Kelvin, this looks very familiar to the "probing" you were doing. I guess the FBI and S1 didn't take kindly to the probe...very possibly a result of your disclosure.

http://www.securityfocus.com/templates/article.html?id=222

CT

----- Original Message -----
From: "Kelvin" <kelvinat_private>
To: <pen-testat_private>
Sent: Saturday, June 23, 2001 9:25 PM
Subject: Internet Bank Vulnerable!

> This is highly interesting.
>
> I have discovered several Internet Banks that are vulnerable to many
> standard IIS vulnerabilities. Many of the exploits are quite old. Well for
> obvious reasons I notified the Bank and the vendor of the Internet Banking
> solution. I waited until today, which is 48 hours since the email and
> telephone notification and the Bank is still vulnerable. It amazes me every
> time something like this happens, it might not be so bad if it were cookies
> on a cooking website but it really is financial information on the website
> of a respected bank, it freaks me out even more.
>
> As a test, I ran a search string on the file system looking for various
> combinations such as: "$1,1", "0.12", "1,1"
>
> Amazingly enough I came up with entire listings of transactions and account
> data. The records included names, phone, numbers, credit cards, and the
> like. No socials.. That I felt good about.
>
> Has anyone else had a scenario as serious as this? I am wondering if there
> is a lesson someone here needs to learn! - Like maybe an associated press
> lesson. If the newspaper were to find out that a bank was vulnerable - Wow,
> they would eat that up, besides the problem I am sure would get fixed.
>
> Any thoughts?
>
> You can see the findings and the article at:
> http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_online.html
>
> Kelvin.
This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 08:33:42 PDT