Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: H Carvey <keydet89 () YAHOO COM>
Date: Wed, 23 Aug 2000 11:30:17 -0000
I've dealt with similar situations, and those in which companies wanted to give their executives the ability to connect to the intranet from home. In your case, the bank is NOT responsible for the security of the home machine...which is most definitely (as you pointed out) the weak link. You don't have to go far for examples...Deutsch, formerly of the CIA, comes to mind.

The bank knows to expect certain input from the user. So they can have safeguards on their end. However, if someone is able to compromise the client machine, regardless of _how_ it's done, then the potential exists for someone to connect to the bank, and become authenticated as that user.

I saw posts mentioning BO2K, etc...none of that's really important. There are trojans that do live video streaming of the desktop, and keyboard captures. To keep ahead of the a/v companies, some folks out there are going to keep modifying the source code of these little beauties.

It wasn't too long ago that there were several articles in the press stating that with the explosion of the use of firewalls and IDS systems, the easiest targets were going to be the home systems...and every one of those articles was dead on! Remember what happened in Feb. '00? Only a couple of months before, the concept of DDoS had been addressed...in Nov '99, I believe. Four months later...concept and theory become hard core reality!

Remember NETSEC's announcement of the "Badman/Serbian" trojan on 8 June '00, later backed up by iDefense? Regardless of what you think about the whole issue surrounding the discovery and announcement, the fact remains that 2000+ home systems were infected by simply leaving the downloader trojan on a porn newsgroup, labeled as a movie.

Carv