Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: H Carvey <keydet89 () YAHOO COM>
Date: Wed, 23 Aug 2000 11:30:17 -0000

I've dealt with similar situations, and those in which 
companies wanted to give their executives the ability to 
connect to the intranet from home.

In your case, the bank is NOT responsible for the security 
of the home machine...which is most definitely (as you 
pointed out) the weak link.  You don't have to go far for 
examples...Deutsch, formerly of the CIA, comes to mind.  

The bank knows to expect certain input from the user.  So 
they can have safeguards on their end.  However, if someone 
is able to compromise the client machine, regardless of 
_how_ it's done, then the potential exists for someone to 
connect to the bank, and become authenticated as that user.

I saw posts mentioning BO2K, etc...none of that's really 
important.  There are trojans that do live video streaming 
of the desktop, and keyboard captures.  To keep ahead of the 
a/v companies, some folks out there are going to keep 
modifying the source code of these little beauties.  

It wasn't too long ago that there were several articles in 
the press stating that with the explosion of the use of 
firewalls and IDS systems, the easiest targets were going to 
be the home systems...and every one of those articles was 
dead on!

Remember what happened in Feb. '00?  Only a couple of months 
before, the concept of DDoS had been addressed...in Nov '99, 
I believe.  Four months later...concept and theory become 
hard core reality!  Remember NETSEC's announcement of the 
"Badman/Serbian" trojan on 8 June '00, later backed up by 
iDefense?  Regardless of what you think about the whole 
issue surrounding the discovery and announcement, the fact 
remains that 2000+ home systems were infected by simply 
leaving the downloader trojan on a porn newsgroup, labeled 
as a movie.  

Carv
