08 September, 2017

Equifax Breach: Why I am not surprised

Equifax Breach: Why I am not surprised
Jason Gillam
Author: Jason Gillam
Share:

The Equifax breach, announced in September 2017, is said to potentially impact some 143 million Americans.  At this point in time Equifax has not shared many details about the breach except the numbers and that the information was extracted through a web application vulnerability.  Despite the lack of details, we can make some educated guesses on how this may have happened. We’ll follow up with what you can do about it.

How did it happen?

We don’t have enough details to know for certain how this happened, but what we have been told is that due to a web application vulnerability the attackers were able to extract data from certain files on the file system. If you are familiar with the OWASP Top 10, this type of attack implies a web app vulnerability categorized as A4 – Insecure Direct Object Reference.   In a general sense, what this means is that due to some flaw in the application an attacker could access files from the file system that were not intended to be accessed directly by a user of the application. This is made possible by a failure in authorization, such as a missing authorization check or badly configured permissions. Insecure Direct Object Reference flaws are quite common. Some of them can be detected through automated scans but many of them can only be discovered manually, such as through a web application penetration test.

Another possible angle for the attack is related to the fact that Equifax appears to be a Java shop. According to Wappalyzer (a Chrome and Firefox plugin), the main Equifax website runs on the Java-based Liferay CRM.  Another public facing application, the one that consumers log into, also appears to be Java based. We don’t know which application was attacked during this breach, but it seems there is a good chance it was a Java application. We also know that there have been many critical Java vulnerabilities in recent years, in particular several that fall into a category called Java Deserialization vulnerabilities. These types of vulnerabilities may allow an attacker to run commands on the operating system on which the application is running, which is sufficient control to pull off this kind of breach.

Update: According to the report issued by Baird Equity Research , the issue was due to an  Apache Struts flaw. Apache Struts is a Model-View-Controller (MVC) framework for Java web applications and for which several significant vulnerabilities have been discovered over the past couple of years. Some of these would be classified as Java Deserialization issues as they are exploited by creating a malicious object payload that gets executed when it is received and deserialized by the Struts framework.

Let’s be clear: we aren’t saying that a Java Deserialization flaw was responsible for this breach, because we don’t have those details and we don’t know if any Equifax applications even use Java Deserialization features.  What we are saying is that given what little we do know, and the current vulnerability trends, a Java Deserialization flaw is a likely candidate.

Time to face the music

If you are under the assumption that your SSN was not already compromised before September 7, then you have not been paying attention. According to Equifax, the current theory is that the breach occurred sometime back in May – coincidentally(?) around the same time Equifax announced another fraud event with the TALX Payroll Division. But even if this wasn’t three months later, your SSN was very likely compromised in some other breach reported in the past few years or possibly in some other unreported breach. Let’s face it. Your SSN, like every other SSN in America, is probably not super-secret data. The reality is your healthcare data is worth more on the black market than your SSN. So if you have not yet come to this conclusion on your own, let me save you the trouble of trying  to get the Equifax security breach check to work: Your SSN has been compromised… probably along with your name, contact information, and perhaps even some other financial details such as credit card numbers.  Now move on.

So… what do I do now?

So your SSN has been compromised, what can you do to protect yourself and your loved ones from would-be identity thieves? Well the conventional solution is to buy some kind of identity theft and/or credit monitoring service. But those solutions don’t really “protect” you, so much as notify you so you know when to start spending hours, days, or even months putting your life back together. Let’s be clear: I’m not advocating for people to skip using a monitoring service. I’m just saying that you should not stop with just monitoring and alerts when there is one more thing you can do to outright prevent some types of attacks.

Ironically it is a low-cost (sometimes free) service provided by the credit bureaus (Equifax, Experian, and Transunion). You can go to each of the credit bureau websites and invoke a credit freeze or lock. I’m not going to go through the details here because it is covered in detail on ftc.gov. The quick summary: just go do it. You will be inconvenienced next time you apply for credit because you will have to log back in and temporarily remove the freeze, but other than that it is a good thing to do because it prevents an attacker from using your stolen SSN to establish new fraudulent credit and, in some cases, it can prevent an identity theft from passing a background check in your name.

About that monitoring…

To circle back on monitoring – remember that a credit freeze only prevents an attacker from using your stolen SSN. You still need to monitor bank accounts, credit history, and healthcare insurance activity closely for suspicious activity because an identity thief may be using other tactics that don’t necessity the use of your SSN.  Now, Equifax is providing one year of free monitoring to those who may have been impacted, but let’s be real: Your SSN and any other data that was stolen is not going to magically become secure at the end of your free year.  It is a good idea to research and obtain some kind of monitoring regardless of whether or not your name has come up in a breach.  In addition, make sure you pay attention to the fine print when you sign up for free credit monitoring because you may be waiving some rights related to litigation.

Join the professionally evil newsletter

Related Resources