Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [WEB SECURITY] SSL does not = a secure website

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: [WEB SECURITY] SSL does not = a secure website
Date: Wed, 29 Mar 2006 19:54:52 +1100 
See http://www.dotsec.com/onBank.html for an old flaw that directly affects
this.

Lyal


-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj@greebo.net] 
Sent: Wednesday, 29 March 2006 1:14 PM
To: Mark Mcdonald
Cc: James Strassburg; Sebastien Deleersnyder; Web Security;
webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website


If you look carefully about how it's implemented, it cannot help if a  
Trojan is onboard gathering the requisite login information, such as  
a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123",  
the value submitted to the website is the same every time. This  
virtual keyboard implementation is not robust against anything but  
keylogging trojans. Therefore it's security theatre. As a Westpac  
customer, I find this frustrating as I have to use this "feature" in  
public places frequently, and I'm more concerned about shoulder  
surfing in those places.

An example Trojan which is close to breaking the new virtual keyboard:
http://www.symantec.com/avcenter/venc/data/pwsteal.bancos.q.html

These virtual keyboards violate accessibility requirements (which are  
required to be accessible by law here), and do not fix the primary  
issue - phishing.

There's little value in getting into any particular user's Internet  
Banking session. The value to the phisher is to conduct transactions,  
particularly to move funds out of the country. The only way to reduce  
the risk of that today is transaction signing. There are many  
different ways of doing this. As a Westpac customer, I'd prefer it  
they didn't spend good money on useless toys, but on real ways to  
reduce fraud and risk to me.

Andrew

On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:


Westpac Bank in Australia has recently put an on-screen keyboard up. 
Check it out here:

https://online.westpac.com.au/esis/Login/SrvPage




-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [WEB SECURITY] SSL does not = a secure website, PPowenski
Next by Date:  Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Stephen de Vries
Previous by Thread:  Re: [WEB SECURITY] SSL does not = a secure website, Andrew van der Stock
Next by Thread:  Re: [WEB SECURITY] SSL does not = a secure website, Ryan Barnett
Indexes:  [Date] [Thread] [Top] [All Lists]