New CitiGroup hack shows security 'experts' preaching calm should cut it out

Quality of exploits isn't keeping up with expectations of experts, but quanity has a quality all its own

A division of CitiGroup in Japan announced hackers had stolen personal information on more than 92,000 customers, according to a story in Japan Times.

Citi Cards Japan, Inc. announced customer names, addresses and credit card numbers may have been taken, though the company is unsure of exactly what data the hackers were able to get. So far there have been no unauthorized uses of the account numbers.

Japan Times quoted an unnamed source as saying someone at a third-party service business Citi Cards hired to handle part of its transaction volume, took the information and sold it.

[Citigroup data breach shows why we need fed rules to protect personal data online and Will hackers have to step up their game to keep our attention?]

CitiGroup said the theft is unrelated to another hack in June in which hackers stole credit card numbers from its web site by playing with the content of URLs and managed to post fraudulent charges to the tune of about $2.7 million from 3,400 accounts. Information was taken from about 360,000 accounts.

The two attacks are dissimilar in that one involved a mysterious group of criminal masterminds who figured out how to make their browsers go up one level in the file hierarchy on Citi's servers and then started guessing at account numbers. The other involved some guy copying off a bunch of data from his work computer and walking off with it.

Neither was The Thomas Crown Affair.

Neither was some ape throwing a brick through a window to grab whatever was on the other side, either.

Both jobs required a slightly higher order of primate – a computer-literate grifter, of which there are many, not a genius hacker, of which there are few.

Fears that our Matrix is under attack and on the verge of collapse under pressure from an army of brilliant anarchist hackers are definitely overblown – as Kaspersky Labs and Symantec researchers claimed Friday as a way to minimize the visibility direct competitor McAfee got from a report painting a dour picture of global cyberspying.

The report mapped a global espionage network McAfee nicknamed Operation Shady Rat that engineered attacks on 72 organizations in 14 countries over five years, in a patternthat may or may not be coordinated attacks sponsored by the government of a major country that may or may not be China (it may).

The volume, severity and success (especially against U.S. military sites) is unique, alarming and a strong indicator that global politics has become a mix of diplomacy, trade and shameless digital espionage, the McAfee report concluded.

Also true. Countries ill always swipe information from each other when it's possible to do so with relative safety.

Individual people (or small gangs of them will do the same thing if given the chance (as at least two groups were in the case of CitiGroup and nearly everyone with a keyboard was in the case of Sony).

Security experts like Bruce Schneier have tried to calm people down about their fears that the attacks by LulzSec, Anonymous and a host of little-known East European hacking consortia.

The rate, level of innovation and impact of the attacks has not risen by enough to cause the kind of angst it is already causing, Schenier told and other news outlets during LulzSec's heyday in June.

It may be true that the exploits aren't any smarter or more effective than they used to be.

In fact, they're lot simpler and a lot studper.

The tools needed to crack most servers, or bering them down with DDOS attacks, just isn't that difficult anymore. You don't have to be a genius hacker to download a bunch of automated penetration-testing tools, set them up in rented digs on Amazon and run them against everything in site.

No matter how badly you do it, you're going to find a few you can crack, if only because the patches and security configurations are not up to date.

That's the real danger, and the real warning of Operation Shady Rat and LulzSec's 50 Days of Lulz and Anonymous' Anti-Sec campaign and a thousand low-profile DDOS and penetration attacks on any server on the Internet with any chance of holding valuable data or being of use to attackers.

We don't have to fear Neo and his supernatural powers of scripted special effects.

We have to fear people with criminal intentions and a chip on their shoulders who, five or 10 years ago would never have had the skill to make a decent attack or the patience to learn.

Effective hacking has come downmarket to become available to people who, already pissed off before spending years trying to learn Unix commands and subroutines to be able to crack others, have the choice of sitting in the comfort of their own houses while still vandalizing the property of someone they hate or envy or just believe they should have the right to screw with other people just because it's funny.

A lot will make that choice just because it's easier to run an automated hack than to go all the way down to the hardware store to buy a bunch of spray paint to tag the bastard's wall properly.

Not all of them will be able to crack CiitGroup. Not all will even be able to snatch information from the Elks' club.

But there are a lot of them, and most of them have computers. And a lot of bandwidth to download hacking tools and still have some decent success because most – not a few, most – servers on the Web are unprepared with serious software and security products to keep complete tyros from crashing their way into someone else's servers.

Crime has always been a little downmarket – except the high-finance, international trading variety that creates generations of aristocrats from activities as varied s farming, piracy and slave-trading.

So, right, our security situation is isn't getting any worse if you're judging by the quality of the exploits being used.

But it's not getting any better, either, especially as the range of tools grows and the number of people will to use them without really understanding what they do grows as well.

It's just a matter of matching the right brick to the right window.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon