lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <469479EF.8000901@determina.com>
Date: Tue, 10 Jul 2007 23:34:23 -0700
From: Alexander Sotirov <asotirov@...ermina.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Wachovia Bank website
	sends	confidential	information

Jim Popovitch wrote:
> 7 days?   "industry practice"?   Come on Bob I know you know that large
> corporations can't feed a cat in 7 days let alone make unscheduled
> website changes that fast.  Change control approvals alone would include
> 14 or more days in most enterprises.   Why the rush to "say so"?

Why should a security researcher waste their time with a vendor who can't even
acknowledge the receipt of a security notification in 7 days? Even the OIS
guidelines (which are pretty heavily vendor biased) suggest that vendors should
respond to notifications no later than 7 days (3 days if the researchers asks
for receipt confirmation)

If Wachovia had responded with a receipt confirmation on the same day, and
followed up in a few days with the results of an initial analysis and perhaps a
case number from their bug tracking system, things might have been different.

By the way, the privacy page is not the biggest issue on Wachovia's web site. On
http://www.wachovia.com/ they have a online banking login form. The username and
password are submitted to a HTTPS url, but the form itself is not protected.
It's trivial to MITM the HTTP site and capture the data from the login form
before it is submitted (or redirect it to a server of your choice). Of course
they show a nice padlock image next to the login form, so it must be safe!

It appears that MITM is just not part of Wachovia's threat model.

Alex


Download attachment "signature.asc" of type "application/pgp-signature" (250 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ