
So after a full year, we finally have some more info on the Equifax hack!

https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/?ftag=CAD090e536&bhid=26384760423862042702584112156863

So here's a vague diagram:

Quote

[diagram image from the article, not reproduced here]

Pretty vague, but oh well, here's the meat:

Quote


The attack process started on March 10, 2017, when hackers searched the web for any servers with vulnerabilities that the US-CERT warned about just two days earlier. Two months later, on May 13, they hit the jackpot with Equifax's dispute portal, where people could go to argue about claims.

There, hackers used an Apache Struts vulnerability, a months-old issue that Equifax knew about but failed to fix, and gained access to login credentials for three servers. They found that those credentials allowed them to access another 48 servers containing personal information.

The thieves spent 76 days within Equifax's network before they were detected. According to the report, the hackers stole the data piece by piece from 51 databases so they wouldn't raise any alarms.

Equifax didn't know about the attack until July 29, more than two months later, and cut off access to the thieves on July 30.


So the worst financial data breach in the US was as simple as this: they didn't patch when they knew there was a vulnerability. No facepalm memes will suffice...

A few other highlights:

Quote

Since then, Equifax said that it's implemented a new management system to handle vulnerability updates and to verify that the patch has been issued.

Still not trusting you again (not that I have a choice)

Quote


While the Bureau of Consumer Financial Protection and the Federal Trade Commission have opened investigations into Equifax's breach, neither of them have taken any actions.

Warren and Cummings said they've sent a letter to both agencies asking if they "intend to hold Equifax accountable."


WHY hasn't the government done anything yet? Isn't this what the consumer protection bureau is for?

Quote

Equifax argues that it's going through a complete shift to make sure a breach like 2017's never happens again. An Equifax spokesperson said the company has spent $200 million on cybersecurity over the last year. Its new CISO, Jamil Farshchi, has had experience cleaning up messes: He was called in after Home Depot suffered its own major breach in 2014.  

That's great and I'm glad they are working on it now. But they screwed up then and there should be repercussions.

Overall we've got vague promises that they are better, just like Wells Fargo. The difference? We can't opt out of this one. Credit reporting is unavoidable, so all we can do is ask the government to do their job and hold Equifax accountable, which looks like it isn't going to happen.


Side note: there's some more fun stuff going on at Wells Fargo...


Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.

https://linustechtips.com/topic/969522-equifax-hack-explained-finally/
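Since the whole point of the thread is that a fix Equifax knew about never got applied, here is an added example (not from the CNET article, not Equifax's system, and not posted by anyone in this thread) of the core check a "verify that the patch has been issued" system has to perform: compare the version of a component installed on each host against the minimum fixed version for that component's release branch, and report anything below it or anything on a branch with no known fix. The host names, the component name, the installed versions and the per-branch minimums are all constructed placeholders for the example; the real minimums come from the vendor advisory.

```python
from __future__ import annotations

import re

# Constructed inventory for this example: (host, component, installed version).
# A real check would pull this from a software inventory or a scan of the
# deployed artifacts, not from a hard-coded list.
INVENTORY = [
    ("dispute-portal-01", "struts2-core", "2.3.9"),
    ("dispute-portal-02", "struts2-core", "2.3.30"),
    ("api-gw-01",         "struts2-core", "2.5.8"),
    ("api-gw-02",         "struts2-core", "2.5.7"),
    ("legacy-01",         "struts2-core", "2.2.3"),
    ("batch-01",          "struts2-core", "2.5.10.1"),
]

# Placeholder minimum fixed version per release branch. These numbers are
# illustrative only; the real values come from the vendor's advisory.
MINIMUMS = {
    "struts2-core": {"2.3": "2.3.30", "2.5": "2.5.8"},
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so comparison is numeric.

    Comparing version strings lexically is a classic patch-audit bug:
    '2.3.9' >= '2.3.30' is True for strings and False for versions.
    A trailing non-numeric piece such as '-rc1' is dropped.
    """
    parts: list[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_at_least(installed: str, minimum: str) -> bool:
    """True if installed >= minimum, compared component by component."""
    return parse_version(installed) >= parse_version(minimum)


def branch_of(version: str) -> str:
    """Release branch of a version ('2.5.10.1' -> '2.5'); fixes are per branch."""
    parts = parse_version(version)
    if len(parts) < 2:
        raise ValueError(f"version has no minor component: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def unpatched(inventory, minimums):
    """Return (host, component, installed, required) for every entry that is
    below the minimum for its branch. A branch with no known minimum is also
    reported, with required=None: 'unknown' must never pass as 'patched'.
    """
    findings = []
    for host, component, installed in inventory:
        required = minimums.get(component, {}).get(branch_of(installed))
        if required is None or not is_at_least(installed, required):
            findings.append((host, component, installed, required))
    return findings


if __name__ == "__main__":
    for host, component, installed, required in unpatched(INVENTORY, MINIMUMS):
        need = required if required is not None else "no known minimum for this branch"
        print(f"{host}: {component} {installed} (need >= {need})")
```

Two design points matter more than the size of the script: versions are compared numerically per component (the lexical comparison that would wave through "2.3.9" against a "2.3.30" minimum is the bug this catches), and a host whose branch has no recorded minimum is reported rather than silently skipped, because the check exists to prove the patch landed, not to assume it did.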

4 minutes ago, SC2Mitch said:

Don't you folks have other credit reporting agencies to switch to, or isn't it that simple?

They collect data on you regardless. It isn't an opt-in sort of deal. They just have access to your information.


1 hour ago, Brooksie359 said:

They collect data on you regardless. It isn't an opt-in sort of deal. They just have access to your information.

Which should be a crime in and of itself. Anyone who okayed this should be brought up on charges of willful criminal negligence.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


And the US government is still giving them a ton of money. Goes to show they don't care.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB RAM: Corsair Vengeance LPX 2x16GB DDR4-3200
MOBO: MSI B450m Gaming Plus NVME: Corsair MP510 240GB / Case: TT Core v21 PSU: Seasonic 750W / OS: Bazzite


1 hour ago, TetraSky said:

And the US government is still giving them a ton of money. Goes to show they don't care.

Agreed.


Once again, corporate personhood proves itself to be a mistake.


I honestly would hope this would entice people to work for them to improve the security situation.

whether or not they are willing to pay for it is another question.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown


Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


17 hours ago, SC2Mitch said:

Don't you folks have other credit reporting agencies to switch to, or isn't it that simple?

So there are three of these agencies, and the companies who need to check your credit report to determine whether to lend to you have their choice between the three. The problem is, if you want that loan, you don't choose which one they're using, so you're in the system if you want to get any credit cards, financing, or any kind of loan or credit. You as the user don't really get a choice.


20 hours ago, Trik'Stari said:

Which should be a crime in and of itself. Anyone who okay'ed this should be brought up on charges of willful criminal negligence.

Honestly it makes no sense that they just give companies access to this info even though most of them are super incompetent. 


2 hours ago, Brooksie359 said:

Honestly it makes no sense that they just give companies access to this info even though most of them are super incompetent. 


2 hours ago, valdyrgramr said:

Wasn't the point of the government giving them more money to protect stolen SSNs since the government doesn't seem to be doing anything about that themselves?

The correct answer for this crap is to make them entirely financially responsible for safeguarding that information.


Not that they'd have to pay the government a fine, but that they would need to pay any and ALL financial damages to those affected, directly. No lawyers, no bullshit, no bankruptcy horseshit where the shareholders pull out and get away with the money and the company has nothing to give. 100% recompense for damages, no exceptions.


This honestly doesn't surprise me in the slightest.

Work Desktop: Dell Precision 5810 | Intel Xeon E5-1607 v4 | 8GB 2400 MHz ECC DDR4 | AMD FirePro w5100 4GB GDDR5

Laptop: MacBook Pro 15" | Intel i7-4870HQ | 16GB 1600 MHz DDR3 | Nvidia GeForce GT 750M 2GB GDDR5
