Thursday, August 20, 2009

Was Ameriprise Financial's web site pwned?

We don't know, and they don't either:

For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal user's cookies, according to a web security expert.

The XSS, or cross-site scripting, flaws made it possible for phishers to send Ameriprise customers bona fide links to the Ameriprise website that opened pages that intermingled counterfeit content with legitimate text and graphics. The holes could also allow criminals to steal browser cookies used to authenticate online accounts.

The chief PR flack there clearly has not read the A-B-Cs of responding to a pwnage situation:

Indeed, Benjamin Pratt, Ameriprise's vice president of public communications, played down the severity of the bugs brought to his attention, saying they affected only one portion of the company's site.

"It's an important point to note that none of client data can be exposed by this," he said shortly after being alerted to the bug. "There's no one at risk here. Like any other vulnerability, we're aware of it and we're moving as quickly as we can to repair it."

As a helpful tip to Mr. Pratt, let me give him the Cliff's Notes version of the A-B-Cs of responding to pwnage: It doesn't help your company if the A-B-C of security means "Anyone But Customers". The Bad Guys are said to be using your web site to feed up malware that pwned your customers when they went to your website.

So what are their plans? Bueller? Bueller?
He said Ameriprise officials have no way of verifying that the bugs were reported as long ago as March, but in any event he said that there are no plans to review any of the mechanisms the company may have in place to receive notifications from the public about website vulnerabilities.
Security Fail. Customer Service Fail. PR Fail.

Sigh. It's times like this that make me think that I'm going about security wrong. I've approached this from the strategy of improving the world's security by making better security products.

Maybe I should go to Law School, and sue these idiots within an inch of their lives. There's a Billion dollar class action case just waiting in this sort of thing. It's a target rich environment, too, so once you roll the first couple, the others roll over, too. The idiots at companies like Ameriprise will simply look at this as a cost of doing business, but it would actually change their calculus:

Right now, it's cheaper to ignore security. A couple hundred million dollars later, it'll be cheaper to build security in at the beginning.

Build a better security mousetrap, and the world won't beat a path to your door. Get some legal Darth Vadar types to put a financial force choke on a couple of corporate VPs, and you'll drive them to Do The Right Thing, yea with wailing and gnashing of teeth.

So if a partner at Vader LLC runs across this, call me. I know all the embarassing questions that they won't want to answer, up on that witness chair ...

No comments: