Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Thu, 7 Sep 2000 19:41:59 +0100

I agree, but still think, considering all the bad press e-security has
had recently, that it's small compared to non-IT related theft, like CC
fraud.  But I do respect and agree, 'whodunnit' is a big problem....

Dom
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Meredith S
Sent: 01 September 2000 09:53
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING


        I would consider it a breach of security as well, considering you can
specify *not* to cache by setting a value it the page's header. in .asp this
is as trivial as adding <% Response.Expires = 0 %> to the beginning of this
page (i wouldn't know how to do it with anything else, as i'm not a web
developer).
        The resturant analogy isn't entirely accurate. If you go to a resturant and
hand the waitress your credit card, and she reappears wearing a mink or
never reappears at all, then you have some idea what happens. If a page is
recovered from cache in a publicly accessible environment, then there is no
way of backtracking. Or even telling where the page was recovered from
(there could be a proxy server somewhere on the network).




[snip]
Stuff like (encrypted) pages being stored in the cache, and so available
to any/all users of the same computer are often considered by the press
to be breaches in security, but fundamentally you must look at the
comparitive risk - do you use your credit card in resturants?
[snip]


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault