>From suter Sun Sep 23 12:24:09 2001
Return-Path: <owner-general at lists.humbug.org.au>
Received: from diadora.client.uq.net.au (IDENT:root at diadora-2 [10.0.1.2])
by zwitterion.humbug.org.au (8.12.0/8.12.0/Debian -2) with ESMTP id f8N2O8Mc006795
for <suter at zwitterion.humbug.org.au>; Sun, 23 Sep 2001 12:24:09 +1000
Received: from caliburn.humbug.org.au (caliburn.humbug.org.au [203.15.51.6])
by diadora.client.uq.net.au (8.12.0.Beta19/8.12.0.Beta19/Debian 8.12.0.Beta19) with ESMTP id f8N2O8r9003212
for <suter at zwitterion.humbug.org.au>; Sun, 23 Sep 2001 12:24:08 +1000
Received: from mdlishum by caliburn.humbug.org.au with local (Exim 3.03 #1)
id 15kyXu-000IWX-00
for general-outgoing at lists.humbug.org.au; Sun, 23 Sep 2001 11:59:02 +1000
Received: from smtp012.mail.yahoo.com ([216.136.173.32])
by caliburn.humbug.org.au with smtp (Exim 3.03 #1)
id 15kyXp-000IWS-00
for general at lists.humbug.org.au; Sun, 23 Sep 2001 11:58:57 +1000
Received: from 164.brs0203.brs.iprimus.net.au (HELO matthewlaptop.yahoo.co.uk) (203.134.41.164)
by smtp.mail.vip.sc5.yahoo.com with SMTP; 23 Sep 2001 01:54:23 -0000
X-Apparently-From: <bmatthewtaylor at yahoo.co.uk>
Message-Id: <5.0.2.1.0.20010923105111.02e20090 at pop.mail.yahoo.co.uk>
X-Sender: bmatthewtaylor at pop.mail.yahoo.co.uk
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Sun, 23 Sep 2001 12:01:41 +1000
To: general at lists.humbug.org.au
From: "bmatthewtaylor at yahoo.co.uk" <bmatthewtaylor at yahoo.co.uk>
Subject: [H-GEN] Internet Banking - hidden url's > potential security breaches.
In-Reply-To: <5.0.2.1.0.20010922100535.024e78b0 at pop.mail.yahoo.co.uk>
References: <20010919065828.546D1106F9D at ripper>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-general at lists.humbug.org.au
Precedence: bulk
Reply-To: general at lists.humbug.org.au
X-Loop: general at lists.humbug.org.au
List-Help: <mailto:majordomo at lists.humbug.org.au?subject=help>
List-Post: <mailto:general at lists.humbug.org.au>
List-Subscribe: <mailto: general-request at lists.humbug.org.au?subject=subscribe>
List-Id: semi-serious discussions about Humbug and Unix-related topics <general at lists.humbug.org.au>
List-Unsubscribe: <mailto: general-request at lists.humbug.org.au?subject=unsubscribe>
List-Archive: <http://archive.humbug.org.au/humbug-general/>
Status: RO
Content-Length: 4264
Lines: 95
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
Ah well, good to hear some banks are being sensible.
Two issues to follow through on:
1. potential security breaches
2. what OS is that internet bank running and security/uptime reliability?
1. potential security breaches
Extending this topic, my Suncorp netbanking has shown a disturbing trend
that I have noticed with other internet sites: hiding URLs by using
JavaScript popup windows, i.e.:
javascript:OpenWindowFullScreen('page_name.ext','label');
I suspect they do this to maximize the screen area, but it hides the URL,
and unless users have set their browser preferences appropriately, most
users will not be able to confirm they are on https or http.
I have noticed a number of other banks doing similar things, though ANZ,
St George and Colonial First State stick with displaying the URL and padlock
icons.
So what I'm wondering is, would this result in a potential for security
exploitation?
i.e.: say a small ISP, internet cafe etc. has a 'modified' DNS table,
redirecting calls to www.mybank.com to their own server, running a clone
of the real bank's homepage.
User goes to the logon screen (which is a
javascript:OpenWindowFullScreen(blah), thus hiding the URL) and is taken to
some fake site made up by the hackers (say www.mypiratebank.com); this
could even have an authenticated https certificate that does not flag any
warnings in the client's browser. The pirate site then collects user names /
passwords, maybe even does some screen stripping on www.mybank.com to
verify the password, and then redirects the client to the real banking
site (or just gives the user a message 'service temporarily unavailable,
please call 1800-fake-number').
I don't know enough about DNS servers to say whether this type of breach could be
achieved via the weakness pointed out for www.anz.com on this list last week.
Hrm... I'm pretty sure I'm not being paranoid [1], but also pretty sure my
bank will put the spin doctors onto denying any security risk before they
actually address the technical issue.
2. What OS is that internet bank running, and security/uptime reliability?
Looking at netcraft.com > 'What's that site running?' I noticed:
www.suncorpmetway.com is running Microsoft-IIS/4.0 on NetBSD/OpenBSD. ??[2]
www.anz.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98.
www.westpac.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98
www.colonialfirststate.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98
www.commbank.com.au is running Microsoft-IIS/4.0 on NT4/Windows 98
Hrm... I was starting to wonder if these bank sites might be misreported or
'freaking' responses to hide the real OS/webserver being operated, so I had
a look at good old faithful:
www.uq.edu.au is running Apache/1.3.14 (Unix) PHP/4.0.4pl1 PHP/3.0.18
mod_perl/1.24_01 mod_ssl/2.7.1 OpenSSL/0.9.6 on Solaris 8.
I noticed a newspaper report a while ago of substantial differences in
service uptime between major Australian banks; can't remember the URL or
results. (Most were >98% uptime with 2 < 95%, pretty poor really.)
I'm wondering why the banks have (mostly) gone for a non-*nix solution? I'm
no security expert, but cautioned by the recurring hacks into IIS sites
exploiting vulnerabilities that seem to be much more frequent than those on
Solaris/*nix systems.
I've not been following securityfocus.com closely; anyone able to compare
the number of security breaches on *nix to NT/IIS? [A wide open question
if there ever was one.]
Matthew.
[1]: Not trusting the default click-through interface, I use the https URL
as my starting point.
[2] Running IIS on BSD? What gives? Why would anyone bother, or is this
being misreported? I wonder what hardware these systems are running; using
clusters?
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
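The popup-login problem Matthew describes (a full-screen JavaScript window that hides the URL bar, so the user cannot see whether the page is https or which host served it) has a straightforward defensive counterpart on the site's own side. The following is an added example, not code from the post or from any bank: it builds a window.open() feature string that keeps the location bar visible, and it has the login page check its own protocol and hostname before it will render a password field. The host name www.mybank.com is the placeholder used in the post, and the element id "login-form" and the function names are assumptions of this example.

```javascript
// Added example (not from the original post): a defensive pattern for the
// popup-login problem discussed above.
//   1. popupFeatures() keeps the browser's location bar visible in the popup,
//      so the user can still read the URL and padlock.
//   2. loginOriginCheck() lets the login page refuse to show a password field
//      unless it is served over https from the expected host.
// www.mybank.com is the placeholder host from the post, not a real bank.

const EXPECTED_LOGIN_HOST = "www.mybank.com"; // placeholder host from the post

// Feature string for window.open(). location=yes keeps the URL bar visible;
// deliberately no fullscreen flag. Width/height are purely cosmetic.
function popupFeatures(width, height) {
  return [
    "location=yes",   // keep the URL / padlock visible to the user
    "toolbar=yes",
    "resizable=yes",
    `width=${width}`,
    `height=${height}`,
  ].join(",");
}

// Browser-only entry point (Node has no window); never called in this file.
function openLoginWindow(url) {
  return window.open(url, "login", popupFeatures(800, 600));
}

// Decide whether a page may render a login form. `loc` is a Location-like
// object ({ protocol, hostname }); in a browser pass window.location.
// Returns { ok, reason } so the caller can log why a page was refused.
function loginOriginCheck(loc, expectedHost) {
  const protocol = String(loc.protocol || "").toLowerCase();
  const hostname = String(loc.hostname || "").toLowerCase();
  if (protocol !== "https:") {
    return { ok: false, reason: `not https (got ${protocol || "none"})` };
  }
  if (hostname !== expectedHost.toLowerCase()) {
    return { ok: false, reason: `unexpected host ${hostname}` };
  }
  return { ok: true, reason: "" };
}

// Hide the login form (assumed element id "login-form") unless the origin
// check passes. `doc` is a Document-like object so it can be exercised
// outside a browser with a constructed stand-in.
function guardLoginForm(doc, loc) {
  const verdict = loginOriginCheck(loc, EXPECTED_LOGIN_HOST);
  const form = doc.getElementById("login-form");
  if (form) {
    form.hidden = !verdict.ok;
  }
  return verdict;
}

// Usage in the bank's page (assumed): guardLoginForm(document, window.location)
// run before the form is shown; the popup is opened with openLoginWindow(url)
// instead of a hidden-URL full-screen window.
```

The hostname check only protects pages the bank itself serves; a cloned site under the attacker's control simply would not run it. Its value is the same one the post argues for: the visible location bar lets the user make exactly this https-and-hostname check by eye, which the full-screen popup takes away.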