>From suter  Sun Sep 23 12:24:09 2001
Return-Path: <owner-general at lists.humbug.org.au>
Received: from diadora.client.uq.net.au (IDENT:root at diadora-2 [10.0.1.2])
	by zwitterion.humbug.org.au (8.12.0/8.12.0/Debian -2) with ESMTP id f8N2O8Mc006795
	for <suter at zwitterion.humbug.org.au>; Sun, 23 Sep 2001 12:24:09 +1000
Received: from caliburn.humbug.org.au (caliburn.humbug.org.au [203.15.51.6])
        by diadora.client.uq.net.au (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19) with ESMTP id f8N2O8r9003212
        for <suter at zwitterion.humbug.org.au>; Sun, 23 Sep 2001 12:24:08 +1000
Received: from mdlishum by caliburn.humbug.org.au with local (Exim 3.03 #1)
	id 15kyXu-000IWX-00
	for general-outgoing at lists.humbug.org.au; Sun, 23 Sep 2001 11:59:02 +1000
Received: from smtp012.mail.yahoo.com ([216.136.173.32])
	by caliburn.humbug.org.au with smtp (Exim 3.03 #1)
	id 15kyXp-000IWS-00
	for general at lists.humbug.org.au; Sun, 23 Sep 2001 11:58:57 +1000
Received: from 164.brs0203.brs.iprimus.net.au (HELO matthewlaptop.yahoo.co.uk) (203.134.41.164)
  by smtp.mail.vip.sc5.yahoo.com with SMTP; 23 Sep 2001 01:54:23 -0000
X-Apparently-From: <bmatthewtaylor at yahoo.co.uk>
Message-Id: <5.0.2.1.0.20010923105111.02e20090 at pop.mail.yahoo.co.uk>
X-Sender: bmatthewtaylor at pop.mail.yahoo.co.uk
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Sun, 23 Sep 2001 12:01:41 +1000
To: general at lists.humbug.org.au
From: "bmatthewtaylor at yahoo.co.uk" <bmatthewtaylor at yahoo.co.uk>
Subject: [H-GEN] Internet Banking - hidden url's > potential security breaches.
In-Reply-To: <5.0.2.1.0.20010922100535.024e78b0 at pop.mail.yahoo.co.uk>
References: <20010919065828.546D1106F9D at ripper>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-general at lists.humbug.org.au
Precedence: bulk
Reply-To: general at lists.humbug.org.au
X-Loop: general at lists.humbug.org.au
List-Help: <mailto:majordomo at lists.humbug.org.au?subject=help>
List-Post: <mailto:general at lists.humbug.org.au>
List-Subscribe: <mailto: general-request at lists.humbug.org.au?subject=subscribe>
List-Id: semi-serious discussions about Humbug and Unix-related topics <general at lists.humbug.org.au>
List-Unsubscribe: <mailto: general-request at lists.humbug.org.au?subject=unsubscribe>
List-Archive: <http://archive.humbug.org.au/humbug-general/>
Status: RO
Content-Length: 4264
Lines: 95

[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

Ah well, good to hear some banks are being sensible.
Two issues to follow through on:
1. potential security breaches
2. what OS is that internet bank running, and security/uptime reliability?

1. potential security breaches

Extending this topic, my Suncorp netbanking has shown a disturbing trend 
that I have noticed with other internet sites > hiding URLs by using 
javascript popup windows, i.e.:

javascript:OpenWindowFullScreen('page_name.ext','label');

I suspect they do this to maximize the screen area, but it hides the URL 
and unless users have set their browser preferences appropriately most 
users will not be able to confirm they are on https or http.
I have noticed a number of other banks doing similar things, though ANZ, 
St George and Colonial First State stick with displaying the URL and padlock 
icons.

So what I'm wondering is, would this result in a potential for security 
exploitation?

i.e.: say a small ISP, internet cafe etc. has a 'modified' DNS table, 
redirecting calls to www.mybank.com to their own server, running a clone 
of the real bank's homepage.
The user goes to the logon screen (which is a 
javascript:OpenWindowFullScreen(blah), thus hiding the URL) and is taken to 
some fake site made up by the hackers (say www.mypiratebank.com); this 
could even have an authenticated https certificate that does not flag any 
warnings in the client's browser. The pirate site then collects user names / 
passwords, maybe even does some screen stripping on www.mybank.com to 
verify the password, and then redirects the client to the real banking 
site (or just gives the user a message 'service temporarily unavailable, 
please call 1800-fake-number').

I don't know enough about DNS servers to know if this type of breach could be 
achieved via the weakness pointed out for www.anz.com on this list last week.

Hrm... I'm pretty sure I'm not being paranoid [1], but also pretty sure my 
bank will put the spin doctors onto denying any security risk before they 
actually address the technical issue.


2. what OS is that internet bank running, and security/uptime reliability?

Looking at netcraft.com > 'what's that site running', I noticed:

  www.suncorpmetway.com is running Microsoft-IIS/4.0 on NetBSD/OpenBSD. ??[2]
  www.anz.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98.
  www.westpac.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98.
  www.colonialfirststate.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98.
  www.commbank.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98.

Hrm... I was starting to wonder if these bank sites might be misreported or 
'freaking' responses to hide the real OS/webserver being operated, so I had 
a look at good old faithful:
  www.uq.edu.au is running Apache/1.3.14 (Unix) PHP/4.0.4pl1 PHP/3.0.18 
  mod_perl/1.24_01 mod_ssl/2.7.1 OpenSSL/0.9.6 on Solaris 8.

I noticed a newspaper report a while ago of substantial differences in 
service uptime between major Australian banks; can't remember the URL or 
results (most were >98% uptime with 2 < 95%, pretty poor really).

I'm wondering why the banks have (mostly) gone for a non-*nix solution? I'm 
no security expert but am cautioned by the recurring hacks into IIS sites 
exploiting vulnerabilities that seem to be much more frequent than those on 
Solaris/*nix systems.

I've not been following securityfocus.com closely; is anyone able to compare 
the number of security breaches on *nix to NT/IIS? [a wide open question 
if there ever was one]

Matthew.

[1]: not trusting the default click-through interface, I use the https URL 
as my starting point.
[2]: running IIS on BSD? What gives? Why would anyone bother, or is this 
being misreported? I wonder what hardware these systems are running; are they 
using clusters?




--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
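An added illustration, not part of the original post or any bank's code, of the mitigation the post points at: when a page is opened with a full-screen popup that hides the address bar, the page can at least describe its own origin and transport to the user. The helper below inspects a Location-like object, reports whether the connection is HTTPS and whether the host is the expected one, and writes that verdict into the page. `EXPECTED_HOST`, the `describeOrigin`/`renderOriginBanner` names and the sample locations are all assumptions constructed for the example; `www.mybank.com` and `www.mypiratebank.com` are the hypothetical hosts from the post.

```javascript
// Added example, not code from the original post or from any bank's site.
// EXPECTED_HOST is a placeholder the page owner would set to their own host.
const EXPECTED_HOST = "www.mybank.com";

// Inspect a Location-like object ({protocol, hostname}) and report whether
// the transport is HTTPS and whether the host is the one expected.
function describeOrigin(loc, expectedHost) {
  const protocol = String(loc.protocol || "").toLowerCase();
  const hostname = String(loc.hostname || "").toLowerCase();
  const wanted = String(expectedHost || "").toLowerCase();
  const isHttps = protocol === "https:";
  const hostMatches = hostname !== "" && hostname === wanted;
  let message;
  if (isHttps && hostMatches) {
    message = "Secure (HTTPS) connection to " + hostname;
  } else if (!isHttps) {
    message = "WARNING: not an HTTPS connection (" + protocol + "//" + hostname + ")";
  } else {
    message = "WARNING: HTTPS, but host is " + hostname + ", expected " + wanted;
  }
  return { isHttps, hostMatches, ok: isHttps && hostMatches, message };
}

// Write the verdict into the page so it is visible without the address bar.
// Only touches the DOM where one exists; returns the banner text either way.
function renderOriginBanner(doc, loc, expectedHost) {
  const result = describeOrigin(loc, expectedHost);
  if (doc && typeof doc.createElement === "function") {
    const banner = doc.createElement("div");
    banner.textContent = result.message; // textContent, not innerHTML: no markup injected
    banner.style.background = result.ok ? "#dfd" : "#fdd";
    if (doc.body) doc.body.insertBefore(banner, doc.body.firstChild);
  }
  return result.message;
}

// Constructed sample locations standing in for window.location.
const SAMPLES = [
  { protocol: "https:", hostname: "www.mybank.com" },       // the real bank over TLS
  { protocol: "http:", hostname: "www.mybank.com" },        // right host, no TLS
  { protocol: "https:", hostname: "www.mypiratebank.com" }  // valid cert, wrong host
];

if (typeof window !== "undefined" && typeof document !== "undefined") {
  // In a browser: describe the page we are actually running on.
  renderOriginBanner(document, window.location, EXPECTED_HOST);
} else {
  // Outside a browser: show the verdict for each constructed sample.
  for (const loc of SAMPLES) {
    console.log(describeOrigin(loc, EXPECTED_HOST).message);
  }
}
```

The banner only describes the page that draws it, so it lets a user on the genuine site confirm they reached it over HTTPS and at the expected host; a cloned site served after a DNS redirect can paint the same text, which is why the post's footnote [1] (starting from a bookmarked https URL) and a visible address bar with a padlock remain the stronger checks.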
