RE: Internet Bank Vulnerable!

[Thomas Ray <thomas.ray () tcud state tx us>]

Kelvin,et al-
   I am an IT Examiner for the State of Texas. They have recently hired me
to start doing this kind of work (they've never had this position before)
and this is exactly the kind of stuff I will be looking for. Unfortunately,
I am the ONLY IT Examiner and have to account for over 250 credit unions
(not banks, just cu's only). I won't be doing pen-tests, just doing audits
to make sure they have appropriate security,etc, in place.  The plan is to
check each credit union once per year......you do the math, 250 credit
unions vs 250 working days in a year...........
   As you can no doubt guess, since I am also the first IT Examiner they
have ever had, we are on a steep learning curve figuring out requirements.
Unfortunately, I can't just make blanket requirements since it is
effectively rules that have to be passed by the Agency Board. And you know
how slowly government moves....
   I commend you for taking the time to notify the institutions involved.
Might I also suggest that at the same time you notify the appropriate state
regulatory agencies? In Texas, that would be the Texas Credit Union
Department (www.tcud.state.tx.us), the Department of Banking
(www.banking.state.tx.us), and the Texas Savings and Loan Department
(www.tsld.state.tx.us). That will light a fire under them when the agency
calls and asks "Why is the data unsecure?"
    Other states will have their own departments that may or may not be
combined into one or more agencies.

Thanks for helping keep your data secure.

Tom Ray
IT Examiner, Texas Credit Union Department



> -----Original Message-----
> From: Kelvin [mailto:kelvin () sec33 com]
> Sent: Saturday, June 23, 2001 8:26 PM
> To: pen-test () securityfocus com
> Subject: Internet Bank Vulnerable!
>
>
> This is highly interesting.
>
> I have discovered several Internet Banks that are vulnerable to many
> standard IIS vulnerabilities. Many of the exploits are quite 
> old. Well for
> obvious reasons I notified the Bank and the vendor of the 
> Internet Banking
> solution. I waited until today, which is 48 hours since the email and
> telephone notification and the Bank is still vulnerable. It 
> amazes me every
> time something like this happens, it might not be so bad if it 
> were cookies
> on a cooking website but it really is financial information on 
> the website
> of a respected bank, it freaks me out even more.
>
> As a test, I ran a search string on the file system looking for various
> combinations such as: "$1,1", "0.12", "1,1"
>
> Amazingly enough I came up with entire listings of 
> transactions and account
> data. The records included names, phone, numbers, credit cards, and the
> like. No socials.. That I felt good about.
>
> Has anyone else had a scenario as serious as this? I am 
> wondering if there
> is a lesson someone here needs to learn! - Like maybe an 
> associated press
> lesson. If the newspaper were to find out that a bank was 
> vulnerable - Wow,
> they would eat that up, besides the problem I am sure would get fixed.
>
> Any thoughts?
>
> You can see the findings and the article at:
> http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_o
nline.html

Kelvin.