Penetration Testing mailing list archives

Re: banking - does it belong online? II conclusion


From: Pawel Krawczyk <kravietz () aba krakow pl>
Date: Wed, 27 Jun 2001 11:10:58 +0200

On Mon, Jun 25, 2001 at 11:14:12PM -0500, Kelvin wrote:

http://www.sec33.com/archives/2001/internet_banking/banking_does_it_belong_online_II.html

From my experience in auditing FIs, it seems they really do have great trust
in software vendors, and it is so great that it is sometimes very
difficult to convince them that something is really vulnerable, even if
you show them a hardcopy from a sniffer with logins and passwords.

We have been analyzing communications between the main server and branch
offices in one FI, and they were simply performed over the TELNET protocol
with some GUI wrapper. The "encryption" mentioned by a trusted software
vendor, cited frequently by our customer, turned out to be EBCDIC encoding.
We could also easily observe whole SQL sessions with money transfers
performed over unprotected TCP to a machine with predictable serials.

Some managers at the office argued that there is no need to encrypt the
data because the LAN runs on a Cisco switch and it is impossible to sniff
the data there, or over the WAN. Impressive... It seems the institutions
are more willing to spend thousands of dollars on equipment than on a
few people with proper knowledge.

-- 
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23
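The post's "EBCDIC encryption" story is easy to reproduce on a capture. The block below is an added example, not code from the original post or from any vendor it mentions: it builds a constructed Telnet-style banking session (hypothetical login, password and account numbers) encoded in EBCDIC code page 037, then applies two checks a tester can run on sniffed bytes before accepting a vendor's word. First, try the obvious single-byte code pages; an encoding decodes straight back to readable text, a cipher does not. Second, measure byte entropy: a code page is a bijection on characters, so it leaves the byte histogram of the plaintext intact, while real ciphertext sits near 8 bits per byte. The "ciphertext" used for comparison is a deterministic SHA-256 chain, a stand-in so the comparison runs offline. Neither check says anything about whether a switched LAN can be sniffed; they only answer whether what is on the wire is protected at all.

```python
"""Is that "encrypted" banking link really encrypted?

Added example, not from the original post.  Sample session, hostnames and
account numbers are constructed and hypothetical.
"""
import hashlib
import math
from collections import Counter

# Constructed session text: a Telnet-style login followed by an SQL transfer.
SESSION_TEXT = (
    "login: teller01\r\n"
    "password: Summer2001\r\n"
    "UPDATE accounts SET balance = balance - 2500 WHERE acct = '1020304050';\r\n"
    "UPDATE accounts SET balance = balance + 2500 WHERE acct = '6070809010';\r\n"
    "COMMIT;\r\n"
)

# The "encrypted" wire bytes as a vendor might ship them: plain EBCDIC (CP037).
CAPTURED_EBCDIC = SESSION_TEXT.encode("cp037")


def pseudo_ciphertext(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for real ciphertext (SHA-256 chain), so the
    comparison runs offline with a reproducible result."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def try_decode(data: bytes, codecs=("ascii", "cp037", "cp500")) -> dict:
    """Return every code page under which the bytes decode to mostly printable text.
    cp037 and cp500 are the common EBCDIC variants; ascii is the control."""
    hits = {}
    for name in codecs:
        try:
            text = data.decode(name)
        except UnicodeDecodeError:
            continue
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text) / len(text)
        if printable > 0.95:
            hits[name] = text
    return hits


def classify(data: bytes) -> str:
    """Verdict for a captured stream: 'plaintext:<codec>' if some code page
    decodes it, otherwise an entropy-based guess."""
    hits = try_decode(data)
    if hits:
        return "plaintext:" + next(iter(hits))
    return "likely-encrypted" if shannon_entropy(data) > 7.0 else "unknown-low-entropy"


def extract_credentials(text: str) -> dict:
    """Pull login/password lines out of a decoded session, i.e. the sniffer
    hardcopy the post describes showing to management."""
    creds = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("login", "password"):
            creds[key.strip().lower()] = value.strip()
    return creds


if __name__ == "__main__":
    print("captured stream:", classify(CAPTURED_EBCDIC))
    print("entropy (EBCDIC):   %.2f bits/byte" % shannon_entropy(CAPTURED_EBCDIC))
    print("entropy (ASCII):    %.2f bits/byte" % shannon_entropy(SESSION_TEXT.encode("ascii")))
    print("entropy (cipher):   %.2f bits/byte" % shannon_entropy(pseudo_ciphertext(4096)))
    print("pseudo-ciphertext:", classify(pseudo_ciphertext(4096)))
    print("recovered:", extract_credentials(try_decode(CAPTURED_EBCDIC)["cp037"]))
```

On the constructed capture the EBCDIC bytes fail as ASCII but decode cleanly as cp037, the login and password fall straight out, and the entropy of the EBCDIC stream is identical to that of the same text in ASCII, well below the near-8 bits per byte of the pseudo-ciphertext. A vendor claim of "encryption" that fails both checks is just an encoding.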

--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/
