

Equifax is hackers' first to fall victim

Hackers “Strut” in Again… And Equifax (and 143 million customers) is probably just the first to fall victim

Here we go again: Yet another major breach exploiting a well-known vulnerability to which a patch was available long before the attack!

Criminals who potentially gained access to the personal data of up to 143 million Equifax customers exploited the Apache Struts vulnerability CVE-2017-5638. The stolen data may include Social Security numbers, birth dates, driver’s licenses, addresses and 209,000 credit card numbers – all of which may now put these people at risk of identity theft for the rest of their lives.

Apache Struts is a widely used open source component - a framework for Web servers - used by companies in commercial and in-house systems to take in and serve up data. The use case of this open-source component makes it a prime target for cyberattacks.

The suspected vulnerability was disclosed on March 7 and the patch was available at the SAME time. This is not a novelty. In fact, a patch being available at the time a vulnerability is disclosed is very common. According to the Flexera Vulnerability Review 2017, patches were available at the time of disclosure for 81 percent of the vulnerabilities in 2016.

The real problem is that it takes users much longer to patch vulnerabilities than it takes hackers to start exploiting them. This is not an isolated case. Just remember the consequences of the WannaCry attacks back in May. These examples show that organizations continue to leave a wide-open window of opportunity for hackers to take advantage of.

The cause of this problem is that organizations aren’t prepared to act on vulnerabilities in a timely manner – and this is the important point which is probably being forgotten while the Equifax breach makes headlines: Equifax has already identified the breach and is taking care of it, but they are probably just the first known victims.

“Equifax is probably just the first known victim,” said Jeff Luszcz, Vice President of Product Management at Flexera. “Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities. We should expect a long tail of incidents and breaches in the months – and potentially years – to come, as we still see attacks targeting Heartbleed, a vulnerability more than three years old.”

This episode is an important reminder for business leaders that it’s urgent to radically rethink the organization’s vision of cybersecurity. The incidents we see day-in, day-out in the news reveal that it’s the neglect of basic security best practices and poor integration of security policies into operations processes that makes it easy for hackers to succeed in their attacks – and makes it hard for security professionals to stop them.

“Patching this type of vulnerability is certainly not as simple as patching a desktop application,” said Kasper Lindgaard, Senior Director of Secunia Research at Flexera. “When it comes to vulnerabilities affecting the software supply chain, it’s important to align software design and engineering, operational and security requirements. This isn’t an easy task. However, the time frames of initial disclosure of the vulnerability and its patch on March 7 – up to two months before the first reported unauthorized access at Equifax, and the further delay of the actual detection of the breach on July 29 – currently indicate that the vulnerability was not handled with the priority that it should have. This is a common issue across industries that business leaders need to address sooner rather than later.”

This attack highlights the need for organizations to identify their risk windows and implement strategies to reduce the risks of a breach like the one affecting Equifax.

Flexera is uniquely positioned to help organizations, software suppliers and buyers address the challenges that give hackers these large windows of opportunity. The company enables them to track the open source components in their systems, and provides timely vulnerability intelligence for understanding risk and prioritization – with tools to simplify the processes of remediation.
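As an added example (not code from the article or from Flexera), the kind of component-inventory check the text argues for: scanning a Maven pom.xml for Apache Struts 2 dependencies still on a release affected by CVE-2017-5638. The affected version ranges are my recollection of the Apache Struts advisory rather than figures from the article, and the pom.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET
# Added example, not Flexera's tooling: flag Maven dependencies on Apache Struts 2
# versions affected by CVE-2017-5638. The ranges below are my recollection of the
# Apache Struts advisory, not data from the article; verify them before relying on this.
AFFECTED = [  # (lowest affected, highest affected, first fixed release), inclusive
    ((2, 3, 5), (2, 3, 31), "2.3.32"),
    ((2, 5), (2, 5, 10), "2.5.10.1"),
]
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed sample pom.xml: one vulnerable Struts core, one plugin already on a fixed release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.3.30</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId><version>2.5.10.1</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a property such as '${struts.version}' yields ()."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def fixed_version_for(version):
    """Return the release to upgrade to if `version` is in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        # Tuple order handles four-part releases: (2, 5, 10, 1) > (2, 5, 10), so it is clean.
        if v and low <= v <= high:
            return fixed
    return None

def find_struts_risks(pom_xml):
    """List (artifactId, version, fixed) for org.apache.struts dependencies that need patching."""
    hits = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "org.apache.struts":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        fixed = fixed_version_for(version)
        if fixed:
            hits.append((artifact, version, fixed))
    return hits

if __name__ == "__main__":
    for artifact, version, fixed in find_struts_risks(SAMPLE_POM):
        print(f"{artifact} {version} is affected by CVE-2017-5638; upgrade to {fixed}")
```

Versions expressed as Maven properties parse to an empty tuple and are skipped, so a real inventory run should resolve `<properties>` first or pair this with the build tool's dependency report.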


© Scoop Media
