Kristian Erik Hermansen
kristian.hermansen at gmail.com
Wed Sep 27 18:06:39 UTC 2017
But clearly Equifax didn't know ALL public facing attack surfaces
controlled by Equifax which were affected by that vulnerability. A bug
bounty likely would have surfaced those missing attack surfaces. Internal
folks always make assumptions about their own network, which is biased and
almost never reality.
From the Equifax blog post:
- Based on the company's investigation, Equifax believes the
unauthorized accesses to certain files containing personal information
occurred from May 13 through July 30, 2017.
- The particular vulnerability in Apache Struts was identified and
disclosed by U.S. CERT in early March 2017.
- Equifax's Security organization was aware of this vulnerability at
that time, and took efforts to identify and to patch any vulnerable systems
in the company's IT infrastructure.
- While Equifax fully understands the intense focus on patching efforts,
the company's review of the facts is still ongoing. The company will
release additional information when available.
There is also no mention of the other International systems that had
"admin/admin" as the portal credentials to some customer data.
Just like when Yahoo was affected by Heartbleed in 2014 and went on to
write a blog post (months later) about "all systems being fully patched and
Heartbleed no longer being on the Yahoo network", I disclosed numerous
additional systems that Yahoo operated that were still unpatched and
leaking private data. It's hard to identify ALL attack surfaces. And even
if Equifax thought they were well patched, maybe they forgot to reload the
application / libraries or reboot the systems.
Anyone that has run a full-entity, Internet-facing penetration test knows
that there is the list that you get from the client that they THINK is the
attack surface...and that list is almost always incomplete. It's the duty
of a pentester to fill in those gaps, validate if the list is complete, and
suggest additional targets for inclusion if appropriate. External attackers
don't have that internal organizational bias and that's why you should
consult wide external expertise for something so important.
I still stand by the claimed benefits of such a bug bounty system. It's
clear that Equifax hadn't patched enough systems quickly enough...well into
March and beyond. What if I told you Equifax still has at least one
publicly facing system still vulnerable to that March Struts bug? Would
that change your mind?
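The scope-validation step the post describes (take the client's list, compare it against what external recon actually finds, and propose the gaps for inclusion) is shown below as an added example; it is not code from the original post or from Equifax/Yahoo. All hostnames, netblocks and resolved addresses are constructed sample data (RFC 5737 test ranges), and the `reconcile` / `ScopeReport` names are this example's own. A discovered host is treated as "controlled by the client" when it resolves into a netblock the client says it owns, which is exactly the case an internal inventory tends to miss.

```python
"""Reconcile a client's claimed Internet-facing scope with externally
discovered hosts, flagging assets the client controls but did not list.
Added example; all data below is constructed (hypothetical names,
RFC 5737 test addresses), not real scope from any engagement."""
import ipaddress
from dataclasses import dataclass, field

# What the client THINKS the attack surface is (note the stale entry and odd casing).
CLIENT_SCOPE = ["www.example.com", "API.example.com",
                "portal.example.com", "old.example.com"]
# Netblocks the client states it owns.
CLIENT_NETBLOCKS = ["203.0.113.0/24", "198.51.100.0/25"]
# Hostnames an external tester found (CT logs, passive DNS, brute force),
# with the addresses they resolved to at the time of recon.
DISCOVERED = {
    "www.example.com": ["203.0.113.10"],
    "api.example.com": ["203.0.113.11"],
    "portal.example.com": ["203.0.113.12"],
    "legacy-struts.example.com": ["203.0.113.77"],   # owned IP, never listed
    "dev-portal.example.com": ["198.51.100.9"],      # owned IP, never listed
    "intl-admin.example.co.uk": ["198.51.100.40"],   # other TLD, owned range
    "cdn.example.com": ["192.0.2.55"],               # resolves to a third party
    "www.example.com.": ["203.0.113.10"],            # duplicate with trailing dot
}


@dataclass
class ScopeReport:
    confirmed: set = field(default_factory=set)          # listed and found
    unlisted_owned: dict = field(default_factory=dict)   # found, owned, not listed
    third_party: dict = field(default_factory=dict)      # found, outside owned ranges
    missing_from_recon: set = field(default_factory=set) # listed but not found


def normalize_host(name):
    """Lowercase and strip the trailing dot so duplicates collapse."""
    return name.strip().rstrip(".").lower()


def parse_netblocks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def owned_by_client(ip, netblocks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def reconcile(client_scope, client_cidrs, discovered):
    """Classify every discovered host against the client's list and netblocks."""
    netblocks = parse_netblocks(client_cidrs)
    listed = {normalize_host(h) for h in client_scope}

    # Merge recon results that differ only by case or trailing dot.
    seen = {}
    for host, ips in discovered.items():
        seen.setdefault(normalize_host(host), set()).update(ips)

    report = ScopeReport()
    for host, ips in seen.items():
        owned = any(owned_by_client(ip, netblocks) for ip in ips)
        if host in listed:
            report.confirmed.add(host)
        elif owned:
            # The gap the post talks about: client infrastructure nobody scoped.
            report.unlisted_owned[host] = sorted(ips)
        else:
            report.third_party[host] = sorted(ips)
    # Listed hosts recon never saw suggest a stale inventory, worth asking about.
    report.missing_from_recon = listed - set(seen)
    return report


if __name__ == "__main__":
    r = reconcile(CLIENT_SCOPE, CLIENT_NETBLOCKS, DISCOVERED)
    print("confirmed:          ", sorted(r.confirmed))
    print("propose for scope:  ", r.unlisted_owned)
    print("needs ownership check:", r.third_party)
    print("listed but not found:", sorted(r.missing_from_recon))
```

The `unlisted_owned` bucket is the output to hand back to the client as proposed additions; `third_party` hosts are not automatically out of scope (a CDN or SaaS front may still carry the client's data) and need an ownership conversation rather than a silent drop.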