Thursday, June 16, 2011

CitiBank hacked – dumb developers, dumber security consultants

In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
As if insecure direct object references aren’t bad enough, it’s the quotes from the security “expert” that really rankle:

It would have been hard to prepare for this type of vulnerability.
Bullshit. Utter bullshit. If, as the NY Times reports, it was a simple matter of changing URLs once you had a login, it would not be hard to prepare for this. This should have been caught in even the simplest automated review. This was not sophisticated or ingenious, as reported; it was boringly simple. It does however point to an industry-wide failure in developer education. OWASP has had Insecure Direct Object References on its Top 10 list for years. It’s in the SDL Threat Modeling tool. Any security firm worth its salt checks for this, and I’d guess CitiBank employ a few. So why aren’t developers mitigating what are, to me, obvious faults? Why do we still suffer SQL injection? Cross Site Scripting? And what the hell can we do about it?
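To make the fault concrete, here is an added example (not code from the post, from Citi, or from the NY Times) of an account lookup that trusts the number in the URL, the same lookup with a server-side ownership check, and a log check for the "tens of thousands of times" enumeration pattern. The account store, the log format and the session ids are all constructed for the example.

```python
# Added example (not from the post or from Citi): an insecure direct object
# reference of the kind described above, its fix, and a log check for the
# enumeration pattern. All data below is constructed.
from collections import defaultdict

# Constructed data store: account number -> (owner, balance)
ACCOUNTS = {
    "1001": ("alice", 2500),
    "1002": ("bob", 910),
    "1003": ("carol", 18000),
}

class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested account."""

def lookup_vulnerable(user, account_id):
    """Trusts the account number taken from the URL; any logged-in user
    can read any account (the fault the post describes)."""
    return ACCOUNTS.get(account_id)

def lookup_fixed(user, account_id):
    """Same lookup, but the record must belong to the authenticated user.
    Ownership is checked server-side, not inferred from the URL."""
    record = ACCOUNTS.get(account_id)
    if record is None or record[0] != user:
        # Same response for 'missing' and 'not yours', so the URL cannot be
        # used to confirm which account numbers exist.
        raise Forbidden(f"{user} may not read account {account_id}")
    return record

def enumeration_suspects(log_lines, threshold=3):
    """Flag sessions that touched more distinct account numbers than a
    real customer would. Log lines are constructed in the form
    'session=<id> path=/account/<number>'."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["session"]].add(fields["path"].rsplit("/", 1)[-1])
    return {sid for sid, ids in seen.items() if len(ids) > threshold}

# Constructed log sample: session s2 walks through account numbers.
SAMPLE_LOG = [
    "session=s1 path=/account/1001",
    "session=s1 path=/account/1001",
    "session=s2 path=/account/1001",
    "session=s2 path=/account/1002",
    "session=s2 path=/account/1003",
    "session=s2 path=/account/1004",
]
```

The threshold in `enumeration_suspects` is deliberately low for the sample; in a real review it would be tuned against normal per-session account counts.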

Read more: idunno.org
Read more: New York Times