On Mon, Jun 25, 2001 at 11:14:12PM -0500, Kelvin wrote:
> http://www.sec33.com/archives/2001/internet_banking/banking_does_it_belong_online_II.html

From my experience in auditing FIs, it seems they have great trust in software vendors indeed, and it's so big that it's sometimes very difficult to convince them that something is really vulnerable, even if you show them a hardcopy from a sniffer with logins and passwords.

We have been analyzing communications between the main server and branch offices in one FI, and they were simply performed over the TELNET protocol with some GUI wrapper. The "encryption" mentioned by a trusted software vendor, cited frequently by our customer, came out to be EBCDIC encoding. We could also easily observe whole SQL sessions with money transfers performed over unprotected TCP to a machine with predictable serials.

Some managers at the office argued that there's no need to encrypt the data because the LAN works on Cisco's switch and it's impossible to sniff the data here, and over WAN. Impressing...

Seems like the institutions are more willing to spend thousands of dollars for equipment than for several people with proper knowledge.

--
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/> security: <http://ipsec.pl/> *** fidonet: 2:486/23
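The "EBCDIC as encryption" point above is easy to verify during an audit: an encoding is reversible with a public table, while ciphertext looks like noise. The following is an added example, not code from the post or from any vendor mentioned in it; the payloads are constructed here, and the entropy and printable-ratio thresholds are assumed heuristics for a quick triage of captured application data.

```python
import math
import os
from collections import Counter

# Constructed sample payloads (not captured from any real system).
LOGIN_TEXT = "LOGON user=teller01 pass=Summer2001\r\n"
LOGIN_ASCII = LOGIN_TEXT.encode("ascii")
LOGIN_EBCDIC = LOGIN_TEXT.encode("cp037")   # what a vendor might call "encryption"
RANDOM_BYTES = os.urandom(1024)             # stand-in for genuinely encrypted data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, typically 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(text: str) -> float:
    """Share of characters that are printable (CR, LF and TAB allowed)."""
    ok = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return ok / max(len(text), 1)

def classify_payload(data: bytes) -> str:
    """Label a captured application payload as 'ascii', 'ebcdic' or 'opaque'.

    EBCDIC letters sit above 0x80, so ASCII decoding fails on them; cp037
    decodes every byte value, so the printable-ratio check rejects noise.
    The 7.0-bit entropy cut-off is an assumed threshold for this triage.
    """
    if shannon_entropy(data) > 7.0:
        return "opaque"
    for label, codec in (("ascii", "ascii"), ("ebcdic", "cp037")):
        try:
            text = data.decode(codec)
        except UnicodeDecodeError:
            continue
        if printable_ratio(text) > 0.95:
            return label
    return "opaque"

def recover_text(data: bytes) -> str:
    """Decode an 'encoded but not encrypted' payload back to readable text."""
    label = classify_payload(data)
    if label == "opaque":
        raise ValueError("payload is not a recognisable plaintext encoding")
    return data.decode("ascii" if label == "ascii" else "cp037")
```

Running `recover_text(LOGIN_EBCDIC)` returns the original login line unchanged, which is the demonstration an auditor needs to show that the wire format offers no confidentiality.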
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 21:38:38 PDT