WebApp Sec mailing list archives
RE: Web security breach changes the lives of 119 people
From: roger.franks () middleeastadvertising com
Date: Sun, 13 Mar 2005 21:39:07 +0000
This breach makes so much sense now... Take a look at the excellent paper by the folks at ebanking security, "Why eBanking is Bad for your Bank Balance": http://www.ebankingsecurity.com/ebanking_bad_for_your_bank_balance.pdf

Basically they talk about PINS and Passwords, and conclude how useless the authentication methods are if you assume the client machine has already been compromised.

Roger Franks, Security Manager
Middle East Advertising - AlClick | http://www.middleeastadvertising.com
Dubai, United Arab Emirates | Tel:(9714) 319 7575, Fax: (9714) 319 7573

-----Original Message-----
From: Kim Dyer [mailto:dyer () msu edu]
Sent: Thursday, March 10, 2005 3:19 PM
To: webappsec () securityfocus com
Subject: RE: Web security breach changes the lives of 119 people
> Chances are that nobody at Harvard Business School or ApplyYourself Inc. bothered to contemplate the most obvious scenario: that somebody other than the 119 accused, or their friends and family, was responsible for the majority of (or all of) the attempts to access application records.

Actually, every report I've heard on this incident says that they Specifically DID consider that.

> What information of a personal nature would have been required in order to access the pending application?

Passwords and/or PINs from what I've been reading.

> Perhaps it was possible to browse any one of the pending applications once one had penetrated the ApplyYourself Inc. security perimeter.

The reports I've seen said that you could only see the one application if you saw anything. I guess the majority just got a blank screen.

> This is more likely than is the scenario as it has been depicted.

You don't think it likely people would want to sneak a peek if they thought they could? That's pretty much just human nature.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.