Earlier this week, Rob O’Hara argued that hackers, in spite of the publicity they get, aren’t necessarily sophisticated at all.
Details of the Citigroup hack prove it.
Basically, somebody figured out that if they logged into a Citigroup account, their account number was in the URL. And if you rewrote the URL to put a different account number in, you were able to jump to another person’s account, without knowing anything else about the owner of that second account.
The bank wasn’t checking credentials. As long as you had access to one account, they’d grant you access to any other account. It would be just like me walking into Costco, flashing my card, then telling the cashier my name was Bill Gates and the cashier charging it to his account without checking any further.
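The flaw described above is a missing authorization check: the server trusted the account number in the URL instead of asking whether the logged-in user owns it. The following is an added example, not code from the original post or from Citigroup, with a constructed in-memory account table and a made-up access-log format. It shows the vulnerable handler beside the fixed one, and a small detection routine that flags sessions walking through many different account numbers, which is what exploitation of this kind of bug looks like in access logs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str          # user id of the account holder
    balance_cents: int


# Constructed sample data for this example; numbers and names are made up.
ACCOUNTS = {
    "1001": Account("1001", "alice", 250_00),
    "1002": Account("1002", "bob", 9_999_00),
}


class Forbidden(Exception):
    """Raised when the request is not allowed for the session user."""


def view_account_vulnerable(session_user, account_number):
    """The flaw the post describes: the session is authenticated, but the
    account number taken from the URL is never checked against that session,
    so any logged-in user can read any account."""
    if session_user is None:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_number]


def can_view(session_user, account_number):
    """Authorization decision: True only if the account exists and belongs
    to the session user. A missing account and someone else's account give
    the same answer, so the endpoint does not leak which numbers exist."""
    account = ACCOUNTS.get(account_number)
    return account is not None and account.owner == session_user


def view_account_fixed(session_user, account_number):
    """Same endpoint with the ownership check in place."""
    if session_user is None:
        raise Forbidden("not logged in")
    if not can_view(session_user, account_number):
        raise Forbidden("no such account for this user")
    return ACCOUNTS[account_number]


# Detection side. Constructed access-log lines in a made-up format:
# "<session> GET /account/<number>".
SAMPLE_LOG = [
    "sess-a GET /account/1001",
    "sess-a GET /account/1001",
    "sess-b GET /account/1001",
    "sess-b GET /account/1002",
    "sess-b GET /account/1003",
    "sess-b GET /account/1004",
]

LOG_RE = re.compile(r"^(\S+) GET /account/(\d+)$")


def sessions_enumerating_accounts(log_lines, min_distinct=3):
    """Return, sorted, the sessions that requested at least `min_distinct`
    different account numbers. A legitimate customer touches their own
    handful of accounts; a session stepping through numbers stands out."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            session, number = m.groups()
            seen[session].add(number)
    return sorted(s for s, nums in seen.items() if len(nums) >= min_distinct)


if __name__ == "__main__":
    print(view_account_vulnerable("alice", "1002"))   # bob's account leaks
    print(can_view("alice", "1001"), can_view("alice", "1002"))
    print(sessions_enumerating_accounts(SAMPLE_LOG))  # ['sess-b']
```

The safer design is to not take the account number from the client at all (resolve the customer's accounts from the session, as in a `/accounts/me` style route); where the identifier must stay in the URL, the ownership check in `can_view` is mandatory on every request, not just the first one after login.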
Whoever discovered the vulnerability was either clever or lucky. I’m not sure which. But the attack required less sophistication than what someone I knew in college used to do. Back in the ’90s, my school put all of its student web pages on a big (for the time) Unix cluster. When we made web pages, we were supposed to create a www directory inside our home directory, then do a chmod 755 or, better yet, a chmod 644 on our www directory to make our web pages accessible to the world.
Well, some students got lazy and did a chmod 777 on their www directory, making it writeable to all comers. Some did it on their home directory, which was even worse. So curious students could do a little bit of hocus-pocus with ls commands, perhaps in concert with grep, to find which students had left their pages completely open, then go march in and change those students’ web pages at will.
At least that hack required someone to know what switches to feed to the Unix ls command, plus a lot of patience. Or the knowledge of what switches to feed to ls, how to pipe it to grep, and how to write a filter for grep to pick out the vulnerable directories.
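The sysadmin's side of the chmod 777 story is an audit that finds world-writable directories before curious students do. This is an added example, not from the original post or the school in question; the tree it inspects is whatever path you pass in, and the demo builds a constructed one under `mktemp`. One caveat a practitioner would want: a directory needs its execute (search) bit for the web server to enter it, so 755 is the mode that actually works on a `www` directory, while 644 is a file mode.

```sh
#!/bin/sh
# Added example (not part of the original post): audit a tree of home
# directories for world-writable directories, the "chmod 777" mistake the
# post describes, and optionally remove the stray write bit.

# Print every directory under $1 whose "other" write bit (octal 0002) is
# set, one per line, sorted so the output is stable.
audit_world_writable() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Remove the "other" write bit from every such directory under $1.
# Owner and group permissions are left alone.
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Demo against a constructed tree: two "students", one of whom ran chmod 777.
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/www" "$root/bob/www"
    chmod 755 "$root/alice" "$root/alice/www" "$root/bob"
    chmod 777 "$root/bob/www"        # the lazy student's www directory
    echo "world-writable directories under $root:"
    audit_world_writable "$root"     # prints only $root/bob/www
    fix_world_writable "$root"
    echo "after fix:"
    audit_world_writable "$root"     # prints nothing
    rm -rf "$root"
}

demo_audit
```

Run it as a cron job against `/home` and mail the output to the admins; an empty report is the desired state. The fix function only strips the "other" write bit, so a student who deliberately shared a directory with their group (`chmod 775`) is not touched.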
Some people are asking whether we’re in a golden age of hacking. I don’t agree with that at all. We’re still in the dark ages of security, and we didn’t realize it until somebody got mad enough at Sony to start poking around at it to see if it was possible to break in and embarrass them. And then when they did, some other bored attention seekers decided to see if any other disliked companies or organizations had similarly bad security practices. Citigroup isn’t as hated as Sony, perhaps, but I’ve never met anyone who had a particularly good experience doing business with them. I’ve met lots of people who were glad to stop doing business with them, as I was when I closed my Citibank card in 1996.
Companies that are paying attention should be hiring penetration testers as quickly as they can find and–more importantly–vet them, and put them to work immediately to find these weaknesses in their web sites and networks before activist hackers do. If companies are smart, and want to come out of the dark ages of security, penetration testing will be a hot career field for the next couple of years. The less popular a company is, the more it needs these types of people.
So why now?
Some of these vulnerabilities have probably existed for a long time now. The push to add more functionality via the web undoubtedly introduced some more. But I think the biggest thing is that people are motivated to look. Unemployment is still high, including in the technical fields. Consumers feel abused. If large companies are feeling the same pinches that the rest of society feels, it’s not showing in the headlines: Executive pay is up 18 percent even though inflation was only 1.6 percent, and unemployment is only down 1 percent.
It started out with a few people unhappy that Sony removed the ability for them to run Linux on their Playstation 3s, and even more people getting even more unhappy with Sony’s actions against the people who modified the Playstation 3 to put that ability back in. Sony got hacked by a group seeking revenge, and soon copycat groups were doing it too. Some seem to have been after attention as much as they were after revenge. And since many people tend to re-use passwords, passwords plundered from Sony proved useful for hacking other things. Which led to more breaches, more attention, more copycats, and the cycle continues.
If this had started happening in 2007 when people were generally happier and had better things to do (such as working and engaging in conspicuous consumption), it might not have gotten this out of hand. But it didn’t, so here we are.
If you’re interested in computers but aren’t working in the field, or would like to get a higher-paying job, I suggest you start learning everything you can about penetration testing. And no matter who you are, if you haven’t changed your Ebay, Paypal, Amazon, and other online passwords in a while, it would be an extremely good idea to do so now. And don’t use the same one anywhere.