I thought this was cool. It may come in handy for Ham Radio.
Archives for : JAVA
I was asked some time ago to provide a list of things which may be considered when looking at Internet Banking.
Below is the list. It was just a brain dump and as such may not be complete.
Don’t underestimate the value of standards for your infrastructure, website configuration, database engine configuration/architecture,staging environment and development/QA environments.
Some thoughts:
- Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system vulnerable.
– And all the other things expected for a remote login session (forced password changes, aging, etc))
– Tools such as Brutus may be use to brute force hack authenticated sessions.
- Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.
– These may be server side, client side, cookie based, etc.
– Get someone to check the development methodologies and the code being used.
– Database query strings can be placed into test entry fields, allowing table dumps to browser.
– Check all pages served are secure and contain user authentication flags.
- Customer data may not be segregated, this needs to be checked.
- Customer data should not reside on the Web Server.
- Authentication databases / system data should not reside on the webserver.
- The databases should reside on a private/semi-private network.
– A different segment to the main banking system.
- Webserver should be dual homed or equivalent (some VLAN techniques are good)
– Separate private and public network cards, monitoring/backup/administration
– Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the network.
- At all data segregation points ensure rules are in place which appreciates the traffic though that point.
- All customer data where possible should be sourced from a secure back-end database.
– This may be a staging environment. i.e. no the main banking system.
– This usually allows for transactions to appear real time to the customer.
– Many transactions may be batched in reality. (internal or external to the bank)
- Ensure suitable rules have been set-up on firewalls.
– There should be inbound and outbound rules on firewalls and filtering routers.
- Don’t allow any infrastructure on the front end to allow remote administrative connections. (telnet, etc.)
– Use the serial console port to connect to a server or back-end terminal server.
- Look for the segregation / staging of online customer content from main banking systems
- Ensure that a separate development / QA / production environment system and suitable process is in place.
- Services not used by the system are active
– These should be disabled.
- Port scan of the supporting infrastructure (routers /switches) and server(s).
– Investigate the reasons for all open ports.
- Don’t use the main gateway for trusted partner access (clearing / RAS / etc.)
- Do all that standard IIS checks and NT checks (Sample scripts, change management, patching methodologies, etc.)
- Ensure denial of service precaution have been taken into account for all infrastructure and server equipment.
- Check the adequacy of the escalation procedures used.
– Look for real-time monitoring and alerting.
– Look for responsibility matrix.
– Look for ownership of issues.
- Consider upstream carrier(s) vulnerability (denial of service, IP spoofing, DNS hacking, etc)
- Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.
– Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).
- Use dynamic passwords where possible (SecureID, TACACS, etc.).
- Use encrypted tunnelling where needed (IPSec, Firewall 1, etc)
- Consider looking at other customer authentication methods to enhance existing methods.
– Digital cert, IP address locked to account, etc.
– Consider use of CVV or CVN for bank issued cards.
- Consider how passwords are distributed /changed for customers.
– Plain text email, telephone, etc.
– Can passwords be changed online?
- Is additional authentication used between sections of the services once authenticated?
- Consider what the customer has access to once authenticated.
– Look at SWIFT, RTGS, inter-bank transfers, access to credit cards, etc.
– If an attacker does get in, what can the do?
- Use techniques to ensure pages, customer details are not cached at ISP, or client system.
– These are flags that can be set within pages.
– Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
– Caching of SSL pages on the client system can be turned on on some browsers.
– May banks use a Java (or similar) applet for all customer interaction, restricting all caching issues.
- Ensure paper based and on-line liability clauses are available are address all effected areas.
- Ensure within the customer sign-up process banking liability is reduced.
– I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
– Not very customer focused, but that’s what their legal department recommended.
All of the above can effect the security and/or operation of an on-line banking system.
Other things to consider:
- External development and support of the application.
- Ownership and management of the hardware/applications
- Publishing points for new content (internal/private/trusted network or Internet)
- Topology of front end. i.e. Security Architecture document should be in place and managed appropriately.
- Are limited AP tests performed whenever changes are made to the environment? i.e. integrated AP into Change management process.
- Database access. Is it buffered or is it live to the core banking systems.
- What facilities are provided? Direct debit + Credit Card + SWIFT + ……. Consider different scenarios for your attack depending on the feature.
- What other services are shared within the network segment that the Internet Banking service is running. Can this be used to compromise the Internet Banking site. eg. different support/business/development organisations with differing security strategies/profiles.
- Consider all external supporting services within you AP. Look at internal/external DNS poisoning opportunities, mail relay, etc. What IPS’s do they use has the ISP any opportunity to access systems or supporting services which may affect Internet Banking.
- Depending on the size of the Bank, many organisation do not use the same support groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external support organisation to administer the infrastructure.
- Look at the business and user authentication methods and paths (client side certs, secure ID, SMART Card, etc). Consider two factor authentication and modern user identification methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
- See if the Internet Banking application sends email to users which may contain interesting information.
- Better access to the application can generally be gained after access to the system. i.e. get an legitimate account on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
- Consider social engineering the Help desk to have an account password reset.
When considering Mobile Banking security and the associated risks, an assessment approach depends greatly on the solution being created or provided.
Generally the approach is based on layered standards, supporting and surrounding the technologies and techniques used.
Here are some things to consider.
Security assessments generally focuses on two main things.
1/ Sensitivity of the data
What is being sent. eg. Pin, credit card numbers, account balance, home address, bank account number, etc.
Data may not be sensitive to the bank, but may be considered by the client as sensitive.
etc……….
2/ Opportunity to access the data.
What medium is being used?
Is it technology/technique easy or trivial to hack?
What encryption is being used?
Are all data paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?
etc………
Things to consider:
- Pin resets sent via SMS to client, should not be used as the only method of accessing accounts. An additional client specific (possibly static) pass word/phrase should be used in addition to a dynamically generated pin. SMS can be sniffed (depending on mode and location).
- If WAP is used, are all devices capable of encryption? If devices are not capable of encryption, do we deny access to these devices? If client side JAVA or intelligent device (win CE, etc), ensure this can not be compromised by a Trojan’s and other key logging techniques.
- Has the organisation considered client side certificates to verify the device prior to transactions being accepted? Consider multiple device and user identification methods (very solution dependant).
- Most mobile POS terminals encrypt the client entered Pin number, but do not encrypt everything within the transaction. If the transmission medium is compromised, we should consider if the encryption can be cracked and if unencrypted data is sensitive. Consider additional data encryption encapsulation i.e. use of all of message encryption (SSL, IPSEC) or use a terminal that utilises Derived Unique Key Per Transaction (DUKPT).
- Many banking applications have been affected by typical hacks such as session hijacking, SQL injection, non random session keys (client side and server side), etc… These typical hacks should be considered in your Secure SDLC and QA Processes once you are aware of the technology used and/or deployed.
- PBX systems and cabling distribution frames can have devices connected to collect transactions. Wireless devices are now being connected to these systems. The attacker sits in their car in the car park outside. This is often done in super markets.
- Wireless transaction gateways if not encrypted are easily collected by anyone within wireless range. 802.11 and other wireless/infra-red mediums are being used (assess the technology and medium being used).
- Has the organisation considered dynamic keys for mobile users? There are some very low cost SecureID type solutions available today, but customers need to have these devices on them when they want to do a transaction.
A blog posting on BoingBoing provides further discussion as to the
inappropriate deployment and of RFID chips within the existing payment
marketplace.
http://www.boingboing.net/2006/10/23/report_contactless_c.html
The underlying point of this article is, the card schemes and banks said they are using key rotating encryption of all data between the card and the acquirer/issuer, but this is clearly not the case in many situations.
Another interesting paper is ‘RFID Payment Card Vulnerabilities Technical Report’ located at:
http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf
I recently had a couple of complaints in regards to the new Website. It turns out the site looks OK in Firefox but does not seem to work very well with Internet Explorer.
I ran the W3C Validator located at http://validator.w3.org/
When executed against the site it found 11 errors. The files and fixes (highlighted in RED) are described below.
File: Header.php
Error: required attribute “type” not specified
<script type=”text/javascript” src=”<?php bloginfo(‘template_directory’); ?>/js/addEvent.js”></script>
<script type=”text/javascript” src=”<?php bloginfo(‘template_directory’); ?>/js/sweetTitles.js”></script>
I have also seen some other errors in Header.php, but they don´t seem to be a big problem.
Error: document type does not allow element “li” here; missing one of “ul”, “ol”, “menu”, “dir” start-tag.
Update
I finally worked out what was going on…
It was the mod_rewrite (RewriteEngine) in the .htaccess file.
I´m running WPSuperCache, so I thought this may have caused some issues.
As it turned out it was the WordPress section of the .htaccess which was causing the problems. I probably modified it at some stage…
Another Problem Found and Fixed
I have been having problems when placing graphics into a posting, where although the WYSIWYG editor shows the correct layout, the text below the image wraps around the graphic when the site is viewed.
After some looking around, I found a similar article written in relation to a different theme. As it turns out the fix for the DUST-317 Theme is the same.
Edit the DUST-317 Theme style.css located in the DUST-317 theme directory. Search for this line.
#content p img{float:left;border:none;margin-right:10px;margin-bottom:10px;}
Remove the float:left; for the above line, making it look like this.
#content p img{border:none;margin-right:10px;margin-bottom:10px;}
ThatÅ› it… now the text sits under the graphics OK.
http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html </a>
Check it Out…
How to Build a Low-Cost, Extended-Range RFID Skimmer
Also some of the supporting documents.
A Practical Relay Attack on ISO 14443 Proximity Cards
S4100 Multi-Function Reader Module Data Sheet
Security Analysis of a Cryptographically-Enabled RFID’s