Why Hackers Found Easy Targets At IMF, Citigroup

Published: 22/11/2024   Category: security




Security experts say simple tactics succeeded in breaching major organizations in recent weeks because companies failed to conduct their own penetration testing.



How are attackers exploiting major organizations? RSA said it was felled by an advanced persistent threat (APT). More recently, news accounts have said that the International Monetary Fund and Citigroup were exploited by sophisticated attacks.
But security experts say that, at least by today's standards, most of these attacks were far from advanced, except perhaps in their simplicity.
For starters, statistically speaking, that's because few attacks pass the sophistication threshold. According to the 2011 Data Breach Investigations Report from Verizon, only 8% of data breaches represented a high attack difficulty, said Rob Rachwald, director of security strategy for Imperva, in a blog post.
Furthermore, looking closely at recent attacks, most involved spear phishing (RSA, IMF) or URL hacking (Citigroup), neither of which is very sophisticated. In terms of spear phishing, that goes for state-sponsored attacks that target specific victims--Rachwald's definition of an APT--as well as automated attacks launched en masse and aimed at a lowest common denominator, such as using an email purporting to offer the image of a dead Bin Laden.
"With APT, they are more of a one-off tailor-made nature, while in automation it is a one-size-fits-all approach," he said. "The APT attitude costs much more--which makes it only relevant for very motivated parties. But make no mistake: It isn't very sophisticated."
Lack of sophistication also featured in the Citigroup breach. For that exploit, attackers leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar, an unnamed security expert told The New York Times.
In other words, attackers took advantage of the fact that the Citi Card website failed to hide actual account numbers in the URL string. "It would have been hard to prepare for this type of vulnerability," said the security expert, who's familiar with the investigation.
In fact, it would have been easy to prepare for this type of vulnerability, known as Insecure Direct Object References, which is so widespread that it ranks as the fourth most dangerous vulnerability on the Open Web Application Security Project top 10 list of Web application vulnerabilities.
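The pattern described above, as an added illustration that is not Citigroup's code or part of the original article: a hypothetical account-lookup handler in its vulnerable form (it serves whatever account number arrives in the URL), beside a hardened form that enforces ownership, plus a per-session indirect reference map that keeps real account numbers out of URLs altogether. The users, balances and account numbers are constructed sample data.

```python
# Added example (hypothetical, self-contained): Insecure Direct Object
# Reference in an account-lookup handler, vulnerable and hardened forms.
import secrets
from typing import Optional

# Constructed sample data: account number -> (owner, balance).
ACCOUNTS = {
    "4111000011110001": ("alice", 1200.50),
    "4111000011110002": ("bob", 300.00),
}


def lookup_vulnerable(session_user: str, account_no: str) -> Optional[dict]:
    """Vulnerable: trusts the identifier from the URL and never checks that
    the logged-in user owns it, so any customer can walk other customers'
    accounts simply by editing the number in the address bar."""
    entry = ACCOUNTS.get(account_no)
    if entry is None:
        return None
    owner, balance = entry
    return {"account": account_no, "owner": owner, "balance": balance}


def lookup_hardened(session_user: str, account_no: str) -> Optional[dict]:
    """Hardened: the identifier is still accepted, but the handler checks that
    the object belongs to the authenticated user and returns the same
    'not found' result for foreign and nonexistent accounts alike."""
    entry = ACCOUNTS.get(account_no)
    if entry is None or entry[0] != session_user:
        return None
    owner, balance = entry
    return {"account": account_no, "owner": owner, "balance": balance}


class IndirectReferenceMap:
    """Per-session map from random opaque handles to real account numbers,
    so the real identifier never has to appear in a URL at all."""

    def __init__(self, session_user: str):
        self.user = session_user
        self._handles = {}
        for acct, (owner, _) in ACCOUNTS.items():
            if owner == session_user:
                self._handles[secrets.token_urlsafe(12)] = acct

    def handles(self) -> list:
        return list(self._handles)

    def resolve(self, handle: str) -> Optional[dict]:
        acct = self._handles.get(handle)
        # Ownership is checked again on resolution (defence in depth).
        return lookup_hardened(self.user, acct) if acct else None
```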
Perhaps Citigroup's developers and automated code-scanning tools failed to spot the use of real account-related information in URL strings. But that's where penetration testing is supposed to fill in, and it's obvious from numerous recent breaches, involving Citigroup, Sony, and almost any site exploited by LulzSec, that pen testing wasn't employed.
"When you look at how the breaches are occurring, it's like penetration testing 101--ethical hackers are taught to test computer security on the good-guy side," Alex Cox, principal research analyst at NetWitness, said in an interview last month. (NetWitness, which was acquired by RSA in April, doesn't offer penetration testing.)
"So, a lot of times people aren't applying the idea of, 'let's hire someone to break in and see if he can do something realistically.' But if you've got a good pen-test team, that's a really good way to understand where your vulnerabilities are," he said.
Or, to reverse Cox's advice: by not conducting penetration testing on their Web applications, businesses won't know where all of their vulnerabilities are, and thus won't be prepared to repel attackers. Which, like recent attacks, doesn't seem very sophisticated.
Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.
