Citibank Unable to Afford Secure Web Design

Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.

Source

Tags: , , , ,

Hijack A Facebook Account in One Click

(Image used under: Creative Commons 2.0 [SRC])

Ok so maybe not ONE click. But someone has put together a simple tool that you can use to take over the active sessions of anyone within wireless range of you. Hang out at the Starbucks free wi-fi and you'll be able to control the Facebook or other accounts of people nearby. It's an attack that was always simple to do for those who know how, but now any idiot can do it with a simple new interface.

By the way, they mention a few protections from this at the bottom of the article, but here's one more.

Tags: , ,

Beware of Hijacked Facebook Accounts

(Image used under: Creative Commons 2.0 [SRC])

Of course this isn't a problem limited only to Facebook, but the FBI issued a warning about the rise of hijacking scams. This is where a bad guy gets your login information through various means and then poses as you on your account. They'll send an urgent request for help or money to all your friends who may be fooled and comply (as in the case of Bryan Rutberg).

Remember to use good passwords and protect them especially the password for your e-mail account (which can be used to unlock all your other accounts).
Tags: , , , , , , ,

Sarah Palin’s Private E-mail Account Hacked

(Image is in the Public Domain)

Sarah Palin's Yahoo account has been broken into and e-mails found there posted to Wikileaks. I would say this was a pretty rotten thing to do, but the perpetrators claim they did it to prove that Palin has been using her private e-mail to circumvent recordkeeping laws about government business. If that's true, then perhaps this needed to happen.

Tags: , , , ,

Loading...

If you want to learn more about my professional background, click here to learn more.

Check out one of my guides/tutorials:

Citizens Against Government Waste - CAGW
Consumers Against Supermarket Privacy Invasion And Numbering - CASPIAN
The Electronic Frontier Foundation - EFF
The American Civil Liberties Union - ACLU
Public Citizen
The Electronic Privacy Information Center - EPIC

... or check out any of my other guides and tutorials by clicking here!

Citizens Against Government Waste - CAGW

Citizens Against Government Waste - CAGW

[Click for full description]

Consumers Against Supermarket Privacy Invasion and Numbering - CASPIAN

Consumers Against Supermarket Privacy Invasion And Numbering - CASPIAN

[Click for full description]

The Electronic Frontier Foundation (EFF)

The Electronic Frontier Foundation (a.k.a. the EFF) - a nonprofit group of passionate people — lawyers, technologists, volunteers, and visionaries — working to protect your digital rights.

[Click for full description]

The American Civil Liberties Union - ACLU

The American Civil Liberties Union - ACLU

[Click for full description]

Public Citizen

Public Citizen - A group of non-profit lawyers specializing in freedom of speech and other basic American rights.

[Click for full description]

The Electronic Privacy Information Center - EPIC

The Electronic Privacy Information Center - EPIC

[Click for full description]