WebApp Sec mailing list archives
RE: [WEB SECURITY] SSL does not = a secure website
From: "Sebastien Deleersnyder" <sebastien.deleersnyder () ascure com>
Date: Tue, 28 Mar 2006 10:27:53 +0200
Hi Ryan,

What about a Trojan-installed key logger? These sniff all keys typed on the keyboard and then filter out interesting patterns, including credit card information and social security numbers that do follow strict patterns. The information is then sent to the attacker without the user knowing what is going on. I do not know the exact names of recent viruses or worms that do this, but I am certain there are some real-world examples.

SSL itself will not be attacked; the weak end-points, the user system and the application on the web server, will be attacked.

Regards,
Sebastien
OWASP Belgium Chapter Lead

________________________________________
From: Ryan Barnett [mailto:rcbarnett () gmail com]
Sent: Tuesday, 28 March 2006 3:41
To: Web Security; webappsec () securityfocus com
Subject: [WEB SECURITY] SSL does not = a secure website

I need some feedback from the lists. Does anyone have any verifiable proof (news story, etc...) that documents where attackers successfully sniffed Credit Card data off of the Internet for an eCommerce site??? Every story that I have read about indicates that attackers mostly obtain this data by breaking into the back-end DB to steal the CC data rather than sniffing. Anyone with info to the contrary?

While I believe that we would all agree that the use of SSL for eCommerce is a good idea, I am interested in the actual THREAT. It seems to me that the real threat to CC data is a vulnerable webapp/backend and not the use of SSL.

The PCI Data Security Standard document ( http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf ) lists this as Requirement 4 -

Protect Cardholder Data
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep in mind that they are referring to Requirement 4. Who knows what they are doing about Requirement 3...
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache