Date:
02 September 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
This very serious hacking incident provides insight into a lot
of the failures information security in general and web application
security particularly beyond the simple fact that the web site of the
largest state owned bank in India was invisibly defaced with Trojan
inflicting code.
Firstly, the entire discussion in the references is about the
Trojan payload, with no word about the vulnerability that led to the
defacement. Actually a reviewer on the SiteAdvisor report gives the
green mark to the web site after the Trojan is removed, without
requiring any information about the actual problem.
Secondly, most trust systems, including SiteAdvisor,
completely fail to detect the breach. Which makes me think about those
trust models: they check that the site was not breached, while they
should check that the site is not vulnerable. I guess the reason is
that their primary goal is to detect intentionally malicious sites and
not breaches is normative sites, but others use them to assess the
level of security of the later.
References:
