Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Rafael Coninck Teigao <rafael () SAFECORE NET>
Date: Wed, 23 Aug 2000 10:47:34 -0300
Indeed, by next month I'm going to have a complete protocol to (IMHO) defeat this kind of attack, and I'm going to publish it so I can hear from other developers pros and cons of it. []'s, RCT. Peter Van Epp wrote:
The obvious one is insinuate BO2K on to the client machine. Security gone since the attacker can simulate the client (with sniffed real password from the client's machine). How would the bank differentiate this from the real client? Why would the bank take responsibility for the client's machine? I expect the card holder agreement holds the client liable for the security of their machine in the fine print. Now for publicity reasons they may eat this so as to not scare off other customers, and there isn't much useful that you can do (at least on the local version our banks run, ymmv). The one I expect to see the first big hit from is on line stock trading. The potential loss is likely to be too high for a brokarage to swallow and I expect the same thing applies i.e. the card holder agreement says if it was with your password/passphrase it is considered you (unless you can prove that the broker's end of the connection was compromised which no one in their right mind would try given an undefended client machine). If you know of a way to fix the client's machine in the general case, I (and I'm sure a lot of other worried security people) would like to hear about it. BO2K will defeat (with varying amounts of difficulty) even VPNs if you can get BO2K on to the client machine in the first place (preventing which is the only defence I'm aware of, and thats not trivial in a distributed case). Feel free to substitute Sub7 or any of the 30 or 40 other equivelent to BO packages floating around out there for BO2K in all instances here (because they are equivelent ...).
-- ------------------------------------------------------------------------------- And the Raven, never flitting, still is sitting, still is sitting On the pallid bust of Pallas just above my chamber door; And his eyes have all the seeming of a demon's that is dreaming, And the lamp - light o'er him streaming throws his shadow on the floor; And my soul from out that shadow that lies floating on the floor Shall be lifted - nevermore! E. A. Poe --> The Raven (c1845) -------------------------------------------------------------------------------
Current thread:
- [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Pluto (Aug 26)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Domenico De Vitto (Aug 28)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Erik Tayler (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H D Moore (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Iván Arce (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H Carvey (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Lucio A. Molina Focazzio (Aug 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Home-Banking PEN-TESTING Loschiavo, Dave (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Gontarczyk, Andrew (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Cintron, Jose (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Klahn, Paul (Aug 24)