illustrating a compromise of rbs worldpay

Via LiquidMatrix, a demonstration of some vulnerabilities has been disclosed against RBS WorldPay over on the rather sobering unu1234567 blog. This brings up a couple of comments:

1. If a breach occurs and no one notices it, is it a real breach? (I mean this sarcastically and rhetorically; of course it is a real breach, but it illustrates something that blows my mind: vulns that linger for weeks, months, *years!* and then get discovered. And how long have we had this hole in the ass of our pants and not known it?)

2. I hope RBS WorldPay is going over their logs to make sure their databases haven’t been siphoned off already. And good luck trying to find all the permutations…it would be fun to take such logs and start carving them up, kicking out obviously valid calls, and collating items of interest for manual review. And if they don’t have reasonable logs saved, fail.

3. I don’t care if RBS WorldPay will say this is a development box. It’s externally accessible. It contains valid logins. As Heartland will attest, even satellite, non-critical apps/servers can act as a launching pad for deeper attacks. Unless you purposely hang a box (honeypot) out there to be attacked, there is no such thing as a valueless target for an attacker.

4. Clearly, this system either has never had any security review of the app, or their external assessments are failing to detect that this was externally accessible, or their change control sucks to let this system get configured to be external in the first place. Lots of fail here, really. Lots of head in the sand issues no matter what the story.

5. Congrats on the free security lesson, RBS WorldPay.
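The log carving described in point 2 (kick out the obviously valid calls, collate what is left by source for a human) is a small enough job that it is worth sketching. The block below is an added example, not code from the original post and not anything from RBS WorldPay; the access-log lines are constructed, and the route allowlist and indicator patterns are illustrative assumptions rather than a description of the disclosed issues.

```python
"""Log triage sketch: drop the obviously valid requests from a web access
log and collate the remainder by source IP for manual review.

Added example (not from the original post or from RBS WorldPay). The sample
log lines are constructed; KNOWN_GOOD and INDICATORS are hypothetical.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed; adapt the regex to your own).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical allowlist: (method, path) pairs the app legitimately serves.
KNOWN_GOOD = {
    ("GET", "/"), ("GET", "/login"), ("POST", "/login"),
    ("GET", "/account"), ("GET", "/static/app.js"),
}

# Indicators that earn a human look. Deliberately crude: the goal is to
# shrink the pile, not to adjudicate each request.
INDICATORS = {
    "sqli": re.compile(r"('|%27|\bunion\b|\bselect\b|--|%2d%2d|\bor\b\s+1=1)", re.I),
    "traversal": re.compile(r"(\.\./|%2e%2e%2f|/etc/passwd)", re.I),
    "scanner_ua": re.compile(r"(sqlmap|nikto|nmap|masscan|python-requests)", re.I),
}

# Constructed sample log: two normal visitors and one probing source.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2009:10:00:01 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2009:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2009:10:01:00 +0000] "GET /login?user=admin'-- HTTP/1.1" 500 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2009:10:01:02 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 404 210 "-" "sqlmap/1.0"
192.0.2.9 - - [10/Dec/2009:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2009:10:02:30 +0000] "GET /account HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the tags explaining why a request is not 'obviously valid'."""
    tags = []
    path = rec["path"].split("?", 1)[0]          # route without query string
    if (rec["method"], path) not in KNOWN_GOOD:
        tags.append("unknown_route")
    for name, rx in INDICATORS.items():
        target = rec["ua"] if name == "scanner_ua" else rec["path"]
        if rx.search(target):
            tags.append(name)
    if rec["status"].startswith("5"):
        tags.append("server_error")
    if rec["status"] in ("401", "403"):
        tags.append("auth_failure")
    return tags


def triage(lines):
    """Drop known-good traffic; return (dropped_count, {ip: [(path, tags)]})."""
    by_ip = defaultdict(list)
    dropped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            # Unparseable lines are themselves items of interest.
            by_ip["<unparsed>"].append((line.strip(), ["unparsed"]))
            continue
        tags = classify(rec)
        if not tags:
            dropped += 1
            continue
        by_ip[rec["ip"]].append((rec["path"], tags))
    return dropped, dict(by_ip)


if __name__ == "__main__":
    dropped, findings = triage(SAMPLE_LOG.splitlines())
    print(f"dropped {dropped} obviously valid requests")
    for ip, hits in findings.items():
        print(ip)
        for path, tags in hits:
            print(f"  {path}  [{', '.join(tags)}]")
```

On the constructed sample this drops the three clean requests and leaves two sources for review, one with a quoted-string probe that produced a 500 followed by a traversal attempt from a scanner user agent, the other with a single 403 on an allowed route. The allowlist is the part that does the real work: the tighter the list of routes the app is supposed to serve, the less noise survives, which is also why the exercise is hopeless if the logs were never kept in the first place.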