I currently work at such a financial institution, a credit union. Modifications to our home-banking product were frowned upon, partially because the product vendor created such a touchy product that any change might break things. They built a customized IIS 3 web server that was vulnerable to the CGI double decode vulnerability (and probably a lot of others), and Microsoft's patch broke the system, perhaps because they were running an ancient IIS 3. Well, this increased the heat on the vendor, thanks partially to my conversations with an engineering manager. Within two weeks they had upgraded the system to IIS 4, applied SP6a + post-SP6a hotfixes and other security patches. In that two-week period, probably every single institution (except ours) using their product was wide open.

The interesting thing is that following the standard IIS security guidelines locked the box down with little trouble. I revoked the permissions to /winnt/system32/ for the IUSR account, which prevented attackers from launching cmd, tftp, net and other commands. I also removed the Windows NT challenge/response authentication method from the webroot, since this would give attackers an opportunity to brute force accounts through a password dialog box. And of course, account lockout was not set by the vendor, along with EVERYONE Full Control on both the C: and D: drives. My supervisor discouraged me from making any change to the system for fear that it might break. Thankfully, action was taken that blocked an attacker that very night. Very, very sloppy on behalf of the vendor. I suggested that the vendor undergo a code and security audit before releasing its products, as well as look at products like eEye's SecureIIS application-level firewall. The incident spoken of here lit a fire under them, which increased the speed at which their QA and security committee began to take things more seriously. However, no mention of this issue was to be found at their recent annual users meeting.
Brush it under the rug, perhaps? A compromise of the NT/IIS server mentioned here would not give attackers an easy means to actually perform funds transfers, but they could trojan the system through tftp, pilfer account numbers from log files, and obtain a lot of data, including the administrator and other high-level passwords from an EVERYONE FULL CONTROL batch file that added administrator and three hardware support accounts (one of the passwords was "eatmeraw", which I found amusing, since their security mechanisms did indeed suck). Very, very sloppy...

From discussion with others on this issue, I gather that many internet banking sites are very exploitable. You would think that something this sensitive would receive better attention, but I suppose that security professionals have their work cut out for them in the foreseeable future. Credit unions in particular are coming under fire with a new batch of National Credit Union Administration (NCUA) regulations, including penetration testing, use of network and host IDS, security audits, and compliance of outsourced vendors with certain standards (such as standards covered by something like the reputable TruSecure certification). A welcome event, which is bringing more business to the security community, as these institutions often don't have the in-house expertise to stay abreast of the fast-paced security landscape.

Curt Wilson
Formerly NetW3 Consulting, moving into a new, unknown venture in the near future...

At 11:03 PM 6/24/2001 -0500, H D Moore wrote:

>Over the last year I have pen-tested a couple dozen financial institutions,
>at least three-quarters of them were running IIS web servers. The reasoning
>behind it is simple; most of the on-line banking software vendors use NT/IIS
>as their platform. The institutions which use this software are not allowed
>to modify ANYTHING without voiding their support contracts.
>So you have the
>majority of the financial industry at the mercy of their vendors for
>security, yet they are the ones which are liable if they get cracked. Recent
>regulations are forcing banks and credit unions to meet certain guidelines
>for information security, failing to meet those guidelines can put them out
>of business when they get audited. This is putting some heavy pressure on
>the IT staff of these organizations, most of which have no real internet
>experience and have spent the last 10 years babysitting the mainframe.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com           |
| Internet Security, Networking, PC tech, WWW hosting         |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
| Serving Southern Illinois locally and the world virtually   |
| netw3at_private 618-303-NET3                                |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
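As an added illustration (not part of Curt's or H D Moore's messages, and not IIS code), the following Python models the bug class Curt names above, the IIS double-decode traversal: the server runs its directory-traversal check after one URL-decode pass, but decodes a second time before mapping the path to disk, so a `%255c` (which decodes to `%5c` and only then to a backslash) carries `..\` past the check. Assumed for the model: a web root of /inetpub/wwwroot, a /scripts directory beneath it, and the classic `..%255c..%255cwinnt/system32/cmd.exe` request form; `fixed_map` shows the correction of decoding to a fixed point and checking the final form.

```python
"""
Constructed model of the IIS "double decode" bug class (MS01-026).
Not IIS source; the web root, directory layout and request form are
assumptions made for the illustration.
"""
from typing import Optional
from urllib.parse import unquote
import posixpath

WEBROOT = "/inetpub/wwwroot"      # assumed web root for the model
MAX_DECODE_PASSES = 4             # bound for the fixed-point decode in the fix


def _to_fs(url_path: str) -> str:
    """Map a decoded URL path to a filesystem path, NT-style: treat backslash
    as a separator and collapse '.' and '..' segments."""
    p = url_path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEBROOT, p))


def _escapes_root(url_path: str) -> bool:
    """True if the path, as currently decoded, resolves outside WEBROOT."""
    fs = _to_fs(url_path)
    return not (fs == WEBROOT or fs.startswith(WEBROOT + "/"))


def vulnerable_map(url_path: str) -> Optional[str]:
    """The bug: traversal check after ONE decode, a second decode afterwards.
    Returns the filesystem path the server would use, or None if rejected."""
    once = unquote(url_path)
    if _escapes_root(once):
        return None               # '%5c' is still not a separator here, so it passes
    twice = unquote(once)         # '%5c' becomes '\' only now, after the check
    return _to_fs(twice)


def fixed_map(url_path: str) -> Optional[str]:
    """The fix: decode until nothing changes, then check the final form."""
    canon = url_path
    for _ in range(MAX_DECODE_PASSES):
        nxt = unquote(canon)
        if nxt == canon:
            break
        canon = nxt
    else:
        return None               # still changing after the bound: refuse it
    if _escapes_root(canon):
        return None
    return _to_fs(canon)


# Constructed requests. '%25' -> '%', so '%255c' -> '%5c' -> '\'
ATTACK = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
BENIGN = "/scripts/hello.asp"

if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_map), ("fixed", fixed_map)):
        print(f"{label:10s} {BENIGN} -> {fn(BENIGN)}")
        print(f"{label:10s} {ATTACK} -> {fn(ATTACK)}")
```

The vulnerable mapper hands back /inetpub/winnt/system32/cmd.exe for the attack request while the fixed one refuses it; a single-encoded `..%5c..` is caught by both, which is why the bug was easy to miss. It also shows why the lockdown Curt describes held while the product stayed unpatched: with the IUSR account's rights to /winnt/system32 revoked, the mapped cmd.exe cannot be launched even though the traversal check was beaten.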
This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 06:12:00 PDT