For many people, the recent Equifax data breach was caused by two vulnerabilities in the open-source software package Apache Struts used by a large number of organizations including over 65% of the Fortune 100 companies.
That is, if you go by this report by William Baird & Co.
But the Apache Struts Project Management Committee (PMC), commenting in a blog post, says that “it is not clear at this point which Struts vulnerability would have been utilized”, since the vulnerability (CVE-2017-9805) was patched when it was publicly announced on 2017-09-04, while the security breach was detected in July.
According to them, “if the breach was caused by exploiting CVE-2017-9805, it should be considered a zero-day-exploit”.
A zero-day vulnerability is a flaw in software or hardware that is unknown to the vendor and already being exploited in the wild, so it can cause serious damage well before anyone realizes something is wrong.
The term can also describe an exploit that appears on the same day a weakness is discovered in software.
Once a patch has been written and applied, the exploit is no longer called a zero-day exploit.
The Apache Struts programming framework is normally used for building web applications in Java, and the bug specifically affects a popular plugin called REST, which developers use to handle web requests, such as data sent to a server from a form a user has filled out.
It exploited the Java feature that allows definition and execution of dynamic code from JVM bytecodes, reached in the Struts “rest” plugin via the XStream object serializer/deserializer.
The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, or once an attacker gains remote code execution, malicious code can be hidden inside such data and executed when Struts attempts to convert it.
The attacker can then access all the data, because Java server applications mostly run as a single JVM process without further isolation.
Security experts say that the exploit could have been avoided entirely by using statically compiled programs (native code) with NoExecute segment-bit support from the OS/loader, plus per-request address space isolation.
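The mitigation the text points at is to stop the deserializer from instantiating arbitrary classes named in the request body. The following is an added illustration, not code from the original post or from the Struts project: XStream's deny-all security permissions with an explicit allow-list, placed beside the permissive default. The `Order` class, the `OrderXmlHandler` wrapper and both XML bodies are constructed for the example, and it assumes XStream 1.4.7 or later (before 1.4.18, `new XStream()` resolves any class name by default).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;
import java.util.Map;

public class OrderXmlHandler {

    // Hypothetical request model for a REST endpoint (constructed for this example).
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Before: default type resolution (XStream < 1.4.18). Any class named in the
    // XML element is instantiated, which is the behaviour that made S2-052 possible.
    // Kept only for comparison; never use this on request bodies.
    static XStream permissive() {
        return new XStream();
    }

    // After: deny every type first, then allow only what this endpoint needs.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny-all baseline
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[]{String.class, Order.class});
        xs.allowTypeHierarchy(Collection.class);              // lists of orders
        xs.allowTypeHierarchy(Map.class);
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed body a legitimate client would send.
        String good = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        Order o = (Order) hardened().fromXML(good);
        System.out.println(o.sku + " x" + o.quantity);

        // Constructed body naming a harmless class that is simply not on the allow-list.
        String unexpected = "<java.util.Date/>";
        try {
            hardened().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejected case is where the hardened configuration differs from `permissive()`, which would happily build a `java.util.Date` (or any other class on the classpath) from the same input.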
The Apache Struts Project Management Committee said that while the nine-year-old security flaw was only detected recently, it was not known before then and thus wasn’t fixed; when attention was drawn to the fact that a certain piece of code could be misused, the team fixed it as soon as possible.
The most recent patch is available here.
Equifax has been heavily criticized for the way it has handled the breach (described as a “colossal disaster” by experts), which included:
- not saying how it was breached.
- senior executives dumping shares worth almost $1.8 million in the days after the company discovered a security breach
- executives/board delaying release of information until after the CFO sold stock “off schedule” (insider trading)
- employing temporary workers hired from temp agencies to manage sensitive documents.
- forcing people to fax over photocopies of IDs that anyone can grab when they want to discuss their situation
- not notifying people who had credit monitoring, despite contractual obligations to do so.
- having a CSO (Chief Security Officer) who may not have known anything about enterprise security, as he has a BFA/MFA in music.
- claiming that arbitration applies only to the monitoring service and not the breach.
If you have ever bought a house, a car, rented virtually anything, opened a bank account or applied for certain jobs, then you have probably dealt with these companies.
Lenders, employers, government agencies, and retail stores often send consumer credit information to the bureaus, for free, and Experian then compiles it into reports on individual consumers.
The hack included “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers” as well as “credit card numbers for approximately 209,000 consumers.”
The company added that 182,000 credit-dispute documents, which contain personal information, were also stolen.
Against the backdrop of the Equifax hack, online users have been advised to watch out for phishing scams, via email or phone calls, that offer to check whether they are affected by the leak once they have handed over their Social Security number.
If you are concerned that your data might have been stolen, you may want to contact Equifax at 866-447-7559.
- Stay alert: If you have been part of a data breach, the breached company may send you a notice. Retain all documents and consider any suggestions they may have. Also, pay attention to and retain any mail you receive that is unfamiliar to you, such as notices from the IRS regarding your taxes or any bills from unknown lenders.
- Initiate a fraud alert: You can set a fraud alert with Experian. When you request a fraud alert be added with any of the three major credit bureaus, the bureau you contacted will notify the other two and alerts will be added with those bureaus as well. A fraud alert or initial security alert will warn lenders that you may have been a fraud victim. This extra precaution will notify the potential lender that they should contact you before granting any new line of credit in your name. This fraud alert will stay on your credit report for 90 days. You can renew the fraud alert when it expires.
- Monitor your financial accounts: Visit your online bank and financial accounts, and set up any alert features they may have, if you have not already done so. This could help save some time and keep you notified of any unusual events when they occur.
- Monitor your credit reports: You can check your credit report for free once every twelve months by visiting AnnualCreditReport.com. Checking your credit report can help you identify any unusual activity, such as new accounts, new personal information or inquiries. Experian free credit report members can check their Experian credit report for free every 30 days on sign in.
- Freeze or lock your credit file: You may consider adding a security freeze. A security freeze is designed to prevent credit, loans and services from being approved in your name without your consent.
You can also freeze your credit reports with Equifax and TransUnion®. A security freeze will prevent potential lenders from accessing your credit report. Your credit report will only be accessible by unfreezing the account. If you are planning on applying for new credit in the near future, you could consider postponing the security freeze. Fees and requirements for adding and removing a freeze vary by state. Also, if you are already a member of Experian IdentityWorks™, you can lock and unlock your Experian credit report at any time.
The Apache Software Foundation offered the following general advice to businesses and individuals using Apache Struts, as well as any other open- or closed-source supporting library, in their software products and services:
- understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
- establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.
- any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
- establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
- establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.
- and if your system runs on Linux, try SELinux. SELinux is a security enhancement to Linux that gives users and administrators finer control over access control, and it could probably have prevented this from happening.