Tag Archives: log analysis

Citigroup attack highlights insufficient authorization error

via Citigroup attack highlights insufficient authorization error:

Hackers logged onto a site reserved for credit card customers then inserted various account numbers into a string of text located in the browser’s address bar, according to a report in the New York Times, which cited anonymous sources close to the investigation. The cybercriminals repeated their actions, capturing the names, account numbers, email addresses and transaction histories of more than 200,000 Citigroup customers.

A client of mine had nearly that exact same vulnerability, except in this case, it allowed the user to log in through a URL with the last four digits of their social security number. So by merely crafting a URL with a random 4-digit number, a hacker could gain authenticated access to untold numbers of accounts.

Happily, we discovered it before anyone else did, as far as we know.

Citigroup likely detected the flaw in its own analytics engine. A person monitoring analytics tools would see different spikes of anomalous user activity. An individual sending in 200,000 server requests should generate an alert, Grossman said. Further inspection of the logs would show that a person is conducting an attack by tweaking the URL.

Saved by the logs and SIEM!
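The detection Grossman describes above, as an added example that is not part of the original post and has no connection to Citigroup's actual systems: a rule that flags one client walking through many distinct values of an account-identifier parameter in the URL. The access-log format, the `acct` parameter name and the sample lines are all assumed or constructed.

```python
"""Rule-based detection of URL-parameter enumeration in web access logs."""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Common Log Format; 10.0.0.5 walks through
# consecutive account numbers, 10.0.0.9 behaves like a normal customer.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2011:10:00:01 +0000] "GET /account?acct=1001 HTTP/1.1" 200 512
10.0.0.5 - - [09/Jun/2011:10:00:02 +0000] "GET /account?acct=1002 HTTP/1.1" 200 498
10.0.0.5 - - [09/Jun/2011:10:00:03 +0000] "GET /account?acct=1003 HTTP/1.1" 200 530
10.0.0.5 - - [09/Jun/2011:10:00:04 +0000] "GET /account?acct=1004 HTTP/1.1" 200 511
10.0.0.5 - - [09/Jun/2011:10:00:05 +0000] "GET /account?acct=1005 HTTP/1.1" 200 507
10.0.0.9 - - [09/Jun/2011:10:00:06 +0000] "GET /account?acct=2231 HTTP/1.1" 200 520
10.0.0.9 - - [09/Jun/2011:10:00:07 +0000] "GET /statement?acct=2231 HTTP/1.1" 200 880
10.0.0.9 - - [09/Jun/2011:10:00:08 +0000] "GET /account?acct=2231 HTTP/1.1" 200 520
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse_log(text):
    """Yield (client_ip, path, query_params, status) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip malformed lines rather than crash the job
        ip, method, target, status = m.groups()
        url = urlparse(target)
        yield ip, url.path, parse_qs(url.query), int(status)

def find_enumeration(text, param="acct", max_distinct=3):
    """Flag clients that request more than max_distinct DISTINCT values of
    the identifier parameter: a real customer touches one or two accounts,
    an attacker 'tweaking the URL' walks through many.  Also count how many
    of those requests were answered 200, i.e. how many records were served."""
    seen = defaultdict(set)       # ip -> distinct parameter values requested
    successes = defaultdict(int)  # ip -> requests with the parameter that got 200
    for ip, path, params, status in parse_log(text):
        for value in params.get(param, []):
            seen[ip].add(value)
            if status == 200:
                successes[ip] += 1
    return {ip: {"distinct": len(vals), "ok_responses": successes[ip]}
            for ip, vals in seen.items() if len(vals) > max_distinct}

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['distinct']} distinct {'acct'} values, "
              f"{info['ok_responses']} served with 200")
```

The threshold is deliberately low for the sample; on production logs it belongs in a per-hour window and alongside a plain request-rate spike rule, since the two signals together are what separate an enumerator from a busy legitimate session.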

Citigroup Credit Card Portal Breach Compromises 200,000 Customers

Here’s an exciting story: Citigroup Credit Card Portal Breach Compromises 200,000 Customers – Security – News & Reviews – eWeek.com.

Cyber-attackers have breached financial giant Citigroup’s Web portal and gained access to customer credit card information. The company said the most sensitive information remained safe.

The perpetrators broke into Citi Account Online and viewed customer names, account numbers and some contact information such as email addresses, Citigroup said in a statement June 9. Social Security numbers, birth dates, card expiration dates and the security codes generally found on the back of the credit cards were not compromised as they are stored elsewhere.

Now they know real customers’ contact info, and can phish away, if not fabricate new identities from it.

While 200,000 sounds “kind of small” when compared to what happened in recent breaches, such as Sony’s 100 million, the number of records compromised is “not the important thing here,” Anup Ghosh, founder and chief scientist of Invincea told eWEEK. “It’s the loss of faith in the institution’s ability to protect us,” Ghosh said.

Financial institutions are “principal” targets for cyber-criminals, according to Brendan Hannigan, CEO of Q1 Labs. “Security trust means more than just making sure you’re in compliance with regulations,” Hannigan told eWEEK.

I’d sincerely hope Citibank is PCI DSS compliant, but as they said, it’s a baseline, not an ultimate goal.

Citi discovered the hacking incidents in early May during routine monitoring, according to The Financial Times, which broke the story June 9. Citigroup likely had spent the time trying to “quantify what was touched and what had happened,” Ghosh said.

Watch those logs!

Citigroup global enterprise payments head Paul Galant, who previously ran the bank’s credit card unit, told Reuters in April that security breaches are a fact of life for financial institutions. However, companies need to be “thinking like hackers do,” Mark Hatton, president and CEO of Core Security, told eWEEK, noting that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.”

Businesse (sic) are relying on defense mechanisms that were “developed in the last century” and have not changed since then, while attackers are creating new threats and “evolving every day,” said Ghosh.

Coincidentally, Martin covered this very idea in a recent post: Fundamental flaw in thinking: We’re responsible.

NitroSecurity Provides SIEM Analysis for Real-Time Security Intelligence

Sounds like a handy tool for SIEM to solve a key problem:

IT managers are collecting all network and application data for security and compliance reasons, but the sheer volume of the data makes it difficult to detect problems in a timely manner or correlate events, Jerry Skurla, executive vice-president of marketing at NitroSecurity, told eWEEK. Many log-management tools are not effective or efficient, and can’t analyze all collected data, he said. He cited a 2010 data breach survey conducted by the Verizon RISK team in conjunction with the United States Secret Service that found 86 percent of data-breach victims had evidence of the breach in their logs but they hadn’t been able to find the information in time.

But the key, as always:

“You tell us what is important to you, and we will show you the relevant information,” Skurla said.

If you don’t know what to watch for, you’ll still miss it.

via NitroSecurity Provides SIEM Analysis for Real-Time Security Intelligence – Security – News & Reviews – eWeek.com.

Anton Chuvakin Blog – “Security Warrior”: PCI_Log_Review

Dr. Chuvakin nobly provides a multi-part series on PCI DSS log review procedures. Follow along for fun and profit!

Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged “PCI_Log_Review.” It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis (a key requirement for this project – guidance was to be useful to such people) in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation (or without any compliance flavor – of course!).

This is the first post in the long, long series… prepare to see lots of process flow charts.

via Anton Chuvakin Blog – “Security Warrior”: PCI_Log_Review.

Pathetic Analytics Epiphany!

Some years ago, I read that the next big shift in web development would be from hand-coding HTML (and everything that goes with webpages) to WYSIWYG editors doing all the coding behind the scenes.

Although that hasn’t fully been realized, can WYSIWYG-easy log analysis tools be on the horizon?

Further, yesterday I was trying to explain the state of the art of log analysis to a client (who looks to use his cool new technology for log analysis and SIEM), and I felt embarrassed to admit that, yes, “search” and “rules” are indeed the state of the art.

In other words, most of the analysis burden is on the tool USER BRAIN, not on the TOOL. They looked at me like I just wasted 10 years of my life, writing regexes and otherwise being a stupid monkey. Even things like profiling/baselining (example) or simple – and I mean SIMPLE – data mining (example, details) mostly stay on research drawing boards for ages.

via Anton Chuvakin Blog – “Security Warrior”: Pathetic Analytics Epiphany!.