
| Subject: | Re: [WEB SECURITY] SSL does not = a secure website |
|---|---|
| Date: | Tue, 28 Mar 2006 08:32:53 -0600 |
What about man in the middle devices such as proxies? I have several
devices on my network that encrypt and decrypt SSL on the fly and can be
used to monitor what is sent to and from an ECommerce site.
The one device {BlueCoat} even has a specialized card for this so it
doesn't take from the central processor. We use it for forward proxy,
and also reverse proxy in front of our ECommerce site, so if I wanted to
I could read the actual packet payload in the clear without either end
knowing the data has been decrypted.
We also have several sniffers with cards in them to do the same thing,
after all, the sniffers and BlueCoat see the entire conversations so
they know what the encryption is.
"Ryan Barnett" <rcbarnett@gmail.com> 03/27 7:40 PM >>>

I need some feedback from the lists. Does anyone have any verifiable proof (news story, etc...) that documents where attackers successfully sniffed Credit Card data off of the Internet for an eCommerce site??? Every story that I have read about indicates that attackers mostly obtain this data by breaking into the back-end DB to steal the CC data rather than sniffing. Anyone with info to the contrary?

While I believe that we would all agree that the use of SSL for eCommerce is a good idea, I am interested in the actual THREAT. It seems to me that the real threat to CC data is a vulnerable webapp/backend and not the use of SSL.

The PCI Data Security Standard document (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf) lists this as Requirement 4 -

* Protect Cardholder Data *
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep in mind that they are referring to Requirement 4. Who knows what they are doing about Requirement 3...

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache