
RE: [WEB SECURITY] SSL does not = a secure website

Subject: RE: [WEB SECURITY] SSL does not = a secure website
Date: Tue, 28 Mar 2006 10:27:53 +0200
Hi Ryan,

What about a Trojan-installed key logger? These sniff all keys typed on the
keyboard and then filter out interesting patterns, including credit card
information and social security numbers, which do follow strict patterns. The
information is then sent to the attacker without the user knowing what is going
on. I do not know the exact names of recent viruses or worms that do this, but I
am certain there are some real-world examples.

SSL itself will not be attacked; the weak end-points, the user system and the
application on the web server, will be attacked.

Regards,

Sebastien
OWASP Belgium Chapter Lead

________________________________________
From: Ryan Barnett [mailto:rcbarnett@gmail.com] 
Sent: dinsdag 28 maart 2006 3:41
To: Web Security; webappsec@securityfocus.com
Subject: [WEB SECURITY] SSL does not = a secure website

I need some feedback from the lists.  Does anyone have any verifiable proof (news
story, etc...) that documents where attackers successfully sniffed Credit Card
data off of the Internet for an eCommerce site?  Every story that I have read
about indicates that attackers mostly obtain this data by breaking into the
back-end DB to steal the CC data rather than sniffing.  Anyone with info to the
contrary?
 
While I believe that we would all agree that the use of SSL for eCommerce is a
good idea, I am interested in the actual THREAT.  It seems to me that the real
threat to CC data is a vulnerable webapp/backend and not the use of SSL.  The
PCI Data Security Standard document
(http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf)
lists this as Requirement 4:

Protect Cardholder Data
  Requirement 3: Protect stored data
  Requirement 4: Encrypt transmission of cardholder data and sensitive
                 information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep in mind
that they are referring to Requirement 4.  Who knows what they are doing about
Requirement 3...

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache 
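The distinction the thread draws between PCI Requirement 4 (encrypt in transit) and Requirement 3 (protect stored data) is easy to show in code. The following is an added illustration, not code from either poster: a checkout back end that stores the full PAN in its order table (what TLS does nothing to protect), the same back end storing only a vault token plus last four digits, and a scanner that walks the order store looking for Luhn-valid card-number patterns. The scanner is the defender's counterpart of the "strict patterns" remark above: it is how a merchant checks its own data stores for cardholder data that should not be there. All names (`store_order_plaintext`, `store_order_tokenized`, `scan_db`, the in-memory `VAULT`) and the test PAN are constructed for this example.

```python
import re
import secrets
import string

# Constructed sample: a widely published Visa *test* number, not a real account.
TEST_PAN = "4111111111111111"

# Hypothetical tokenization vault: in a real deployment this is a separate,
# tightly controlled system, not a dict inside the web application.
VAULT = {}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, the 'strict pattern' that card numbers follow."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number-shaped strings found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def store_order_plaintext(db: list, pan: str, amount_cents: int) -> dict:
    """The Requirement-3 failure: full PAN lands in the order table.
    TLS on the checkout page does not change what is written here."""
    rec = {"amount": amount_cents, "pan": pan}
    db.append(rec)
    return rec


def tokenize(pan: str) -> str:
    """Swap the PAN for an opaque token; only the vault can map it back.
    Letters only, so a token can never look like a card number to a scanner."""
    token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
    VAULT[token] = pan
    return token


def store_order_tokenized(db: list, pan: str, amount_cents: int) -> dict:
    """Requirement 3 respected: the order table holds a token and last four."""
    rec = {"amount": amount_cents, "card_token": tokenize(pan), "last4": pan[-4:]}
    db.append(rec)
    return rec


def scan_db(db: list) -> list:
    """Cardholder-data discovery over the stored records: any PAN found here
    is data an attacker who reaches the database gets in the clear."""
    findings = []
    for rec in db:
        findings.extend(find_pans(" ".join(str(v) for v in rec.values())))
    return findings


if __name__ == "__main__":
    leaky, clean = [], []
    store_order_plaintext(leaky, TEST_PAN, 4999)
    store_order_tokenized(clean, TEST_PAN, 4999)
    print("plaintext store:", scan_db(leaky))   # the PAN is recoverable
    print("tokenized store:", scan_db(clean))   # nothing card-shaped remains
```

Running the two stores through the same scanner makes the point of the thread concrete: the wire was encrypted in both cases, yet only the second order table survives a database compromise without exposing card numbers. The scanner is deliberately tolerant of spaces and hyphens, since that is how PANs tend to appear in logs and free-text fields, and the Luhn filter keeps ordinary 16-digit identifiers from producing noise.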
