Updated: 1/16/09 See update below.
Perhaps, now that they're a Bank of America property, better web site security is in store for Merrill Lynch. In the meantime...here's where the trouble begins.
Prompted by headlines from December 21st stating that $1.6B Of Bank Bailout Went To Execs, I thought I'd take a look at the most egregious amongst those receiving a bailout courtesy of taxpayers.
I'd also like to explore what web app vulns mean to Sarbanes-Oxley (SOX) compliance; I've posed some questions below.
Here's all you really need to know:
John A. Thain, chief executive officer of Merrill Lynch, topped all corporate bank bosses with $83 million in earnings last year. Thain, a former chief operating officer for Goldman Sachs, took the reins of the company in December 2007, avoiding the blame for a year in which Merrill lost $7.8 billion. Since he began work late in the year, he earned $57,692 in salary, a $15 million signing bonus and an additional $68 million in stock options.
Like Goldman, Merrill Lynch received $10 billion from taxpayers on Oct. 28.
Too bad Merrill Lynch didn't spend just a wee small percentage of excessive salaries focusing on improving web application security on behalf of the customers paying for the extravagant lifestyles of their top execs.
But, that said, enough frustrated social commentary.
The Merrill Lynch OnLine Login page is vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF), leaving customers at risk for financial compromise via phishing or credential theft.
As always, I followed my terms of engagement, sending no less than three emails over a period of no less than two weeks, even allowing a couple of extra days for the holidays.
To date I have not received a single response, automated or otherwise.
The point is best driven home via video, but the details are simple enough.
A properly formed IFRAME fits neatly, front and center, on Merrill Lynch's OnLine login, embedding Morgan Stanley's ClientServ login page, just to prove the point.
Merrill Lynch OnLine before:
Merrill Lynch OnLine after:
Web application vulnerabilities and SOX compliance
It's obvious that vulnerabilities such as that described above indicate a clear break from PCI compliance.
But what about SOX? HP (formerly SPI Dynamics) offers an interesting perspective in an effort to promote product:
Sarbanes-Oxley Act compliance can be difficult because it was not written specifically with information technology or information security in mind; however, there are various sections within the act that directly affect these functions in today’s corporations. This includes how information is accessed, what leaves the corporate network and what information needs to be protected and retained over time. You should conduct web application security assessments for an initial SOX compliance risk assessment to understand your various internal controls.
Such a web application security assessment would certainly require that a company like Merrill Lynch "validate that web application inputs are properly validated and not vulnerable to command injection or cross-site scripting attacks."
If SOX Section 404: Assessment of internal control indicates that an enterprise must "evaluate controls designed to prevent or detect fraud", shouldn't web application vulnerabilities that lend greatly to phishing or credential theft (fraud to be sure) fall under established controls?
So, my compliance an auditor friends, who wants to take this one on?
Can a failed enterprise like Merrill Lynch, who received $10 billion in bailout funds, and compensated a top exec in extraordinary fashion, be called in to question with regard to SOX compliance for issues as described above?
I'm not certain, but it seems worthy of consideration and debate.
I look forward to your feedback.
The Merrill Lynch security team has responded in force and has conveyed that they "take security very seriously and now that we know about this are acting quickly."
As of 1/16/09 Merrill Lynch has indicated that the necessary fixes have been applied to their production environment.
They've also asked that, should anyone discover issues in the future, that they report them to abuse at ml.com.
del.icio.us | digg | Submit to Slashdot