Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later

blakeyrat

Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit

Shockingly, once they'd fixed the certificate error that was preventing their intrusion detection software from working, they almost immediately noticed the breach.

Scarlet_Manuka

@blakeyrat Interesting. I wonder how many of us have expired or broken SSL certificates on internal systems, that are just ignored because it's not noticeably affecting operations and isn't seen to be worth the effort to get fixed?

Tsaukpaetra

@Scarlet_Manuka said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

I wonder how many of us have expired or broken SSL certificates on internal systems, that are just ignored because it's not noticeably affecting operations and isn't seen to be worth the effort to get fixed?

Literally nothing inside the office has real certificates because to set up a PKI. Chrome really loves this.

Scarlet_Manuka

@Tsaukpaetra Yeah, when I was writing that I had in mind some of our application servers that just use self-signed certs. Chrome complains whenever I connect to the application admin portal, and I click on Advanced and tell it to connect anyway. Nobody but a few of our staff should ever need to access that portal, so there's no incentive to get proper certs for them.

dcon

@Scarlet_Manuka said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

@Tsaukpaetra Yeah, when I was writing that I had in mind some of our application servers that just use self-signed certs. Chrome complains whenever I connect to the application admin portal, and I click on Advanced and tell it to connect anyway. Nobody but a few of our staff should ever need to access that portal, so there's no incentive to get proper certs for them.

That's our Jenkins server. On my old machine, I imported some cert to make that trusted. On my new machine... well ...

Tsaukpaetra

@dcon said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

@Scarlet_Manuka said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

@Tsaukpaetra Yeah, when I was writing that I had in mind some of our application servers that just use self-signed certs. Chrome complains whenever I connect to the application admin portal, and I click on Advanced and tell it to connect anyway. Nobody but a few of our staff should ever need to access that portal, so there's no incentive to get proper certs for them.

That's our Jenkins server. On my old machine, I imported some cert to make that trusted. On my new machine... well ...

It should only take about fourteen clicks to do the same in any new machine, assuming you have admin privileges.

dcon

@Tsaukpaetra said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

It should only take about fourteen clicks to do the same in any new machine

hence

assuming you have admin privileges.

Of course! I'm a Windows dev in a Mac-based company. They don't want to administer me!
Edit: I know I've posted this before... We don't need no steekin domain. Workgroups baby!

Lorne Kates

@blakeyrat said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

And let security kit fail for 10 months due to bad cert

So there's going to be jail time over this because of criminal negligence, right?

Right?

Oh wait I forgot it's America... where corporations are people... and corporations are rich... and rich people don't go to jail.

Lorne Kates

@Lorne-Kates said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

rich people don't go to jail.

In fact, how much do you want to bet that someone at the CIO level actually got a BONUS out of this, because the bonus's criteria is to go 10 months without any security alerts.

Tsaukpaetra

@dcon said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

We don't need no steekin domain. Workgroups baby!

When I came on, we were using Homegroup (somehow). Glad I moved us off of that, now we're in a domain and stuff is only kinda broken.

Still no idea why it's so hard to keep a networked-computer enumeration up to date in the Network view, but we don't directly access each other's machines all willy nilly anymore...

dcon

@Tsaukpaetra said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

but we don't directly access each other's machines all willy nilly anymore...

Here, we keep it simple. Sneaker-net. Well, Slack. Same thing. Almost.

Tsaukpaetra

@dcon said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

@Tsaukpaetra said in Equifax had intrusion prevention software installed at the time of their hack-- didn't bother checking to see if it was working until 10 months later:

but we don't directly access each other's machines all willy nilly anymore...

Here, we keep it simple. Sneaker-net. Well, Slack. Same thing. Almost.

I made it even simpler: Just remember that everything bob the builder builds is on the "bob" machine, so if you're looking for builds go to \\bob\builds . Stuff that's useful for everyone should be held by bob's shared folder (i.e. \\bob\shared ). Stuff that's system-critical goes to \\bob\critical . Other than that, use Bob the Builder ( http://bobthebuilder ) to direct your builds and whatnot to be delivered to people.

Bob (who is an actual server) is now doing his serverly duties properly instead of pretending on top of Windows 10. Of course, that means that it usually talks to itself a whole lot more, but that's fine, it's got lots of cores so it's not all that important.

Magus

@dcon Working with Slack does indeed make me instead walk around and talk to the actual humans I need to talk to more.

AlexMedia

@Magus

Yeah, Slack is awful.

El_Heffe

A gigantic fuckup, but still not as bad as Target, who had intrusion detection software running, and working, and sending out warnings.

And they ignored the warnings.

And then, there's this expert advice:

The Register on Twitter

Yes, that's right, my Social Security Number is 37c-15-E2$1.
You got a problem with that?
https://i.imgur.com/sHj1RR7.png