Security Basics mailing list archives

RE: Core Banking Applications


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Thu, 22 Sep 2005 12:59:13 -0400

The very first thing that popped into my head is "I don't know anything
about banking systems."  Then I wondered how many people DO know about
the kinds of systems working within a bank environment and how they
interact.  I answered "Probably not too many."

From a security point of view, I tend to think the fact that such
information is "relatively" unknown is a good thing.  From a Social
Engineering / Phishing standpoint, if I wanted to know what systems were
running at what Bank I could go through the archives of the posts and
look for email addresses relating to @citibank.com or @HSBC.com or what
have you.  Then I could read about some poor schlep who can't get
"system a" to work with "system b" and he's getting "error code c".  Now
with that, I have a lot of information about what systems are running at
a particular bank and what problems they are having.  I could research
the error and find out that "error code c" is produced when some
application is running a particular level of code.  I could then
research the particular application and search for or create an exploit
for it.  

Now armed with all that, I can work on owning your bank systems.

I know the argument of security through obscurity has been debated
before, and in MOST cases shouldn't apply.  However with the increase of
Identity theft, and online DBs being hacked / stolen, I am thinking
that this kind of information, while it will certainly be useful where
applied, may fall into the wrong hands and be used improperly.

We can say the same for any of these kinds of lists.  The difference is,
while your Email Server or File Server or SQL Server may contain
sensitive data and those forums give out A LOT of personal-important
info, you probably don't work in a BANK or FINANCE INSTITUTION where the
primary job function is to process, store and distribute money.  My
money and your money.  When you get money involved, people go out of
their way to get some.  If you provide a repository for bank specific
security information, be sure that it will be monitored by an
unscrupulous bunch.

This is simply my first notion of the idea.  Personally, I'd like to
know more about banking infosec.  It's just that such information seems
quite sensitive considering its content.

Good Luck with it, and where can I sign up?

-JMB

        |   -----Original Message-----
        |   From: Lbuchalski () bankinfosecurity com 
        |   [mailto:Lbuchalski () bankinfosecurity com] 
        |   Sent: Tuesday, September 20, 2005 2:06 PM
        |   To: security-basics () securityfocus com
        |   Subject: Core Banking Applications
        |   
        |   Hello,
        |   
        |   I am considering creating a core application 
        |   security mailing list for the banking industry, and 
        |   wanted to know if others felt that it would be a 
        |   worthwhile endeavor. I have already submitted this 
        |   question to the pen-test list, however, I am 
        |   looking for some additional guidance.
        |   
        |   My name is Lila Buchalski, and I am the editor for 
        |   www.Bankinfosecurity.com (BIS). BIS is Banking 
        |   specific information security portal that features 
        |   technology and news updates, up-to-date event 
        |   calendars, webinar information, white papers, and more.
        |   
        |   Others in the industry have expressed interest in 
        |   both joining and moderating this list, but I am 
        |   looking for feedback in regard to its organization. 
        |   For example, should there be specific application 
        |   threads, etc. I want to know what others are 
        |   interested in seeing!
        |   
        |   Also, if you would like to join, please send an e-mail 
        |   to CoreAppSecurity () Bankinfosecurity com.
        |   
        |   Thanks in advance.
        |   Lila B.
        |   lbuchalski () bankinfosecurity com