[WEB SECURITY] SSL does not = a secure website

Sebastien Deleersnyder sebastien.deleersnyder at ascure.com
Tue Mar 28 03:27:53 EST 2006


Hi Ryan,

What about a Trojan installed key logger? 
These sniff all keys typed on the keyboard and then filter out interesting patterns, including credit card information and social security numbers that do follow strict patterns. 
The information is then sent to the attacker without the user knowing what is going on. 
I do not know the exact names of recent viruses or worms that do this, but I am certain there are some real-world examples.
SSL itself will not be attacked, the weak end-points, the user system and the application on the web server, will be attacked.

Regards,

Sebastien
OWASP Belgium Chapter Lead

________________________________________
From: Ryan Barnett [mailto:rcbarnett at gmail.com] 
Sent: dinsdag 28 maart 2006 3:41
To: Web Security; webappsec at securityfocus.com
Subject: [WEB SECURITY] SSL does not = a secure website

I need some feedback from the lists.  Does any have any verifiable proof (new story, etc...) that documents where attackers successfully sniffed Credit Card data off of the Internet for an eCommerce site???  Every story that I have read about indicates that attackers mostly obtain this data by breaking into the back-end DB to steal the CC data rather than sniffing.  Anyone with info to the contrary? 
 
While I believe that we would all agree that the use of SSL for eCommerce is a good idea, I am interested in the actual THREAT.  It seems to me that the real threat to CC data is a vulnerable webapp/backend and not the use of SSL.  The PCI Data Security Standard document ( http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf ) lists this as Requirement 4 -
Protect Cardholder Data
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
So, when an eCommerce website boasts "We are a secure website" - keep in mind that they are referring to Requirement 4.  Who knows what they are doing about Requirement 3... 

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache 
---- eMail Disclaimer ----
This message may be confidential. It is also solely for the use of the individual or group to whom it is addressed. If you have received it 
by mistake, please let us know by e-mail reply. Ascure is not liable for any direct or indirect damage arising from errors, inaccuracies or 
any loss in the message, from unauthorized use, disclosure, copying or alteration of it.
For the complete version or other languages of this disclaimer see http://www.ascure.com/disclaimer.html

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list