Language Selection

English French German Italian Portuguese Spanish

Apache Mounts Strong Defense, Equifax Retreats

Filed under
Security

One of the largest financial data breaches in U.S. history, it exposed names, addresses, Social Security Numbers, birth dates, driver's license numbers and other sensitive information belonging to 143 million U.S. consumers, as well as data belonging to an undisclosed number of UK and Canadian consumers.

The attackers also accessed credit card data for about 209,000 consumers and credit dispute information for about 182,000 consumers, Equifax said.

[...]

However, with respect to the possibility that it resulted from an exploitation of a vulnerability in the Apache Struts Web Framework, it was not clear which vulnerability could have been utilized, Gielen said.

One assumption connected the breach to CVE-2017-2805, one of several patches Apache announced on Sept. 4.

"However, the security breach was already detected in July, which means that the attackers either used an earlier announced vulnerabiity on an unpatched Equifax server or exploited a vulnerability not known at this point in time -- a so called Zero Day Exploit," Gielen noted.

The committee members have put enormous effort into "securing and hardening the software we produce," he added, and they fix problems that come to their attention.

There's a distinction between the existence of an unknown flaw in the wild for nine years and failing to address a known flaw for nine years, said Gielen, emphasizing that the committee just learned about this flaw.

The has not had any contact with anyone using the @equifax domain on any Apache list in more than two years, said Apache spokesperson Sally Khudairi.

"To be clear, whilst we haven't had contact with anyone using the @equifax domain -- official or otherwise -- that is not to say there isn't a chance that someone from their team may have done so using an alternate channel," she told LinuxInsider.

Read more

More in Tux Machines

GPL Violations: Grsecurity Carries on Bullying Bruce Perens, Israel Complies with AGPL, Xiaomi Violates GPL

  • Linux's Grsecurity dev team takes blog 'libel' fight to higher court
    Open Source Security, Inc., the maker of the Grsecurity Linux kernel patches, suffered a setback last month when San Francisco magistrate judge Laurel Beeler granted a motion by defendant Bruce Perens to dismiss the company's defamation claim, with the proviso that the tossed legal challenge could be amended. The code biz and its president Brad Spengler sued Perens over a blog post in June in which Perens said that using the firm's Grsecurity software could expose customers to a contributory infringement claim under the terms of the Linux kernel's GPLv2 license. Open Source Security contends that statement has damaged its business.
  • Israel’s Information and Communications Technology Authority Bows to Pressure to Comply with Affero GPL
    Under pressure from open source advocates, the Israeli Information and Communications Technology (ICT) Authority recently shared its first open source software, extensions made by the ICT Authority to the CKAN data portal platform to help make the platform usable in Hebrew. The CKAN software is an open source data portal platform used since 2016 by the ICT Authority to make Israeli government data open and available on its government database website. The CKAN software is licensed under the GNU AGPL Version 3 license, an “ultra-strong” open source license that requires users of modified versions of CKAN software to offer its source code, even in the absence of distribution, to users interacting with software over the Internet.
  • Xiaomi Violating GPL 2.0 License With Mi A1 Kernel Sources
    Xiaomi is in violation of the GPL 2.0 license of the Linux Kernel project by still not releasing the kernel sources for the Mi A1 Android One and has been publicly criticized on the matter by established Android developer Francisco Franco earlier this week. While the smartphone was released in September and the Chinese consumer electronics manufacturer’s official policy is to publicize kernel sources for its devices within three months of their market launch, the Android One edition of the Mi A1 remains undetailed in this regard. Mr. Franco — best known for his work on the Franco Kernel, one of the most popular custom OS cores in the Android ecosystem — had some harsh words for the company on Twitter, calling its laidback approach to publicizing the kernel sources for the Mi A1 “an embarrassment” for the open source community and the type of software it allows it to create its commercial devices in the first place.

Security: Updates, Secure Contexts, EFF, Google, Fedora

today's howtos

Introducing my new friend: a Slimbook

I have been following Slimbook for some time now. As you probably know, they ship a KDE laptop that is very cool, with KDE Neon pre-installed. They have attended to a couple of events I have attended to so I have been able to test their laptops, get feedback from buyers and ask them questions directly. The fact that they are a Spanish company was a beautiful surprise, We do not have that many hardware integrators and vendors in Spain. But what definitely caught my attention was the fact that they pay a lot of attention to the software. They ship the laptops with Linux pre-installed. Ok, that is not new any more. But they do pre-install several different distros. Now, that’s uncommon. But news do not stop there. Read more