Message-ID: <99322464468.20040223103135@securescience.net>
Date: Mon, 23 Feb 2004 10:31:35 -0800
From: Lance James <lancej@...urescience.net>
To: bugtraq@...urityfocus.com
Subject: Re: Bank of America Contact


Hello bugtraq,

Hi bugtraq,

I'd like to thank everyone for their replies, suggestions, and contact
information.  No two people provided the same information.  This suggests
to us that Bank of America does not have a central contact for security
risks.

We received about a half-dozen Bank of America contacts and we will be
following up with 2-3 of them shortly.

I'd also like to thank the 0-day social engineers for their variety of
approaches used to attempt to gain access to this exploit.  We received
responses ranging from fraudulent "Bank of America" employees to phone
calls from people claiming to be from Bank of America's IT Security.  (One
caller claimed to be from Bank of America's IT Security but didn't know
what PGP is and then said he couldn't give his PGP key due to security
restrictions.  And when we asked him to provide information so we could
verify the contact, he said he would call back but never did.  To this
caller: Yes, your social engineering failed and your caller-id spoofing was
almost perfect.  Emphasis on "almost".)


To summarize, we seem to have identified 3 risks.
The first is a minor issue that we are attempting to report to Bank of
America.
The second is a lack of official central contact for reporting security
risks to Bank of America.
The third is the plethora of 0-day social engineers that appear to jump on
security risks and represent themselves as the affected company in order to
gain access to the privileged information.  A warning to people reporting
security risks: beware of who you talk to.  

-- 
Best regards,
 Lance James
www.securescience.net                          mailto:lancej@...urescience.net
Secure Science Corporation
