Re: Internet Bank Vulnerable!

["Kelvin" <kelvin () sec33 com>]

I have been working with this information for sometime now, it looks like
they notified several hundred FI's and thousands of consumers were affected
by the security incident.

It turns out that the hack with this vendor (Q UP) might have been related
to a BigBrother installation on a linux/unix platform. Besides, it was for
this reason I chose not to publish anything confidential nor any information
that could lead you to which vendor had security issues.

I was working with Kevin Poulsen (Securityfocus.com) a little on this story
while he was investigating it. I think the story was very well written.

Thanks.

./Kelvin

----- Original Message -----
From: "Chris Trudeau" <chris () trudeau org>
To: "Kelvin" <kelvin () sec33 com>; <pen-test () securityfocus com>
Sent: Friday, July 06, 2001 7:42 AM
Subject: Re: Internet Bank Vulnerable!


> Kelvin,
>
> this looks very familiar to the "probing" you were doing.  I guess the FBI
> and S1 didn't take kindly to the probe...very possibly a result of your
> disclosure.
>
> http://www.securityfocus.com/templates/article.html?id=222
>
>
> CT
> ----- Original Message -----
> From: "Kelvin" <kelvin () sec33 com>
> To: <pen-test () securityfocus com>
> Sent: Saturday, June 23, 2001 9:25 PM
> Subject: Internet Bank Vulnerable!
>
>
> > This is highly interesting.
> >
> > I have discovered several Internet Banks that are vulnerable to many
> > standard IIS vulnerabilities. Many of the exploits are quite old. Well
for
> > obvious reasons I notified the Bank and the vendor of the Internet
Banking
> > solution. I waited until today, which is 48 hours since the email and
> > telephone notification and the Bank is still vulnerable. It amazes me
> every
> > time something like this happens, it might not be so bad if it were
> cookies
> > on a cooking website but it really is financial information on the
website
> > of a respected bank, it freaks me out even more.
> >
> > As a test, I ran a search string on the file system looking for various
> > combinations such as: "$1,1", "0.12", "1,1"
> >
> > Amazingly enough I came up with entire listings of transactions and
> account
> > data. The records included names, phone, numbers, credit cards, and the
> > like. No socials.. That I felt good about.
> >
> > Has anyone else had a scenario as serious as this? I am wondering if
there
> > is a lesson someone here needs to learn! - Like maybe an associated
press
> > lesson. If the newspaper were to find out that a bank was vulnerable -
> Wow,
> > they would eat that up, besides the problem I am sure would get fixed.
> >
> > Any thoughts?
> >
> > You can see the findings and the article at:
http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_on
> > line.html
> >
> > Kelvin.


--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/