Apache Struts is an open-source package that runs on servers to help Java web developers. Translation: If you don’t understand, you don’t need to worr
[See the full post at: Looks like the bad guys may have broken into Equifax using a known hole in Apache Struts]
Looks like the bad guys may have broken into Equifax using a known hole in Apache Struts
- This topic has 8 replies, 6 voices, and was last updated 7 years, 6 months ago.
Tags: Apache Struts Equifax
Original post by woody (Manager), September 9, 2017 at 6:13 am, #132809 (excerpted above).
Noel Carboni (AskWoody_MVP), September 9, 2017 at 3:51 pm, #132847
I’m of the opinion that web development is seat-of-the-pants, as compared with real software engineering.
To think that security critical to the foundations of the economy can be breached because of the (lack of) quality of web development work is downright scary!
The question then becomes: What do you do? Move to the woods and take up farming? You can hardly get by without credit cards and hope to participate in modern society.
-Noel
lurks about (AskWoody Lounger), September 10, 2017 at 10:07 am, #132889
I think one problem with web developers versus programmers is the nature of the language and tools they use. Markup languages and related tools are content control and layout tools fundamentally. While visually important they are not programming as there is essentially no logic and data manipulation required. The lingua franca of the Web, JavaScript, is a badly designed and executed programming language that leads to lots of bugs that are difficult to find and fix. JavaScript is one of three languages that I consider crimes against humanity; the other two are FORTRAN (grounds to never use IBM) and BASIC (crippled FORTRAN that is so bad Dijkstra commented that no one who learned BASIC could be taught to program).
anonymous (Guest), September 9, 2017 at 5:13 pm, #132851
I guess companies are still going for the lowest bidder when it comes to awarding web development contracts. Many of us who have worked for big companies or specifically government know that contract winners often subcontract the work and that can lead to not getting competent and experienced web developers.
I was surprised to see that Equifax went for an unsecured WordPress web site to offer the hack checker tool. This company is cheap – they should have gone for a sub-domain off their main site with a valid certificate. Their web guys should get pink slips over this entire debacle and so should their management. If a contractor is involved, they should get named and shamed.
The woods are looking a lot safer than the concrete jungle right now.
4 users thanked author for this post.
GoneToPlaid (AskWoody Lounger), September 10, 2017 at 2:13 pm, #132915
It is even worse than you think. You can type in any last name plus any fictitious last six digits of a SSN and the web page will produce the same message. In other words, the whole page is bogus in terms of whether or not you get a correct response as to whether or not you are affected by this security breach. And of course, Equifax then presents you with a web page which says that you can complete your enrollment for their “free” credit monitoring program which they are offering as a free service to all of their customers. When can you do this? That date is September 15 — exactly the same day that the hackers have threatened to publicly publish all of the stolen data. What a remarkable coincidence!
Moreover, I have strong reasons to suspect that more than one hacker group breached Equifax and that the $2.8 million ransom demand is from just one of them. It is also conceivable that, if two or more independent hacker groups were involved, then one of them wasn’t very good at hiding their tracks such that Equifax and its independent security auditors at this point are only aware of one of them. I say this because there have been a couple of episodes of identity theft of friends whom I know, and a recent phone call to me (around two weeks ago) in which the “credit agency” caller claimed that I owed State back taxes. I knew that I did not, yet they persisted in trying to get the last four digits of my SSN. Worse, they had info about all of my previous addresses, and somehow knew my new home phone number which is unpublished. Yet of course my downloaded credit reports do not show any suspicious “pulls” by third parties for advertising and marketing purposes, such as to mail me credit card offers. IN OTHER WORDS, suspicious phone calls combined with the lack of authentic “pulls” by legitimate sources IS YOUR POTENTIAL INDICATOR that your identity has been compromised!
To make matters worse, I tried twice on Equifax to freeze my credit report, yet I was informed that I would have to mail in documents to them in order to freeze my credit info since they couldn’t “verify” my identity. But guess what? Equifax charged me $10 on my credit card twice! One would think that Equifax would only charge me once they had successfully put a freeze on my credit report since that, after all, is what I was paying for. That there is another potential class action lawsuit.
I was stupid to try to put a freeze on my credit report through Equifax. Next, I went to annualcreditreport.com since they are the only free credit report service which is authorized by federal law, and I downloaded my credit reports from the big three credit bureaus. Then I went to TransUnion’s web site to freeze my credit report. It was painless and easy, they charged me only $3, and as a courtesy they also sent my confirmed freeze information to the other credit bureaus as well. I deliberately chose the freeze for 90 days since TransUnion also has an arbitration clause if you choose a longer freeze. In other words, don’t trust any of the credit bureaus as far as you could throw a dead horse. Read the fine print of their Terms Of Service Agreements!!!
Regardless of Equifax’s new claims (due to mounting public outcries) that the data breach does not prevent customers from either filing or joining class action lawsuits against Equifax, keep in mind that some prominent attorneys have chimed in that Equifax’s arbitration clause is very broad and may yet have legal teeth — especially if you are aware of the breach and subsequently decide to take Equifax’s offer for a year of “free” credit monitoring. Thus this brings us right back to my first paragraph. If on September 15 you complete Equifax’s sign-up process for their “free” offer for 1 year of credit monitoring, you potentially could end up excluding yourself from being able to join any class action lawsuit against Equifax. So far, I am aware of two separate class action lawsuits which have been filed against Equifax.
GoneToPlaid (AskWoody Lounger), September 10, 2017 at 1:20 pm, #132907
Just to be clear… It’s by no means certain that Struts is the source of the breach. Equifax isn’t saying much.
Hehe. Equifax is saying that their independent security audit of the attack is nearly complete, yet the details won’t be released for another couple of months. Talk about double-talk! It seems to me that Equifax at this point has no idea how deep this rabbit hole really is.
anonymous (Guest), September 10, 2017 at 3:16 pm, #132920
Behind the curtain …
In March 2013 criminals stole credit reports from AnnualCreditReport.com, giving them access to potentially 200 million Americans’ credit reports. Note: Equifax, Experian and TransUnion jointly operate AnnualCreditReport.com.
The 2013 hack: Equifax said “Our initial investigation shows the perpetrators were able to pass the required authentication measures in place”.
1 user thanked author for this post.
rc primak (AskWoody_MVP), September 15, 2017 at 1:41 pm, #133014
Equifax blames breach on a server flaw it should’ve patched
https://www.engadget.com/2017/09/13/equifax-apache-argentina/
Great. Now that I know all that, what do I do? Where do I go to get my identity back?
I’m saying, it will do no one any good to freeze credit data which is already floating around out there, unencrypted. Ever try to change your Social Security Number? Or your Date of Birth? And are you going to move, to change your Home Addresses for the past two years?
I was not aware of the FreeAnnualCreditReport 2013 breach. That would have had almost the same effect as this Equifax data security breach, and would have affected many more people. Was the leaked database also unencrypted?
-- rc primak
1 user thanked author for this post.
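The Engadget headline in the post above comes down to a component that was deployed at a version with a known hole and never updated. The first thing a defender wants after reading that is an inventory: which struts2-core jars are actually on our servers, at what versions, and which of them sit below the fixed version for their branch. The script below is an added example for this thread, not code from the original post, from Equifax or from the Apache Struts project. It assumes a Tomcat-style deployment with jars under WEB-INF/lib, reads each jar's version from the Maven pom.properties stamped inside it (falling back to the file name), and takes the per-branch minimum versions from the caller; the thresholds in the __main__ block are illustrative placeholders, not values from this page, and must be taken from the Apache Struts security bulletin for the hole you are checking.

```python
"""Inventory struts2-core jars under a deployment root and flag any jar
whose version is below the fixed version for its branch.

Added example for this thread; not Equifax's, Apache's or the poster's
code. Assumes jars live under a directory tree such as a Tomcat webapps
root, and that the caller supplies per-branch minimum versions taken
from the relevant Apache Struts security bulletin (the values under
__main__ are placeholders for illustration only).
"""
import os
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# struts2-core-2.3.31.jar -> "2.3.31" (used only when the Maven stamp is missing)
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Maven writes its coordinates into every jar it builds; this survives a rename.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Numeric compare, so 2.3.9 < 2.3.32."""
    return tuple(int(p) for p in text.strip().split("."))


def branch(version: str) -> str:
    """Fixed versions are issued per branch (2.3.x vs 2.5.x); compare within one."""
    return ".".join(version.split(".")[:2])


def is_below(found: str, minimum: str) -> bool:
    """True when `found` is older than `minimum` (missing components count as 0)."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def version_from_pom_properties(text: str) -> Optional[str]:
    """Pull 'version=...' out of a pom.properties body; None if it is absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_of_jar(path: str) -> Optional[str]:
    """Prefer the Maven stamp inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                body = zf.read(POM_PROPS).decode("utf-8", "replace")
                ver = version_from_pom_properties(body)
                if ver:
                    return ver
    except (OSError, zipfile.BadZipFile):
        pass  # unreadable or not a zip: the file name is all we have
    m = JAR_NAME.match(os.path.basename(path))
    return m.group(1) if m else None


def classify(found: Dict[str, str], minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, version, verdict) per jar, sorted by path.

    verdict is "outdated", "ok", or "unknown-branch" when no minimum was
    supplied for that branch; the last one means "review by hand", never "safe".
    """
    results = []
    for path, ver in sorted(found.items()):
        fixed = minimums.get(branch(ver))
        if fixed is None:
            verdict = "unknown-branch"
        elif is_below(ver, fixed):
            verdict = "outdated"
        else:
            verdict = "ok"
        results.append((path, ver, verdict))
    return results


def find_struts_jars(root: str) -> Dict[str, str]:
    """Walk `root`, open every .jar, and collect struts2-core versions by path."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            ver = version_of_jar(path)
            if ver:
                found[path] = ver
    return found


if __name__ == "__main__":
    import sys
    # Placeholder thresholds: substitute the fixed versions named in the
    # Struts security bulletin you are checking against.
    MINIMUMS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/tomcat/webapps"
    for path, ver, verdict in classify(find_struts_jars(root), MINIMUMS):
        print(f"{verdict:15} {ver:10} {path}")
```

Two caveats worth keeping in mind when reading the output. Fixed versions are issued per branch, so a 2.5.x jar must never be judged against a 2.3.x threshold; when the script has no threshold for a branch it reports "unknown-branch" rather than "ok". And a struts2-core jar that has been shaded or renamed into another artifact carries no telltale file name, which is why the Maven stamp inside the jar is read first and every jar under the root is opened, not only the ones named struts2-core. The inventory tells you what is deployed; it says nothing about whether the vulnerable code path is reachable from the network, which is a separate question.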
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.