
Citibank Unable to Afford Secure Web Design

Really, Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically, after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change the numbers and, boom, you were in someone else's account.

What that means is that if you were to look at the address bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk.

One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade, apparently large (and rich) companies can somehow manage to forget the basics.
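To make the failure concrete, here is an added example (my own illustration, not Citibank's code or anything from the original report) of the pattern described above, alongside the fix. The account table, session table and URL shapes are all constructed for the demo. The vulnerable handler authenticates the user and then shows whichever account the URL names; the fixed handler treats the URL's id only as a selector within the accounts the logged-in user actually owns, and answers "no such account" for both unknown ids and other people's ids so the URL can't be used to probe which ids exist.

```python
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str          # username of the customer the account belongs to
    balance_cents: int


# Constructed sample data standing in for the bank's account table.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice", 250_00),
    1002: Account(1002, "bob", 99_00),
}

# Constructed server-side session table: opaque cookie value -> logged-in user.
SESSIONS: Dict[str, str] = {"cookie-for-alice": "alice", "cookie-for-bob": "bob"}


class AccessDenied(Exception):
    pass


def account_id_from_url(url: str) -> int:
    """Pull the account id out of the 'junk' in the query string, e.g. /account?id=1002&lang=en."""
    values = parse_qs(urlparse(url).query).get("id")
    if not values or not values[0].isdigit():
        raise AccessDenied("missing or malformed id")
    return int(values[0])


def show_account_vulnerable(session_cookie: str, url: str) -> Account:
    """The pattern in the post: the user is logged in, but the account shown is
    whichever id the URL names; nobody checks that it belongs to that user."""
    if session_cookie not in SESSIONS:
        raise AccessDenied("not logged in")
    acct = ACCOUNTS.get(account_id_from_url(url))
    if acct is None:
        raise AccessDenied("no such account")
    return acct


def show_account_fixed(session_cookie: str, url: str) -> Account:
    """Fix: resolve the session to a user first, then only return the row if
    that user owns it.  Unknown ids and other people's ids get the same reply."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise AccessDenied("not logged in")
    acct = ACCOUNTS.get(account_id_from_url(url))
    if acct is None or acct.owner != user:
        raise AccessDenied("no such account")   # identical message either way
    return acct


def demo() -> Dict[str, str]:
    """Alice is logged in and her browser asks for Bob's account number."""
    tampered = "/account?id=1002&lang=en&sid=junk"      # constructed URL
    out: Dict[str, str] = {}
    out["vulnerable"] = show_account_vulnerable("cookie-for-alice", tampered).owner
    try:
        show_account_fixed("cookie-for-alice", tampered)
        out["fixed"] = "leaked"
    except AccessDenied as e:
        out["fixed"] = f"denied: {e}"
    out["own"] = show_account_fixed("cookie-for-alice", "/account?id=1001").owner
    return out


if __name__ == "__main__":
    print(demo())
```

The important line is the ownership comparison in `show_account_fixed`: the id from the URL is untrusted input like any other, and the session, not the URL, is what decides whose data may be shown. Logging the denied attempts (same user, many different ids in a short window) is also a cheap detection signal for this class of problem.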



Best Western Loses Full Details of All Customers From 2008 in Data Breach

Data breaches are about negligence; every time
(Image is in the Public Domain)
Details of how to access the information - which included home addresses, place of employment and credit card details - were sold through an underground network operated by the Russian mafia.

And, again, if these companies would stop holding our credit card numbers far past the date that we used them, we wouldn't be having this problem.


Best Western is contradicting the story, saying that it's exaggerated. More importantly, this:
Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.

If this is true, then how did they lose anything? Did they? The details are unclear.


TJX Data Breach Up to 94 Million Victims

(Image used under: Creative Commons 2.0 [SRC][Mod])

If you've been following this breach, the key problem here has two parts:

1) TJX is the parent company of several other companies including TJ Maxx. Each of those companies shared data with TJX creating a massive database (and a single target for the hackers).

2) TJX (and others) shouldn't have stored the credit card data in the first place and when they did, they should have used better security.

Though they'll blame "clever hackers" for the breach, the fault instead lies squarely with TJX, whose business practice of storing credit cards against people's will, along with negligent use of outdated wireless encryption (WEP), first created a giant target and then left a gaping hole for the bad guys to go and get it.


Home Depot Sent Sex Offender to Single Woman’s Home

(Image used under: Creative Commons 2.0 [SRC])

How does a sex offender get hired to do contracting work that could put him in close personal contact with potential victims? Aren't they required to report that they're a sex offender?

It wasn't like this guy was a one-time offender either. The article states that he had an "extensive history of violent attacks".

Though Niki was in no way harmed, you gotta be careful who you open your door to, even if they're coming from a brand-name store.

Simple Attack Against Home Routers

(Image used under: Creative Commons 2.0 [SRC])

Schneier writes about a recent attack against home routers that takes advantage of the fact that most people never change the default passwords on their equipment.

One of his commenters said it best:

It has long been standard security practice that when logging in to a new system with a default password, the first required step is to have the user create a new password. If routers did this and refused to function until a customized password was set, none of these problems would occur.

Or more simply put, it's a problem that would never exist and would disappear tomorrow if router manufacturers would bother to make a simple and practically free programming change before shipping them out.
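What that "simple and practically free" change looks like in code, as an added illustration (mine, not any router vendor's firmware): an admin interface that accepts the factory default password for the first login but refuses every configuration change until a real password has been set. The default password, the minimum length, and the setting name are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Any, Dict

# Constructed factory default, standing in for whatever is printed on the box.
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12


def _hash(password: str, salt: bytes) -> bytes:
    # Stored credential is a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RouterAdmin:
    """Admin interface that is useless until the default password is replaced."""

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._pw_hash = _hash(FACTORY_DEFAULT_PASSWORD, self._salt)
        self._default_in_use = True        # cleared only by set_password()
        self._session_ok = False
        self.settings: Dict[str, Any] = {}

    def login(self, password: str) -> bool:
        candidate = _hash(password, self._salt)
        self._session_ok = hmac.compare_digest(candidate, self._pw_hash)
        return self._session_ok

    def password_change_required(self) -> bool:
        return self._default_in_use

    def set_password(self, new_password: str) -> None:
        if not self._session_ok:
            raise PermissionError("log in first")
        if len(new_password) < MIN_PASSWORD_LENGTH or new_password == FACTORY_DEFAULT_PASSWORD:
            raise ValueError("choose a longer, non-default password")
        self._salt = os.urandom(16)
        self._pw_hash = _hash(new_password, self._salt)
        self._default_in_use = False

    def apply_setting(self, key: str, value: Any) -> Dict[str, Any]:
        """Every configuration path goes through this gate."""
        if not self._session_ok:
            raise PermissionError("log in first")
        if self._default_in_use:
            raise PermissionError("set a new password before changing settings")
        self.settings[key] = value
        return dict(self.settings)


def first_boot_walkthrough() -> Dict[str, bool]:
    """Default login works, but nothing else does until the password is changed."""
    r = RouterAdmin()
    result: Dict[str, bool] = {}
    result["default_login_ok"] = r.login(FACTORY_DEFAULT_PASSWORD)
    try:
        r.apply_setting("remote_admin", True)          # constructed setting name
        result["blocked_before_change"] = False
    except PermissionError:
        result["blocked_before_change"] = True
    r.set_password("correct-horse-battery")            # constructed new password
    result["allowed_after_change"] = (
        r.apply_setting("remote_admin", False) == {"remote_admin": False}
    )
    result["old_default_rejected"] = not r.login(FACTORY_DEFAULT_PASSWORD)
    return result


if __name__ == "__main__":
    print(first_boot_walkthrough())
```

The gate sits in `apply_setting`, not in the login screen, so a forgotten menu or a management API that bypasses the web UI still cannot reconfigure the device while the factory credential is in place.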


Boeing Loses Data on Laptops… Yadda Yadda

Oops. Sorry about all your data gosh golly wilikers!
(Image is used under the Pixabay license)

Consumer Affairs writes:

A laptop containing the personal information of 328,000 current and former employees of Boeing was stolen in Chicago, according to the company. The laptop theft was the third to befall Boeing in the past twelve months. Boeing is contacting the affected employees by mail and has promised to set up free credit monitoring for them through the Experian credit bureau.
