Penetration Testing mailing list archives

Re: Internet Bank Vulnerable!


From: H D Moore <hdm () secureaustin com>
Date: Sun, 24 Jun 2001 23:03:19 -0500

On Saturday 23 June 2001 08:25 pm, Kelvin wrote:
> As a test, I ran a search string on the file system looking for various
> combinations such as: "$1,1", "0.12", "1,1"
> Any thoughts?

<rant>
For starters, you just broke more laws than you have fingers and then 
advertised the fact on-line in a public forum.  I really hope you don't go 
after any AP-style press with this one, not just for your own sake, but for 
the sake of every network security professional out there.  If the general 
public sees security people being portrayed as "above the law" when it comes 
to doing research, it will give the already-ignorant-and-scared lawmakers 
even more incentive to start outlawing all of our tools.  In other words, 
please don't go around randomly breaking into banks and expect anything short 
of a knock on your door by a TLA.
</rant>

Over the last year I have pen-tested a couple dozen financial institutions, 
at least three-quarters of them were running IIS web servers.  The reasoning 
behind it is simple;  most of the on-line banking software vendors use NT/IIS 
as their platform.  The institutions which use this software are not allowed 
to modify ANYTHING without voiding their support contracts.  So you have the 
majority of the financial industry at the mercy of their vendors for 
security, yet they are the ones which are liable if they get cracked.  Recent 
regulations are forcing banks and credit unions to meet certain guidelines 
for information security, failing to meet those guidelines can put them out 
of business when they get audited.  This is putting some heavy pressure on 
the IT staff of these organizations, most of which have no real internet 
experience and have spent the last 10 years babysitting the mainframe.

To conclude.  Yes, most financial institutions are wide open.  There is only 
so much you can do besides letting them know.  Most of the administrators at 
these banks really have no idea how vulnerable they are and either consider 
themselves "not a target" for some reason or believe their vendors that they 
aren't at risk if they use a certain product.

-HD 


> You can see the findings and the article at:
> http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_on line.html


"internet_baking" ?  Yummy.

