NY Times Humiliates Itself on Citi Hack Story

It is really hard to believe that in 2011 two technology reporters for ‘the paper of record’ could humiliate themselves and their paper so completely by botching a simple technology story. I don’t think I’ve ever seen a story this screwed up. They didn’t get a few facts wrong; they got the whole story wrong.

Ok, the topic is computer security, but before your eyes glaze over, TRUST ME: a third grader could follow it. As long as that third grader was not part of the layers and layers of fact checkers and editors at the New York Times.

And while I’ll explain the technology (in an easy way, honest), you don’t need to know a thing about computers to know the story is bogus, simply because it is not internally consistent. They spend half the story telling us how easy the hack was and the other half telling us how sophisticated it was. Which is it?

And I’m purposely leaving the byline of Nelson Schwartz and Eric Dash in the story because they should forever be tied to this steaming pile of dung. As a formatting convention, I’m underlining the parts of the story that are pure poppycock and bolding the important parts.

Thieves Found Citigroup Site an Easy Entry

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability, [Complete bullshit -ED] The security expert insisted on anonymity because the inquiry was at an early stage.

The expertise behind the attack, according to law enforcement officials and security experts, is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information.

So let’s review what these super elite uber hackers did that was so impossible to prepare for: they saw their own credit card number in the URL in the address bar, tried swapping in another card number, and BINGO, the system coughed up that customer’s information.

EEEEEW, I hope you were impressed by their mad hacker high school skillz. This really wasn’t even a hack; it was finding a big fat hairy bug that not even a rookie programmer should have left.

Folks, this ain’t rocket science. When a browser asks for an account, the server checks that the account belongs to the customer who is logged in before it shows anything. Citi’s site skipped that check and served up whatever number it was handed. DUH! You know that and you’re not a NYT expert.

The story does not say what language the site was written in, so I’ll use PHP (the most widely used programming language on the web) as the example. And no, the fix is not hiding the account number. The customer can already see their own number, and anyone who can edit the address bar can just as easily edit a POST body, so switching the form from GET to POST changes nothing. The fix is one lookup the server has to make before it answers: does the account in the request belong to the customer whose session cookie came with it? If not, refuse. That is the lookup Citi’s code never made.
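To make the point concrete, here is the bug and the fix side by side, as an added example that is not from the Times story or from Citi’s code. It is written in Python rather than PHP because the logic is identical in any language; the handler names, account numbers, session cookie and customer records are all constructed for the example.

```python
"""Toy model of a card-account lookup page: the bug the Citi story describes,
the same bug with the number moved into a POST body, and the fix.
All data below is constructed sample data, not Citi's."""
from dataclasses import dataclass, field

# Constructed sample data: which customer owns which card account.
ACCOUNTS = {
    "4000000000001": {"owner": "alice", "name": "Alice A.", "history": ["coffee 3.50", "rent 1200.00"]},
    "4000000000002": {"owner": "bob",   "name": "Bob B.",   "history": ["gas 41.20"]},
    "4000000000003": {"owner": "carol", "name": "Carol C.", "history": []},
}

# Constructed sample sessions: session cookie value -> logged-in customer.
SESSIONS = {"sess-alice": "alice"}


@dataclass
class Request:
    cookies: dict
    query: dict = field(default_factory=dict)  # what sits in the address bar (GET)
    form: dict = field(default_factory=dict)   # what sits in the request body (POST)


def vulnerable_account_view(req):
    """The bug: the handler checks that *someone* is logged in, then hands back
    whatever account number the client put in the URL."""
    if req.cookies.get("session") not in SESSIONS:
        return 401, None
    rec = ACCOUNTS.get(req.query.get("acct"))
    return (200, rec) if rec else (404, None)


def post_only_account_view(req):
    """Same bug with the number moved out of the address bar into a POST body.
    Nothing changes: the client still picks the account and the server still believes it."""
    if req.cookies.get("session") not in SESSIONS:
        return 401, None
    rec = ACCOUNTS.get(req.form.get("acct"))
    return (200, rec) if rec else (404, None)


def fixed_account_view(req):
    """The fix: resolve the customer from the session, then serve the requested
    account only if that customer owns it. Unknown and foreign accounts both get
    404, so the response cannot be used to tell 'does not exist' from 'not yours'."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, None
    rec = ACCOUNTS.get(req.query.get("acct"))
    if rec is None or rec["owner"] != user:
        return 404, None
    return 200, rec


def enumerate_accounts(view, cookies, via="query", start=4000000000000, count=10):
    """What the attackers' script did: log in once, then walk account numbers
    and keep every record the server coughs up. Returns {account: owner name}."""
    leaked = {}
    for n in range(start, start + count):
        acct = str(n)
        status, rec = view(Request(cookies=cookies, **{via: {"acct": acct}}))
        if status == 200:
            leaked[acct] = rec["name"]
    return leaked


if __name__ == "__main__":
    alice = {"session": "sess-alice"}
    print("GET, no ownership check :", enumerate_accounts(vulnerable_account_view, alice))
    print("POST, no ownership check:", enumerate_accounts(post_only_account_view, alice, via="form"))
    print("ownership check         :", enumerate_accounts(fixed_account_view, alice))
```

Run as written, the first two lines list every customer in the table while logged in as Alice alone; the third lists only Alice. The only difference between the leaking handlers and the fixed one is the ownership comparison, which is exactly the check a beginner course covers when it gets to sessions.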

And how many programming degrees from Ivy League schools do you need to learn this bit of esoteric computer security? Well, if you learn beginning programming at Lynda.com they teach it at hour 3 of a 22 hour course. It’s one of the first things you learn as a programmer.

But maybe with the financial sector on the skids, Citi couldn’t spring for the 25 bucks a month for Lynda.com. NO PROBLEM. Here’s a free video tutorial explaining it. Mind you, this is a 22 minute video and you should watch the other 80 minutes first, so if you use the free site you should get to it about an hour and a half after you start learning to program.

In other words, any moron who learned programming from YouTube should have known this.

And the New York Times ‘expert’ who says there was no way the bank could have foreseen that? I just wonder which of the two authors asked his 8 year old to be an expert for him. No ‘expert’ in the world would say something so stupid. If I were their editor I WOULD ASK WHO THE EXPERT WAS. They did not interview an expert; they made the quote up themselves, or something close to it.

I know that most people become reporters because they don’t have the skills to do anything else... but jeez, you’d think two technology reporters and their ‘expert’ would at least come close to getting it right...

But if you think that, you’d be expecting too much. These morons have no clue what they are talking about. QED

Note: Other languages than PHP spell it differently of course, but in EVERY language, checking that the customer who is logged in actually owns the account they are asking for is something you learn basically on day one. It is a server-side check, so it doesn’t matter whether the account number travels in the address bar or in a form body. No ‘sophisticated teams’ of hackers required.
