Just to point out the obvious - Citi are FS, i.e. they are heavily regulated. This is not optional or something that an Exec might choose to bother with. It's absolutely mandatory and explicitly defined, and they would have a large Information Security team, a governance and/or compliance team and an internal audit team, along with a regulator. On top of that, it may be in PCI scope for card data. In the UK, this would mean the FSA as the regulator, the ICO and Visa/Mastercard for PCI. In the US, the FRBNY, etc. ... the list goes on. It almost needs to be an act of sabotage to be this bad and slip through unnoticed for any period of time!

a
________________________________
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: 15 June 2011 15:46
To: NT System Admin Issues
Subject: RE: [OT] Citibank worse at security than Sony

Probably. But some executive sponsor will ask "is it secure? Did it pass the security review?"

Some PM, who knows nothing about IT, will answer "yes".

Some people in the security group, who are expected to know everything about every app (even though they might be experts with FWs and SIEMs and AV, they don't know anything about .NET / JSP etc.), reviewed it and agreed.

And some poor schmuck developed this thing 10 years ago when this wasn't an issue. Or they needed to pass some data between disparate systems but couldn't find a good way to do it, so they went the easy way.

Again, not excusing it - it's really poor form, and so easy to protect against. That said, maintaining session state "out of process" was expensive 10 years ago. If that's when the app was developed, the programmers probably didn't know better, and the solutions for scalability were expensive.

Quoting OWASP is fine (well, even that wasn't really that well known 10 years ago), but unless you do App Dev in an enterprise, you just can't know how difficult it is to get anything done. What was "state of the art" in security 12 months ago when you started the project is obsolete by the time it's installed, and completely out-of-date by the time the next refresh project is entering kick-off meetings.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Wednesday, 15 June 2011 9:48 PM
To: NT System Admin Issues
Subject: Re: [OT] Citibank worse at security than Sony

Thou speakest truth...

My comment about shareholder value is aimed more at the fact that the people that should be concerned about whether or not these things are happening properly are not concerned enough to even ask those questions, relative to any questions that would result in revenue potentially going up...

ASB (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
Harnessing the Advantages of Technology for the SMB market...

On Wed, Jun 15, 2011 at 7:39 AM, Ken Schaefer <k...@adopenstatic.com> wrote:

Hmm - at the individual application development level, in a large org, no one cares about shareholder value. The problem with large organisations is the huge amount of effort required to get anything implemented. The application development was probably outsourced, the infrastructure is handled by some other company, the security review was done at the architectural level, and the annual pen test might not have picked it up. And the auditors generally don't know how anything actually works, and just require ticks in the boxes (like hiding your server OS in the HTTP headers, rather than actually trying to attack your application).

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Wednesday, 15 June 2011 7:31 PM
To: NT System Admin Issues
Subject: Re: [OT] Citibank worse at security than Sony

>>As with Sony, one has to wonder where their priorities are with data protection ..

It's all about shareholder value, and the shareholders value profits and dividends... Plus, no one expects to be caught, or exposed, so it's not a problem until it's a problem. Until they suffer some real penalties (huge SEC fine, real government oversight, significant loss of customers, jail time for someone in senior management), there will be little change.

ASB (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
Harnessing the Advantages of Technology for the SMB market...

On Wed, Jun 15, 2011 at 5:31 AM, Alan Davies <adav...@cls-services.com> wrote:

What floors me is how sophisticated they are saying the attack is! Honestly, this article makes me so angry!

http://www.nytimes.com/2011/06/14/technology/14security.html?_r=3

This is basic s**t! It's not APT. It's not sophisticated. It's complete lack of good governance and due diligence.

It's a high profile web app with PII data that should be having significant PT work done at a MINIMUM of quarterly. As with Sony, one has to wonder where their priorities are with data protection ..

a

-----Original Message-----
From: Matthew B Ames [mailto:matthew.a...@qinetiq.com]
Sent: 15 June 2011 07:24
To: NT System Admin Issues
Subject: RE: [OT] Citibank worse at security than Sony

As a software engineer I would feel rather guilty to develop a system that was that poor. I used to have a Citi credit card..... I had better check it is no longer active.

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: 15 June 2011 04:36
To: NT System Admin Issues
Subject: [OT] Citibank worse at security than Sony

So... 200,000 or so Citigroup customers have had their personal info stolen. Someone logged in to one account properly, then changed the account number in the URL to someone else, and the site happily served up that account instead.

I hesitate to even call the first party an "attacker". Is it really an attack if the bank just leaves a pile of money sitting on the sidewalk and someone takes it?

http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html

Some banker fat cats need to go to jail for this. This is incompetence of the highest order.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
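The defect Ben Scott describes at the start of this thread (an account number taken straight from the URL and served without checking that it belongs to the logged-in customer) is an insecure direct object reference. The following Python is an added example written for this page, not code from the thread, from Citi, or from any bank's system: it puts the broken lookup beside a fixed one that binds the requested account to the session's customer, and goes one step beyond the thread by logging every decision and counting denied cross-account reads per session, which is the signal a security team would want to alert on. The `acct` query parameter, the account records, the session ids and the alert threshold are all constructed for illustration.

```python
"""Added example (not from the thread): an account view that trusts the account
number in the URL, beside a version that enforces ownership and logs denials.
All names, data and the ?acct= parameter are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> record, and session id -> customer id.
ACCOUNTS = {
    "1001": {"customer_id": "cust-A", "holder": "Alice", "balance": 120.50},
    "1002": {"customer_id": "cust-B", "holder": "Bob", "balance": 9800.00},
}
SESSIONS = {"sess-alice": "cust-A", "sess-bob": "cust-B"}


@dataclass
class AuditLog:
    """Collects authorization decisions so denied cross-account reads can be alerted on."""
    entries: list = field(default_factory=list)


def account_number_from_url(url: str) -> Optional[str]:
    """Extract the constructed ?acct=... parameter from a request URL."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    return values[0] if values else None


def vulnerable_view(session_id: str, url: str) -> Optional[dict]:
    """Insecure direct object reference: the session is authenticated, but the
    account number from the URL is used as-is, so any logged-in user can read
    any account. Kept here only to contrast with hardened_view."""
    if session_id not in SESSIONS:
        return None  # not logged in
    return ACCOUNTS.get(account_number_from_url(url))  # no ownership check


def hardened_view(session_id: str, url: str, log: AuditLog) -> Optional[dict]:
    """Same lookup, but the record is released only if its customer_id matches
    the customer bound to the session; every decision is written to the log."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        log.entries.append({"session": session_id, "acct": None, "result": "unauthenticated"})
        return None
    acct = account_number_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["customer_id"] != customer:
        # Deny and record it: repeated denials from one session are the
        # detection signal, not just the block.
        log.entries.append({"session": session_id, "acct": acct, "result": "denied"})
        return None
    log.entries.append({"session": session_id, "acct": acct, "result": "allowed"})
    return record


def denied_reads_per_session(log: AuditLog, threshold: int = 3) -> dict:
    """Count denied cross-account reads per session and return those at or
    above the (constructed) threshold as alert candidates."""
    counts: dict = {}
    for entry in log.entries:
        if entry["result"] == "denied":
            counts[entry["session"]] = counts.get(entry["session"], 0) + 1
    return {session: n for session, n in counts.items() if n >= threshold}


def demo():
    """Run both views against one session asking for its own and another account."""
    log = AuditLog()
    own = "https://bank.example/accounts/view?acct=1001"
    other = "https://bank.example/accounts/view?acct=1002"
    leaked = vulnerable_view("sess-alice", other)      # Bob's record, wrongly served
    kept = hardened_view("sess-alice", own, log)       # Alice's own record, allowed
    blocked = hardened_view("sess-alice", other, log)  # Bob's record, denied and logged
    return leaked, kept, blocked, log


if __name__ == "__main__":
    leaked, kept, blocked, log = demo()
    print("vulnerable view served:", leaked["holder"])
    print("hardened view, own account:", kept["holder"], "| other account:", blocked)
    for entry in log.entries:
        print(entry)
```

The fix is the single comparison of `record["customer_id"]` against the session's customer; everything else in `hardened_view` exists so that the denial leaves a trace. In a real application the ownership check belongs in the data-access layer rather than in each handler, so that a new page cannot forget it, and the audit entries would go to the same pipeline the SIEM already reads.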