Whether someone goes to jail or not, and who is legally liable, is up to the courts to decide.

I agree most don't know the ins and outs of every site and system they are supposed to be responsible for. As for the web application attack, it was a trivial input validation issue, which is covered in the OWASP Top 10 web application vulnerabilities and underscores how badly web applications are still coded these days, when a simple parameter attack can be done quite easily with Burp Suite Professional to fuzz the web application and find its flaws (XSS, SQLi, input validation), and the attackers have the time and the tools to keep beating on the doors until they gain access. But putting the account numbers as part of a dynamic SQL string is a pretty poor practice (no encoding, etc.), which leads me to believe there are probably other SQL injection attacks possible against the site to gain even more information, and possibly even the CC numbers and PINs.

OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

I would say sections A1, A6, A7, A8 are a big problem with this web application. (Again, how did this get past the IT group and the Security group, which should have been responsible for reviewing and testing the web application for these types of flaws before it was put out to the public, and the business, which should have been advised of the issues and the risk and either agreed to accept the risk (with signatures) or had the code fixed?) Again, it happens a lot more than you see in the headlines.

Z

Edward E. Ziots CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, June 15, 2011 12:20 AM
To: NT System Admin Issues
Subject: RE: [OT] Citibank worse at security than Sony

I doubt any fat cat bankers signed off, knowingly, on an insecure site. People going to jail would be the IT folks who should have known better.

That said, do you know the ins and outs of every single system you've got control over?

Cheers
Ken

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Wednesday, 15 June 2011 11:36 AM
To: NT System Admin Issues
Subject: [OT] Citibank worse at security than Sony

So... 200,000 or so Citigroup customers have had their personal info stolen. Someone logged in to one account properly, then changed the account number in the URL to someone else's, and the site happily served up that account instead. I hesitate to even call the first party an "attacker". Is it really an attack if the bank just leaves a pile of money sitting on the sidewalk and someone takes it?

http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html

Some banker fat cats need to go to jail for this. This is incompetence of the highest order.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
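The two defects the thread describes (an account number taken straight from the URL with no ownership check, and that same value spliced into a dynamic SQL string) are shown side by side below. This is an added example, not code from the thread or from any bank's site; the table layout, the `make_db`, `vulnerable_lookup` and `hardened_lookup` names, the customer and account numbers, and the session model (a `session_user_id` already established by a real login) are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: three accounts owned by two customers.
    Customer 1 owns 1001; customer 2 owns 1002 and 1003."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (acct_no INTEGER PRIMARY KEY, "
        "owner_id INTEGER NOT NULL, balance INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1001, 1, 500), (1002, 2, 9000), (1003, 2, 42)],
    )
    return db


def vulnerable_lookup(db, session_user_id, acct_param):
    """The pattern described in the thread.

    Two separate bugs:
      1. IDOR: the account number comes from the URL and is never compared
         against the logged-in user, so session_user_id is simply ignored.
      2. SQLi: the raw string is concatenated into the query, so a value
         like "0 OR 1=1" rewrites the WHERE clause.
    Returns every row the query matches.
    """
    sql = ("SELECT acct_no, owner_id, balance FROM accounts "
           "WHERE acct_no = " + acct_param)
    return db.execute(sql).fetchall()


def hardened_lookup(db, session_user_id, acct_param):
    """Same lookup with the three fixes a reviewer would ask for.

      1. Input validation: the parameter must be a plain integer.
      2. Parameterized query: the value is bound, never concatenated.
      3. Authorization in the query itself: the row must belong to the
         authenticated user, so changing the number in the URL yields None
         rather than someone else's account.
    Returns the matching (acct_no, owner_id, balance) tuple or None.
    """
    if not acct_param.isdigit():
        return None  # reject anything that is not a bare account number
    acct_no = int(acct_param)
    row = db.execute(
        "SELECT acct_no, owner_id, balance FROM accounts "
        "WHERE acct_no = ? AND owner_id = ?",
        (acct_no, session_user_id),
    ).fetchone()
    return row


def demo():
    """Replay the thread's scenario: customer 1 logs in, then edits the
    account number in the URL to 1002 (customer 2's account)."""
    db = make_db()
    return {
        # legitimate request for one's own account works either way
        "vuln_own": vulnerable_lookup(db, 1, "1001"),
        "hard_own": hardened_lookup(db, 1, "1001"),
        # the URL-tampering step from the article: only the hardened
        # version refuses
        "vuln_tamper": vulnerable_lookup(db, 1, "1002"),
        "hard_tamper": hardened_lookup(db, 1, "1002"),
        # the follow-on worry in the thread: dynamic SQL lets the same
        # parameter dump every account
        "vuln_sqli": vulnerable_lookup(db, 1, "0 OR 1=1"),
        "hard_sqli": hardened_lookup(db, 1, "0 OR 1=1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

Note that parameterizing alone would close the injection but not the IDOR: a bound `acct_no = ?` with no `owner_id` predicate still hands back whichever account the caller names. The ownership condition has to be part of every per-account query (or an equivalent check on the fetched row), which is also the condition a tester replays in Burp by repeating a logged-in request with a neighbouring account number.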
