The Apache Software Foundation this weekend responded to accusations that the massive data breach Equifax disclosed last week resulted from a flaw in Apache’s open source code.
One of the largest financial data breaches in U.S. history, it exposed names, addresses, Social Security Numbers, birth dates, driver’s license numbers and other sensitive information belonging to 143 million U.S. consumers, as well as data belonging to an undisclosed number of UK and Canadian consumers.
The attackers also accessed credit card data for about 209,000 consumers and credit dispute information for about 182,000 consumers, Equifax said.
The Apache organization was sorry to hear about the Equifax data breach, said Apache Struts Vice President Rene Gielen on behalf of the Apache Struts Project Management Committee.
However, with respect to the possibility that it resulted from an exploitation of a vulnerability in the Apache Struts Web Framework, it was not clear which vulnerability could have been utilized, Gielen said.
One assumption connected the breach to CVE-2017-2805, one of several patches Apache announced on Sept. 4.
“However, the security breach was already detected in July, which means that the attackers either used an earlier announced vulnerabiity on an unpatched Equifax server or exploited a vulnerability not known at this point in time — a so called Zero Day Exploit,” Gielen noted.
The committee members have put enormous effort into “securing and hardening the software we produce,” he added, and they fix problems that come to their attention.
There’s a distinction between the existence of an unknown flaw in the wild for nine years and failing to address a known flaw for nine years, said Gielen, emphasizing that the committee just learned about this flaw.
The has not had any contact with anyone using the @equifax domain on any Apache list in more than two years, said Apache spokesperson Sally Khudairi.
“To be clear, whilst we haven’t had contact with anyone using the @equifax domain — official or otherwise — that is not to say there isn’t a chance that someone from their team may have done so using an alternate channel,” she told LinuxInsider.
Somebody could have used a personal email account, for example, Khudairi said.
There currently isn’t enough data to draw any conclusion, said Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative.
“However, even if it were concluded that it was an Apache Struts vulnerability, there’s no data upon which the vulnerability was used,” he told LinuxInsider, “and even if Apache Struts was the root cause, it could just have easily been something from months, or even years ago.”
Equifax could have done a better job protecting a site with such critical consumer data, said Chris Morales, head of security analytics at Vectra.
“We believe that Equifax invests a significant amount of money and manpower to protect against cyberattacks,” he told LinuxInsider. “However, smaller organizations with less manpower and money have detected and responded to similar attacks quickly and prevented data loss.”
Equifax has taken tremendous heat over the breach — not only because of the gap between discovering the incident on July 29 and the public disclosure last week, but also due to reports that three company executives, including the CFO, may have sold shares of the company prior to the disclosure. Equifax shares fell sharply last week after the report.
Critics also have lashed out against the company because the website it set up to allow consumers to sign up for credit monitoring through the TrustedIDPremier service required anyone who checked their data to waive their right to sue the company. In addition, customers who signed up for the “free” offering after a period of time would be charged for the service.
Equifax revised its policies in the wake of the backlash.
“It is taking zero time to respond, which is also a telltale sign that it is not pinging a secure Social Security database with millions of records, ” noted Paul Teich, principal analyst at Tirias Research.
“This is worse than a bait and switch. Equifax is providing completely random answers without even looking up the last six digits of the Social field,” he told LinuxInsider.
Any consumers who base their responses on these answers are doing little more than following a random response generator, said Teich.
Actual breaches are not preventable, he noted, as a skilled hacker who wants to access your personal data will do so if they try hard enough — but that was not the problem in the Equifax case.
Storing consumer financial data of any kind in an unencrypted database is totally preventable, said Teich, and has nothing do with Apache or open source in general.
Equifax – It has to be someone else’s fault.