Post #343,746
6/15/11 9:43:10 AM
|
Citigroup hackers used trivial technique
http://www.dailymail...anks-website.html
Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers.
Really, that is all it took? I've known a lot of high school students who could break that security. That is the sort of security that holds up only because the average criminal trying to break into a high security zone isn't going to bother trying the front door first in the off chance they left it unlocked.
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: 'It would have been hard to prepare for this type of vulnerability.'
Expert in PR not computer security.
Jay
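The flaw the article describes, a URL that carries the account number and a server that trusts it, is what OWASP calls an insecure direct object reference. The example below is added here to illustrate it and is not code from the thread, the article, or Citigroup: it builds a constructed in-memory account table, shows a lookup that trusts the URL parameter next to one that binds the lookup to the authenticated session, and keeps an internal audit record that separates "denied" from "missing" so an operator can spot someone walking through account numbers. Table layout, account numbers, and the audit format are all assumptions for the demonstration.

```python
import sqlite3


class NotFound(Exception):
    """Raised for any account the caller is not allowed to see or that does not exist."""


def build_db():
    # Constructed sample data (hypothetical accounts and owners, not real records).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_no TEXT PRIMARY KEY, owner_id INTEGER, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("4000-0001", 1, 120.50), ("4000-0002", 2, 980.00), ("4000-0003", 2, 15.00)],
    )
    return conn


def get_account_vulnerable(conn, url_account_no):
    # The account number comes straight from the address bar and is the only
    # thing that selects the row: editing the URL reads someone else's account.
    # (The query is parameterized, so this is an authorization bug, not SQL injection.)
    row = conn.execute(
        "SELECT account_no, owner_id, balance FROM accounts WHERE account_no = ?",
        (url_account_no,),
    ).fetchone()
    if row is None:
        raise NotFound(url_account_no)
    return row


def get_account_hardened(conn, session_user_id, url_account_no, audit_log):
    # Authorization is derived from the authenticated session, never from the URL.
    # A foreign account and a non-existent account produce the same client-facing
    # error, so the response does not confirm which numbers exist; the distinction
    # is kept only in the server-side audit log for detection.
    row = conn.execute(
        "SELECT account_no, owner_id, balance FROM accounts WHERE account_no = ?",
        (url_account_no,),
    ).fetchone()
    if row is None or row[1] != session_user_id:
        audit_log.append(
            {
                "user": session_user_id,
                "requested": url_account_no,
                "outcome": "denied" if row is not None else "missing",
            }
        )
        raise NotFound(url_account_no)
    return row


def denied_count(audit_log, session_user_id):
    # Detection helper: how many times this session asked for an account owned by
    # someone else. A handful in a short window is the enumeration pattern the
    # article describes; an alert threshold is a deployment choice.
    return sum(
        1 for e in audit_log if e["user"] == session_user_id and e["outcome"] == "denied"
    )


if __name__ == "__main__":
    conn = build_db()
    log = []
    print("vulnerable lookup by user 1 of account 4000-0002:", get_account_vulnerable(conn, "4000-0002"))
    try:
        get_account_hardened(conn, 1, "4000-0002", log)
    except NotFound:
        print("hardened lookup refused; audit log:", log)
```

The point of keeping the query parameterized in both versions is that the Citigroup flaw as reported was not an injection at all; the server simply never asked whether the logged-in customer owned the account number in the URL. The ownership check has to be applied on every object-bearing request, not just on the login page.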
|
Post #343,748
6/15/11 10:34:00 AM
|
Are you kidding me?
Substituting things like account details is one of the first things they try in an ethical hack test.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #343,749
6/15/11 10:41:58 AM
|
Nobody could have predicted an SQL Injection attack.
|
Post #343,751
6/15/11 11:29:24 AM
|
Re: Nobody could have predicted an SQL Injection attack.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #343,752
6/15/11 11:39:42 AM
6/15/11 11:44:16 AM
|
Hmmm....
Thanks for the link. I hope it gets more visibility.
I chuckled, though, when I saw this:
Users and Adopters
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process (DIACAP).
In the commercial market, the Payment Card Industry (PCI) standard has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including:
A.G. Edwards
Bank of Newport
Best Software
British Telecom
Bureau of Alcohol, Tobacco, and Firearms (ATF)
Citibank
[...]
Hmmm.
[edit:] TheReg has more - http://www.theregist...site_hack_simple/ (via the OWASP News page)
Cheers,
Scott.
|
Post #343,753
6/15/11 11:41:30 AM
|
There is a difference...
... between management thinking they are using it, and the developers actually living it.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #343,754
6/15/11 11:47:08 AM
|
Could be they only used it in some places.
E.g. they might use it for CC transactions but not on the web interface for personal retail banking. As others have commented, they're no doubt much more careful in their CEO's personnel records and the CDS business security than they apparently are in dealing with their lowly customers' info... :-/
Cheers,
Scott.
|
Post #343,755
6/15/11 1:12:44 PM
|
Calling this SQL injection implies too much skill
SQL injection might be somewhat of an equivalent, but it isn't really the same thing. SQL injection is a much more sophisticated attack that requires a fair amount of computer knowledge, something only an actual programmer could create. This URL hack is something any reasonably bright person might come up with.
Jay
|
Post #343,767
6/15/11 3:35:44 PM
|
No, they did that too.
There was a SQL injection attack as well as the URL substitution one.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #343,794
6/16/11 2:09:17 AM
|
Hogwash (responding to the subject line.)
Anyone running a webapp that has any sort of credit card data with any sort of SQL backend MUST be actively checking for SQL injection opportunities (among many other things). Like Greg said, some PCI auditor's ass is on the line for this (among others, certainly.). And, the rest of us who are doing it right will pay for this in increased scrutiny by those who rarely understand the technologies they're auditing and new rules in scanning databases, and new PCI requirements. IOW, cost of compliance in the credit card arena just went up a few ticks.
|
Post #343,813
6/16/11 10:15:02 AM
|
Understood.
The Subject was a bit of snark on my part, a takeoff on Condi's famous line - http://www.salon.com...2005/09/14/planes
Cheers,
Scott.
|
Post #343,838
6/16/11 8:34:22 PM
|
:)
|
Post #343,778
6/15/11 8:11:42 PM
|
I'd hate to be the PCI Auditors
That "tested" that web application.
|
Post #343,798
6/16/11 5:12:48 AM
|
Oooh... good point.
|
Post #343,865
6/17/11 4:53:23 AM
|
Interesting comment to the legal folk
(along with several snide quips upon the general ignorance/ineptness of CIEIOs and their relationship to IT -- as pretty much echoes many comments read here, across the eons)
http://www.balloon-j.../#comment-2630332
Whiskey Screams from a Guy With No Short-Term Memory - June 14, 2011 | 11:57 am · Link
@burnspbesq: You are welcome. I did not intend for one of my main missions in life to be the education of the legal profession about IT issues, but that is what I find myself doing these days. You folks didn't go into law because you were interested in computers, but they have been thrust upon you and sooner or later you will have to learn a great number of things about how they work, as they are already the instrument via which most criminal and civil evidence will be gleaned, and will only become more important in the future.
I hope that you find the information useful and if you have further questions, you can hit me up on any thread here. I post here frequently, as you well know.
Amongst other commenters, it does seem that the more knowledgeable the poster [content of their post], the more [-] they are, about their (own) company-experience.
One wonders.. is there *any area* left, wherein Murican bizness competence (at top echelons) could be rated Excellent (or even, 'very good') ?
For all the Reactionary folks' deification of their 'free enterprise' fantasy model -VS- Anything-govt:
I know of, at least several government workers who have done Excellent jobs, as in: [cliche alert] 'innovative' solutions to complex problems. Excellent means: 'beyond normal expectations for the position'.
So then, are there any actually-ept CIEIOS who come to mind?
In context ==> 'not completely IT-illiterate', either.
|