Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... last request
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 1 Nov 2000 12:15:46 -0500
Jim Miller wrote:
The client side security is less than adequate, and the bank intends to protect itself using legal stipulations in signed client contracts. But this obvious step will be pointless if the system we deploy to the customer is easily hacked. For the customer, physical security is a recommended control, and necessary to prevent the obvious hack, theft of the hardware. But if the certificate itself is easily removed from the client and can be transported and installed on another PC, the client is even more easily hacked. It would not do the bank any good to deploy the system to any customer if the certificate is readily accessible by any employee with a fair technical knowledge. This begs [the last and final] question: can the certificate be exported to another PC without re-issuance by the bank? Where does the certificate reside on the client? How easily is it hacked, copied, transported, and / or re-installed?
And in one of your earlier posts you said:
Physical security of the client is a recognised issue. The client can be compromised any number of ways if accessible. Again, not the issue under consideration here.
I think your new question is even more pertinent than your old question. If the computers are on the Internet, they're "accessible" to 300,000,000 people while if they're not physically secure, they're "accessible" to whomever can physically visit the room. Granted the physical accessibility guarantees complete vulnerability but because of the large number of people able to access the machine remotely, their relative anonymity, and the potential speed of access and compromise, this type of access needs to be considered a top issue along with physical access.

If the client PC is compromised with something like a remote control trojan, the certificate won't have to be moved. The intruder will simply perform their actions through the compromised client. Your host system will see a valid account login from a valid IP address.

http://www.jmu.edu/computing/info-security/engineering/issues/remote.shtml

Will these client computers be used for anything else? Will they be used for general email or web access where something harmful may be inadvertently loaded either through a mistake (clicking the wrong attachment or downloading a cute screen saver) or through a bug (for example by any one of several Outlook/IE bugs that enable specially formatted email to compromise a machine)? Will the machines be used by people who may desire other functionality...perhaps shared folders, personal web servers, Internet radio, instant messaging, peer file sharing servers (Napster, Scour, etc.), or online gaming with the possible associated risk? In other words, will this resemble a typical home computer where the family's teenager downloads the latest, untested software and configuration one minute and one of the parents uses the computer to perform online banking the next?

P.S. I'd be interested in hearing the details regarding: "The client side security is less than adequate, and the bank intends to protect itself using legal stipulations in signed client contracts." In particular, I'd be interested in how the customer is protected and to what extent they're made aware of the risks and liabilities.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/protecting_yourself.shtml