Equifax Part 2
-
Equifax employee systems in Argentina were publicly-facing and wide-open:
Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
It gets worse.
Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.
However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.
It gets worse.
A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name.
It gets-
But wait, it gets worse.
From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.
The portal was taken offline by Equifax after Krebs contacted them.
Shortly after receiving details about this epic security weakness from Hold Security, I reached out to Equifax and soon after heard from a Washington, D.C.-based law firm that represents the credit bureau.
I briefly described what I’d been shown by Hold Security, and attorneys for Equifax said they’d get back to me after they validated the claims. They later confirmed that the Veraz portal was disabled and that Equifax is investigating how this may have happened.
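Added example, not from the thread and not Equifax's or Hold Security's code: two audit checks a defender would run against the weaknesses the quoted report describes, a "masked" password that is really sitting in the HTML value attribute of the page source, and passwords that equal the username or a well-known default pair such as admin/admin. The profile markup, account records and default-credential list below are constructed for the demonstration; the field names and `/employees/update` path are hypothetical.

```python
"""Audit helpers for two findings from the quoted report (constructed example).

1. A password input that is pre-filled from the server is only masked by the
   browser's dots; the value attribute is verbatim in the HTML source.
2. Passwords identical to the username, or matching a default pair, fail any
   sane credential policy before an attacker has to guess anything.
"""
from html.parser import HTMLParser

# Constructed sample of a server-rendered employee profile page that echoes the
# stored password into the form (hypothetical markup, not Equifax's page).
SAMPLE_PROFILE_HTML = """
<html><body>
<form action="/employees/update" method="post">
  <label>Username</label>
  <input type="text" name="username" value="jsmith">
  <label>Password</label>
  <input type="password" name="password" value="jsmith">
  <input type="hidden" name="csrf" value="placeholder-token">
</form>
</body></html>
"""

# Constructed account records mirroring the patterns the report describes.
SAMPLE_ACCOUNTS = [
    {"username": "admin", "password": "admin"},
    {"username": "jsmith", "password": "jsmith"},
    {"username": "mgarcia", "password": "Tq7!vR2#pLw9"},
]

# Small constructed list of default pairs; a real audit would use a fuller one.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


class PasswordFieldAuditor(HTMLParser):
    """Collects <input type="password"> elements whose value attribute is set."""

    def __init__(self):
        super().__init__()
        self.leaks = []  # (field name, value) pairs found in the markup

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # HTMLParser lowercases tag names for us
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.leaks.append((a.get("name", ""), a["value"]))


def find_prefilled_password_fields(html):
    """Return [(name, value), ...] for password inputs pre-filled in the source."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.leaks


def audit_credentials(accounts, defaults=DEFAULT_CREDENTIALS):
    """Return [(username, reason), ...] for accounts failing the basic policy."""
    findings = []
    for acct in accounts:
        user, pw = acct["username"], acct["password"]
        if (user.lower(), pw.lower()) in defaults:
            findings.append((user, "well-known default credential pair"))
        elif pw.lower() == user.lower():
            findings.append((user, "password identical to username"))
        elif len(pw) < 12:
            findings.append((user, "password shorter than 12 characters"))
    return findings


if __name__ == "__main__":
    for name, value in find_prefilled_password_fields(SAMPLE_PROFILE_HTML):
        # Report the field, never the secret itself, in audit output.
        print(f"password field '{name}' is pre-filled in page source "
              f"(value length {len(value)})")
    for user, reason in audit_credentials(SAMPLE_ACCOUNTS):
        print(f"{user}: {reason}")
```

The first check belongs in a template or response test so a rendered page never carries a secret the browser merely hides; the second belongs at password-set time, where rejecting username-equals-password and default pairs is cheap and removes the "admin/admin" class of finding entirely.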
-
An example needs to be made of Equifax to give these companies incentive to lock their shit down.
-
Inb4 another discussion on how SSN/SINs are supposed to be unique identifiers and not secrets and how we should use a new system
-
@bb36e inB4 a reply saying they're not even unique
-
Predictably, security researchers have smelled blood in the water and are going for the kill.
You know what's the worst part? EVERYTHING is like this. All the big companies, big projects, big institutions.
Equifax just happens to be the current whipping boy.
-
@bb36e said in Equifax Part 2:
They later confirmed that the Veraz portal was disabled and that Equifax is investigating how this may have happened.
Complete and total incompetence? That would be my guess.
-
@cartman82 said in Equifax Part 2:
You know what's the worst part? EVERYTHING is like this. All the big companies, big projects, big institutions.
You would not believe how many times we have gone in for a consult with a small business and there is a Post-It note on the computer monitor with the password for the domain administrator on it. Another time we consulted with a business and found out they had a spreadsheet that was open to anyone in the entire company to view that had the names, SSNs, addresses, DLNs and tons of other information. All right out there in the open for anyone to copy to a USB drive. Thousands of lines of it.
-
@polygeekery said in Equifax Part 2:
Post-It note on the computer monitor with the password for the domain administrator on it.
At least it's safe from remote attack
-
@hungrier
"Hello, this is Mujbar from Microsoft. We detected a virus on your computer, to assist with the cleanup, please read the contents of all the post-it notes near your computer monitor."
-
@cartman82 said in Equifax Part 2:
You know what's the worst part? EVERYTHING is like this. All the big companies, big projects, big institutions.
Equifax just happens to be the current whipping boy.
Maybe the big ones, especially in Communist Euro-stan where you live.
But what really pisses me off is when the small 75-person company I've worked in spent like 30% of our time working on security issues, doing audits, etc. They get bought out and unceremoniously shut down while moron companies like Equifax are out there shitting personal information everywhere.
Yet another example of why IT is the fucking worst industry in the world.
-
@blakeyrat said in Equifax Part 2:
Maybe the big ones, especially in Communist Euro-stan where you live.
Joke's on you, our companies and institutions don't even know what are computers.
-
@cartman82 said in Equifax Part 2:
@blakeyrat said in Equifax Part 2:
Maybe the big ones, especially in Communist Euro-stan where you live.
Joke's on you, our companies and institutions don't even know what are computers.
Yeah, here in Poland we store all of our data in binary on abaci.
-
@polygeekery said in Equifax Part 2:
there is a Post-It note on the computer monitor with the password for the domain administrator on it
Unless it says "admin:admin" that is still way more secure than Equifax though.
-
@jaloopa said in Equifax Part 2:
@bb36e inB4 a reply saying they're not even unique
But DNI numbers are.
-
@blakeyrat said in Equifax Part 2:
But what really pisses me off is when the small 75-person company I've worked in spent like 30% of our time working on security issues, doing audits, etc. They get bought out and unceremoniously shut down while moron companies like Equifax are out there shitting personal information everywhere.
The free market has spoken. Security is not worth it.
-
@anonymous234 said in Equifax Part 2:
The free market has spoken. Security is not worth it.
Yeah. Sweden blazes the trail here, by outsourcing confidential national databases directly to Russian hackers. Not only does the Swedish government save money on security (and salaries!), but the Russians save money by not having to hire competent hackers. Now, if we only could cut IBM out of the loop...
-
@cvi said in Equifax Part 2:
Now, if we only could cut IBM out of the loop...
I hear that Oracle have some ideas that they could suggest as part of a consulting arrangement…
-
@dkf said in Equifax Part 2:
@cvi said in Equifax Part 2:
Now, if we only could cut IBM out of the loop...
I hear that Oracle have some ideas that they could suggest as part of a consulting arrangement…
Might be able to get SAP on board too. :-/
-
@polygeekery said in Equifax Part 2:
Complete and total incompetence? That would be my guess.
Nah. I'm going with "We'll implement that for $200k" and pocketing the $200k.
-
@kt_ said in Equifax Part 2:
@cartman82 said in Equifax Part 2:
@blakeyrat said in Equifax Part 2:
Maybe the big ones, especially in Communist Euro-stan where you live.
Joke's on you, our companies and institutions don't even know what are computers.
Yeah, here in Poland we store all of our data in binary on abaci.
Not true. We've upgraded to floppy disks in 2008.
-
@anonymous234 said in Equifax Part 2:
@jaloopa said in Equifax Part 2:
@bb36e inB4 a reply saying they're not even unique
But DNI numbers are.
Polish PESEL numbers are also unique. Unless some bureaucrat fucked something up, which was surprisingly common in the 90s before every city got equipped with computers.
-
@cartman82 said in Equifax Part 2:
You know what's the worst part? EVERYTHING is like this. All the big companies, big projects, big institutions.
That's not true. The projects that aren't like this just don't get put in a spotlight.
-
@blakeyrat said in Equifax Part 2:
Maybe the big ones, especially in Communist Euro-stan where you live.
Pretty funny, considering laissez-faire capitalism directly leads to this. Security is just a cost center. And fuck the people who are affected by a breach, they're not Equifax's customer anyway.
Will they learn from this? Unless in the end it will cost them more in damages than doing security right would have cost them, and that's pretty unlikely, they'll learn that yes, they did everything correctly to maximize profit.
-
@topspin said in Equifax Part 2:
@blakeyrat said in Equifax Part 2:
Maybe the big ones, especially in Communist Euro-stan where you live.
Pretty funny, considering laissez-faire capitalism directly leads to this. Security is just a cost center. And fuck the people who are affected by a breach, they're not Equifax's customer anyway.
Will they learn from this? Unless in the end it will cost them more in damages than doing security right would have cost them, and that's pretty unlikely, they'll learn that yes, they did everything correctly to maximize profit.
Guess what? This happened DESPITE regulations. Equifax is in DEEP trouble with the regulatory bodies for their incompetence.
-
@anonymous234 Actually DNI numbers aren't unique. Before DNI numbers there were two national documents: one for men and another for women. These were unified later, but the old numbers were kept, so for old people you could have one man and one woman with the same number. And even after unification there are still cases of two people with the same DNI, either due to system errors or evil people doing shady stuff (the government is very corrupt).
-
@the_quiet_one said in Equifax Part 2:
Guess what? This happened DESPITE regulations. Equifax is in DEEP trouble with the regulatory bodies for their incompetence.
Big companies balance potential fines against the cost of doing it right. If the fines or probability of getting caught are low enough, ignoring the regulations is the "smart" business move
-
@gąska said in Equifax Part 2:
Not true. We've upgraded to floppy disks in 2008.
A 3.5-inch discotheque?
ZUS announces a tender for 130 thousand 3.5" floppy disks (1.44 MB)
-
@gurth said in Equifax Part 2:
@gąska said in Equifax Part 2:
Not true. We've upgraded to floppy disks in 2008.
A 3.5-inch discotheque?
Better discotheque than hajlékonylemez.
-
@gąska
Does that make for floppies with Hungarian notation?
-
@polygeekery said in Equifax Part 2:
@bb36e said in Equifax Part 2:
They later confirmed that the Veraz portal was disabled and that Equifax is investigating how this may have happened.
Complete and total incompetence? That would be my guess.
My vote's on laziness. The people who set this up are probably competent; they just couldn't be bothered when there were more urgent priorities at hand, like making moar money moar quickly.
-
@jaloopa said in Equifax Part 2:
Big companies balance potential fines against the cost of doing it right. If the fines or probability of getting caught are low enough, ignoring the regulations is the "smart" business move
Which is why we need a Crime Does Not Pay Law: any business found to be making money off of illegal dealings is subject to a mandatory fine of, at minimum, 100% of all gross revenue brought in by the illegal dealings. This makes it so that it will never be profitable to just accept the fine as "cost of doing business."
-
@masonwheeler In NL, criminal profits can be seized independent of the actual punishment. However, it is very difficult to prove criminal profits in practice.
-
@pleegwat said in Equifax Part 2:
@masonwheeler In NL, criminal profits can be seized independent of the actual punishment. However, it is very difficult to prove criminal profits in practice.
We have something similar in the USA, except it's not difficult to do, and it's extremely problematic and widely abused. I don't believe in legal punishments being doled out before the person being punished has been proven guilty in a court of law.
-
@masonwheeler I see two issues with that.
- It's rarely that cut and dry. If my illegal operations helped to get a client worth £1,000,000 but we had a fairly good chance of hooking them anyway, is the company liable for the whole million or some percentage based on an assessment of the likelihood of getting the business anyway?
- If the chance of being caught is less than 100%, which it almost certainly would be, there's still a value calculation to be made against the probability of being caught
-
@jaloopa said in Equifax Part 2:
It's rarely that cut and dry. If my illegal operations helped to get a client worth £1,000,000 but we had a fairly good chance of hooking them anyway, is the company liable for the whole million or some percentage based on an assessment of the likelihood of getting the business anyway?
Not only that but it could be abused. "You made $1,000,000 doing your service, but while you were at the client's location you parked too close to a fire hydrant. All your profits are belong to us."
-
@hungrier said in Equifax Part 2:
@jaloopa said in Equifax Part 2:
It's rarely that cut and dry. If my illegal operations helped to get a client worth £1,000,000 but we had a fairly good chance of hooking them anyway, is the company liable for the whole million or some percentage based on an assessment of the likelihood of getting the business anyway?
Not only that but it could be abused. "You made $1,000,000 doing your service, but while you were at the client's location you parked too close to a fire hydrant. All your profits are belong to us."
Wouldn't fly - parking location isn't the reason they made the million dollars.
-
@pie_flavor Doesn't matter. Prosecutors here will -- and do -- make the argument that the client work was "part of the same criminal transaction" as the parking violation and thus the assets are just as tainted as if the parking violation was a direct cause.
-
Not just once, even. Tim tweeted that link 7 times.
Nick Sweeting, the web developer who created the dummy website Sept. 8, messaged me over Twitter that it only took him 20 minutes to make the clone. “It's in everyone's interest to get Equifax to change this site to a reputable domain. … I can guarantee there are real malicious phishing versions already out there.”
Sweeting only found out Wednesday morning that Equifax had been tweeting out his site, which he claims has been visited 78,653 times as of noon Eastern on Wednesday.
Asked about his reaction to the blunder, he responded, “Honestly I'm not really surprised.”
-
@gurth said in Equifax Part 2:
@gąska said in Equifax Part 2:
Not true. We've upgraded to floppy disks in 2008.
A 3.5-inch discotheque?
ZUS announces a tender for 130 thousand 3.5" floppy disks (1.44 MB)
You know what they say, if it ain’t broken don’t try to fix it.
-
@topspin said in Equifax Part 2:
Pretty funny, considering laissez-faire capitalism directly leads to this.
Eh...people lead to this. People are lazy. Security is a pain in the ass and never any fun to deal with. People also like to break laws when it's convenient to them.
-
Fucking hell.
You ever have those days where it starts with a nightmare mistake you realize you made, and in your attempts to correct the mistake or at least do some damage control, you end up making the problem worse? Half the time it ends with you waking up in a cold sweat at 4am.
Equifax has managed to surpass Trump in the "Who is worse at Twitter?" contest.
-
@kt_ said in Equifax Part 2:
@gurth said in Equifax Part 2:
@gąska said in Equifax Part 2:
Not true. We've upgraded to floppy disks in 2008.
A 3.5-inch discotheque?
ZUS announces a tender for 130 thousand 3.5" floppy disks (1.44 MB)
You know what they say, if it ain’t broken don’t try to fix it.
If it ain't broke, break it.
- George Carlin
-
@luhmann Ugh, for some reason I read that as "Shaq Fu" and winced.
-
@pie_flavor said in Equifax Part 2:
If it ain't broke, break it.
- George Carlin
I thought that was Facebook's motto...
-
@pie_flavor said in Equifax Part 2:
@kt_ said in Equifax Part 2:
@gurth said in Equifax Part 2:
@gąska said in Equifax Part 2:
Not true. We've upgraded to floppy disks in 2008.
A 3.5-inch discotheque?
ZUS announces a tender for 130 thousand 3.5" floppy disks (1.44 MB)
You know what they say, if it ain’t broken don’t try to fix it.
If it ain't broke, break it.
- George Carlin
If it ain't broke, you're not trying hard enough.
-
@raceprouk said in Equifax Part 2:
@pie_flavor said in Equifax Part 2:
@kt_ said in Equifax Part 2:
You know what they say, if it ain’t broken don’t try to fix it.
If it ain't broke, break it.
- George Carlin
If it ain't broke, you're not trying hard enough.
If they ain't broke, tack on more handling fees.