Earlier this week, Rob O’Hara argued that hackers, in spite of the publicity they get, aren’t necessarily sophisticated at all.
Details of the Citigroup hack prove it.
Basically, somebody figured out that once they logged into a Citigroup account, their account number appeared in the URL. If you rewrote the URL to put a different account number in, you jumped straight to another person's account, without knowing anything else about the owner of that second account. Security people call this an insecure direct object reference: the site takes an identifier from the request and hands back the object it names without asking whether the requester is allowed to see it.
The bank checked that you were logged in, but it never checked that the account you asked for was yours. As long as you had access to one account, it would grant you access to any other. It would be just like me walking into Costco, flashing my card, then telling the cashier my name was Bill Gates and the cashier charging it to his account without checking any further.
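To make the missing check concrete, here is an added example (not Citigroup's code, and not from the original post) that models the flaw as two request handlers: one that trusts the account number in the URL after authenticating the session, and one that also confirms the account belongs to the logged-in user. The URL shape, session tokens, account numbers and balances are all constructed for the demonstration.

```python
# Added example, not Citigroup's code: a minimal model of the account-in-the-URL
# flaw, with the authorization check that would have stopped it.
# Account numbers, owners, balances and session tokens are constructed data.
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass
class Account:
    number: str
    owner: str          # username that owns this account
    balance_cents: int


# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    "1001": Account("1001", "alice", 250_00),
    "1002": Account("1002", "bob", 999_00),
}

# Session table: session token -> authenticated username (constructed).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Unauthenticated(Exception): ...
class Forbidden(Exception): ...
class NotFound(Exception): ...


def account_number_from_url(url: str) -> str:
    """Pull the acct parameter out of a URL such as
    https://bank.example/view?acct=1001 (a hypothetical URL shape)."""
    qs = parse_qs(urlparse(url).query)
    try:
        return qs["acct"][0]
    except (KeyError, IndexError):
        raise NotFound("no account number in URL")


def view_account_vulnerable(session_token: str, url: str) -> Account:
    """The flawed pattern: authenticate the session, then trust the
    account number in the URL without checking who owns it."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    number = account_number_from_url(url)
    if number not in ACCOUNTS:
        raise NotFound(number)
    return ACCOUNTS[number]          # any logged-in user gets any account


def view_account_fixed(session_token: str, url: str) -> Account:
    """Same flow plus the missing authorization check: the account's
    owner must be the authenticated user."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    user = SESSIONS[session_token]
    number = account_number_from_url(url)
    acct = ACCOUNTS.get(number)
    # Same error for "does not exist" and "not yours", so an attacker
    # cannot enumerate valid account numbers from the error type.
    if acct is None or acct.owner != user:
        raise Forbidden(f"{user} may not view account {number}")
    return acct


def idor_demo() -> dict:
    """Run alice's session against bob's account number through both handlers."""
    bobs_url = "https://bank.example/view?acct=1002"
    leaked_owner = view_account_vulnerable("sess-alice", bobs_url).owner
    try:
        view_account_fixed("sess-alice", bobs_url)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaks_owner": leaked_owner, "fixed_blocks": blocked}


if __name__ == "__main__":
    print(idor_demo())
```

The fix is one comparison, which is the point: the expensive part of the system, the login, was already there. What was missing was the question "is this object yours?" on every request that names an object.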
Whoever discovered the vulnerability was either clever or lucky. I'm not sure which. But the attack required less sophistication than what someone I knew in college used to do. Back in the '90s, my school put all of its student web pages on a big (for the time) Unix cluster. When we made web pages, we were supposed to create a www directory inside our home directory, then do a chmod 755 on it (chmod 644 is for the files inside; a directory needs the execute bit or nobody can enter it) to make our web pages readable by the world.
Well, some students got lazy and did a chmod 777 on their www directory, making it writable by all comers. Some did it on their home directory, which was even worse. So curious students could do a little hocus-pocus with ls commands, perhaps in concert with grep, to find which students had left their pages completely open, then march in and change those students' web pages at will.
At least that hack required someone to know what switches to feed to the Unix ls command, plus a lot of patience. Or to know those switches, how to pipe ls into grep, and how to write a grep pattern that picked out the world-writable directories.
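Here is an added example (mine, not the original post's, and not a reconstruction of what anyone actually ran) of that ls-and-grep hunt, done with os.stat so it runs anywhere Python does. It builds a throwaway /home-style tree with constructed usernames, applies the modes the post mentions (755, 777 on www, and 777 on a home directory), and reports which ones anyone on the system could write to.

```python
# Added example, not from the original post: find world-writable web
# directories under a /home-style tree. The usernames and modes are
# constructed so the scan can run offline in a temporary directory.
import os
import stat
import tempfile

# Directories a lazy student might have opened up (constructed sample data).
SAMPLE_MODES = {
    "alice": {"home": 0o711, "www": 0o755},   # correct: world can traverse and read
    "bob":   {"home": 0o711, "www": 0o777},   # www writable by everyone
    "carol": {"home": 0o777, "www": 0o755},   # whole home directory open
}


def build_sample_tree(root: str) -> None:
    """Create root/<user>/www with the modes in SAMPLE_MODES."""
    for user, modes in SAMPLE_MODES.items():
        home = os.path.join(root, user)
        www = os.path.join(home, "www")
        os.makedirs(www)
        os.chmod(www, modes["www"])      # set the child first, then its parent
        os.chmod(home, modes["home"])


def world_writable(path: str) -> bool:
    """True when 'other' has the write bit, which is what chmod 777 grants.
    A sticky bit (as on /tmp) only stops others from deleting or renaming
    files, not from dropping new ones into a www directory, so it is not
    treated as a mitigation here."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def mode_string(path: str) -> str:
    """Render the permission string the way ls -ld shows it, e.g. drwxrwxrwx."""
    return stat.filemode(os.lstat(path).st_mode)


def find_open_dirs(root: str) -> dict:
    """Scan each home directory under root the way the post's ls|grep did.
    Returns {user: [which of 'home'/'www' is world-writable]}."""
    findings = {}
    for user in sorted(os.listdir(root)):
        home = os.path.join(root, user)
        if not os.path.isdir(home):
            continue
        hits = []
        for name, path in (("home", home), ("www", os.path.join(home, "www"))):
            if os.path.isdir(path) and world_writable(path):
                hits.append(name)
        if hits:
            findings[user] = hits
    return findings


def run_scan() -> dict:
    """Build the sample tree in a temp directory, scan it, clean up."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_open_dirs(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for user in SAMPLE_MODES:
            home = os.path.join(root, user)
            www = os.path.join(home, "www")
            print(f"{mode_string(home)} {user}   {mode_string(www)} {user}/www")
        print("exposed:", find_open_dirs(root))
```

On a real multi-user host the same check, pointed at /home, is what an administrator should have been running nightly; the students who found the open directories were doing the sysadmin's audit for free, just with worse intentions.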
Some people are asking whether we’re in a golden age of hacking. I don’t agree with that at all. We’re still in the dark ages of security, and we didn’t realize it until somebody got mad enough at Sony to start poking around at it to see if it was possible to break in and embarrass them. And then when they did, some other bored attention seekers decided to see if any other disliked companies or organizations had similarly bad security practices. Citigroup isn’t as hated as Sony, perhaps, but I’ve never met anyone who had a particularly good experience doing business with them. I’ve met lots of people who were glad to stop doing business with them, as I was when I closed my Citibank card in 1996.
Companies that are paying attention should be hiring penetration testers as quickly as they can find them and, more importantly, vet them, and put them to work immediately to find these weaknesses in their web sites and networks before activist hackers do. If companies are smart, and want to come out of the dark ages of security, penetration testing will be a hot career field for the next couple of years. The less popular a company is, the more it needs these types of people.
So why now?
Some of these vulnerabilities have probably existed for a long time now. The push to add more functionality via the web undoubtedly introduced more. But I think the biggest thing is that people are motivated to look. Unemployment is still high, including in the technical fields. Consumers feel abused. If large companies are feeling the same pinches that the rest of society feels, it's not showing in the headlines: Executive pay is up 18 percent even though inflation was only 1.6 percent, and unemployment is only down 1 percent.
It started out with a few people unhappy that Sony removed the ability to run Linux on their PlayStation 3s, and even more people getting even more unhappy with Sony's actions against the people who modified the PlayStation 3 to put that ability back in. Sony got hacked by a group seeking revenge, and soon copycat groups were doing it too. Some seem to have been after attention as much as revenge. And since many people reuse passwords, passwords plundered from Sony proved useful for breaking into other things. Which led to more breaches, more attention, more copycats, and the cycle continues.
If this had started happening in 2007 when people were generally happier and had better things to do (such as working and engaging in conspicuous consumption), it might not have gotten this out of hand. But it didn’t, so here we are.
If you're interested in computers but aren't working in the field, or would like to get a higher-paying job, I suggest you start learning everything you can about penetration testing. And no matter who you are, if you haven't changed your eBay, PayPal, Amazon, and other online passwords in a while, it would be an extremely good idea to do so now. And don't use the same password on more than one site.
Forgive me. This is off topic but I thought this might interest you.
The world’s largest model train collection (photos)
That is one of the more famous layouts in existence today. Cnet provides more photos of it than most of the writeups I’ve seen though. Thanks.
Back in the early days of cable internet, an SMB scan of your IP block would reveal everyone without a router (most people) who also had Windows file sharing turned on. There were always a few of those, and it was a simple matter to punch their IP into Windows Explorer and sit down to lunch at their table, so to speak. I wouldn't even call it cracking, since nothing was being cracked absent any and all security. Curiosity satisfied, I moved on.
The thing to remember is that the internet was not designed with security in mind at its inception. It was designed to be resilient and robust, with security a matter of physical access that few people outside the military/industrial complex and select academic institutions had. Over time this changed, and DARPA walked away knowing the internet was not, nor would be, able to support its own growing security requirements, with all and sundry gifted to the public sector, which didn't particularly care. Not initially.
As a conduit for information the internet was and is unparalleled, having grown popular and now nearly omnipresent, with business and industry as early adopters because such connectivity was comparatively cheap. Along the way our government, its various agencies and our military seemed to forget the reasoning of DARPA years prior.
Standing in the here and now while remembering then, I am left somewhat amused, even in light of our Veterans Administration losing all the personal information they had collected on me and a few million others by allowing their people to download this information onto their laptops to be taken home on weekends. Seriously, what did they think was going to happen? Of course there is no need for that now, as users can simply log in remotely for access, and next time the system is breached they will have the audacity to act surprised.
In my Navy days I had a top secret security clearance, but that didn't mean I could access any and all material with that rating. Security was compartmentalized and I only had access on a need-to-know basis. In other words, my area of expertise and none other unless there was a need, with approvals granted. Contrast this with the subsequent Wikileaks fiasco, where it was decided that inter-agency information at the secret level would be shared wholesale among 250,000 people. Once again, what did they think was going to happen?
I mention this because the government is jumping up as though it is now tasked with fixing internet security when it can't even fix itself, nor remember why DARPA moved on to develop something else. Open and secure is a tough combination.
Perhaps not impossible, and people will always be the Achilles heel, but Citi is an example of pure negligence. One among many, not even unique and certainly not new. Sony is another, even after a month's downtime for an audit prior to a network restart.
Among many sobering thoughts is the realization that we are not immune from data theft in all its ramifications even when completely unplugged, and how many data silos contain our information, all the while a growing myriad of entities continue to ask us for more.
I’ve consulted for companies that have divisions working on defense contracts, so I’ve been told to not visit Wikileaks and, ideally, not even read much about it. But I note that the criticism in 2001 was that there wasn’t enough inter-service, inter-agency information sharing. Now we’ve seen the good things and bad things that can happen from more sharing: Within a year, we got Bin Laden, and classified information was published in foreign newspapers.
Cringely wrote about the government and security in recent weeks. His theory is that the government doesn’t want security, as it makes spying more difficult. But something about his analysis just didn’t feel right after I read it, though I couldn’t really pinpoint what was wrong. Maybe it’s just that the subject is so complex. Sure, maybe IPv6 will make things better since it has built-in authentication, but IPv6 doesn’t help the Citi and Sony situations because they failed to do basic authentication and/or encryption. That makes me wonder how many other rush-job corporate web sites exist that have similar problems, but frankly, fear of litigation ought to be enough to get those fixed. That isn’t the government’s issue to solve, at least not entirely. The government’s own security issues are, presumably, more complex than that. The stakes certainly are higher.