k8ek8e at gmail.com
Wed Sep 27 20:07:20 UTC 2017
I actually tried helping coordinate one of the new bugs that someone found
and wanted to report to Equifax. Unfortunately, before they had time to
even look up from their current conflagration, eyebrows still singed, a
reporter published it.
At this instant, even one bug report, while completely helpful in the
micro-sense, is process-wise another tax on the resources they have working
on the big breach. It still has to go into the queue of their existing
technical debt in a long mission of what they are already clearly
Not to say don't report it - definitely do and I can help if that's the
issue. But that is very different than recommending a bug bounty to them
But a homeowner currently putting out a fire on their house shouldn't be
simultaneously setting up a bug bounty program to pay for folks to point
out that each blade of dry grass on their lawn is also flammable and could
cause another fire.
On Wed, Sep 27, 2017 at 11:06 AM, Kristian Erik Hermansen <kristian.hermansen at gmail.com> wrote:
> But clearly Equifax didn't know ALL public facing attack surfaces
> controlled by Equifax which were affected by that vulnerability. A bug
> bounty likely would have surfaced those missing attack surfaces. Internal
> folks always make assumptions about their own network, which is biased and
> almost never reality.
> From the Equifax blog post:
> - Based on the company's investigation, Equifax believes the
> unauthorized accesses to certain files containing personal information
> occurred from May 13 through July 30, 2017.
> - The particular vulnerability in Apache Struts was identified and
> disclosed by U.S. CERT in early March 2017.
> - Equifax's Security organization was aware of this vulnerability at
> that time, and took efforts to identify and to patch any vulnerable systems
> in the company's IT infrastructure.
> - While Equifax fully understands the intense focus on patching
> efforts, the company's review of the facts is still ongoing. The company
> will release additional information when available.
> There is also no mention of the other international systems that had
> "admin/admin" as the portal credentials to some customer data.
> Just like when Yahoo was affected by Heartbleed in 2014 and went on to
> write a blog post about "all systems being fully patched and heartbleed no
> longer being on the Yahoo network" (months later), I disclosed numerous
> additional systems that Yahoo operated that were still unpatched and
> leaking private data. It's hard to identify ALL attack surfaces. And even
> if Equifax thought they were well patched, maybe they forgot to reload the
> application / libraries or reboot the systems.
> Anyone that has run a full entity Internet facing penetration test knows
> that there is the list that you get from the client that they THINK is the
> attack surface...and that list is almost always incomplete. It's the duty
> of a pentester to fill in those gaps, validate if the list is complete, and
> suggest additional targets for inclusion if appropriate. External attackers
> don't have that internal organizational bias and that's why you should
> consult wide external expertise for something so important.
> I still stand by the claimed benefits of such a bug bounty system. It's
> clear that Equifax hadn't patched enough systems quickly enough...well into
> March and beyond. What if I told you Equifax still has at least one
> publicly facing system still vulnerable to that March Struts bug? Would
> that change your mind?
> Dailydave mailing list
> Dailydave at lists.immunityinc.com