Thursday, June 16, 2011

Citigroup Left The Barn Door Open

A data breach at Citigroup may have compromised the personal information of more than 200,000 of the bank's credit card customers.

"During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online," a company spokesman, Sean Kevelighan, explained in a statement on June 9.

Citi is no stranger to embarrassing disclosures of its customers' personal information. In February, it mailed about 600,000 of its customers' tax documents with their social security numbers printed on the outside of the envelope.

Last week I blogged about the “80 / 20” rule and how 80 percent of cyber intrusions and exploits can be prevented by "best practices".

The recent Citigroup attack seems to fall into the 80% category. News reports have said that Citigroup was exploited by "sophisticated" attacks. But security experts say that at least by today's standards, most of these attacks were far from advanced, except perhaps in their simplicity.

To begin with, statistically speaking, very few attacks pass the sophistication threshold. According to the 2011 Data Breach Investigations Report from Verizon, "only 8% of data breaches represented a 'high' attack difficulty," said Rob Rachwald, director of security strategy for Imperva, in a blog post.

Citigroup seems to have fallen victim to basic URL hacking – which is far from sophisticated.

Attackers "leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar," an unnamed security expert told The New York Times.

In other words, attackers took advantage of the fact that the Citi Card website failed to hide actual account numbers in the URL string. "It would have been hard to prepare for this type of vulnerability," said the security expert, who's familiar with the investigation.

In fact, it would have been easy to prepare for this type of vulnerability, known as "Insecure Direct Object References," which is so widespread that it ranks as the fourth most dangerous vulnerability on the Open Web Application Security Project top 10 list of Web application vulnerabilities.

Perhaps Citigroup's developers and automated code-scanning tools failed to spot the use of real account-related information in URL strings. But that's where penetration testing is supposed to fill in, and it's obvious from numerous recent breaches, involving Citigroup, Sony, and others that "pen testing" wasn't employed.

"When you look at how the breaches are occurring, it's like penetration testing 101. Ethical hackers are taught to test computer security on the good guy side," Alex Cox, principal research analyst at NetWitness, said in an interview last month.

"So, a lot of times people aren't applying the idea of, let's hire someone to break in and see if he can do something realistically. But if you've got a good pen-test team, that's a really good way to understand where your vulnerabilities are," he said.

Or to reverse Cox's advice, by not conducting penetration testing on their Web applications, businesses won't know where all of their vulnerabilities are, and thus won't be prepared to repel attackers. Which, like recent attacks, doesn't seem very sophisticated.

In summary, an analogy seems appropriate.

Tom: How’s your health?

Henry: Fine.

Tom: How do you know?

Henry: Because I feel fine and I don’t think I have any issues.

Tom: Have you been to a doctor recently for a checkup?

Henry: No.

Tom: Then how can you really be sure how healthy you are?

Well the same goes for Citigroup. They might have thought their online system was healthy, but without having made the effort to get it checked they really didn’t know – and in this case they weren’t very healthy.

No comments: