RE: [WEB SECURITY] SSL does not = a secure website

["Sebastien Deleersnyder" <sebastien.deleersnyder () ascure com>]

Hi Ryan,

What about a Trojan installed key logger? 
These sniff all keys typed on the keyboard and then filter out interesting patterns, including credit card information 
and social security numbers that do follow strict patterns. 
The information is then sent to the attacker without the user knowing what is going on. 
I do not know the exact names of recent viruses or worms that do this, but I am certain there are some real-world 
examples.
SSL itself will not be attacked, the weak end-points, the user system and the application on the web server, will be 
attacked.

Regards,

Sebastien
OWASP Belgium Chapter Lead

________________________________________
From: Ryan Barnett [mailto:rcbarnett () gmail com] 
Sent: dinsdag 28 maart 2006 3:41
To: Web Security; webappsec () securityfocus com
Subject: [WEB SECURITY] SSL does not = a secure website

I need some feedback from the lists.  Does any have any verifiable proof (new story, etc...) that documents where 
attackers successfully sniffed Credit Card data off of the Internet for an eCommerce site???  Every story that I have 
read about indicates that attackers mostly obtain this data by breaking into the back-end DB to steal the CC data 
rather than sniffing.  Anyone with info to the contrary? 
 
While I believe that we would all agree that the use of SSL for eCommerce is a good idea, I am interested in the actual 
THREAT.  It seems to me that the real threat to CC data is a vulnerable webapp/backend and not the use of SSL.  The PCI 
Data Security Standard document ( 
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf ) lists 
this as Requirement 4 -
Protect Cardholder Data
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
So, when an eCommerce website boasts "We are a secure website" - keep in mind that they are referring to Requirement 4. 
 Who knows what they are doing about Requirement 3... 

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache 
---- eMail Disclaimer ----
This message may be confidential. It is also solely for the use of the individual or group to whom it is addressed. If 
you have received it 
by mistake, please let us know by e-mail reply. Ascure is not liable for any direct or indirect damage arising from 
errors, inaccuracies or 
any loss in the message, from unauthorized use, disclosure, copying or alteration of it.
For the complete version or other languages of this disclaimer see http://www.ascure.com/disclaimer.html

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------