Further evidence has emerged regarding the insecurity of Equifax's web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax's security header configuration. The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress early next month, and the FTC said it was investigating the credit reference agency.
Equifax's security header configuration
"Many of the headers are more about addressing the basics, but as a site that serves over HTTPS they should really have features like HSTS and CSP enabled to offer their visitors a higher level of protection," Helme told El Reg.
"The current misconfiguration that is present on the site, with duplicated headers and conflicting values, just raises questions about why the basics aren't being done properly." Earlier this week, Equifax admitted that hackers exploited an Apache Struts vulnerability (CVE-2017-5638) to break into its systems. The flaw had been patchable since March 7, but Equifax had failed to patch promptly. The intrusion was only detected more than two months later.
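Helme's two complaints (HSTS and CSP absent on an HTTPS site; headers duplicated with conflicting values) are exactly the kind of thing a defender can check mechanically. The following is an added example, not Helme's tooling or anything from Equifax: it parses a block of raw response headers, keeps every value for each header name so duplicates stay visible, and reports missing HSTS/CSP plus any duplicated header. The response text is constructed for illustration and the checklist of required headers is an assumption of this example.

```python
"""Audit raw HTTP response headers for missing HSTS/CSP and duplicated headers.

Added example (not the researcher's or the site's code). The sample
responses below are constructed, not captured from any real server.
"""
from collections import defaultdict

# Headers an HTTPS site should set; this checklist is an assumption of the example.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS: tells browsers to reach the site over HTTPS only",
    "content-security-policy": "CSP: limits where scripts and other resources may load from",
}

# Constructed response resembling the misconfiguration described: no HSTS, no CSP,
# one header repeated with conflicting values and one repeated with identical values.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
"""

# Constructed response with the basics in place, for comparison.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' https://static.example
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""


def parse_headers(raw):
    """Parse 'Name: value' lines into {lowercase name: [value, ...]}.

    Storing a list per name instead of overwriting is what makes duplicated
    headers visible; most HTTP client libraries collapse them silently.
    """
    headers = defaultdict(list)
    for line in raw.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip the status line and blank lines
        name, value = line.split(":", 1)  # split once; CSP values contain colons
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def audit_headers(headers):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name} ({why})")
    for name, values in headers.items():
        if len(values) > 1:
            if len(set(values)) > 1:
                findings.append(f"duplicated {name} with conflicting values: {values}")
            else:
                findings.append(f"duplicated {name} (identical values)")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_headers(parse_headers(raw)) or ["no findings"]:
            print(" -", finding)
```

A conflicting duplicate is worth reporting separately from an identical one: which value a browser honours when two differ is up to the browser, so the site cannot rely on either policy actually being applied.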
Criminals gained access to names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of millions of Americans, as well as the credit card numbers of 209,000 US consumers. The whole sorry mess raises a number of important questions. Three top Equifax executives, including its chief financial officer, sold a combined $1.8m worth of stock in the consumer credit reporting agency after the breach was detected but before it was made public.
Equifax said that the executives had had no knowledge that an intrusion had occurred at the time they sold their shares. US data privacy watchdogs at the Federal Trade Commission have taken the unusual step of confirming they had launched an investigation into the Equifax breach. Equifax chief exec Richard Smith has been called to testify before congressional lawmakers at the beginning of October.
Smith is due to appear before the House Energy and Commerce Committee on October 3.
Another security researcher reported that he'd begun receiving spam emails at a single-use email address he'd used uniquely to register with Equifax years earlier, but we've not seen widespread evidence that data has escaped into the wild yet.
A sex offender headbutted the dock, branded a sheriff a specky **** then brawled with court security officers when he was told he was going to prison. Kyle Leonard, 20, had been handed a community-based sentence at Dundee Sheriff Court after he admitted having sex with three underage girls but was arrested and hauled back to court last November facing further charges. Those charges ended up being dropped but he was locked up for breaching his earlier orders.
When Sheriff George Way then told him he was being remanded in custody to await further proceedings, Leonard flipped. Leonard appeared back in the same dock where he had lashed out at the lawman, facing a threatening and abusive behaviour charge, the second time he has been convicted of abusing a sheriff in identical circumstances. Fiscal depute Joanne Smith told the court: "Sheriff Way decided to remand him in custody and the accused was clearly unhappy and began to shout and swear.
"He shouted at the sheriff: 'Are you ******* joking, you specky ****? This is a ******* joke. I'm going to lose everything.'
"He was handcuffed to a G4S officer and was making his way to the stairs shouting: 'I don't ******* believe this.'
Without warning he punched and headbutted the glass surrounding the dock.
"Another G4S officer attended to assist and he was put to the ground to try to subdue him. Eventually he was restrained and taken to the cells.
"Witnesses including the sheriff were shocked and alarmed at his actions." Leonard, a prisoner at Polmont, pleaded guilty on summary complaint to a charge of behaving in a threatening or abusive manner at Dundee Sheriff Court on November 23 last year.
Defence solicitor Douglas McConnell said Leonard is due to be released from jail on his earlier sentence later this month. He said: "He has a tendency to lash out and he's been working on that whilst in custody." Sheriff Derek Reekie deferred sentence for three months for Leonard to be of good behaviour on his release from custody.
Leonard was last year convicted of hurling abuse at Sheriff Elizabeth Munro during a court appearance.
A security firm worker was called out to help protect a home... but his van ended up rolling down a neighbour's drive and crashing into a garage and gas pipes. The man, from ADT Fire and Security, had been sent to Layton Close, Offerton, at around 9pm on Monday when it's believed a burglar alarm went off. But his van rolled down the slope and knocked down the front of a garage, also damaging gas pipes.
Joe Graham, who the garage belonged to, was left shocked when his quiet night in front of the TV was interrupted by a loud explosion.
Joe Graham was sitting watching TV when he heard someone smash into his garage
The 34-year-old, whose birthday it was the following day, said: "I heard an explosion and thought the boiler had blown up.
"I came outside and saw an ADT van and a man saying, 'I have crashed into your garage, do you want to have a look?'
"It was hard to process, but if it had ripped the gas pipes rather than bent them it could have been a lot worse. I've not been able to go to work today." Gas workers were called and, with assistance from crews from Offerton Fire Station, isolated the supply to Joe's house. Joe, who works for pensions firm Royal London and lives with his girlfriend, was not injured in the incident.
Luckily nobody was hurt, despite the van damaging gas pipes outside the house
Firefighters were at the scene for just over an hour after being called by the gas company. Steve Johnstone, watch manager at Offerton station, said: "We have had a couple of incidents like this; you would be surprised how many people crash into buildings.
"The main thing was that no one was hurt and there was no gas explosion. They were a bit shaken and shocked but philosophical about it."
In a statement, ADT Fire and Security, based in Manchester, said: "We are aware of this incident. Our engineer followed our health and safety reporting procedure and notified us, and the police, at the time.
"We take the health, safety and welfare of our employees and the public very seriously and also work hard to ensure that any works are carried out with no damage to property.
"We are grateful that there were no serious injuries as a result of this incident and we are investigating fully the circumstances surrounding it. We apologise for any inconvenience and damage caused."