems and how they (don't) work: http://talkingpointsmemo.com/edblog/...m-with-equifax

I commend it to your attention.
 