September 2017
Security is a System Property (1 September 2017)
Preliminary Thoughts on The Equifax Hack (16 September 2017)
Update on Equifax (18 September 2017)
Yet Another Update on Equifax (20 September 2017)

Update on Equifax

18 September 2017

A news report today claims that Equifax was hacked twice, once in March (which is very soon after the Struts vulnerability was disclosed) and once in mid-May. The news article does not say if the same vulnerability was exploited; it does, however, say that their sources claim that "the breaches involve the same intruders".

If it was the same exploit, it suggests to me one of the possibilities I mentioned two days ago: that the company lacked an comprehensive software inventory. After all, if you know there’s a hole in some package and you know that you’re being targeted by attackers who know of it and have used it against you, you have very strong incentive to fix all instances immediately. That Equifax did not do so would seem to indicate that they were unaware that they were still vulnerable. In fact, the real question might be why it took the attackers so long to return. Maybe they couldn’t believe that that door would still be open…

On another note, several people have sent me notes pointing out that Susan Mauldin, the former CSO at Equifax, graduated with degrees in music, not computer science. I was aware of that and regard it as quite irrelevant. As I and others have pointed out, gender bias seems to be a more likely explanation for the complaints. And remember that being a CSO is a thankless job.

Update: based on later information, disregard the first two paragrphs of this.