Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar. The hackers' code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
The method is seemingly simple, but the fact that the thieves knew to focus
on this particular vulnerability marks the Citigroup attack as especially
ingenious, security experts said.
New York Times
with an interesting definition of "ingenious"
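As an added example (not from the Times article and not Citi's code), the two sides of the flaw described above: a lookup handler that trusts the account number taken from the URL, next to one that only returns accounts the session's user owns, plus a log check that flags sessions requesting many distinct account numbers, which is what tens of thousands of repeated requests would look like to a defender. All names, accounts and log lines are constructed.

```python
# Added example, not from the original page: IDOR check and enumeration detection.
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data: accounts and which logged-in user owns each one.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 120.0},
    "1002": {"owner": "alice", "balance": 30.5},
    "2001": {"owner": "bob", "balance": 999.0},
}
OWNERSHIP = {"alice": {"1001", "1002"}, "bob": {"2001"}}


def view_account_vulnerable(session_user, acct_from_url):
    """Trusts the identifier in the address bar: any logged-in user reads any account."""
    return ACCOUNTS.get(acct_from_url)


def view_account_fixed(session_user, acct_from_url):
    """Resolves the identifier only within the set the session's user owns."""
    if acct_from_url not in OWNERSHIP.get(session_user, set()):
        return None  # indistinguishable from "no such account"; nothing leaks
    return ACCOUNTS[acct_from_url]


# Constructed access-log lines: session id and requested path.
LOG_LINES = [
    "sess=A path=/account?acct=1001",
    "sess=A path=/account?acct=1002",
    "sess=B path=/account?acct=2001",
    "sess=B path=/account?acct=2002",
    "sess=B path=/account?acct=2003",
    "sess=B path=/account?acct=2004",
]


def enumerating_sessions(lines, threshold=3):
    """Return session ids that asked for more than `threshold` distinct accounts."""
    seen = defaultdict(set)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        query = parse_qs(urlparse(fields["path"]).query)
        for acct in query.get("acct", []):
            seen[fields["sess"]].add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) > threshold)
```

The threshold is deliberately low for the constructed data; in production it would be tuned against how many accounts a legitimate customer actually holds.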
But some RSA customers say they still don't have enough information from RSA to determine whether they are actually at risk. RSA still hasn't come clean with all of the details on what the bad guys stole. If the seeds were compromised, for instance, then SecurID customers who replace their tokens might have to do so again at another time.
"Customers need to ask RSA why new tokens matter. Does getting a new token
mean I'm more secure? That's the question that needs to be asked," says
Marcus Carey, a security researcher with Rapid7. "Companies need to know
that this isn't a 'token' gesture."
"One thing should be noted: the attacks against Sony are not coordinated,
nor are they advanced. Sony has demonstrated they have not implemented what
any rational administrator or security professional would consider "the
absolute basics". Storing millions of customers' personal details and
passwords without using any form of encryption is reckless and
ridiculous. Even security books from the '80s were adamant about encrypting
passwords at the very least. Several of Sony's sites have been compromised
as a result of basic SQL injection attacks, nothing elaborate or complex."
in "A concise history of recent Sony hacks"
We've created a culture of self-perpetuating paranoia in
military-industrial data security by building systems that are deliberately
compromised then arguing that draconian measures are required to defend
these holes we've made ourselves. This helps the unquestioned three-letter
agencies maintain political power, doing little or nothing to increase
national security, while at the same time compromising
for all of us.