Penetration Testing mailing list archives

RE: Internet Bank Vulnerable!

From: "Kevin Timm" <ktimm () stingrey com>
Date: Mon, 25 Jun 2001 21:24:58 -0500

I've found some of the same problems.  It seems most of the big boys use
some form of *Nix and possibly multiple layers of firewalls and are pretty
safe. The smaller banks may have firewalls and IDS units but thier servers
are often open to some form of attack. They seem to gravitate toward IIS
(probably because developers push them that way) . The real problem seems to
be most Windows Admins seem to have no clue on how to secure IIS. I have
even had admins proclaim they should be pretty secure because they have all
the updates only to find 5-10 IIS holes when testing. Updates can't keep you
from installing sample scripts etc. It really seems to be poor hiring
decisions at some of the smaller banks. I however can see how it is
difficult for a non security person to evauluate security personel.
Enough rambling
K

-----Original Message-----
From: Kelvin [mailto:kelvin () sec33 com]
Sent: Saturday, June 23, 2001 8:26 PM
To: pen-test () securityfocus com
Subject: Internet Bank Vulnerable!


This is highly interesting.

I have discovered several Internet Banks that are vulnerable to many
standard IIS vulnerabilities. Many of the exploits are quite old. Well for
obvious reasons I notified the Bank and the vendor of the Internet Banking
solution. I waited until today, which is 48 hours since the email and
telephone notification and the Bank is still vulnerable. It amazes me every
time something like this happens, it might not be so bad if it were cookies
on a cooking website but it really is financial information on the website
of a respected bank, it freaks me out even more.

As a test, I ran a search string on the file system looking for various
combinations such as: "$1,1", "0.12", "1,1"

Amazingly enough I came up with entire listings of transactions and account
data. The records included names, phone, numbers, credit cards, and the
like. No socials.. That I felt good about.

Has anyone else had a scenario as serious as this? I am wondering if there
is a lesson someone here needs to learn! - Like maybe an associated press
lesson. If the newspaper were to find out that a bank was vulnerable - Wow,
they would eat that up, besides the problem I am sure would get fixed.

Any thoughts?

You can see the findings and the article at:
http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_on
line.html

Kelvin.

Current thread:

Internet Bank Vulnerable! Kelvin (Jun 24)
- Re: Internet Bank Vulnerable! H D Moore (Jun 24)
  - Re: Internet Bank Vulnerable! Curt Wilson (Jun 25)
    - Re: Internet Bank Vulnerable! Kelvin (Jun 25)
- RE: Internet Bank Vulnerable! Kevin Timm (Jun 26)
- <Possible follow-ups>
- RE: Internet Bank Vulnerable! Thomas Ray (Jun 26)