lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <auto-000029611730@mailbe-2.llnl.gov>
Date: Thu, 18 Aug 2005 17:35:02 -0700
From: "Zow" Terry Brugger <zow@...l.gov>
To: "Jay D. Dyson" <jdyson@...achery.net>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
	Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Sensitive Information Disclosure
 Vulnerability in Kinetics Kiosk Product


>  	Especially considering that the IP address is within a Wells Fargo 
> Bank class B netblock.  It just gets curiouser and curiouser.

No, that actually explains a lot -- you know how you swipe your credit card 
at the kiosk so that it can retrieve your flight information? Well, it needs 
to map your CC number to a name, and whether your name is encoded on the mag 
stripe or not, it should go back to a bank to retrieve that information. I 
bet you one good cup of coffee (offer applies to Jason and Jay only) that 
that's why they're connecting to Wells Fargo.

Now then, one could debate the wisdom of transferring this information in the 
clear (http as opposed to https). I'm not going to try to connect to the 
server myself out of politeness, but I would hope that the connection is 
being tunneled through the Internet by a VPN, and that the server is 
otherwise inaccessible. If that is the case, I think the debate over whether 
it uses a public or private IP is academic.

The potential insecurities in the use of Win/IE for a public kiosk are worth 
considering, however I'm personally more concerned when my pilot tells us 
that we're going to be delayed from pushing back for a minute because they 
need to do the equivalent of a Control-Alt-Delete to the plane.

Cheers,
Terry

import StandardDisclaimer;


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ