[WEB SECURITY] SSL does not = a secure website

Eoin eoinkeary at gmail.com
Tue Mar 28 10:05:29 EST 2006


Have you considered the wireless perspective, and the weakness in WEP?
Crack WEP, use Ethereal, sniff away.


On 28/03/06, Sebastien Deleersnyder <sebastien.deleersnyder at ascure.com>
wrote:
>
> Hi Ryan,
>
> What about a Trojan-installed keylogger?
> These sniff all keys typed on the keyboard and then filter out interesting
> patterns, including credit card information and social security numbers that
> do follow strict patterns.
> The information is then sent to the attacker without the user knowing what
> is going on.
> I do not know the exact names of recent viruses or worms that do this, but
> I am certain there are some real-world examples.
> SSL itself will not be attacked; the weak end-points, the user system and
> the application on the web server, will be.
>
> Regards,
>
> Sebastien
> OWASP Belgium Chapter Lead
>
> ________________________________________
> From: Ryan Barnett [mailto:rcbarnett at gmail.com]
> Sent: Tuesday 28 March 2006 3:41
> To: Web Security; webappsec at securityfocus.com
> Subject: [WEB SECURITY] SSL does not = a secure website
>
> I need some feedback from the lists. Does anyone have any verifiable proof
> (news story, etc.) that documents where attackers successfully sniffed
> Credit Card data off of the Internet for an eCommerce site? Every story
> that I have read about indicates that attackers mostly obtain this data by
> breaking into the back-end DB to steal the CC data rather than sniffing.
> Anyone with info to the contrary?
>
> While I believe that we would all agree that the use of SSL for eCommerce
> is a good idea, I am interested in the actual THREAT. It seems to me that
> the real threat to CC data is a vulnerable webapp/backend and not the use of
> SSL. The PCI Data Security Standard document
> (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf)
> lists this as Requirement 4, under "Protect Cardholder Data":
> Requirement 3: Protect stored data
> Requirement 4: Encrypt transmission of cardholder data and sensitive
> information across public networks
> So, when an eCommerce website boasts "We are a secure website", keep in
> mind that they are referring to Requirement 4. Who knows what they are doing
> about Requirement 3...
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache


--
Eoin Keary cissp
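Added example, not part of the thread above and not code from any of its
authors: Sebastien's point is that card numbers and SSNs "follow strict
patterns", which is exactly why a keylogger can pick them out of a keystroke
buffer without understanding the application. The same filter logic is what a
defender runs over egress traffic or log output. The snippet below scans a
constructed keystroke buffer (the card number is the published Visa test PAN
4111 1111 1111 1111; the SSN-shaped value is made up), accepts only candidates
that pass the Luhn checksum or basic SSA issuance rules, and shows how a
defender would mask a PAN before writing it anywhere, per Requirement 3.

```python
import re
from typing import List, Tuple

# Constructed sample keystroke buffer for this example (not captured data).
# <TAB>/<ENTER> stand in for the key events a logger would record. The card
# number is the widely published Visa test PAN 4111 1111 1111 1111 and the
# SSN-shaped value 123-45-6789 is made up; neither belongs to anyone.
SAMPLE_BUFFER = (
    "user@example.com<TAB>hunter2<ENTER>"
    "4111 1111 1111 1111<TAB>12/09<TAB>123<ENTER>"
    "1234567890123456<ENTER>"   # 16 digits, but fails the Luhn check
    "123-45-6789<ENTER>"
)

# Candidate PAN: 13-19 digits, optionally separated by single spaces/hyphens,
# not glued to other digits on either side.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN shape: AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum
    that the major card brands' PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues: area 000, 666 or
    900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Scan a text buffer and return (kind, value) pairs for card numbers
    (normalised, separators removed) and plausible SSNs, in buffer order."""
    hits: List[Tuple[int, str, str]] = []
    for m in CARD_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group())
        if 13 <= len(pan) <= 19 and luhn_ok(pan):
            hits.append((m.start(), "PAN", pan))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append((m.start(), "SSN", m.group()))
    hits.sort()
    return [(kind, value) for _, kind, value in hits]


def mask_pan(pan: str) -> str:
    """Render a PAN the way PCI DSS Requirement 3 allows it to be displayed:
    at most the first six and last four digits in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE_BUFFER):
        shown = mask_pan(value) if kind == "PAN" else "***-**-" + value[-4:]
        print(kind, shown)
```

Note what the buffer shows: the password, the expiry date and the CVV never
trip the filter, the 16-digit order-number-looking run is discarded by Luhn,
and only the real PAN and the SSN come out. None of this is affected by
whether the site used SSL, which is the thread's point.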