Equifax, Trans Union and the Software Supply Chain
One more time, Equifax is in the news – but they are not alone!
Users thought that Equifax had been hacked again because when customers went to a particular help page on their web site, they were redirected to a page directing them to download a malicious, fake Adobe Flash update.
Hopefully, no one is running Flash anymore, so the request to update Flash could be safely ignored anyway.
Given the optics of the whole thing, Equifax immediately took that page offline.
The IRS, who has reputation optics problems of its own and who just renewed a $7 million no-bid contract to Equifax AFTER the first breach, immediately suspended the renewed Equifax contract, even though doing so removed some functionality from the IRS web site. Given the complexity of government contracting rules, the IRS is limited in what it can and cannot do, but that didn’t stop Congress-critters from trying to score points with their constituents by yelling at the IRS.
In the meantime, researchers discovered that Transunion’s web site for Central America was serving up the same, exact malware! Within a couple of hours, Transunion said that they had fixed the web site and were scanning their other web sites to see which ones were affected or infected.
It turns out, in this case, that neither Transunion nor Equifax had been breached.
The problem was, as I keep saying at every opportunity, a software supply chain problem.
The software supply chain problem comes from the fact that most web sites integrate some (or a lot of) third party code. That code can be infected and then infect the users of the company’s web site.
In this case, both Transunion and Equifax used a company called Fireclick. Fireclick goes through a bunch of gyrations but eventually either displays a fake survey, a fake Flash update or another exploit. Fireclick, part of the conglomerate Digital River, provides web site analytics. Or at least it is supposed to. But, apparently, they got compromised and likely compromised HUNDREDS if not THOUSANDS of web sites that use their analytics software.
Fireclick, in turn, pulls in code from a fourth party, Netflame.
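One practical check that follows from this: before a page ships, inventory every script it pulls from other hosts and compare that list against the vendors you have actually approved. The following is an added example (not code from the original post, nor from Equifax, Transunion or Fireclick); the host names in it are constructed placeholders.

```python
# Added example (not from the original post): inventory a page's third-party
# <script> tags and flag those outside an approved-vendor allowlist or lacking
# Subresource Integrity. Host names are constructed placeholders, not real URLs.
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def third_party_scripts(html, first_party_hosts):
    """Return (host, src, has_sri) for scripts not served from first-party hosts."""
    parser = ScriptCollector()
    parser.feed(html)
    found = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc.lower()   # "" for relative (first-party) paths
        if host and host not in first_party_hosts:
            found.append((host, src, integrity is not None))
    return found

def audit(html, first_party_hosts, approved_vendors):
    """Flag third-party scripts from unapproved hosts or loaded without SRI."""
    findings = []
    for host, src, has_sri in third_party_scripts(html, first_party_hosts):
        if host not in approved_vendors:
            findings.append(("unapproved-vendor", src))
        if not has_sri:
            findings.append(("missing-sri", src))
    return findings

# Constructed sample: a first-party script, an approved vendor without SRI,
# and a script from a host nobody ever approved.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.vendor.test/tag.js"></script>
<script src="https://cdn.fourth-party.test/x.js"></script>
</head></html>"""

if __name__ == "__main__":
    for kind, src in audit(SAMPLE_HTML, {"www.example.test"}, {"analytics.vendor.test"}):
        print(kind, src)
```

A static inventory like this only sees the scripts written into the page; code that a vendor's script loads at runtime (the fourth-party case above) is invisible to it, which is exactly why the vendor contracts and risk program the post calls for still matter.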
So the question is – whose fault is this?
I lay the fault at the feet of companies that use third (and fourth) party code. As soon as a company decides to do that, they “own” the problems that code causes. No one cares that Equifax and Transunion use a third or fourth party. Users visited Equifax’s or Transunion’s web site and were served malicious content.
Equifax and Transunion deserve and get the black eye.
So if you develop software, pay others to develop software or use commercial or open source software (which should cover just about everyone with a computer), you need to understand this software supply chain problem and have a policy and procedures to deal with it.
Attackers have figured out time and time again that it is easier to attack your supply chain than to attack you.
AND, if the attackers are successful and your customers are compromised, they are going to come after you and the courts will, most likely, hold you liable.
So, besides creating a software supply chain risk management program, there are two more things for your to-do list. First, get cyber insurance so that you are not left holding the financial bag when your vendors screw up (while you might, possibly, be able to sue them, even if you are successful it will take you years to recover any money). Second, make sure that your contracts with third parties (assuming there are contracts and that you have some say over what is in them) hold those parties responsible and financially liable for damage that they cause to you. If there are no contracts, or you can’t get the vendor to assume the liability for infecting you, you need to make sure that you address that risk in your risk management program.
Information for this post came from SC Magazine, Politico and Ars Technica.