The Equifax Initial Vector - Are We Strutin' The Wrong Stuff?


By Scott Scheferman

First, let's talk about The Cyber so we can get that out of the way. Then let's talk about Equifax and what you can do. Then let's recommend some best practices for us humans to follow in the year 2017.



What do we know about the initial vector? Everyone is saying ‘Apache Struts’…and while that is a possible—and perhaps even a likely vector given the large number of still un-patched systems accessible to any hacker with a browser—it is still not confirmed. In fact, everyone saying it was a Struts exploit seems to point back to a single source (note: link opens a PDF): an equity research report from Baird.

And, while I have written an email to one of the authors to ask them how they’ve surmised this information, I don’t know that their answer matters. The point is: how is it that the entire media, industry and Internet at large have latched on to this one ambiguous statement and are completely running with it?

“Our understanding is that data entered (and retained) through consumer portals/interactions (consumers inquiring about their credit reports, disputes, etc.) and data around it was breached via the Apache Struts flaw.”

It is true that a lot of organizations use Struts. Apache's own wiki even lists some of them outright, including the California DMV website. We've also learned that as many as 65 percent of the Fortune 500 are running Apache Struts, according to Fintan Ryan, an industry analyst at Redmonk who based the figure on Fortune 100 usage stats. You can even find over 4,000 servers still running Apache Struts in development mode with this simple Google search.

I find it interesting that Apache themselves don't even know if it was a Struts vulnerability that led to the breach:

"At this point in time it is not clear which Struts vulnerability would have been utilized, if any." -Apache Foundation

You would think that by now that the vendor would be in the loop if it actually was a Struts vulnerability, right?

In the absence of any real information, we as an industry have fallen hook, line and sinker into what may be part of a larger (albeit horribly amateur) diversionary tactic to lay blame on an open source software developer, instead of on the due diligence of the organization curating the data.

It all fits into an as-yet unfolding story, as we further learn that Equifax lobbied Congress to the tune of over $500,000 in the first half of the year to, in part, limit their legal liability from data breaches, and that several executives sold shares just prior to announcing the breach. They've even fought against a bill that urged the industry to firm up their authentication practices in order to lower the odds of a breach. I've also managed to pay them $10 to freeze my credit since the breach. And the PIN they generated correlated to the date and time I hit 'submit' on the prior form. (edit: it appears they have since fixed this). And, if I had chosen to sign up for their credit monitoring service, I would have gone through a site with an XSS vulnerability. And if I really want to right now...I can even sign up via the Do Not Pay Bot to file in my state-level small claims court. Or I might end up being a part of any number of these 23 class action lawsuits already filed.
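The freeze PIN that tracked the submission time is an instance of a general weakness: a secret derived from a predictable clock value has a tiny guess space. The example below is added here and is not Equifax's code; the timestamp-derived scheme and the formats it checks are assumptions about the class of bug, set beside a CSPRNG-based generator and a regression check a team could run against its own PIN generator.

```python
# Added illustration (not Equifax's implementation): a clock-derived PIN versus
# a CSPRNG-drawn PIN, plus a check that flags PINs that encode the submit time.
import math
import secrets
from datetime import datetime, timezone

PIN_DIGITS = 10

def timestamp_pin(submitted_at: datetime) -> str:
    """Assumed weak scheme: the PIN is just the submission time as MMDDYYhhmm."""
    return submitted_at.strftime("%m%d%y%H%M")

def random_pin(digits: int = PIN_DIGITS) -> str:
    """Hardened scheme: uniform draw from the full 10^digits space, leading zeros kept."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"

def guess_space_bits(distinct_values: int) -> float:
    """Entropy in bits if every one of `distinct_values` outcomes is equally likely."""
    return math.log2(distinct_values)

# Common clock encodings a 10-digit PIN might be built from (assumed list).
_TIME_FORMATS = ("%m%d%y%H%M", "%y%m%d%H%M", "%d%m%y%H%M", "%Y%m%d%H", "%H%M%m%d%y")

def looks_time_derived(pin: str, submitted_at: datetime) -> bool:
    """Regression check: does the PIN equal any clock encoding of the submit time?"""
    candidates = {submitted_at.strftime(fmt) for fmt in _TIME_FORMATS}
    # Unix epoch seconds are also 10 digits for dates in this era.
    epoch = int(submitted_at.replace(tzinfo=timezone.utc).timestamp())
    candidates.add(str(epoch))
    return pin in candidates

def pin_generator_is_clock_independent(gen, submitted_at: datetime, trials: int = 5) -> bool:
    """Same timestamp, repeated calls: a sound generator yields differing, non-clock PINs."""
    pins = [gen() for _ in range(trials)]
    return len(set(pins)) == trials and not any(looks_time_derived(p, submitted_at) for p in pins)

if __name__ == "__main__":
    t = datetime(2017, 9, 8, 14, 5)  # constructed sample submission time
    print("clock-derived PIN:", timestamp_pin(t), "flagged:", looks_time_derived(timestamp_pin(t), t))
    print("one year of minute-resolution PINs: %.1f bits" % guess_space_bits(365 * 24 * 60))
    print("uniform 10-digit PIN: %.1f bits" % guess_space_bits(10 ** PIN_DIGITS))
    print("random generator passes check:", pin_generator_is_clock_independent(random_pin, t))
```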

And you can do the same, too...but it doesn't matter. The truth that most don't understand is that all of your information stolen from Equifax is probably already out there. And, it really isn't "yours" to begin with. It is just information collated by Equifax from dozens (hundreds) of other sources. And while you might feel like you are a consumer of Equifax services, you really aren't. You're the product; the entity, the humanoid micro-machine whose output is simply confidence.

So yeah, go ahead and freeze your credit, and then post all about this breach on your social media sites so that other micro-machines can sell those metrics and trends too. It's a party in here, and this Equifax breach is just the latest spike in the punch bowl.

Now, if you decide you're not quite willing to throw in the towel just yet, here are some of the things I'd recommend doing as a human in 2017:

  • Use Multi-Factor authentication, and use it on every single website and application you possibly can. This can look like a Google Auth Code, or even just your fingerprint on your phone. Whatever the case may be, use multiple factors to authenticate whenever possible, SS7 vulnerabilities be damned.
  • Choose user IDs creatively instead of just using your email address, name, or phone number as a user ID.
  • Always use LIES as answers to your Security Questions. Remember, the truth is on the side of the bad guys.
  • Use 2FA to authenticate to EVERY email address you have; if it is not supported by your ISP's email domain, then move away from that email address entirely. Delete everything in your inbox over 1 month old, and make sure to delete your deleted emails, too. Your inbox and trash end up being solid gold for identity thieves, but also, for those that might leverage extortion by threatening to expose your data publicly—which itself ends up jeopardizing your personally identifiable information (PII) a second time.
  • Keep your credit frozen; be slightly less attractive to the bad guys, bots and big data.
  • Never remember anything more than one password; in other words, use a password manager that randomly generates complex passwords for you. You should never be able to remember your passwords in 2017.


About Scott Scheferman

As Director of Consulting for Cylance, Mr. Scheferman oversees the delivery of Cylance Consulting services ranging from compromise assessments and penetration testing to incident response to ensure timely and effective delivery. He also performs additional roles within Cylance such as public speaking and sharing intelligence with partners.
