WebApp Sec: RE: [WEB SECURITY] SSL does not = a secure website

From: Lyal Collins <lyal.collins_at_key2it.com.au>
Date: Wed, 29 Mar 2006 19:54:52 +1100

See http://www.dotsec.com/onBank.html for an old flaw that directly affects
this.

Lyal

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj_at_greebo.net]
Sent: Wednesday, 29 March 2006 1:14 PM
To: Mark Mcdonald
Cc: James Strassburg; Sebastien Deleersnyder; Web Security;
webappsec_at_securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website

If you look carefully at how it's implemented, it cannot help if a
Trojan is onboard gathering the requisite login information, such as
a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123",
the value submitted to the website is the same every time. This
virtual keyboard implementation is not robust against anything but
keylogging trojans. Therefore it's security theatre. As a Westpac
customer, I find this frustrating as I have to use this "feature" in
public places frequently, and I'm more concerned about shoulder
surfing in those places.

An example Trojan which is close to breaking the new virtual keyboard:
http://www.symantec.com/avcenter/venc/data/pwsteal.bancos.q.html

These virtual keyboards violate accessibility requirements (which are
required to be accessible by law here), and do not fix the primary
issue - phishing.

There's little value in getting into any particular user's Internet
Banking session. The value to the phisher is to conduct transactions,
particularly to move funds out of the country. The only way to reduce
the risk of that today is transaction signing. There are many
different ways of doing this. As a Westpac customer, I'd prefer it if
they didn't spend good money on useless toys, but on real ways to
reduce fraud and risk to me.

Andrew

On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:

> Westpac Bank in Australia has recently put an on-screen keyboard up.
> Check it out here:
>
> https://online.westpac.com.au/esis/Login/SrvPage
>

Received on Mar 29 2006
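
Added example, not part of the original thread or any bank's code: the contrast drawn in the quoted message between a login value that is identical on every submission and a transaction code bound to the payee, amount and a one-time challenge. The HMAC construction, the `Bank` class, the account strings and a separate signing device holding `device_key` are assumptions chosen for illustration; the thread does not name a scheme.

```python
import hashlib
import hmac
import json
import secrets

def login_value(typed: str) -> str:
    # Keyboard or on-screen clicks, the browser posts the same string each time.
    return typed

def sign_transaction(device_key: bytes, payee: str, amount_cents: int, challenge: str) -> str:
    # Assumed to run on a separate signing device, outside the browser.
    # JSON list encoding keeps the field boundaries unambiguous.
    message = json.dumps([payee, amount_cents, challenge]).encode()
    return hmac.new(device_key, message, hashlib.sha256).hexdigest()

class Bank:
    """Hypothetical server side: issues one-time challenges, checks codes."""
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(8)
        self._pending.add(challenge)
        return challenge

    def accept(self, payee: str, amount_cents: int, challenge: str, code: str) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already used challenge (replay)
        self._pending.discard(challenge)  # one attempt per challenge
        expected = sign_transaction(self._key, payee, amount_cents, challenge)
        return hmac.compare_digest(expected, code)

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    bank = Bank(key)
    mine, other = "032-000 123456", "999-999 000000"  # constructed accounts
    c1 = bank.new_challenge()
    code1 = sign_transaction(key, mine, 5000, c1)
    tampered = bank.accept(other, 5000, c1, code1)  # payee changed in transit
    c2 = bank.new_challenge()
    code2 = sign_transaction(key, mine, 5000, c2)
    genuine = bank.accept(mine, 5000, c2, code2)
    replayed = bank.accept(mine, 5000, c2, code2)  # same code sent again
    return {"static_repeats": login_value("xyz123") == login_value("xyz123"),
            "tampered": tampered, "genuine": genuine, "replayed": replayed}

if __name__ == "__main__":
    print(demo())
```

The code only verifies for the exact payee and amount the customer signed, so a value captured in the browser cannot authorise a different transfer.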
