Penetration Testing mailing list archives
Re: Internet Bank Vulnerable!
From: "Chris Trudeau" <chris () trudeau org>
Date: Fri, 6 Jul 2001 08:42:33 -0400
Kelvin, this looks very familiar to the "probing" you were doing. I guess the FBI and S1 didn't take kindly to the probe...very possibly a result of your disclosure.

http://www.securityfocus.com/templates/article.html?id=222

CT

----- Original Message -----
From: "Kelvin" <kelvin () sec33 com>
To: <pen-test () securityfocus com>
Sent: Saturday, June 23, 2001 9:25 PM
Subject: Internet Bank Vulnerable!

This is highly interesting. I have discovered several Internet Banks that are vulnerable to many standard IIS vulnerabilities. Many of the exploits are quite old.

Well for obvious reasons I notified the Bank and the vendor of the Internet Banking solution. I waited until today, which is 48 hours since the email and telephone notification and the Bank is still vulnerable. It amazes me every time something like this happens, it might not be so bad if it were cookies on a cooking website but it really is financial information on the website of a respected bank, it freaks me out even more.

As a test, I ran a search string on the file system looking for various combinations such as: "$1,1", "0.12", "1,1"

Amazingly enough I came up with entire listings of transactions and account data. The records included names, phone, numbers, credit cards, and the like. No socials.. That I felt good about.

Has anyone else had a scenario as serious as this? I am wondering if there is a lesson someone here needs to learn! - Like maybe an associated press lesson. If the newspaper were to find out that a bank was vulnerable - Wow, they would eat that up, besides the problem I am sure would get fixed.

Any thoughts?

You can see the findings and the article at:
http://www.sec33.com/archives/2001/internet_baking/banking_does_it_belong_online.html

Kelvin.
