Penetration Testing mailing list archives
[PEN-TEST] Your opinions ... last request
From: Jim Miller <MillerJ () FABSSB COM>
Date: Wed, 1 Nov 2000 09:09:38 -0600
Thank you all for your elucidating responses. I have come to understand better the technology that my bank will deploy. I just have one last point to clarify, and would like to ask one more time for info on this specific point.

The client-side security is less than adequate, and the bank intends to protect itself using legal stipulations in signed client contracts. But this obvious step will be pointless if the system we deploy to the customer is easily hacked. For the customer, physical security is a recommended control, and necessary to prevent the obvious hack: theft of the hardware. But if the certificate itself is easily removed from the client and can be transported and installed on another PC, the client is even more easily hacked. It would not do the bank any good to deploy the system to any customer if the certificate is readily accessible by any employee with a fair technical knowledge.

This begs [the last and final] question: can the certificate be exported to another PC without re-issuance by the bank? Where does the certificate reside on the client? How easily is it hacked, copied, transported, and/or re-installed?

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
979/361-6515
801/835-5546
millerj () fabssb com
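The question above (where the certificate lives on the client and whether its private key can leave the machine) is one an auditor can answer directly on a Windows client. The following is an added example, not part of the original post or the bank's deployment; it assumes the bank-issued certificate sits in the current user's Personal store and reports, read-only, whether each private key is software-resident and marked exportable, or bound to hardware.

```powershell
# Added example (not from the original post). Assumes a Windows client whose
# bank-issued certificate lives in the current user's Personal store.
# Read-only: enumerates key storage posture, exports nothing.
function Get-ClientCertKeyPosture {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $provider = $null; $policy = $null
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: ExportPolicy records whether the OS will release the key at all
            $provider = $rsa.Key.Provider.Provider
            $policy   = $rsa.Key.ExportPolicy
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: a single flag fixed when the key was generated or imported
            $provider = $rsa.CspKeyContainerInfo.ProviderName
            $policy   = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
        }
        # Non-RSA keys (e.g. ECDSA) fall through with $provider = $null and are reported as unknown
        $hardwareBacked = ($provider -eq 'Microsoft Platform Crypto Provider') -or ($provider -like '*Smart Card*')

        # The "not exportable" flag is enforced by the Windows crypto API, not by cryptography;
        # only a TPM or smart card key is bound to this machine. Hence the three-level rating.
        $risk = if ($null -eq $provider) { 'unknown' }
                elseif ($hardwareBacked) { 'low (key bound to hardware)' }
                elseif ("$policy" -ne 'None') { 'high (software key, exportable as PKCS#12)' }
                else { 'medium (software key, export blocked by API flag only)' }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Provider       = $provider
            ExportPolicy   = "$policy"
            HardwareBacked = $hardwareBacked
            Risk           = $risk
        }
    }
}

Get-ClientCertKeyPosture | Format-Table -AutoSize
```

A "high" row means the credential can be moved to another PC without the bank re-issuing it; a control that removes that finding (hardware-backed key, or enrollment that marks the key non-exportable) is the mitigation the contract language cannot substitute for.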
Current thread:
- [PEN-TEST] Your opinions ... last request Jim Miller (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Deus, Attonbitus (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Gary Flynn (Nov 02)
- <Possible follow-ups>
- Re: [PEN-TEST] Your opinions ... last request Eric Lauzon (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Frank Knobbe (Nov 03)
- Re: [PEN-TEST] Your opinions ... last request Deus, Attonbitus (Nov 03)