[WEB SECURITY] Online Bank Hacked...

Irene Abezgauz irene.abezgauz at gmail.com
Tue Aug 30 14:19:55 EDT 2005


Ofer, 

I think the answer to the dilemma lies in the separation of the problem
into two orthogonal issues: 

	The first - the problem. As a result of some action, be it
phishing or some other type of social eng. scam - information residing
behind a web application was compromised via the application. Hence, the
way I see it, it's an application security incident even though the weak
link here was the human factor and not the app itself.

	The second - the solution. The solution lies in public
awareness, which at first does not seem like a web application issue, but
it is _web security_ awareness, making it application related.

I am however not sure at all this was a social engineering issue. It
seems like leverage of multiple vulnerabilities in online banking
application(s).

Just my 2cp 

Irene


Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com
 

-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf at breach.com] 
Sent: Tuesday, August 30, 2005 11:01 AM
To: ofer at hacktics.com; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Online Bank Hacked...


Since I currently maintain the list of application security incidents on
the WASC site, this story brings up a major dilemma I often encounter.

I assume that the referenced story talks about some kind of social
engineering scam. It might be phishing, or something not technical at
all.

So, while an avid reminder of the dangers of publicly accessible
applications, is such a story a web application security issue? Maybe a
security issue, but not application related?

To be more practical: does it promote our goal of educating the masses
that web app sec is a big problem? Should I include it on the list?

~ Ofer 

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers at breach.com
http://www.breach.com

________________________________________
From: Ofer Maor [mailto:ofer.hacktics at gmail.com] 
Sent: Friday, August 26, 2005 12:58 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Online Bank Hacked...

Brazil police arrested 85 people for online hacking... Interesting.
 
http://today.reuters.com/news/newsArticle.aspx?type=internetNews&storyID=2005-08-25T203543Z_01_MCC574075_RTRIDST_0_NET-CRIME-BRAZIL-HACKERS-DC.XML
 
 
---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com
 
 

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
