Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
I don’t know who these “security experts” are, but judging from the Times’ description of the attack, this non-security expert who’s actually written more than a few web applications calls this a heaping helping of bullshit. The Citi attack looks like a variant on the SQL injection attack, which is a well-known class of vulnerability (here’s a list of commonly-used attacks).
Citibank is just the latest in a series of web sites where budget cutting or general incompetence has led to massive breaches. Another good, recent example is the wholesale pwnage of various Sony units, some of it due to Sony’s gross negligence in failing to install updated versions of web server software.
The group that was responsible for one of the Sony hacks, Lulz, has been merrily posting torrents of data they’ve taken from various sites. Their most recent victim is the US Senate. With all due respect to the skills of the Lulz boat (warning: music), their work is made much easier by the general lack of attention to security by the organizations they’re targeting.
Rommie
Seriously, some “security expert” trotted out Hoocoodanode? as an answer? My professor would’ve pimp-slapped me thru the Internet tubes if I had trotted out that answer in my Risk Management class.
So many companies will frog-march ex-employees out the door the nanosecond they are ex-employees, and yet think the Jedi Mind Trick is all the security they need on their networks. And are shocked, shocked when the big guy in the black armor is in their base, stealing their dudes and information.
It’s not quite that bad at most places, of course, but it only takes one slip-up to get looted. It’s like umpiring, people only notice the network security guys for the bad stuff.
alwhite
I work in IT security & one of the hardest jobs I have is convincing clients that most attacks happen using well-known exploits. It is rare to find intrusions that took esoteric knowledge or great skill to reproduce. Many times the people who originally found the exploit really were very smart & clever. The people who follow along using those tricks can be easily stopped just as soon as companies understand 2 things:
There is no “box” they can buy that will secure them, it’s a process and hard work.
Security has to be integrated into every aspect, particularly the applications, from the beginning.
Lysana
I used to test e-commerce websites. Hacking the URL to try to get to back-end material was normal security precaution-level work, and we didn’t even store people’s credit card info. WTF, Citi?
kdaug
Srsly. Hey Citibank, what’s the I in FIRE stand for?
Dumbasses.
MikeJ
While I appreciate the attention lulzsec has drawn to shitty web security, putting up torrents of account info is pretty uncool.
WereBear
@alwhite: Yes, but that costs money.
Companies these days flatter themselves they are “in business” when they are simply con artists, cloaked. Taking care of employees OR customers just gets in the way.
Lee
Just wanted to chime, as others have, that unless the budget cutting reduced the security team to zero it is general incompetence.
Where is our free market security now?
The Raven
LulzSec Love, article. Cringely article.
Croak!
Gin & Tonic
“Especially ingenious”?? Mistermix is completely correct, this is lame-ass script-kiddie stuff. I sure hope somebody has been fired at Citi, and I mean some C-level dude. In 2011 there is no excuse for allowing this.
Yevgraf (fka Michael)
I wonder if the answer to this is moar better payment of IT employees, pleasant working environments and job security guarantees that will prevent white hats from donning black hats?
Tuttle
There’s a perfectly good excuse for allowing this, especially in 2011. It’s cheaper to be hacked than it is to pay your IT staff decent money.
jrg
Checking input parameters to server-side code isn’t even security 101… You’d be hard pressed to find an introductory web programming book where this is not mentioned in the first few pages.
That’s fucking pathetic. Maybe if they did not pay their CEO a $23.2m retention award this year, they could afford a 13-year-old script kiddie to run their security team.
Rick Taylor
Not that Sony doesn’t deserve some blame, but the story that their web server software was out of date was BS.
Whiskey Screams from a Guy With No Short-Term Memory
Fucking point me to one security expert who said that this was “ingenious”. I’ll have him stripped of every credential he has. That’s not ingenious. A five-year old child could have done it.
Mother-of-God, they were running financial data on a system with that kind of vulnerability.
lee
@Rick Taylor:
Read the comments, the story might not be totally BS. It looks like some of the servers were up to date, but not all of them.
someguy
@Lee:
So you want the government to step up and run this? Really?
Whiskey Screams from a Guy With No Short-Term Memory
@someguy: Not how I read it. The problem here is that we have “free market security”. The issue that most of us are peeved about is that the companies getting what they so richly deserve haven’t been, and will continue not to, pay the price for their lack of interest in keeping their data secure.
Instead, the cost of that insecurity gets dumped on their customers and they walk away with all the money.
“Free market security” is working out great for everyone save the customers, who have nowhere to turn and whose only alternative is to cancel all their credit and debit cards, turn off their computers forever, and start paying their bills in cash again.
jrg
@Whiskey Screams from a Guy With No Short-Term Memory:
Not if you want any kind of credit score.
I got dinged last year on my credit because I did not have a credit card… Which to me sounds a lot like not selling someone liquor because they don’t smell like they’ve been drinking.
It’s a huge scam. They rig the system to where you need to borrow money if you ever want to get a mortgage, then they fail to take even the most basic measures to secure your information and your identity.
Villago Delenda Est
@Gin & Tonic:
I believe we have established earlier that “C-level dudes” are NEVER thrown out of the club, no matter how utterly incompetent or negligent they prove to be. Once you’re in, you’re golden. There are always lower level minions who can be ritually sacrificed.
Even if the “C-level dude” is forced to leave that particular gig, there’s another outfit more than willing to hire this “experienced individual” to be their new C-whatsit. Or, they’ll run for public office (see Meg Whitman).
Yevgraf (fka Michael)
@Whiskey Screams from a Guy With No Short-Term Memory:
They did pay their staff lawyers a middling sort of salary to write provisions that I’m certain absolve them from liability for security breaches in their cardmember agreements.
At what point do Our Conservative Jurists recognize that there may be some moral hazards associated with all this liability chucking?
burnspbesq
I continue to not understand the mindset of the people who pull this shit. Do they think they are above the law? Do they think they won’t ever get caught? Is this a perverse way of applying for a job as a security consultant?
Villago Delenda Est
@burnspbesq:
Enron. Goldman Sachs. George W. Bush.
I believe your question has been answered.
The Ferengi are very obviously above the law. That’s why these hits just keep on coming.
pseudonymous in nc
And that teenage wannabe haxx0rs can download Windows apps these days that run, at the push of a button, every known SQL injection exploit against a site in five minutes flat. Sanitize your fucking inputs, people.
(This presumably means that the credit and identity theft monitors get another windfall as Citi will need to give every account holder a free sub.)
The problem here is that data protection regime in the US is a fucking joke.
Corner Stone
@Villago Delenda Est:
As usual, burnsy was more concerned about the people attacking Citi and how awful they are. He wasn’t asking why shouldn’t Citi be held accountable for their egregious security lapse. He was asking about the audacious temerity of anyone even contemplating hurting poor Citi’s feelings.
Monkey Business
Information Security departments are notoriously understaffed, underpaid, underrespected, and underfunded. The guys I work with are smart as hell, and can solve pretty much any problem, but there’s so few of us that we just physically can’t solve everything right now.
Give me another ten analysts and I’d make this place a fortress.
Corner Stone
C’mon everyone, we all know why this attack is being fluffed as a special one. Because 99.9% of the people who read the article do not know any better to judge the level of risk involved.
And if Citi were attacked by an “especially routine child level script attack”, that would make them sound like the clowns they actually are.
So writing it up as the most evilly ingenious and diabolical attack gives Citi a layer of CYA with the public at large.
Whiskey Screams from a Guy With No Short-Term Memory
@jrg: Any gambler who you catch in a moment of honesty will tell you that the only way to win is not to play.
jrg
@burnspbesq:
That’s kind of the point. No, many hackers won’t get caught, unless proper security procedures are followed.
This situation is analogous to a housekeeper that does not lock your door when you’re out of town. Criminals do what criminals do. It’s always been that way… But if you’re paying a housekeeper (or a credit card company), you expect them not to be completely incompetent.
Whiskey Screams from a Guy With No Short-Term Memory
@burnspbesq: It’s how you prove that you’re smarter than everyone else in the room. You, as a lawyer, should understand that.
They think the law is irrelevant. I have been dealing with legal issues as an IT/forensics consultant. They are correct.
No. They know they will never get caught. They are also correct about this.
I would hire one in a second. Does that answer your question?
polyorchnid octopunch
@Corner Stone: ding ding ding. That is all.
Villago Delenda Est
I recall hearing a story about a computer guy, back in the times of stone knives and bear skins, who created, à la Office Space, a few lines of code to take a few cents off of every transaction and put it in a special account.
He got caught.
But the bank didn’t prosecute. They took him off the job, forced the repayment of the “penny account”, but did not prosecute, because that would undermine their reputation with the public…the last thing they needed undermining their rep for being a rock-solid place to store your money.
burnspbesq
@Whiskey Screams from a Guy With No Short-Term Memory:
Thank you. I appreciate that you answered the questions I asked, unlike some people who used my questions as a pretext for predictably childish behavior.
greylocks
I don’t know about Citibank specifically, but from my long experience in software development, I will say that most big companies don’t know how to manage their IT departments. The problem starts at the top, with executives who are both ignorant of the technology and hostile towards and suspicious of the IT culture.
I wish I had a dollar for every time some management type, when I was explaining a proposal, would say, “How hard can it be to…?” or “I don’t see why this should take so long,” or “We need this up and running by ____ [even though this date was pulled from our collective asses and means nothing]”. I also wish I had a dollar for every time one of these clowns would promise customers or other departments a new software product or feature without even asking someone in IT if it was feasible, let alone how long it would take or how much it would cost.
Like I said, I don’t know about Citi specifically, but IME this ignorance and suspicion is pervasive in corporate suites. It leads directly or indirectly to all the other problems that their IT departments have.
Whiskey Screams from a Guy With No Short-Term Memory
@burnspbesq: You are welcome. I did not intend for one of my main missions in life to be the education of the legal profession about IT issues, but that is what I find myself doing these days. You folks didn’t go into law because you were interested in computers, but they have been thrust upon you and sooner or later you will have to learn a great number of things about how they work, as they are already the instrument via which most criminal and civil evidence will be gleaned, and will only become more important in the future.
I hope that you find the information useful and if you have further questions, you can hit me up on any thread here. I post here frequently, as you well know.
LurkerAbove
A-fracking-men. I guess I fall under the category of security expert, as its my bread and butter and I have a certification or two.
I am sick to death of continually having the fight where, when a vulnerability is found, the first response is “nuh-uh! show me the exploit.” Some are easy to show, while others require precious time that you don’t have when working a multitude of projects. Of course, the hackers have plenty of time to work the vulnerability into an exploit. More likely, the vulnerability eventually turns into an exploit as more functionality is added to the solution.
Which just goes to show that these twits don’t know the difference between vulnerability and exploit. So then, when you show them the exploit they’re like “no one would want to do that.”
I personally feel that sycophantic corporate culture is more responsible for security exploits than almost any technology.
So while I’m on a rant, I’ll also bitch about security “experts” that don’t know dick about code. Fuck them with a rake.
mantis
With all due respect to the skills of the Lulz boat (warning: music), their work is made much easier by the general lack of attention to security by the organizations they’re targeting.
Sure, but the real point is they target those sites precisely because they are vulnerable. They don’t choose a target and do whatever it takes to hack it. That would take more motivation and purpose than they are willing to put forth. They find vulnerable sites and decide those should be targets.
Skimp on your IT, and the assholes will take advantage. It’s kind of like leaving your car window open in your driveway overnight and then being surprised when whatever was inside is gone in the morning. It’s a crime of opportunity. To quote Gunnery Sergeant Hartman, “If it wasn’t for dickheads like you, there wouldn’t be any thievery in this world, would there?”
bjacques
I think a massive point is being missed here and in the news in general.
I read elsewhere the real crown jewels–company secrets, HR data, etc.–are secured more tightly. In most companies the real goodies will be on different servers from those holding customer data, if not at a different datacenter entirely.
Sony, Citibank and others don’t really give a shit about securing their customers’ data because, as someone mentioned upthread, they’re pretty much absolved of any real blame. They fire anyone who can spell “IT” and, if customer details get thrown out on the street from time to time, it’s already figured into the business plan.
They’ll only take notice when the real goods get sprayed all over the intertubes, but that’s usually by inside actors, such as whistleblowers, for the reason given above.
Wieldling
At least we now have this: http://www.youtube.com/watch?v=qPoIXwVVp6Q
^music w/ some 4 letter words
Mike G
I’ll bet dollars to donuts there was someone in the IT department who knew the problem long ago, and was either told to STFU when they brought it up, or understood enough about which way the wind blows to keep their mouth shut to avoid retaliation.
Corporate America has made the choice to outsource IT to India, to by-the-numbers contractors who will do exactly what they are contracted to do and nothing more, who do cheap, mediocre work. Which is fine if you treat IT as a commodity like electricity, and the executives who design the contracts are omnipotent.
That is not the way to maintain and secure a network.
You need people in-house with the motivation and environment to be proactively looking out for problems and threats. But that would require executives treating underlings like human beings instead of interchangeable chess pieces, and actually listening to IT staff based on their knowledge rather than their hierarchical position.
A know-nothing executive would rather cut his arm off than admit that an underling knows more about a subject than they do, because that raises the question of why they are paid so much more. IT is a field where you can’t bullshit your way through with handshakes and smiles, you have to really know your stuff.
If your organization is stacked with careerist, arrogant political-games-player executives obsessed with cost-cutting, then you get Bush Administration-style royal screwups like this followed by hoocoodanode ass-covering.
Nutella
And I’ll bet serious money that that ‘someone’ who tried to blow the whistle will be the only one fired for this screwup. The managers who mismanaged IT will be protected and promoted.
Xof
I’m sorry, but did I actually read that they were able to just replace the account number on a successful login URL with a different account number, and thus gain access to that account with *no other authentication required*?
That’s what one of the largest banks in the world thinks of as web security?
I’m sorry to come to this late, but I’m a bit slack-jawed in amazement.
Douglas
@Xof:
Yes, and if that’s really how it went down, that’s even worse than an SQL injection.
SQL Injections are an extremely well-known vulnerability, and should be guarded against – it’s kinda like using a lock well known for being pickable by anyone – and I mean anyone – that wants to, they just have to make a quick trip to the public library and look it up, and which also has a reputation of being picked by the thousands each day.
This, OTOH, is more like owning a giant apartment house with more than 200,000 apartments in it and having a lock for the front door (and keys for all inhabitants), but then trusting that no one ever thought of just wandering into someone else’s apartment.
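The flaw the post’s excerpt and the Xof/Douglas exchange describe, a handler that trusts the account number taken from the URL without checking who is logged in, as an added example (not code from the post, from Citi, or from any commenter): the vulnerable lookup beside a hardened one that ties the record to the authenticated session, plus a log check for the “tens of thousands of requests” enumeration pattern. The account table, session class and access log are constructed for illustration.

```python
"""Insecure direct object reference (IDOR) on an account-number parameter,
its fix, and a detector for account enumeration in access logs."""
from collections import defaultdict

# Constructed sample data: account number -> (owner user id, balance).
ACCOUNTS = {
    "1001": ("alice", 250.00),
    "1002": ("bob", 980.50),
    "1003": ("carol", 12.75),
}


class Session:
    """A logged-in session. Only the authenticated user id is trusted;
    everything in the URL is attacker-controlled input."""
    def __init__(self, user_id):
        self.user_id = user_id


def view_account_vulnerable(session, account_no):
    """The bug: the account number from the URL is used as-is and never
    checked against the session, so any logged-in user can read any account."""
    owner, balance = ACCOUNTS[account_no]
    return {"account": account_no, "owner": owner, "balance": balance}


def view_account_hardened(session, account_no):
    """The fix: return the record only if the session owns it. Unknown and
    foreign accounts both yield None, so the response does not reveal which
    account numbers exist (no input 'sanitizing' can substitute for this)."""
    record = ACCOUNTS.get(account_no)
    if record is None or record[0] != session.user_id:
        return None
    owner, balance = record
    return {"account": account_no, "owner": owner, "balance": balance}


def flag_enumeration(requests, threshold=5):
    """Detection: sessions that request more distinct account numbers than a
    single customer plausibly owns. `requests` is an iterable of
    (session_user_id, account_no) pairs, e.g. parsed from access logs."""
    seen = defaultdict(set)
    for user_id, account_no in requests:
        seen[user_id].add(account_no)
    return sorted(u for u, accts in seen.items() if len(accts) > threshold)


# Constructed access log: alice views her own account once; bob walks
# through a run of consecutive account numbers, the pattern in the article.
SAMPLE_REQUESTS = [("alice", "1001")] + [("bob", str(n)) for n in range(1000, 1010)]

if __name__ == "__main__":
    print("vulnerable:", view_account_vulnerable(Session("bob"), "1001"))
    print("hardened:  ", view_account_hardened(Session("bob"), "1001"))
    print("flagged:   ", flag_enumeration(SAMPLE_REQUESTS))
```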
Morbo
Looks like they have DDoS’ed Minecraft’s servers; just like that the internet goes from loving them to hating them.
Xof
@Douglas:
No kidding. An SQL injection is at least vaguely a *hack*; this is “speak friend and enter” level security.
Ab_Normal
Ob Bobby Tables link