Equifax mega-breach: Security bod flags header config conflict

Help wanted at Equifax. Badly

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration.

The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress next month, and as the FTC said it was investigating the credit reference agency.

Equifax’s security header configuration

“Many of the headers are more about addressing the basics, but as a site that serves over HTTPS they should really have features like HSTS and CSP enabled to offer their visitors a higher level of protection,” Helme told El Reg.

“The current misconfiguration that is present on the site with duplicated headers and conflicting values just raises questions about why the basics aren’t being done properly.”
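The class of problem Helme describes (the same header sent twice with conflicting values, and HSTS or CSP absent on an HTTPS site) is easy to check mechanically. The script below is an added example written for this page; it is not from the article, from Equifax, or from Helme's own tooling. The two response heads it inspects are constructed for the example and are not Equifax's actual responses, and the one-year HSTS max-age threshold is an assumed value.

```python
import re
from collections import defaultdict

# Assumed threshold: flag HSTS policies shorter than one year as weak.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw):
    """Parse a raw HTTP response head into {lower-case name: [values]}.

    Every occurrence is kept, so a header that is sent twice shows up as a
    two-element list instead of silently collapsing to the last value.
    """
    headers = defaultdict(list)
    lines = raw.strip().splitlines()
    for line in lines[1:]:            # lines[0] is the status line
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                  # skip malformed lines
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def audit_headers(headers, is_https=True):
    """Return a list of (kind, header, values) findings.

    kind is one of:
      conflict  - header repeated with different values
      duplicate - header repeated with identical values
      missing   - HSTS or CSP absent on an HTTPS response
      weak      - HSTS present but max-age missing or below MIN_HSTS_MAX_AGE
    """
    findings = []
    for name, values in headers.items():
        if len(values) > 1:
            kind = "conflict" if len(set(values)) > 1 else "duplicate"
            findings.append((kind, name, values))
    if is_https:
        for name in ("strict-transport-security", "content-security-policy"):
            if name not in headers:
                findings.append(("missing", name, []))
        for value in headers.get("strict-transport-security", []):
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append(("weak", "strict-transport-security", [value]))
    return findings


# Constructed sample: duplicated and conflicting headers, no HSTS, no CSP.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

# Constructed sample: the same site with a sane header set.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

# Constructed sample: headers present but HSTS lifetime far too short.
SHORT_HSTS_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'
Content-Type: text/html
"""


def audit_raw(raw, is_https=True):
    """Convenience wrapper: parse then audit a raw response head."""
    return audit_headers(parse_headers(raw), is_https)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE),
                       ("hardened", HARDENED_RESPONSE),
                       ("short-hsts", SHORT_HSTS_RESPONSE)):
        print(label)
        for kind, name, values in audit_raw(raw):
            print(f"  {kind:9} {name} {values}")
```

Pointing this at a live site is a matter of swapping the constructed strings for the raw head of a real response (for instance the output of `curl -sI https://example.com`); the parser keeps every repeated header on purpose, because a client library that exposes headers as a plain dict would hide exactly the duplication Helme is describing.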

Earlier this week, Equifax admitted that hackers exploited an Apache Struts vulnerability (CVE-2017-5638) to break into its systems. A fix had been available since March 7, but Equifax failed to apply it promptly, and the intrusion was not detected until more than two months after it began.

The breach – which began in mid-May, was discovered in late July, but was disclosed only last week – affected 143 million US consumers and an as-yet undisclosed number of Brits and Canadians.

Criminals gained access to names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of millions of Americans – as well as the credit card numbers of 209,000 US consumers. The whole sorry mess raises a number of important questions.

Three top Equifax executives, including its chief financial officer, sold a combined $1.8m worth of stock in the consumer credit reporting agency after the breach was detected but before it was made public. Equifax said that the executives had had “no knowledge that an intrusion had occurred at the time they sold their shares.”

US data privacy watchdogs at the Federal Trade Commission have taken the unusual step of confirming they had launched an investigation into the Equifax breach.

Equifax chief exec Richard Smith has been called to testify before congressional lawmakers at the beginning of October. Smith is due to appear before the House Energy and Commerce Committee on October 3. ®

Bootnote

Another security researcher reported that he’d begun receiving spam emails at a single-use email address he’d used uniquely to register with Equifax years earlier, but we’ve not seen widespread evidence that data has escaped into the wild yet.



Biting the hand that feeds IT © 1998–2017