Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... last request
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 1 Nov 2000 12:15:46 -0500

Jim Miller wrote:

The client side security is less than adequate, and the bank intends to
protect itself using legal stipulations in signed client contracts.  But
this obvious step will be pointless if the system we deploy to the customer
is easily hacked.  For the customer, physical security is a recommended control,
and necessary to prevent the obvious hack, theft of the hardware.

But if the certificate itself is easily removed from the client and can be
transported and installed on another PC, the client is even more easily hacked.
It would not do the bank any good to deploy the system to any customer if the
certificate is readily accessible by any employee with a fair technical knowledge.

This begs [the last and final] question:  can the certificate be exported to
another PC without re-issuance by the bank?  Where does the certificate reside
on the client?  How easily is it hacked, copied, transported, and / or re-installed?

And in one of your earlier posts you said:

Physical security of the client is a recognised issue.  The client can be
compromised any number of ways if accessible.  Again, not the issue under
consideration here.

I think your new question is even more pertinent than your old question.
If the computers are on the Internet, they're "accessible" to 300,000,000
people while if they're not physically secure, they're "accessible" to
whomever can physically visit the room. Granted the physical accessibility
guarantees complete vulnerability but because of the large number of people
able to access the machine remotely, their relative anonymity, and the
speed of access and compromise, this type of access needs to be considered
a top issue along with physical access.

If the client PC is compromised with something like a remote control
trojan, the certificate won't have to be moved. The intruder will simply
perform their actions through the compromised client. Your host system
will see a valid account login from a valid IP address.


Will these client computers be used for anything else? Will they be used
for general email or web access where something harmful may be inadvertently
loaded either through a mistake (clicking the wrong attachment or downloading
a cute screen saver) or through a bug (for example by any one of several
Outlook/IE bugs that enable specially formatted email to compromise a machine).
Will the machines be used by people who may desire other
shared folders, personal web servers, Internet radio, instant messaging,
peer file sharing servers (Napster, Scour, etc.), or online gaming with the
possible associated risk?

In other words, will this resemble a typical home computer where the family's
teenager downloads the latest, untested software and configuration one
minute and one of the parents uses the computer to perform online banking
the next?

P.S. I'd be interested in hearing the details regarding:

  "The client side security is less than adequate, and the bank intends to
   protect itself using legal stipulations in signed client contracts."

In particular, I'd be interested in how the customer is protected and to
what extent they're made aware of the risks and liabilities.

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]