Primitive Persistent Threat

It's time to party like it's 1999...

According to The New York Times, "sophisticated attackers" stole large quantities of customer data from Citi, using computers.

You can read the article here.

We know the attackers used computers, because they typed an account number into a URL bar, and computers have URL bars. Computers are sophisticated, and anyone who uses them is, apparently, "especially ingenious". Just read the article.

But the quote that really got me was this one: "[The attackers] leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar."

The report quoted a security expert familiar with the investigation as saying "it would have been hard to prepare for this type of vulnerability" and this attack is only one of a "wave of more and more sophisticated breaches by hi-tech thieves".

Now I've tested a few Web apps in my time as an information security consultant, so I guess I am moderately sophisticated with these here com-putars by the standards of The New York Times, but as far as I can tell the OWASP Top 10 Number 4: "Insecure Direct Object Reference" is a fancy way of saying "herp a derp, lets put the account number in the URL bar, and just hope no one increments it".

So lets just come right out and say it: If this NYTimes piece is correct, these are not sophisticated attacks.

Sony getting SQL injected? Not sophisticated. Citi account-in-the-URLbar? Not ingenious.

The sad thing is nearly every in the wild, for actual profit cyber-crime is carried out using bog-standard, basic flaws that have been well understood, documented, taxonomised, discussed, weaponised and used in the wild for years.

Anyone from a 13 year old kid to the Russian mafia can and will break into almost anything in minutes using common garden flaws that even the slightest attempt at planning an approach to the foothills of the snowy, cloud-lost peaks of Mt Best Practice would have spotted.

If, as per the reports, Citi got 200,000 customer records stolen through changing the account number in the URL string, then it's almost certain it never got that Web site tested for security.

Can we all just say that out loud? It's possible that the world's largest financial services network didn't get this system tested for security.

The NYT breaks it down for mom-n-pop: "Think of it as a mansion with a high-tech security system -- but the front door wasn’t locked tight."

No: They. Didn't. Test. It.

Hell, even if you fired an automated webappsec tool at something like that, you'd find it. Same as with all Sony's SQL injection. These are not "high-tech security systems" that aren't "locked tight". If the NYT report is accurate, this is straight out negligence.

In Maine last week, the judge in the case of Patco vs Ocean Bank concluded "the law does not require the bank to implement the 'best' security measures available and that the bank is clear to customers when they sign up about the level of security it provides".

Sure, perhaps expecting diamond-studded RSA tokens when you sign up for Internet banking is a bit much, but how about basic security testing?

Companies like Citi aren't the only class of sinners. Recently a large, name-brand software vendor admitted to our mutual customer that it, too, had never actually commissioned external penetration testing of its security focused product.

The product is marketed as an enabler of robust multi-tenanted security boundaries. The software maker had never tested it: "Nope, not at all, why do you ask?"

One of the bugs involved just typing the name of another customer into an input box, instead of clicking your own from a list.

Or perhaps you'd like more irony? How about arbitrary file read via ../../../ in the URL bar in Trend Micro's "Data Loss Prevention Virtual Appliance"?

Your bank gets owned because computers are sophisticated. Computers are hard. Building, deploying and maintaining secure business computer systems is fiendishly hard.

But, NYTimes, don't tell me that Citi lost 200,000 customers worth of information because of a sophisticated attacker. Tell me the truth: it lost the information because it failed to test its systems. It failed to take even what limited basic options we as an infosec industry can offer -- the OWASP Top 10, some basic Web app penetration testing, and perhaps hiring a security consultant who might better prepare the company against an earth-shatteringly sophisticated attack involving the alteration of an account number in the URL bar.

TL;DR Typed account number into browser, owned bank.

Editor's note: The funny thing is we hear good things about Citi's in-house pentesters. Either the NYTimes article is incorrect, or somehow this bug just slipped through to the keeper. We have no idea. It's hardly the point: Even if Citi didn't get owned this way, plenty of others do and it makes us all very sad pandas at Risky Business HQ. :'(