Penetration Testing mailing list archives
Re: banking - does it belong online? II conclusion
From: Pawel Krawczyk <kravietz () aba krakow pl>
Date: Wed, 27 Jun 2001 11:10:58 +0200
On Mon, Jun 25, 2001 at 11:14:12PM -0500, Kelvin wrote:
http://www.sec33.com/archives/2001/internet_banking/banking_does_it_belong_online_II.html
From my experience in auditing FIs, it seems like they have great trust in software vendors indeed, and it's so big that it's sometimes very difficult to convince them that something is really vulnerable, even if you show them a hardcopy from a sniffer with logins and passwords.

We have been analyzing communications between the main server and branch offices in one FI, and they were simply performed over the TELNET protocol with some GUI wrapper. The "encryption" mentioned by a trusted software vendor, cited frequently by our customer, came out to be EBCDIC encoding. We could also easily observe whole SQL sessions with money transfers performed over unprotected TCP to a machine with predictable serials.

Some managers at the office argued that there's no need to encrypt the data because the LAN works on a Cisco switch and it's impossible to sniff the data here, and over WAN. Impressing...

Seems like the institutions are more willing to spend thousands of dollars for equipment than for several people with proper knowledge.

--
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/> security: <http://ipsec.pl/> *** fidonet: 2:486/23

--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
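The finding above (a vendor's "encryption" that was only EBCDIC encoding, and credentials visible in a sniffer capture) comes down to one audit check: does a captured payload decode to readable text under a plain character encoding, or is it actually opaque? The following Python is an added example, not code from the post or from any vendor it mentions; it classifies a byte payload as ASCII text, EBCDIC text (decoded with Python's `cp037` codec) or opaque, reports its Shannon entropy, and lists credential-prompt keywords found in the decoded text so an auditor can show in a report that the traffic is cleartext. The sample payloads, including the "opaque" one derived from a SHA-256 chain, are constructed here; the printable-ratio threshold and the keyword list are assumptions, not values from the post.

```python
import hashlib
import math
from collections import Counter

# Assumed thresholds and markers for this example (not from the post).
PRINTABLE_RATIO = 0.95
CREDENTIAL_MARKERS = ("login", "password", "passwd", "user")


def printable_ratio(text: str) -> float:
    """Fraction of characters that are printable or ordinary line/tab control."""
    if not text:
        return 0.0
    ok = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return ok / len(text)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted data sits near 8, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes) -> tuple:
    """Return (kind, decoded_text).

    kind is 'ascii-text', 'ebcdic-text' or 'opaque'. EBCDIC is only an
    encoding: cp037 maps every byte to a character, so a payload that
    decodes to mostly printable text under it was never protected.
    """
    try:
        text = data.decode("ascii")
        if printable_ratio(text) >= PRINTABLE_RATIO:
            return "ascii-text", text
    except UnicodeDecodeError:
        pass
    text = data.decode("cp037", errors="replace")
    if printable_ratio(text) >= PRINTABLE_RATIO:
        return "ebcdic-text", text
    return "opaque", ""


def find_credential_markers(text: str) -> list:
    """Sorted list of credential-prompt keywords present in decoded text."""
    lower = text.lower()
    return sorted(m for m in CREDENTIAL_MARKERS if m in lower)


def analyze(data: bytes) -> dict:
    """One-shot summary an auditor would put in a finding."""
    kind, text = classify_payload(data)
    return {
        "kind": kind,
        "entropy": round(shannon_entropy(data), 2),
        "markers": find_credential_markers(text),
    }


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted record."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample payloads; the credentials are placeholders.
PROMPT = "login: auditor\r\npassword: s3cret-example\r\n"
SAMPLES = {
    "telnet-ascii": PROMPT.encode("ascii"),
    "telnet-ebcdic": PROMPT.encode("cp037"),  # what the vendor called "encryption"
    "opaque": _pseudo_random(256),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, analyze(payload))
```

The EBCDIC sample fails the ASCII decode (EBCDIC letters live above 0x7F) but comes back as fully printable text under `cp037`, which is exactly how the "encrypted" branch-office traffic would look in a capture. Only the SHA-256-derived sample is reported as opaque, and its entropy is several bits per byte above the two text samples.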
Current thread:
- banking - does it belong online? II conclusion Kelvin (Jun 26)
- Re: banking - does it belong online? II conclusion Pawel Krawczyk (Jun 27)