Resources Blog Struts One-Two Punch Knocks Out India

Struts One-Two Punch Knocks Out India

The social security system of India, AADHAAR, was just breached due to a Struts related vulnerability exploited on their website.   If you are not familiar with AADHAAR, it offers a 12-digit personal identification number to every citizen of India.  That's 1.3 billion numbers.

I first read of the story this evening here in the Huffington Post, but I remembered that it was not the first Struts related breach that I had heard of coming out of India.  In March 2018, a report of the India Post begin hacked due to a vulnerable Struts component had made headline news.

To be honest, the news of such sensitive information being stolen is sad.  It is sad for the people of India.  It is also sad that the people responsible for these systems did not take proper care to update their web applications to new, safer versions of Struts made available from the Apache project.

While it was a U.S. centric breach, I can't imagine that news of the breach at Equifax did not reach India -- especially with such a connected, tech-savvy population.  Did no one hear the calls?  If you missed Equifax in September 2017, did you also miss the breach of the India Post in March 2018?  It's hard to imagine that an organization who relies on Struts did not hear about these breaches and take action to investigate the security of their own systems.  

The President of Harvard once said, "If you think education is expensive, try ignorance."  

At this point in time, ignorance seems to be winning.  Citizens are losing.  And our adversaries are growing richer every day.

Even more alarming is the number of organizations still downloading and using vulnerable components on a daily basis.  There are thousands of them.  Thousands.

While I have detailed this behavior in previous blog posts, I also shared more information in my presentation, We Are All Equifax, at the RSA Conference in San Francisco two weeks ago.  You can watch that 30 minute presentation here.

Screen Shot 2018-05-02 at 8.00.49 PM

Are you using vulnerable versions of Struts?  Have you checked lately?  Let me help by offering you a free service that checks for any such vulnerabilities -- it works for Struts and millions of other open source components you might use.
Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.