Penetration Testing mailing list archives
Re: Disclosure of vulns and its legal aspects...
From: cwright () bdosyd com au
Date: 31 May 2007 09:27:38 -0000
Hello,

Nothing. You are legally covered if your money goes missing. The bank loses; they are the ones who make the write-off. They may bitch, but they are liable and have to pay. In many western countries your funds are covered by state guarantee. So basically, it is not your problem.

Westpac (a bank) in Australia codes the obscuration for their mouse clicks using JavaScript in the logon page. The fact that the captured JavaScript could be used in a Trojan was reported, and they responded by restricting access to the page source. Of course, with WebScarab an attacker can still get this; likewise, it does nothing to stop an attacker making a Trojan to exploit it. Same problem, perception fixed, security the same.

I still bank with them. If my account is compromised, they have to bear the loss. I do not care how much they lose; they can go bankrupt for all I care. If they do, the government has guaranteed my money.

So as far as your example, you do nothing. They understand loss. If they lose too much they react. Simple. The cost of using 2 factor for the general population is too great and the general public are averse to it.

Regards,
Craig
In reply to <<
What about a situation when I find serious mistakes in the logic concept of the page (authorization process)? I found some in 2 EU financial institutions. One of them was my own bank. It was reported and fixed. If I hadn't reacted I might have been a victim of their mistake. There was no scanning or exploiting, only a scenario which obligated them to react. What about this situation?

Peter Brzyski
WCI University of Szczecin