Comments
7 Takeaways From The Equifax Data Breach
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/20/2017 | 1:11:19 PM
New Discoveries
Perhaps I am a broken record, but I am amazed at the NEW IT SECURITY PROTOCOL discoveries that are made after every epic event - Delta, Merck, Equifax.  Such concepts are stunning - wow, like nobody thought of education for your user base (email basics) ----- power backup batteries in the bottom of a 42U server rack and a generator farm outside if needed ..... having on and offsite backups that are tested ---  patching applications and patching operating systems.  And always the management view that IT is just JUST an expense line item, so fire all the techs who know something and farm it all out to outsourcing firms that ONLY care about THEIR INVOICING.  Incredible how we shoot ourselves in the feet every single time. 
lunny
50%
50%
lunny,
User Rank: Apprentice
9/20/2017 | 11:55:04 AM
Simplify the Mess
The app vulnerability was just the ingress point.  There are many open windows and unlocked doors that allowed the intruders to move about laterally and vertically throughout the environment.  We'll know more details eventually, as the litigation is sure to push much of the story into the public record.  The intruders got in, hid, obtained privileged credentials, and subsequently enjoyed free reign.  It wasn't hard.

We've got to stop treating servers like pets.  They are cattle.  They should all be standardized and we should build them all at the touch of a button from a single image that is fully patched.  You should be able to do this at any time and in just a few minutes.  It's called orchestration.  We're using orchestration to push out new code, but we are too timid to use it to bake security into the mix.  Despite all of the virtualization and cloud implementatinos, we're still patching servers as if they were all special and physical.  This is insane!  This is why companies cannot realistically patch all of their servers.  They are afraid it will be hard, complex, and things will break.  They're right.  Because every systems administrator, application owner, IT executive, business executive thinks their systems are special.  Well-designed network segmentation and a strong privileged access management regime is critical.

Equifax was simply whistling past the graveyard.  What will be written on their tombstone now?
mrgorle@yahoo.com
50%
50%
[email protected],
User Rank: Apprentice
9/13/2017 | 9:34:21 AM
Excellent and well written article
Excellent Article Jay.  content and quality of the material is worth spending time eventhough 8 times clicking the clicking the arrow....


What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14084
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for MKCB, an Ethereum token. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will cause an integer overflow in sell().
CVE-2018-14085
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for UserWallet 0x0a7bca9FB7AfF26c6ED8029BB6f0F5D291587c42, an Ethereum token. First, suppose that the owner adds the evil contract address to his sweepers. The evil contract looks like this: contract Exploit { uint public start; function swe...
CVE-2018-14086
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for SingaporeCoinOrigin (SCO), an Ethereum token. The contract has an integer overflow. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will cause an integer overflow in sell(...
CVE-2018-14087
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for EUC (EUC), an Ethereum token. The contract has an integer overflow. If the owner sets the value of buyPrice to a large number in setPrices() then the "msg.value * buyPrice" will cause an integer overflow in the fallback functio...
CVE-2018-14088
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for STeX White List (STE(WL)), an Ethereum token. The contract has an integer overflow. If the owner sets the value of amount to a large number then the "amount * 1000000000000000" will cause an integer overflow in withdrawToFounde...