By now everyone should already be aware that criminals attacked Equifax’s website, gaining access to the private information of nearly half of all Americans, including Social Security numbers, addresses and driver’s licenses. Now Equifax is reporting that the intruders used a two-month-old vulnerability in Apache Struts (CVE-2017-5638) that was left unpatched.
Everyone has a right to be mad at Equifax. Clearly they should have patched their systems. But doing so is difficult and time-intensive, as Dan Goodin reports on Ars Technica:
“As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.” – Dan Goodin
And even with fully patched systems, there are still zero-days yet to be discovered. These types of attacks will continue.
The question then is, what can be done to contain the damage from such leaks?
The best way to minimize the fallout from “cyber” attacks (I hate that word) would be for the Social Security Administration to allow people to change their Social Security numbers as a preventative measure, before their information is used fraudulently. Currently, changing your Social Security number requires that you prove you are the victim of ongoing identity theft.
According to the Social Security Administration, you must provide proof that you are already the victim of identity theft in order to change your SSN:
We can assign a different number only if:
- Sequential numbers assigned to members of the same family are causing problems;
- More than one person is assigned or using the same number;
- A victim of identity theft continues to be disadvantaged by using the original number;
- There is a situation of harassment, abuse or life endangerment; or
- An individual has religious or cultural objections to certain numbers or digits in the original number. (We require written documentation in support of the objection from a religious group with which the number holder has an established relationship.)
Allowing everyone to change their number at will, as they do their passwords, would go a long way toward mitigating the damage caused by the Equifax hack and similar breaches.