Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Thu, 7 Sep 2000 19:41:59 +0100
I agree, but still think, considering all the bad press e-security has had recently, that it's small compared to non-IT related theft, like CC fraud. But I do respect and agree, 'whodunnit' is a big problem....

Dom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Meredith S
Sent: 01 September 2000 09:53
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING

I would consider it a breach of security as well, considering you can specify *not* to cache by setting a value in the page's header. In .asp this is as trivial as adding <% Response.Expires = 0 %> to the beginning of this page (I wouldn't know how to do it with anything else, as I'm not a web developer).

The restaurant analogy isn't entirely accurate. If you go to a restaurant and hand the waitress your credit card, and she reappears wearing a mink or never reappears at all, then you have some idea what happens. If a page is recovered from cache in a publicly accessible environment, then there is no way of backtracking. Or even telling where the page was recovered from (there could be a proxy server somewhere on the network).

[snip]
Stuff like (encrypted) pages being stored in the cache, and so available to any/all users of the same computer are often considered by the press to be breaches in security, but fundamentally you must look at the comparative risk - do you use your credit card in restaurants?
[snip]
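Added example, not part of either message in this thread: a small Python audit of a response's caching headers for the two exposures discussed above, a copy left on a shared computer and a copy held by a proxy on the network. The function names and finding labels are hypothetical and the sample headers are constructed; the rules follow standard HTTP caching semantics (no-store, private, no-cache, max-age, Expires).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def expired(value, now):
    """True if an Expires value is in the past or is not a valid date."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True  # malformed values such as "0" are treated as expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def reusable_unchecked(cc, headers, now):
    """Can a cache serve its stored copy without asking the server first?"""
    if "no-cache" in cc:
        return False
    if "max-age" in cc:  # max-age takes precedence over Expires
        age = cc["max-age"] or "0"
        return age.isdigit() and int(age) > 0
    if "expires" in headers:
        return not expired(headers["expires"], now)
    return True  # no explicit lifetime: a cache may pick one heuristically

def audit_cache_headers(headers, now=None):
    """Return cache-exposure findings for a response carrying account data."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return []  # no cache, local or shared, may keep a copy
    findings = ["local-copy"]  # the browser may still write the page to disk
    if "private" not in cc:
        findings.append("shared-cache")  # a proxy on the path may store it
    if reusable_unchecked(cc, h, now):
        findings.append("served-without-revalidation")
    return findings

# Constructed sample: expiry-only header plus "private", checked at a fixed time.
SAMPLE = {"Expires": "Fri, 01 Sep 2000 08:53:00 GMT", "Cache-Control": "private"}
CHECKED_AT = datetime(2000, 9, 1, 9, 0, tzinfo=timezone.utc)
print(audit_cache_headers(SAMPLE, CHECKED_AT))
```

An already-expired page forces revalidation but can still be written to the local cache; only no-store clears every finding.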