Sunday, October 8, 2017

How I ended up with the keys to Scotiabank

So, in a chain of events that doesn't surprise me in the least, I have pointed the CCIRC (the cybersecurity bit of the RCMP) at a public GitHub repository that contains a security breach for Scotiabank, originating at one of its partners South of the US.

In short, I was researching a YouTube video for Cyber-Security Awareness Month, and knowing that all big banks in Canada have a problem with leaking code into GitHub, went to look for a common example of Scotiabank's continual leaks.

Like the TCS leak back in summer, I found more than I was bargaining for, and immediately had to notify the authorities.

To summarise the situation:

  • The AES and TripleDES keys to talk to the back end of the bank are public.
  • Windows software that is supposed to be used for security work within the bank is public.
  • The client security library described in the 2016 breach is now public.
  • The XSDs for the com.bns.soa API are public.
  • All the mock requests and responses for the API are public, along with documentation on how the service works.
  • Somebody wrote the username/password in plain text and stored that in a text file.

As you can guess, it turned out that when I looked at the library, it's not been protected either, so anyone can reverse the binary back to source in less than a second. That same library was used by the Windows software that was leaked in its Visual Studio source-code form...

Oh, and this has all been wide open since November 2015.

The big question while I wait for the CCIRC to clean up this mess is how Scotiabank can prove that nobody else has been going in for two years.

Anyway, more details in the vlog about this...