4.
 
Re: Saturday Safety Dance
Sep 16, 2017, 14:53
Dev
Cutter wrote on Sep 16, 2017, 13:37:
Bumpy wrote on Sep 16, 2017, 12:45:
Arts and music major with no IT or tech schooling, eh?

If true, that's a bit of a red flag I'd think. I see a bit more than wrist slapping about to go down.

I don't think that means anything. Loads of people come out with degrees they never use and go into other fields. I studied history and ended up working as a tech monkey and sales engineer in IT for over a decade. The rest of it's been hospitality. My education would have applied to neither. With the exception of something really educationally specific like medicine or engineering, anyone can learn anything on their own and go on to do that.


It MAY not mean anything. It depends on training, certs, experience, jobs worked since graduation. But it's a red flag unless all the rest is satisfactory.

Two other red flags.

She "retired" after the breach.

She (and perhaps Equifax) are trying to scrub her history and music major items from the intarwebs.

But the biggest issue? Everything we are learning about this points to incompetence in Equifax's security.
1) The admin/admin creds and plain-text storage of Argentina's stuff, including creds and their equivalent of SSNs.
2) The fact that this current leak wasn't encrypted properly and access wasn't restricted to least permissions, else the hackers wouldn't have gotten away with anything but an encrypted DB, which wouldn't have been a problem.
3) They waited two months to patch the Apache Struts issue (and they publicly announced what vulnerability got them hacked, which is rather stupid of them; that two-month issue will likely nail them in the class actions).
4) They were using the current time/date as the unfreeze PINs until someone pointed it out.
5) They incorrectly configured the security certificate on the Equifax breach site, which popped up warnings.
6) They didn't host the Equifax breach site as a subdomain, which, given the previous item, may lead some to doubt the security and authenticity of the site.
7) The breach site gives inconsistent results as to whether your data was stolen, depending on whether you access it through web, mobile, etc. Does it even look up anything at all? And it still hasn't emailed me back after signing up, and it's been days.
8) They've had MULTIPLE previous breaches... only they bragged it didn't touch their core. Now it has.
9) WTF were they storing credit card numbers unencrypted for 6+ months for, where they were able to be stolen by hackers? The 200k of them that got stolen.
10) They got hit with a zero day... that was tried after two months of not bothering to patch. No custom phishing or custom malware, a bog-standard vulnerability.


Their entire business is personal info, these guys should have some of the highest security spending and focus in the industry. They don't.

This comment was edited on Sep 16, 2017, 15:04.
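Item 4 in the post above (PINs derived from the current date and time) is worth seeing in numbers. The following is an added example written for this page; it is not code from the forum post, from Equifax, or from any real freeze system. It assumes a ten-digit PIN formatted MMDDYYhhmm (that format is an illustration, not something the post states) and shows that an attacker who knows roughly when a freeze was placed can enumerate the PIN in a few dozen tries, versus the full ten-digit space for a PIN drawn from a CSPRNG.

```python
"""
Added example: a PIN that is just the freeze timestamp is enumerable.

Assumption (not from the post): the weak PIN is the freeze time formatted
MMDDYYhhmm, ten digits. The sample freeze time below is constructed.
"""
from datetime import datetime, timedelta
import secrets

PIN_FORMAT = "%m%d%y%H%M"  # assumed timestamp-to-PIN format


def timestamp_pin(when: datetime) -> str:
    """The flawed scheme: derive the PIN directly from the freeze time."""
    return when.strftime(PIN_FORMAT)


def guess_timestamp_pin(target_pin: str, approx_time: datetime, window_minutes: int):
    """Enumerate every minute within +/- window_minutes of approx_time.

    Returns (pin, attempts) on success or (None, attempts) on failure.
    The attacker only needs a rough idea of when the freeze was placed
    (a confirmation e-mail date, or the day the breach was announced).
    """
    attempts = 0
    base = approx_time.replace(second=0, microsecond=0)
    for offset in range(-window_minutes, window_minutes + 1):
        attempts += 1
        candidate = timestamp_pin(base + timedelta(minutes=offset))
        if candidate == target_pin:
            return candidate, attempts
    return None, attempts


def random_pin(digits: int = 10) -> str:
    """The corrected scheme: every ten-digit value is equally likely."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def keyspace_ratio(digits: int, window_minutes: int) -> float:
    """How many times larger the random keyspace is than the timestamp window."""
    return (10 ** digits) / (2 * window_minutes + 1)


if __name__ == "__main__":
    freeze = datetime(2017, 9, 16, 14, 53)  # constructed sample freeze time
    weak = timestamp_pin(freeze)
    # Attacker guesses the freeze happened around 15:00 and tries +/- 30 minutes.
    found, tries = guess_timestamp_pin(weak, freeze + timedelta(minutes=7), 30)
    print("weak PIN", weak, "recovered", found, "in", tries, "attempts")
    print("random PIN", random_pin(), "keyspace ratio", keyspace_ratio(10, 30))
```

The window search succeeds in at most 2 * window + 1 attempts, which is why the scheme fails regardless of PIN length: the entropy is in the timestamp, not the digits. A CSPRNG PIN of the same length has no such shortcut, and the remaining defence is rate limiting on the unfreeze endpoint.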