Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: [WEB SECURITY] SSL does not = a secure website

RE: [WEB SECURITY] SSL does not = a secure website

From: Jeremy Bellwood <Jeremy.Bellwood_at_serengetilaw.com>
Date: Tue, 28 Mar 2006 18:19:20 -0800

I think ING Direct has done a pretty good job at evaluating the security concerns making it difficult for keyloggers.
 
The question used for "Step 2" changes each page refresh. They also have a dynamically generated 10-key pad used in "Step 3" where a user either types the letters instead of the numbers OR click on the numbers.
 
Since both "Step 2" and "Step 3" are dynamically generated with each page refresh I think it makes it significantly more difficult get all the information needed to impersonate a valid user.
 
-Jeremy

________________________________

From: michaelslists_at_gmail.com [mailto:michaelslists_at_gmail.com]
Sent: Tue 3/28/2006 5:54 PM
To: Mark Mcdonald
Cc: James Strassburg; Sebastien Deleersnyder; Web Security; webappsec_at_securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website

I hate this thing with a passion. I actually have to use it.

God help anyone that needs to use it in an office environment, anyone
walking past your "cube" could _easily_ see what password you are
typing in.

-- Michael

On 3/29/06, Mark Mcdonald <mmcdonald_at_staff.iinet.net.au> wrote:
> Westpac Bank in Australia has recently put an on-screen keyboard up.
> Check it out here:
>
> https://online.westpac.com.au/esis/Login/SrvPage
>
>
>
> -----Original Message-----
> From: James Strassburg [mailto:JStrassburg_at_directs.com]
> Sent: Wednesday, 29 March 2006 11:16 AM
> To: Sebastien Deleersnyder; Web Security; webappsec_at_securityfocus.com
> Subject: RE: [WEB SECURITY] SSL does not = a secure website
>
> There are additional countermeasures that a web application can
> implement. For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th character of
> your password). I should state that while I've read about these I don't
> know of a web application that makes use of them.
>
> James Strassburg
>
> ________________________________
>
> From: Ryan Barnett [mailto:rcbarnett_at_gmail.com]
> Sent: Tuesday, March 28, 2006 8:10 AM
> To: Sebastien Deleersnyder
> Cc: Web Security; webappsec_at_securityfocus.com
> Subject: Re: [WEB SECURITY] SSL does not = a secure website
>
>
>
> On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder_at_ascure.com>
> wrote:
>
> Their is nothing that a website can do to prevent keyloggers on the
> user's machine.
>
> Well, now that I think about it, that is not entirely true... Websites
> could front-end their web apps with applications such as Sygate (
> http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
> <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
> which can check the user's computer for some forms of malware (including
> keyloggers) and then place the user into a Java virtual machine to help
> protect user credentials.
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>
> -------------------------------------------------------------------------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!"
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with real-world
> examples of recent hacking methods such as: SQL Injection, Cross Site
> Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
> --------------------------------------------------------------------------
>
>

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 28 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos