
Penetration Testing mailing list archives

Re: Disclosure of vulns and its legal aspects...
From: cwright () bdosyd com au
Date: 31 May 2007 09:27:38 -0000

Hello,
Nothing. You are legally covered if your money goes missing. The bank loses; they are the ones who make the write-off. 
They may bitch, but they are liable and have to pay. In many western countries your funds are covered by state 
guarantee. 

So basically, it is not your problem.

Westpac (a Bank) in Australia code the obscuration for their mouse clicks using JavaScript in the logon page. The fact 
that the captured java could be used in a Trojan was reported and they responded by restricting the access to the page 
source. Of course with WebScarab an attacker can still get this, likewise it does nothing to stop an attacker making a 
Trojan to exploit it. Same problem, perception fixed, security the same.

I still bank with them. If my account is compromised, they have to bear the loss. I do not care how much they lose; 
they can go bankrupt for all I care. If they do, the government has guaranteed my money. So as far as your example, you 
do nothing. They understand loss. If they lose too much – they react. Simple.

The cost of using 2 factor for the general population is too great and the general public are averse to it.

Regards,
Craig

In reply to <<
What about a situation when I find serious mistakes in the logic concept of the page (authorization process)? I found some 
in 2 EU financial institutions. One of them was my own bank. It was reported and fixed. If I hadn't reacted I might have been a 
victim of their mistake. There was no scanning or exploiting - only a scenario which obligated them to react. What about 
this situation?

Peter Brzyski
WCI
University of Szczecin
