Comment Re:The "Expert" (Score 2) 371
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.
IF the article is correct about the nature of the vulnerability this quote is the single stupidest and most frightening things I have ever read on the internet.
Give some benefit of the doubt. Keep in mind this is a New York Times article -- it is written in way that they feel should be understandable to any 8th grader in the country. Add onto that, that the reporter is almost certainly not understanding anything this guy has to say. Add onto that, this guy is actively working on the investigation, and he might not be willing or able to divulge any actual information. Add onto that that the New York Times readers (staff included) are generally outraged at the banking industry, so there is no doubt a bias to roast a big player in that industry.
Some questions: Is this guy the original source? What does "security expert" mean? CISSP? Manager of the "security department" that is running the investigation? Outside consultant? Who knows, if the article contained this information it did a bad job of conveying it.
The way I read it, it seems to me that this guy is probably referring to the criminals. When I first read it, he was conveying to me, "The last place criminals will look for an entry point is the front door. When they found it, they seemed prepared with a sophisticated and fast way to drain as much info as they could prior to detection." It's almost as if he is suggesting that it was an inside job without coming out and saying it. Correct me if I'm wrong, but there is nothing that suggests that the account numbers were in the url in plaintext. Perhaps they were ROT13ed or similar, or perhaps the key was in a script on the client, or perhaps the key was the remote ip address or something equally dumb. This would still be unforgivable from an architecture point of view, but it easy to see how something like this could escape notice during day-to-day code reviews. "What's that string for?" "Oh, that's our session id."
There are a million contexts and situations where what this guy said could make good sense. Why the New York Times is publishing truncated sound bites of opinion from anonymous sources is the baffling thing here. The New York Times might be able to corroborate facts from an insider, or otherwise trust the information, but in my mind they should not be printing opinion or speculation from an unnamed source with an obvious interest in the outcome.