Kelvin,
this looks very familiar to the "probing" you were doing. I guess the FBI
and S1 didn't take kindly to the probe...very possibly a result of your
disclosure.
http://www.securityfocus.com/templates/article.html?id=222
CT
----- Original Message -----
From: "Kelvin" <kelvin_at_sec33.com>
To: <pen-test_at_securityfocus.com>
Sent: Saturday, June 23, 2001 9:25 PM
Subject: Internet Bank Vulnerable!
> This is highly interesting.
>
> I have discovered several Internet Banks that are vulnerable to many
> standard IIS vulnerabilities. Many of the exploits are quite old. Well for
> obvious reasons I notified the Bank and the vendor of the Internet Banking
> solution. I waited until today, which is 48 hours since the email and
> telephone notification and the Bank is still vulnerable. It amazes me every
> time something like this happens, it might not be so bad if it were cookies
> on a cooking website but it really is financial information on the website
> of a respected bank, it freaks me out even more.
>
> As a test, I ran a search string on the file system looking for various
> combinations such as: "$1,1", "0.12", "1,1"
>
> Amazingly enough I came up with entire listings of transactions and account
> data. The records included names, phone, numbers, credit cards, and the
> like. No socials.. That I felt good about.
>
> Has anyone else had a scenario as serious as this? I am wondering if there
> is a lesson someone here needs to learn! - Like maybe an associated press
> lesson. If the newspaper were to find out that a bank was vulnerable - Wow,
> they would eat that up, besides the problem I am sure would get fixed.
>
> Any thoughts?
>
> You can see the findings and the article at:
>
> http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_online.html
>
> Kelvin.
>
--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Jul 06 2001