Re: Internet Bank Vulnerable!

From: Chris Trudeau (chrisat_private)
Date: Fri Jul 06 2001 - 05:42:33 PDT


    Kelvin,
    
    this looks very familiar to the "probing" you were doing.  I guess the FBI
    and S1 didn't take kindly to the probe...very possibly a result of your
    disclosure.
    
    http://www.securityfocus.com/templates/article.html?id=222
    
    
    CT
    ----- Original Message -----
    From: "Kelvin" <kelvinat_private>
    To: <pen-testat_private>
    Sent: Saturday, June 23, 2001 9:25 PM
    Subject: Internet Bank Vulnerable!
    
    
    > This is highly interesting.
    >
    > I have discovered several Internet Banks that are vulnerable to many
    > standard IIS vulnerabilities. Many of the exploits are quite old. Well for
    > obvious reasons I notified the Bank and the vendor of the Internet Banking
    > solution. I waited until today, which is 48 hours since the email and
    > telephone notification and the Bank is still vulnerable. It amazes me every
    > time something like this happens, it might not be so bad if it were cookies
    > on a cooking website but it really is financial information on the website
    > of a respected bank, it freaks me out even more.
    >
    > As a test, I ran a search string on the file system looking for various
    > combinations such as: "$1,1", "0.12", "1,1"
    >
    > Amazingly enough I came up with entire listings of transactions and account
    > data. The records included names, phone, numbers, credit cards, and the
    > like. No socials.. That I felt good about.
    >
    > Has anyone else had a scenario as serious as this? I am wondering if there
    > is a lesson someone here needs to learn! - Like maybe an associated press
    > lesson. If the newspaper were to find out that a bank was vulnerable - Wow,
    > they would eat that up, besides the problem I am sure would get fixed.
    >
    > Any thoughts?
    >
    > You can see the findings and the article at:
    >
    > http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_online.html
    >
    > Kelvin.
    >
    
    
    



    This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 08:33:42 PDT