Penetration Testing mailing list archives

Re: Internet Bank Vulnerable!


From: Curt Wilson <netw3 () netw3 com>
Date: Mon, 25 Jun 2001 01:55:40 -0500


I currently work at such a financial institution, a credit union.
Modifications to our home-banking product were frowned upon, partially
because the product vendor created such a touchy product that any
change might break things. They built a customized IIS 3 web server
that was vulnerable to the CGI double decode vulnerability (and
probably a lot of others) and Microsoft's patch broke the system,
perhaps because they were running an ancient IIS 3. Well, this 
increased the heat on the vendor, in thanks partially to my
conversations with an engineering manager. Within two weeks they
had upgraded the system to IIS4, applied SP6a + post hotfixes
and other security patches. In that two week period, probably every
single institution (except ours) using their product was wide open. 

The interesting thing is that following the standard IIS security
guidelines locked the box down with little trouble. I revoked the
permissions to /winnt/system32/ for the IUSR account, which prevented
attackers from launching cmd, tftp, net, etc and other commands. I
also removed the Win NT challenge/response authentication method from
the webroot since this would then give attackers an opportunity to
brute force accounts through a password dialog box. And of course,
account lockout was not set by the vendor, along with EVERYONE
Full control on both C: and D: drives. My supervisor discouraged
me from making any change to the system for fear that it might
break. Thankfully, action was taken that blocked an attacker
that very night. Very, very sloppy on behalf of the vendor.

I suggested that the vendor undergo a code and security audit
before releasing its products, as well as looking at some
products like eEye's SecureIIS app level firewall. The incident
spoken of here lit a fire under them, which increased the speed
at which their QA and security committee began to take things
more seriously. However, no mention of this issue was to be
found at their recent annual users meeting. Brush it under
the rug perhaps?

A compromise of the NT/IIS server mentioned here would not give
attackers an easy means to actually perform funds transfer, 
but they could trojan the system through tftp, pilfer account
numbers from log files, and obtain a lot of data, including the
administrator and other high-level passwords from an
EVERYONE FULL CONTROL batch file that added administrator and
three hardware support accounts (one of the passwords was
"eatmeraw" which I found amusing, since their security
mechanisms did indeed suck). Very very sloppy........

From discussion with others on this issue, I gather that many
internet banking sites are very exploitable. You would think
that something this sensitive would receive better attention,
but I suppose that security professionals have their work cut
out for them in the foreseeable future.

Credit Unions in particular are coming under fire with a
new batch of National Credit Union Administration (NCUA)
regulations, including penetration testing, use of network
and host IDS, security audits, and compliance of outsourced
vendors to certain standards (such as standards covered by
something like the reputable TruSecure certification).
A welcome event, which is bringing more business to the
security community, as these institutions often don't have
the in-house expertise to stay abreast of the fast-paced
security landscape.

Curt Wilson
Formerly NetW3 Consulting, moving into a new, unknown venture
in the near future.......



At 11:03 PM 6/24/2001 -0500, H D Moore wrote:

Over the last year I have pen-tested a couple dozen financial institutions,
at least three-quarters of them were running IIS web servers.  The reasoning
behind it is simple; most of the on-line banking software vendors use NT/IIS
as their platform.  The institutions which use this software are not allowed
to modify ANYTHING without voiding their support contracts.  So you have the
majority of the financial industry at the mercy of their vendors for
security, yet they are the ones which are liable if they get cracked.  Recent
regulations are forcing banks and credit unions to meet certain guidelines
for information security, failing to meet those guidelines can put them out
of business when they get audited.  This is putting some heavy pressure on
the IT staff of these organizations, most of which have no real internet
experience and have spent the last 10 years babysitting the mainframe.



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |  
|            netw3 () netw3 com     618-303-NET3                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
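
Editor's added example (not code from the post or from any vendor named in it): the post describes the IIS "double decode" weakness and the fact that the anonymous IUSR account could reach cmd, tftp and net under /winnt/system32. The script below shows the defender's side, scanning IIS W3C-style log lines for requests whose URI only reveals a parent-directory traversal or one of those executables after a second percent-decoding pass. The log lines are constructed for the example, the decode-twice-and-compare rule and the regular expression are this example's own assumptions about what to flag, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Hypothetical detector for the "double decode" request pattern the post
# mentions: a URI is percent-decoded twice and flagged when the second pass
# still changes it and the result reaches a parent directory or one of the
# system executables the post names. All sample data below is constructed.

# Constructed IIS W3C-style log lines: date time c-ip cs-method cs-uri sc-status
SAMPLE_LOG = """\
2001-06-24 23:01:12 192.0.2.10 GET /default.asp 200
2001-06-24 23:01:15 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 200
2001-06-24 23:01:20 192.0.2.10 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 404
2001-06-24 23:02:03 198.51.100.7 GET /images/logo%20small.gif 200
"""

# Things an anonymous IUSR request should never reach: a parent-directory
# step, or the executables the post lists (cmd, tftp, net).
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|\b(cmd|tftp|net)\.exe\b)", re.IGNORECASE)


def decode_twice(uri: str) -> tuple[str, str]:
    """Return the (single-decoded, double-decoded) forms of a request URI."""
    first = unquote(uri)
    second = unquote(first)
    return first, second


def classify(uri: str) -> str:
    """'double-decode' if only a second decoding pass exposes traversal or a
    system binary, 'traversal' if a single pass already does, else 'ok'."""
    first, second = decode_twice(uri)
    if second != first and SUSPICIOUS.search(second):
        return "double-decode"
    if SUSPICIOUS.search(first):
        return "traversal"
    return "ok"


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Scan W3C-style log lines; return (client ip, uri, verdict) per flagged request."""
    hits = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # W3C directive lines (#Fields:, #Date:) carry no request
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        client_ip, uri = fields[2], fields[4]
        verdict = classify(uri)
        if verdict != "ok":
            hits.append((client_ip, uri, verdict))
    return hits


if __name__ == "__main__":
    for ip, uri, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:14} {ip:15} {uri}")
```

The comparison between the first and second decoding pass is the point: a server that canonicalises the path once, checks it, and then decodes again is exactly the case where the checked string and the executed string differ, so a log entry that only becomes suspicious on the second pass is the signature to alert on. Note that the third constructed line is flagged as plain traversal and returned a 404, which is what the post's permission change on /winnt/system32 for IUSR would be expected to produce even where the server still accepted the request.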

