Re: [PEN-TEST] Home-Banking PEN-TESTING

[Domenico De Vitto <dom () DEVITTO DEMON CO UK>]

I agree, but still think, considering all the bad press e-security has
had recently, that it's small compared to non-IT related theft, like CC
fraud.  But I do respect and agree, 'whodunnit' is a big problem....

Dom
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Meredith S
Sent: 01 September 2000 09:53
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING


        I would consider it a breach of security as well, considering you can
specify *not* to cache by setting a value it the page's header. in .asp this
is as trivial as adding <% Response.Expires = 0 %> to the beginning of this
page (i wouldn't know how to do it with anything else, as i'm not a web
developer).
        The resturant analogy isn't entirely accurate. If you go to a resturant and
hand the waitress your credit card, and she reappears wearing a mink or
never reappears at all, then you have some idea what happens. If a page is
recovered from cache in a publicly accessible environment, then there is no
way of backtracking. Or even telling where the page was recovered from
(there could be a proxy server somewhere on the network).




[snip]
> Stuff like (encrypted) pages being stored in the cache, and so available
> to any/all users of the same computer are often considered by the press
> to be breaches in security, but fundamentally you must look at the
> comparitive risk - do you use your credit card in resturants?
[snip]