Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator. The New York Times reported that the technique allowed the hackers to …
Taking candy from a baby
Maybe they wouldn't have had such a glaring vulnerability if they submitted themselves to the same PCI compliance extortion they inflict on my small vendor clients
@pj3090 you seem confused.
PCI compliance is really watered down of what should be in place.
You can still be PCI compliant and still leak like a sieve.
Not that I disagree with your sentiment.
Reply to post: @pj3090 you seem confused.
Yes, and conversely you can have a secure setup that doesn't meet PCI complicance rules, which I think is what pj3090 was getting at.
There are a number of things that are taken as gospel requirements by PCI vetting people with no real knowledge of why or if they are in fact such a good idea. Such gems as blocking all ICMP packets (every wonder why PMTUD doesn't work?), NAT=secure (no it doesn't) - the list is endless.
Seriously. One Qualys scan would've detected this...
Seriously. One Qualys scan would've detected this...
When a pointy haired management type decides to go for the lowest cost consultant or the off shore resource (uhm they call it global sourcing these days...) One has to wonder if they calculated the costs and loss of good will when someone doesn't do their jobs and secure the site?
Just a curious question about expectations of top notch software from sub par developers. Doesn't that mean that the management chain is also sub par?
Not sure about the analogy...
“Think of it as a mansion with a high-tech security system – that the front door wasn't locked tight,”
Given that a valid login session was required, I think it might be better described as given a new resident the keys to their house, which happens to fit every other lock in the city if they care to go and try!
However you describe it, it's a pitifully bad way of securing any website, let alone a financial one!
re: Not sure about the analogy
Dear anonymous mod troll, what was wrong with the above comment?
Re: re: Not sure about the analogy
I have no idea, I notice even the most innocent comment can attracts down votes on here.
I probably upset someone on here and they now have some kind of petty down voting vengeance going on! Oh well, if it keeps them off the streets. :-)
Thanks for coming to my defence though :-)
Welcome to the club.
Testing is not part of the...
developers contract, obviously - along with competence and project management.
What you get when you buy the cheapest-written-in-elbonia software.
The cheapest point to fix vulnerabilities
is in dev, before go-live. A few quid on pen testing now saves a million in fines later. Why is it so difficult to convince people of this simple risk mitigation? I have to say a big thanks to Citi as, thanks to this glaring example, it will now be much easier to make the case for testing.
The article is wrong too
The problem here is not that the account numbers were unencrypted - after all, account numbers are public knowledge once you write a cheque or do a bank transfer. The problem is that the account details could be requested by an unauthenticated person. This is gobsmackingly, unbelievably stupid.
@Naich.. Public Knowledge?
I don't think you quite understand what is meant by public knowledge.
Public knowledge refers to something that is available to all of the public or easily obtained information that one could obtain publicly.
When you do a transfer or transaction only the parties involved in the transaction know your account numbers. Unencrypted account numbers *is* a problem.
You are correct that the ability of anyone to be able to query the back end database about any other information also a major problem.
Either problem is a critical flaw, and neither would be a violation of the PCI spec.
FT changed their article
The Financial Times article referenced here has been changed to remove any reference to Java or Oracle. Wonder if they were asked to remove it or it was inaccurate. Certainly would help explain how full account numbers were captured if it is true.
Things just don't change
I remember the same basic mistakes being made repeatedly in UART (and their discrete predecessors) drivers, especially in the handling of multiple interrupts on noisy RS232 lines and XON/XOFF handling.
DecSystem10, RSX-11M, Olivetti's S6000 mini, Unix Sys V.....
It was clear that knowledge about this was kicking around, but the people who wrote the next OS were a set of new college grads without this previous experience.
Seems we have the same lack of knowledge transfer to the people who Really Count today. Quelle surprise.
Citibank is listed on OWASP's list of big name adopters.
flaw in the Java framework?
> the Citi hackers also took advantage of a flaw in the Java programming framework to access information stored in an Oracle database maintained by the bank ..
What flaw? (I preemptively mod me down first)
- IT bloke publishes comprehensive maps of CALL CENTRE menu HELL
- Analysis Who is the mystery sixth member of LulzSec?
- Nine-year-old Opportunity Mars rover sets NASA distance record
- Prankster 'Superhero' takes on robot traffic warden AND WINS
- Comment Congress: It's not the Glass that's scary - It's the GOOGLE