There are a whole bunch of questions to ask about the Equifax hack, as we’ve been pointing out the past week or so. An important one, which comes with the news that the company’s chief security officer and chief information officer are out, is this: What did Equifax know and when did it know it?
Lily Hay Newman is a security reporter at Wired magazine, where she’s covering Equifax. Kai Ryssdal spoke with Newman about the Equifax hack and what we know so far. Below is an edited transcript of their conversation.
Kai Ryssdal: I need you to tell me what this thing called Apache Struts is.
Lily Hay Newman: Yeah, so Apache Struts is a sort of framework that’s used for web applications and then also is running on servers that use those web applications. So in the case of Equifax, probably what happened is they had a server, a few servers, that were running a program, you know, that utilizes Apache Struts, and it wasn’t patched. So that allowed an attacker to exploit this known vulnerability and get onto that server. And, you know, go who knows where from there.
Ryssdal: And here we get to the nub of the thing, because apparently Apache Struts sent out a notice in March that there was a vulnerability: “Here’s your patch. All you companies who use us, update your stuff.” And Equifax did not do it.
Newman: Correct. They say that they were aware of the bug and the patch and that they had taken steps to patch their systems elsewhere. But they admit that they had had some oversights and there turned out to be places that needed the patch that hadn’t received it.
Ryssdal: Was this a technically difficult hack to make, do you think?
Newman: No. The initial exploitation of this vulnerability would have been pretty easy. I think the hardest thing would have been finding, you know, the vulnerable system in the first place. But that might not even have been that difficult. You know, we really don’t have a lot of technical details yet about what was going on all that time that the breach was happening. It’s pretty typical for an attacker to kind of lie in wait or sort of have a reconnaissance period. But, yeah, I mean, they could have detected it sooner and started remediation sooner, and that would have been productive.
Ryssdal: You know what’s funny is you’re talking about it almost in terms that make one think that it’s a person who’s in there hacking around in the system. And I guess it is, you know, operating the keyboard thing. But it’s an actual living thing inside Equifax’s systems, I guess is the point.
Newman: Yeah. I mean there’s a brains behind the operation. This is going to get even more wild if it’s not.
Ryssdal: So that goes to the point of: Could there still be something lurking inside of Equifax’s systems that they don’t know about?
Newman: It is possible. Certainly there are people claiming to be the attackers, you know, speaking to reporters on the dark web who say, “We’re still in Equifax’s system.” None of them have been validated. There are stories about so-called advanced persistent threats — APTs — where firms like Mandiant, the firm that’s reported to be working with Equifax, spend weeks in sort of all-out war with hackers, where every time they get a system back to the good guys, the attackers compromise a new system on the network. And, you know, it just is a cat and mouse [game].
Ryssdal: A necessary caveat here: As distressing as this is, this is not going to be the last time this happens.
Newman: And this wasn’t the first time it happened. You know, it fits into a steady stream of breaches and possible breaches over the past decades. Not to mention the past five years or something. This is a huge one though. You know, there’s no parallel so far.