Re: [WEB SECURITY] SSL does not = a secure website
- From: Eoin <eoinkeary@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] SSL does not = a secure website
- Date: Tue, 28 Mar 2006 16:05:29 +0100
Have you considered the wireless perspective, and the weakness in WEP?
Crack WEP, use Ethereal, sniff away.

On 28/03/06, Sebastien Deleersnyder <sebastien.deleersnyder@ascure.com> wrote:
>
> Hi Ryan,
>
> What about a Trojan installed key logger?
> These sniff all keys typed on the keyboard and then filter out interesting
> patterns, including credit card information and social security numbers that
> do follow strict patterns.
> The information is then sent to the attacker without the user knowing what
> is going on.
> I do not know the exact names of recent viruses or worms that do this, but
> I am certain there are some real-world examples.
> SSL itself will not be attacked; the weak end-points, the user system and
> the application on the web server, will be attacked.
>
> Regards,
>
> Sebastien
> OWASP Belgium Chapter Lead
>
> ________________________________________
> From: Ryan Barnett [mailto:rcbarnett@gmail.com]
> Sent: dinsdag 28 maart 2006 3:41
> To: Web Security; webappsec@securityfocus.com
> Subject: [WEB SECURITY] SSL does not = a secure website
>
> I need some feedback from the lists. Does anyone have any verifiable proof
> (news story, etc...) that documents where attackers successfully sniffed
> Credit Card data off of the Internet for an eCommerce site??? Every story
> that I have read about indicates that attackers mostly obtain this data by
> breaking into the back-end DB to steal the CC data rather than sniffing.
> Anyone with info to the contrary?
>
> While I believe that we would all agree that the use of SSL for eCommerce
> is a good idea, I am interested in the actual THREAT. It seems to me that
> the real threat to CC data is a vulnerable webapp/backend and not the use of
> SSL. The PCI Data Security Standard document
> (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf)
> lists this as Requirement 4 -
>
> Protect Cardholder Data
> Requirement 3: Protect stored data
> Requirement 4: Encrypt transmission of cardholder data and sensitive
> information across public networks
>
> So, when an eCommerce website boasts "We are a secure website" - keep in
> mind that they are referring to Requirement 4. Who knows what they are doing
> about Requirement 3...
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
--
Eoin Keary CISSP
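The "strict patterns" Sebastien mentions in the quoted message are what make a keystroke-filtering trojan practical: a card number is a run of 13 to 19 digits that passes the Luhn mod-10 check, so a sniffer can throw away almost every other number a user types. The scanner below is an added example written for this archive, not code from the thread or from any real keylogger; the keystroke buffer it runs over is constructed, and the card numbers in it are the usual published test numbers. The same filter is what a DLP or outbound-traffic monitor uses on the defensive side to spot a PAN leaving the network.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces or
# dashes, not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# US SSN shape: AAA-GG-SSSS.
SSN_CANDIDATE = re.compile(r'(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)')


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum used by payment cards."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid 13-19 digit numbers found in free text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    """Return SSN-shaped strings, dropping area/group/serial values that are never issued."""
    found = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if area in ('000', '666') or area.startswith('9') \
                or group == '00' or serial == '0000':
            continue
        found.append(m.group(0))
    return found


def scan(text: str) -> dict:
    """Run both filters over a buffer, e.g. a keystroke log or an outbound payload."""
    return {'pans': find_pans(text), 'ssns': find_ssns(text)}


# Constructed keystroke buffer for the example (not a real capture).
SAMPLE_KEYSTROKES = (
    "login: alice\tpassword: hunter2\n"
    "order #1234567890123456 shipped\n"        # 16 digits but fails Luhn: an order id
    "card: 4111 1111 1111 1111 exp 12/09\n"    # Visa test number, Luhn-valid
    "card: 5500-0000-0000-0004\n"              # Mastercard test number, Luhn-valid
    "typo: 4111 1111 1111 1112\n"              # one digit off, fails Luhn
    "ssn 078-05-1120 and 999-00-1234\n"        # second one is not an issuable SSN
)

if __name__ == '__main__':
    for kind, hits in scan(SAMPLE_KEYSTROKES).items():
        print(kind, hits)
```

Note that the Luhn check only rejects random digit strings; it is a checksum, not a secret, so anything that looks like a PAN and passes it should be treated as one by a monitoring rule, and the false-positive rate on arbitrary 16-digit numbers is roughly one in ten.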
Brought to you by http://www.webappsec.org