Application (In)Security in the Citi

Last Updated on June 14, 2011

Today some more details about the Citi breach were revealed and it looks like it is not connected with the RSA breach.

The investigation is still in place, but data collected so far show the kind of attack performed is pretty much more “traditional” then a SecureID clonation: the attackers were able to bypass the perimeter security systems by logging on the site reserved for credit card customers (but no one has explained so far how) were they were able to exploit some vulnerabilities on the Home Banking Web Site.

Probably they performed an SQL Injection or XSS attacks, (Interesting the non-technical description by NYT):

Once inside, they leapfrogged between the accounts of different Citi customers by inserting vari-ous account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

It looks like application and database security is a curse and a bless for the infosec arena. Although not fully mature in my opinion, it is one of the most promising sectors (in which there are grand maneuvers under way by the vendors), but in the same way, application in(security) has been the indirect reasons for several events this year: Sony (in some of the suffered breaches) and Epsilon have been victims of SQL Injection, and if for a moment we forget the breaches (real leading actors of this 2011) and pass to consider malware, we must necessarily mention LizaMoon which has flooded an impressive number of databases all over the world with SQL Injection, infecting more than 1,500,000 URLs.

Unfortunately these kinds of attacks are not simple exercises in style but are often the first stage of more complex Cybercrime operations. If the stolen Data immediately usable (such as Credit Card Numbers and corresponding CVV codes), they are sold in the Black Market Bazaar. In other circumstances, when the stole information is not enough to gain immediate profit, the targets become victims of tailored spear-phishing campaigns (which could potentially last for several years) aimed to gain the missing pieces of the puzzle (read information) necessary to perform the malicious actions.

That is the reasons why, if not already done, Enterprises need to make application security a key foundation for the development of secure business application and services: educating the developers with secure development guidelines, implementing adequate countermeasures with Web Application/Database Firewall, periodically probing the security level of the infrastructure with Vulnerability Assessment and Penetration Test and, last but not least, performing a constant patching.

This corresponds to implement an application oriented modern form of the Deming Cycle, more poetically summarized by the expression “performing Application Housekeeping”.