Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... last request


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 1 Nov 2000 12:15:46 -0500

Jim Miller wrote:

> The client side security is less than adequate, and the bank intends to
> protect itself using legal stipulations in signed client contracts.  But
> this obvious step will be pointless if the system we deploy to the customer
> is easily hacked.  For the customer, physical security is a recommended control,
> and necessary to prevent the obvious hack, theft of the hardware.
>
> But if the certificate itself is easily removed from the client and can be
> transported and installed on another PC, the client is even more easily hacked.
> It would not do the bank any good to deploy the system to any customer if the
> certificate is readily accessible by any employee with a fair technical knowledge.
>
> This begs [the last and final] question:  can the certificate be exported to
> another PC without re-issuance by the bank?  Where does the certificate reside
> on the client?  How easily is it hacked, copied, transported, and / or re-installed?

And in one of your earlier posts you said:

> Physical security of the client is a recognised issue.  The client can be
> compromised any number of ways if accessible.  Again, not the issue under
> consideration here.

I think your new question is even more pertinent than your old question.
If the computers are on the Internet, they're "accessible" to 300,000,000
people, while if they're not physically secure, they're "accessible" to
whoever can physically visit the room. Granted, the physical accessibility
guarantees complete vulnerability, but because of the large number of people
able to access the machine remotely, their relative anonymity, and the
potential speed of access and compromise, this type of access needs to be
considered a top issue along with physical access.

If the client PC is compromised with something like a remote control
trojan, the certificate won't have to be moved. The intruder will simply
perform their actions through the compromised client. Your host system
will see a valid account login from a valid IP address.

http://www.jmu.edu/computing/info-security/engineering/issues/remote.shtml

Will these client computers be used for anything else? Will they be used
for general email or web access where something harmful may be inadvertently
loaded either through a mistake (clicking the wrong attachment or downloading
a cute screen saver) or through a bug (for example by any one of several
Outlook/IE bugs that enable specially formatted email to compromise a machine)?
Will the machines be used by people who may desire other functionality...perhaps
shared folders, personal web servers, Internet radio, instant messaging,
peer file sharing servers (Napster, Scour, etc.), or online gaming with the
possible associated risk?

In other words, will this resemble a typical home computer where the family's
teenager downloads the latest, untested software and configuration one
minute and one of the parents uses the computer to perform online banking
the next?

P.S. I'd be interested in hearing the details regarding:

  "The client side security is less than adequate, and the bank intends to
   protect itself using legal stipulations in signed client contracts."

In particular, I'd be interested in how the customer is protected and to
what extent they're made aware of the risks and liabilities.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/protecting_yourself.shtml
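The post's point about a compromised client ("your host system will see a valid account login from a valid IP address") has a concrete server-side consequence: the bank's own logs can reveal a copied certificate being used from a second machine, but they cannot distinguish a remote-control trojan driving the legitimate client from the customer. The following added example (not from the original thread or from either poster) illustrates both halves of that with two detection routines run over a constructed, hypothetical authentication log format that records account, client-certificate serial and source IP per login.

```python
"""Server-side checks on client-certificate logins.

Added example, not code from the original post. The log format, field names
and all sample values below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line layout: one successful or failed login per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login account=(?P<account>\S+) "
    r"cert_serial=(?P<serial>\S+) src_ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: serial 0x1A appears from two different IPs within
# minutes, which is what an exported-and-reinstalled certificate looks like.
# Account "globex" only ever logs in from its usual address, which is also
# exactly what a trojan-driven legitimate client would look like.
SAMPLE_LOG = """\
2000-11-01T09:00:00 login account=acme cert_serial=0x1A src_ip=192.0.2.10 result=ok
2000-11-01T09:07:00 login account=acme cert_serial=0x1A src_ip=198.51.100.7 result=ok
2000-11-01T09:30:00 login account=globex cert_serial=0x2B src_ip=192.0.2.20 result=ok
2000-11-01T13:00:00 login account=globex cert_serial=0x2B src_ip=192.0.2.20 result=ok
2000-11-02T09:05:00 login account=acme cert_serial=0x1A src_ip=192.0.2.10 result=ok
""".splitlines()


def parse(lines):
    """Return successful login events, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("result") != "ok":
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "account": m.group("account"),
            "serial": m.group("serial"),
            "ip": m.group("ip"),
        })
    return sorted(events, key=lambda e: e["ts"])


def cert_used_from_multiple_ips(events, window=timedelta(hours=1)):
    """Flag a certificate serial seen from more than one source IP inside
    `window`. Catches the copied-certificate case; it cannot catch a trojan
    operating the real client, whose logins come from the expected IP."""
    alerts = []
    by_serial = defaultdict(list)
    for e in events:
        by_serial[e["serial"]].append(e)
    for serial, evs in by_serial.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are time-ordered, so nothing later fits
                if later["ip"] != first["ip"]:
                    alerts.append((serial, first["ip"], later["ip"]))
    return alerts


def new_ip_for_account(events, known_ips):
    """Flag logins from an address the bank has not previously associated
    with the account. `known_ips` maps account -> set of expected IPs."""
    return [(e["account"], e["ip"]) for e in events
            if e["ip"] not in known_ips.get(e["account"], set())]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("cert reuse:", cert_used_from_multiple_ips(evs))
    print("new IPs:", new_ip_for_account(
        evs, {"acme": {"192.0.2.10"}, "globex": {"192.0.2.20"}}))
```

Both routines produce an alert for the copied 0x1A certificate and nothing for globex, which is the point of the post: once the client PC itself is under someone else's control, the host sees a normal session, so the bank's protection has to include the condition of the client and not only the credential on it.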

