Equifax’s Technology: What Happened?

by Jerry Stern, PC410.com

I’ve been asked many times “Can I be hacked?” The answer is “generally not without your help.” Hackers of low-value targets (any small business) are sending you links to malware and hoping you’ll click into something that installs software that will search and monitor your computer and online activity for email account logins and credit card numbers. That’s pretty-well blocked by good ‘antivirus’ software, unless you click to let it in. Hack attempts for high-value targets, like global companies and government angencies, are custom-tailored hack attempts, and they’re looking for network access to a lot more than an email account or credit card. Both of these situations are hack attempts at the level of a worker’s computer.

That’s not what happened at Equifax. They had unpatched software (“Apache Struts”) on a web server, open and available to the outside world through their set of web sites; Apache Struts was widely-installed, with a patch available on March 7th, but not installed at Equifax. Once the patch was announced by Apache, the hackers knew where the problem was on many servers, and some time later, found that issue at Equifax, and used it to gain access to Equifax servers.

Web sites are scanned by hackers continuously for known security gaps, and that’s what happened to Equifax. They didn’t monitor, patch, or detect the problem, the invasion, or the downloads in a way that any other company in financial services would have. If we were their customers, we would leave, and they would be gone. That’s not the case here. They sell their services to banks and other credit monitoring companies, not us. We are a commodity, not a client.

Put simply, Equifax profits from the breach. They are.offering free credit monitoring to anyone impacted by the breach. That credit monitoring won’t be free forever, although their sign-up page is not currently asking for any card numbers. BoingBoing.net estimates that if 1% of the free users continue their monitoring next year, Equifax will make an extra $200 million per year. Equifax will also receive millions from other credit monitoring companies that pay Equifax for credit reports, and from the Federal government, who pays Equifax as the exclusive provider of identification confirmation services. Here’s their analysis:
https://boingboing.net/2017/10/05/failing-up-and-up.html

What To Do

Andrew Bareham has listed the financial steps above. Remember that the stolen data doesn’t expire. Prevention is key; cleaning up after identity theft takes years. Freezes are less hassle than cleaning up later.

For better protection against hacks that happen on your own systems, there’s a one-page document from KnowBe4.com that summarizes what you need to know about social engineering. That’s the set of tricks used to convince you to click a fraudulent message.
https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf

Learning from Existing Code

Another question from a software developer:

What kind of things can you learn from a guy who only hacks existing code?
At my previous job I was the lead programmer and I worked with this guy who was a self-admitted hacker. We respected each other and had a great relationship. The company was much better off because we blended our talents.

I would tend to look for an elegant, graceful solution that we could add to our code library. He would tend to find, tweak, and fit some strange piece of code into a solution. One of the most valuable lessons I learned from him was you don’t always have to build the solution from scratch, there’s a ton of code out there you can borrow from.

What kind of things have you learned from a hacker?

Definition: By hacker I mean someone who for the most part, cannot create something from scratch. However they are very good at morphing code that others have written.

Well, I learned a lot of programming by hacking, in the old definition, as in someone who takes stuff apart and tries to make it do more stuff. In my case, I reverse-engineered file formats for program code for a programming language that no longer exists–that was Texas Instruments Extended BASIC for the TI/994a Home Computer, back in the 1980’s. Pulling that information apart and understanding the proprietary format allowed me to write programs that modified programs, mostly to make them easier to edit; there are still online copies of that around, if you search online for ‘MICROpendium Magazine’ and the program called ‘SubIndex’. It was great training.

Now, most companies specifically prohibit reverse-engineering of their products, so when it’s done, it doesn’t get published. What’s evolved since then has been more along the lines of code sample collections on the various crowd-sourced programming language how-to sites. There are work-arounds of just about any problem you can think of, and many, many of these cover topics that the official sites for the products involved won’t cover at all because they don’t want to endorse a solution that they haven’t tested in-house.

As a programming approach, I’ve always saved every chunk of code as a function or a subprogram. And then reuse code, over and over. And I pull code out of my web sites to use on my other sites just about every month. It saves time.

Yes, I’ve gone your way, and written elegant recursive code that did the impossible in one page. But that’s too much like work for most quick tasks. A quick assembly of saved parts and my prior projects is the preferred approach for me.

Jerry Stern
Chief Technology Officer, PC410.com