The 2017 Equifax data breach is in the news again because of the recent indictment of four members of the Chinese military for carrying out the break-in. How did they pull off such a feat? From China? As it turns out, Equifax’s defenses were so pathetic that a couple of bright nerd wise guys anywhere could have done it.
By contrast, the Equifax hacking could not possibly happen at a car dealership – unless the dealership were run by government and corporate cybersecurity experts. Understanding why that’s so tells you everything you need to know about the expertise of the experts.
The 2017 Equifax hack
First, a quick – VERY quick – review of the Equifax hack. Equifax has websites. One of them is just for people who want to dispute their credit rating. That site was built on a piece of web software (the Apache Struts framework) with a serious flaw that let a skilled outsider get past the normal consumer web pages and run their own programs on the server. A fix for the flaw was available and easy to install, but because of a series of bungles and delays, the fix wasn’t installed for months.
The flawed software was in wide use, and both the flaw and the fix for it were public. Anyone could have read about it and scanned the internet for websites on which the fix had not been installed. Someone found that the Equifax site had the flaw, exploited it, and ran a couple of programs without doing much else.
More than a month later, with the flaw still unpatched, someone got into the Equifax server again and started “looking around.” They found a file of usernames and passwords stored in the clear. They used those credentials to log in to a series of databases holding Equifax’s consumer data. For 76 days they used the databases the way an authorized user would, issuing queries that returned a great deal of consumer information, which they stored in files. They encrypted the files and used standard tools to ship them out of Equifax, presumably to themselves.
Hacking the Equifax-run car dealership
Suppose someone had tried the equivalent of the Equifax hack at a car dealership. The hacker would have physically walked in the service entrance, along with the other existing customers. The hacker knew that many doors had a security flaw in their lock that had not been fixed. The exact nature of the flaw had been publicized, and any reasonably skilled person who knew about doors and locks could exploit it. Once inside the customer service area of the dealership, the hacker looked for the “employees only” door, and quickly saw that it had not been fixed. The hacker walked up to the door, fiddled with it for a couple minutes, opened it and walked in. In a real car dealership, the employees would have immediately noticed a strange person and challenged him, politely showing him out. In the Equifax-run car dealership, the intruder is ignored.
Once in the employee section of the dealership, the hacker wanders around, poking into lots of things. Finally he walks into the finance department and wanders some more, again unchallenged. He notices a row of file cabinets against the wall, and figures there must be valuable information in there about customers and cars, with all sorts of details like names, addresses, driver’s licenses and who knows what else. But he sees the cabinets are locked. Darn! So he looks around some more and spots some keys sitting on someone’s desk. Even though it’s daytime and people are working at the desks, on the phone, etc., no one says a word when the intruder picks up the keys, walks over to the file cabinets, and tries one key after another until finding the one that works. He opens the cabinet, takes out a handful of folders, walks over to the copy machine, and makes a copy of every document in the handful of files. He then goes back to the file cabinet, returns the originals, puts the keys back on the desk, and walks out of the building the way he came, holding a big pile of copied pages in his arms. Unchallenged.
The next day, the hacker returns to the Equifax car dealership and goes through the same drill – goes into the employee-only section, then the finance department, uses the keys to open another drawer, makes copies and walks out, all without a single one of the many employees working there saying a thing. He does this day after day for 76 days.
Finally, someone notices that there’s supposed to be a guard by the employee entrance checking everyone – there always used to be one! So a guard is put there again. The guard notices that the daily visitor carrying lots of paper doesn’t look like everyone else – he’s carrying big piles of paper! The guard doesn’t stop the visitor, but reports to his boss; meanwhile, the visitor notices the guard, figures the jig is up, and stops coming.
More than a month later, the Equifax-run car dealership’s bosses finally let the word out that they had been hacked.
The Equifax breach vs. the car dealership
You already know that nothing even vaguely like the Equifax breach could have taken place in a car dealership. In the dealership, people have common sense and are dealing with physical things, while at Equifax, everything important happens on computers that are in locked rooms, with software that is invisible to nearly everyone, doing things that most experts barely understand, managed by people who have no real knowledge of software using management methods taught in business schools by professors who are ignorant of software, and following rules and regulations written by lawyers and bureaucrats. What can you expect but madness and chaos??
What went wrong at Equifax
Equifax’s cybersecurity methods followed regulations and industry-standard practices, with all required certifications. The result of these methods, when executed perfectly, is security that is worse than that of retail stores or libraries. In the end, Equifax made exactly two mistakes – but each mistake mattered because of further bungling and the failure of ordinary follow-up checks.
- The web application patch, the start of the trouble. The patch was announced on March 7, 2017.
- What they did: On March 9, administrators were told to apply the patch. They didn’t. On March 15 a scan was run that was supposed to detect unpatched systems. It found nothing, because it didn’t work. It wasn’t run again or fixed, and nobody asked why a scan for a known-bad system came back clean. Result: the patch wasn’t applied until the intrusion was discovered at the end of July.
- The bad traffic detection box. A great deal of web traffic is encrypted. Equifax had installed a box at the “edge” of their network to intercept incoming encrypted traffic, decrypt it, make sure nothing “funny” is going on, report suspicious activity, and re-encrypt and forward each message. It’s like a traffic stop for incoming traffic.
- What they did: the box decrypts traffic using a certificate, and certificates expire. The certificate on the box had expired 10 months before the hack started. Equifax failed to renew it, and the box was configured to fail open: with no valid certificate it passed encrypted traffic through uninspected, without raising an alarm. No one noticed until July 29, 2017, when the certificate was finally renewed. The moment the traffic stops resumed, an administrator noticed suspicious activity and sounded the alarm bells.
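The scan that came back clean and was never questioned is the failure a practitioner should dwell on. The following is an added example, not text or tooling from the original post or from Equifax: a minimal version-check scanner that (a) refuses to report “all clear” unless it can detect a known-vulnerable canary host, and (b) reports hosts it could not read instead of silently counting them as patched. The post doesn’t name the flawed software; it was the Apache Struts framework, and the fixed version numbers below (2.3.32 and 2.5.10.1) are the ones its March 2017 advisory gave. The host inventory and hostnames are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Fixed versions per release branch, from the March 2017 Apache Struts advisory:
# the 2.3 line was fixed at 2.3.32 and the 2.5 line at 2.5.10.1.
FIXED_VERSIONS = {"2.3": "2.3.32", "2.5": "2.5.10.1"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_unpatched(version: str) -> bool:
    """True if the installed version is below the fixed version for its branch."""
    branch = ".".join(version.split(".")[:2])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return True  # unknown branch: escalate to a human rather than stay silent
    return parse_version(version) < parse_version(fixed)


def scan(inventory: Dict[str, Optional[str]]) -> Tuple[List[str], List[str]]:
    """Return (unpatched_hosts, unanswered_hosts).

    A host whose version the probe could not read is recorded as None and
    reported separately: 'no finding' must never be read as 'patched'."""
    unpatched = sorted(h for h, v in inventory.items() if v is not None and is_unpatched(v))
    unanswered = sorted(h for h, v in inventory.items() if v is None)
    return unpatched, unanswered


CANARY_HOST = "canary-known-vulnerable"  # constructed name for the self-check host


def scan_with_selfcheck(inventory: Dict[str, Optional[str]]) -> Tuple[List[str], List[str]]:
    """Run the scan only after proving it can see a host that is known to be bad.

    A scanner that misses the canary is broken, and a clean result from a
    broken scanner is exactly the false comfort described in the post."""
    probe = dict(inventory)
    probe[CANARY_HOST] = "2.3.31"  # one release short of the fix
    unpatched, unanswered = scan(probe)
    if CANARY_HOST not in unpatched:
        raise RuntimeError("scanner self-check failed: known-vulnerable canary not detected")
    return [h for h in unpatched if h != CANARY_HOST], unanswered


# Constructed inventory for the example (hostname -> version string reported by the probe).
SAMPLE_INVENTORY: Dict[str, Optional[str]] = {
    "web-01": "2.3.31",       # still vulnerable
    "web-02": "2.3.32",       # patched
    "dispute-portal": None,   # probe got no answer: must be reported, not assumed clean
    "api-01": "2.5.10.1",     # patched on the 2.5 line
}

if __name__ == "__main__":
    unpatched, unanswered = scan_with_selfcheck(SAMPLE_INVENTORY)
    print("unpatched:", unpatched)
    print("could not verify:", unanswered)
```

The point of the canary is that a vulnerability scan is itself a piece of software that can fail; the only acceptable “nothing found” is one produced by a scanner that just demonstrated it finds things.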
I’m going to add this fact, just because I find it amusing: the Chief Security Officer was a music major, Susan Mauldin. She had degrees from U Georgia in music composition. Her background was scrubbed from the internet as soon as the scandal broke. Of course, you don’t need a college diploma to be excellent at software, IMHO. But in this case…
What car dealership management would do at Equifax
People who run car dealerships aren’t usually thought of as geniuses, but part of succeeding in business is protecting your customer records, and everyone involved takes care to do that and do it well. All that was required for Equifax to have avoided being hacked was to do the software equivalent of what every sensible car dealer employee would do. Obviously, such common sense is beyond the ken of the high-paid professionals and certified experts at large places like Equifax. Here are the main things that would be done if car dealer people replaced Equifax management.
- Recall/repair notice.
- The second a car dealer hears about a recall/repair issue for cars, they jump on it. Similarly, just exercising common sense, if they learn that the restricted entry system to the employees-only area has a fixable flaw, they would get it fixed immediately. No excuses. Car dealer management would have seen to it that the flaw was patched, and checked.
- Guard duty.
- At the car dealership, there is extra security around the finance department, which holds all customer data. During working hours, there is always someone alert to the door, challenging anyone entering who shouldn’t be there. Off-hours, there are deadbolts on the metal doors, along with an alarm system that has motion detectors and cameras, which gives an immediate alert on any sign of trouble. If the alarm system drops its constant, real-time communication with the monitored center, electronic alerts are sent, so the problem can be immediately fixed. The room and its data are NEVER left unprotected.
- With car dealership management, the certificate on the traffic checker wouldn’t have been allowed to expire. Instead of setting up the traffic checker to wave everything through when it could no longer decrypt, car management would have made it fail closed and set off alarms so the problem could be fixed right away.
- When car dealership management learned that only incoming traffic was being checked, they would have pitched a fit. What? You’re just letting anyone waltz out with anything?? They would have installed a system to stop and check outbound data traffic before letting it out.
- Keys
- Car dealership management would never allow the file cabinet keys (user names and passwords) to be lying around for anyone to pick up.
- Employee behavior monitoring.
- Car dealership management would make sure anyone opening a file cabinet was a person authorized to do so, and that their actions were reasonable. When they found out that anyone could open a drawer and pull out and copy ALL the files in that drawer, they would have been enraged. They would have immediately put a software system in place to ring a bell and prevent anyone from taking more than a single file.
- While at Equifax the only real checks were with people as they were coming in, after which they could do anything without being checked, car dealership management and employees know that everyone has roles and acts in certain ways – and that everyone is responsible for noticing unusual behavior and questioning it. With car dealership people in charge, the software equivalent of such monitoring for “normal” behavior would have been implemented and strictly enforced, with immediate shut-down of a user if they stepped outside the bounds of their normal actions.
- Car dealership management understands that audits need to be done, and that auditors need broad access to customer files. This is the ONLY time mass access to customer files would be permitted, and ONLY under the watchful, suspicious eyes of multiple dealership managers, who would ENSURE that all files were put back WITHOUT BEING COPIED.
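The expired-certificate bullet under “What went wrong” and the “fail closed, set off alarms” and “check outbound traffic” points above describe one configuration decision. The following is an added example, not code from the original post or from any inspection product: a small model of the inspection box’s policy, with the weak setting (fail open, inbound only) beside the corrected one (fail closed, both directions, early renewal warning). Certificate dates are given in the `notAfter` format Python’s `ssl.getpeercert()` reports; the dates and the 30-day warning threshold are constructed for the example.

```python
import ssl
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def cert_seconds(not_after: str) -> int:
    """Parse a notAfter string such as 'Jan 31 23:59:59 2016 GMT' to epoch seconds (UTC)."""
    return ssl.cert_time_to_seconds(not_after)


@dataclass
class Inspector:
    cert_not_after: str                  # expiry of the certificate the box decrypts with
    fail_open: bool                      # True = the weak setting: forward uninspected when decryption fails
    directions: Set[str] = field(default_factory=lambda: {"inbound", "outbound"})

    def days_until_expiry(self, now: int) -> int:
        """Negative once the certificate has expired."""
        return (cert_seconds(self.cert_not_after) - now) // 86400

    def decide(self, direction: str, now: int) -> Tuple[str, Optional[str]]:
        """Return (action, alert) for one flow.

        action is 'inspect', 'block' or 'pass-uninspected'; alert is a message
        for the operators or None. The weak configuration is the one that can
        return 'pass-uninspected' with alert None: traffic flows and nobody is told."""
        if direction not in self.directions:
            return "pass-uninspected", f"{direction} traffic is not configured for inspection"
        days = self.days_until_expiry(now)
        if days >= 0:
            alert = None
            if days < 30:  # constructed threshold: renew well before the box goes blind
                alert = f"inspection certificate expires in {days} days; renew now"
            return "inspect", alert
        if self.fail_open:
            return "pass-uninspected", None      # silent: what happened at Equifax
        return "block", f"inspection certificate expired; {direction} traffic blocked until renewed"


# Constructed scenario: the certificate expired long before the day the hack started.
NOW = cert_seconds("May 13 00:00:00 2017 GMT")
WEAK = Inspector("Jan 31 23:59:59 2016 GMT", fail_open=True, directions={"inbound"})
FIXED = Inspector("Jan 31 23:59:59 2016 GMT", fail_open=False)

if __name__ == "__main__":
    for name, box in (("weak", WEAK), ("fixed", FIXED)):
        for direction in ("inbound", "outbound"):
            print(name, direction, box.decide(direction, NOW))
```

With the weak configuration, both the inbound exploit traffic and the outbound data leaving the network get `('pass-uninspected', None)`: no inspection and no alert, for as long as the certificate stays expired. With the corrected configuration the same expiry produces a block and an alert on the first flow, which is the software equivalent of the alarm panel losing contact with the monitoring center.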
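The “employee behavior monitoring” points above (flag anyone pulling far more files than their job needs, and shut the account down at once) map onto a query-volume detector run over database audit logs. The following is an added example, not code from the original post or from Equifax: a detector that parses a constructed query-log format, compares each user’s per-query and per-day row counts against a baseline, and names the accounts to suspend. The log lines, usernames, baseline figures and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed audit-log format: "<ISO timestamp> user=<u> db=<d> rows=<n> stmt=<type>".
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+)")


def parse_log(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (day, user, db, rows) per well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"][:10], m["user"], m["db"], int(m["rows"])))
    return events


def detect(baseline: Dict[str, int], lines: List[str],
           per_query_cap: int = 1000, factor: int = 5, hard_cap: int = 10_000
           ) -> List[Tuple[str, str, int, str]]:
    """Return alerts as (day, user, rows, reason).

    baseline maps user -> typical rows per day, learned from past activity
    (supplied as a constant here). Three rules, in order of severity:
    a single statement returning more than per_query_cap rows; a daily total
    over hard_cap regardless of baseline; a daily total more than `factor`
    times the user's own normal. A user with no baseline is always flagged."""
    alerts = []
    events = parse_log(lines)
    for day, user, db, rows in events:
        if rows > per_query_cap:
            alerts.append((day, user, rows, f"single query returned {rows} rows from {db}"))
    daily = defaultdict(int)
    for day, user, _db, rows in events:
        daily[(day, user)] += rows
    for (day, user), rows in sorted(daily.items()):
        typical = baseline.get(user)
        if typical is None:
            alerts.append((day, user, rows, "no baseline for this user"))
        elif rows > hard_cap:
            alerts.append((day, user, rows, f"daily total over hard cap {hard_cap}"))
        elif rows > factor * typical:
            alerts.append((day, user, rows, f"daily total {rows / typical:.0f}x this user's normal"))
    return alerts


def users_to_suspend(alerts: List[Tuple[str, str, int, str]]) -> List[str]:
    """The post's rule: step outside normal bounds and the account is shut down at once."""
    return sorted({user for _day, user, _rows, _reason in alerts})


# Constructed baseline and log lines for the example.
SAMPLE_BASELINE = {"jsmith": 300, "rlee": 150}
SAMPLE_LOG = """\
2017-05-14T09:12:01Z user=jsmith db=consumer rows=120 stmt=SELECT
2017-05-14T09:40:37Z user=jsmith db=consumer rows=80 stmt=SELECT
2017-05-14T10:02:11Z user=rlee db=consumer rows=150 stmt=SELECT
2017-05-14T10:03:45Z user=rlee db=consumer rows=400 stmt=SELECT
2017-05-14T10:04:02Z user=rlee db=disputes rows=900 stmt=SELECT
2017-05-14T11:30:00Z user=svc-legacy db=consumer rows=50 stmt=SELECT
2017-05-15T02:14:09Z user=rlee db=consumer rows=12000 stmt=SELECT
this line is garbage and is skipped
"""

if __name__ == "__main__":
    found = detect(SAMPLE_BASELINE, SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("suspend:", users_to_suspend(found))
```

On the sample, `jsmith` stays inside normal bounds and raises nothing; `rlee` is flagged on the first day for a daily total about ten times normal and on the second day for one statement that returned 12,000 rows; and `svc-legacy`, an account nobody has a baseline for, is flagged on sight. Real deployments tune the thresholds per role and per database, but the shape is the same: the alert fires on the first out-of-pattern day, not 76 days later.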
Expert recommendations for Equifax
The “experts” have had a wide-ranging set of advice for Equifax. Equifax has spent over $1.4 billion making largely useless “improvements” to its security. I haven’t read ANYWHERE recommendations of the kind of changes any sensible car dealership would make, as described above.
Here are some of the leading recommendations of what Equifax should do to improve their cybersecurity:
- Change management reporting, processes and procedures.
- I love this one. It’s a commonly-recommended “cure” for cybersecurity ills.
- Encrypt all customer data
- This is a favorite, and widely recommended. It is USELESS. It would NOT have prevented the Equifax hack!! Why? Easy: once the hackers were in and using stolen employee credentials, they just issued SQL queries against the database. If the data on disk is encrypted, the database decrypts the disk blocks, processes the SQL query, and returns UN-encrypted data to whoever is logged in. Otherwise the data couldn’t be used at all!
- Encrypting data on disk is like having locked, strong metal file cabinets. But authorized people still need access. Therefore, file cabinets have drawers and keys. When you open the drawer, the data is easily accessed. Encrypting data “at rest,” as they say, protects only against hackers who somehow get hold of the disks or backups without the key, the equivalent of drilling into the cabinet from the side or bottom. Who would do that? It’s easier to steal the keys or break the lock!
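The following is an added example, not code from the original post or from any database product: a toy model of encryption at rest that makes the point above concrete. The “disk” holds only ciphertext and the key stays with the database engine, yet any session that logs in with valid credentials gets plaintext back, because the engine decrypts transparently on every query; only someone who copies the raw disk blocks without the key is stopped. The stream cipher (HMAC-SHA256 in counter mode), the fixed key, the sample record and the plaintext credentials file are all constructed for the example and not fit for real use.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce || counter). Illustration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class EncryptedDisk:
    """Encryption at rest: blocks on disk are ciphertext; the key never leaves the engine."""

    def __init__(self, key: bytes):
        self._key = key
        self._blocks: Dict[str, bytes] = {}

    def write(self, row_id: str, plaintext: bytes) -> None:
        self._blocks[row_id] = toy_xor(self._key, row_id.encode(), plaintext)

    def read(self, row_id: str) -> bytes:
        return toy_xor(self._key, row_id.encode(), self._blocks[row_id])

    def raw_blocks(self) -> Dict[str, bytes]:
        """What someone who copies the disk, but not the engine's key, walks away with."""
        return dict(self._blocks)


class Database:
    """A database engine: authenticates sessions, then answers queries with decrypted rows."""

    def __init__(self, disk: EncryptedDisk, accounts: Dict[str, str]):
        self._disk = disk
        self._pw_hashes = {u: hashlib.sha256(p.encode()).digest() for u, p in accounts.items()}
        self._sessions: Dict[str, str] = {}

    def login(self, user: str, password: str) -> str:
        expected = self._pw_hashes.get(user)
        given = hashlib.sha256(password.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        self._sessions[token] = user
        return token

    def query(self, token: str, row_id: str) -> bytes:
        """Any authenticated session gets plaintext: the engine decrypts transparently."""
        if token not in self._sessions:
            raise PermissionError("no session")
        return self._disk.read(row_id)


CUSTOMER_ROW = b"Jane Doe|1985-04-02|acct=00012345"                # constructed sample record
CREDENTIALS_FILE = "db_user=reportsvc\ndb_pass=Winter2016!\n"    # constructed 'file with names and passwords'


def parse_credentials_file(text: str) -> Tuple[str, str]:
    kv = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return kv["db_user"], kv["db_pass"]


def build_demo() -> Tuple[Database, EncryptedDisk]:
    disk = EncryptedDisk(key=b"\x01" * 32)   # fixed key so the example is deterministic
    disk.write("cust-0001", CUSTOMER_ROW)
    return Database(disk, {"reportsvc": "Winter2016!"}), disk


def stolen_credentials_attack() -> bytes:
    """The Equifax path: stolen credentials, normal login, normal query, plaintext out."""
    db, _ = build_demo()
    token = db.login(*parse_credentials_file(CREDENTIALS_FILE))
    return db.query(token, "cust-0001")


def stolen_disk_attack() -> bool:
    """The only attacker at-rest encryption stops: one who copies the disk blocks. True if the record is readable."""
    _, disk = build_demo()
    return any(CUSTOMER_ROW in block for block in disk.raw_blocks().values())
```

`stolen_credentials_attack()` returns the full customer record even though nothing on the disk is ever stored in the clear, while `stolen_disk_attack()` finds nothing. Encryption at rest is worth having against lost drives and backup tapes; it is simply the wrong control for an attacker who has the keys to the drawer.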
- Create more silos
- The nice-sounding theory is that breaking everything into silos would limit a break into just one silo. But far from being a solution, silos were actually part of the problem at Equifax – applying the delayed software patch required writing memos and asking multiple people to do things, when in a uniform environment, a single script could have updated everything.
- Change the reporting structure
- Because when you change who reports to whom, everything changes, right? In Equifax’s case, the Chief Security Officer reported to the Chief Legal Officer, while the Chief Information Officer reported to the CEO. “That’s the cause of the breach!” shrieked an amazing number of pundits!
- What there should probably be is two Security Officers:
- A CSRO, Chief Security Regulation Officer, who reports to the Chief Legal Officer. This person is in charge of the massive, ever-changing, lawyer-created body of regulations that are supposed to ensure Security. There are severe penalties if you fail to conform to the regulations, which require loads of reports, processes, documents, etc. But they have little to do with real security.
- A CRSO, Chief Real Security Officer, who reports to the Chief Technology Officer. This person is in charge of making sure that real security is performed, in spite of the regulations.
Conclusion
Computer software and systems are hard to understand, a problem made worse by the fact that they’re literally invisible. You'd think that would be OK, since for example even fewer people understand quantum physics and we’re OK in physics. The trouble is, the people doing physics really do understand it, while the people doing software in general, and cybersecurity in particular, are faking it – without even suspecting, in spite of the mountain of evidence to the contrary, that they’re faking it.
The result is that government agencies, powerful consultants and weighty experts recommend more of the same medicine that created the problem, without a shred of recognition that it was their own rank stupidity that caused the problems to begin with.
For more perspective on this subject, see these posts.
Note: this post first appeared at Forbes.