Quote from that article:

"The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. "It would have been hard to prepare for this type of vulnerability," he said. The security expert insisted on anonymity because the inquiry was at an early stage."

I like the use of the words *especially ingenious*. It is hardly a browser vulnerability, it is a design and implementation issue. It should have been picked up at multiple levels (design, coding, testing, etc.). The security expert did not want his name listed in case he sounded like a wally :-)

-----Original Message-----
From: Alan Davies [mailto:adav...@cls-services.com]
Sent: 15 June 2011 10:31
To: NT System Admin Issues
Subject: RE: [OT] Citibank worse at security than Sony

What floors me is how sophisticated they are saying the attack is! Honestly, this article makes me so angry!

http://www.nytimes.com/2011/06/14/technology/14security.html?_r=3

This is basic s**t! It's not APT. It's not sophisticated. It's complete lack of good governance and due diligence. It's a high profile web app with PII data that should be having significant PT work done at a MINIMUM of quarterly. As with Sony, one has to wonder where their priorities are with data protection ..

a

-----Original Message-----
From: Matthew B Ames [mailto:matthew.a...@qinetiq.com]
Sent: 15 June 2011 07:24
To: NT System Admin Issues
Subject: RE: [OT] Citibank worse at security than Sony

As a software engineer I would feel rather guilty to develop a system that was that poor. I used to have a Citi credit card..... I had better check it is no longer active.

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: 15 June 2011 04:36
To: NT System Admin Issues
Subject: [OT] Citibank worse at security than Sony

So... 200,000 or so Citigroup customers have had their personal info stolen.
Someone logged in to one account properly, then changed the account number in the URL to someone else's, and the site happily served up that account instead. I hesitate to even call the first party an "attacker". Is it really an attack if the bank just leaves a pile of money sitting on the sidewalk and someone takes it?

http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html

Some banker fat cats need to go to jail for this. This is incompetence of the highest order.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

************************************************************************************
WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies.

"CLS Services Ltd × Registered in England No 4132704 × Registered Office: Exchange Tower × One Harbour Exchange Square × London E14 9GE"

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error.

QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England & Wales: Company Number: 3796233) Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.
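The flaw Ben describes in the thread above (change the account number in the URL, get someone else's account) is what is usually called an insecure direct object reference: the server uses a client-supplied identifier as the lookup key without checking that the authenticated user is entitled to that object. The following is an added example, not code from this thread, from Citibank, or from the linked articles. It models the account page as a tiny in-memory service with the vulnerable handler beside the authorization-checked one, and adds a small check over constructed access-log lines that flags sessions which successfully read accounts they do not own. The account store, the log format and the function names are all assumptions made for the example.

```python
"""Added example (not from the thread or from Citibank): URL-parameter account
lookup as an insecure direct object reference (IDOR), beside the authorization-
checked version, plus a log check for cross-account reads. All data is constructed."""

import re
from collections import defaultdict

# Constructed account store: account id -> owner (the login name) and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 410},
    "1003": {"owner": "carol", "balance": 9900},
}


class NotAuthorized(Exception):
    """Raised when the caller may not view the requested account."""


def view_account_vulnerable(session_user, account_id):
    """Vulnerable: the account id from the URL is used directly as the lookup
    key, so any logged-in user can read any account. The session user is
    accepted but never consulted, which is exactly the bug the thread describes."""
    return ACCOUNTS[account_id]


def view_account_fixed(session_user, account_id):
    """Fixed: the object is authorized against the principal from the server-side
    session, never against anything the client supplied."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        # One answer for 'no such account' and 'not your account', so the
        # response does not reveal which ids exist.
        raise NotAuthorized(f"user {session_user!r} may not view account {account_id!r}")
    return account


# Constructed access-log lines in a hypothetical format, one request per line.
# Alice's session walks through ids that belong to other customers.
SAMPLE_LOG = """\
user=alice path=/account/1001 status=200
user=alice path=/account/1002 status=200
user=alice path=/account/1003 status=200
user=bob path=/account/1002 status=200
user=carol path=/account/1003 status=200
user=carol path=/account/1002 status=403
"""

LOG_RE = re.compile(r"user=(\S+) path=/account/(\d+) status=(\d+)")


def find_cross_account_reads(log_text, accounts=ACCOUNTS):
    """Return {user: sorted account ids} for successful (200) reads of accounts
    the user does not own. This is the after-the-fact check a bank can run over
    its own logs, since it knows which customer owns which account."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        user, account_id, status = m.groups()
        if status != "200":
            continue  # refused requests are not data exposure
        owner = accounts.get(account_id, {}).get("owner")
        if owner != user:
            hits[user].add(account_id)
    return {u: sorted(ids) for u, ids in hits.items()}


if __name__ == "__main__":
    print(view_account_vulnerable("alice", "1002"))  # bob's account, served anyway
    try:
        view_account_fixed("alice", "1002")
    except NotAuthorized as e:
        print("fixed handler refused:", e)
    print(find_cross_account_reads(SAMPLE_LOG))  # {'alice': ['1002', '1003']}
```

The point of the fixed handler is that the authorization decision is made from server-held state (the session's user) and the object's ownership record, not from the URL; the client may send any account id it likes and only ever sees its own data. The log check is the detection side of the same rule: the same ownership table that should have gated the request tells you, after the fact, which sessions read data that was not theirs.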