Friday, September 18, 2009

HSBC's user friendly security measures :)

I came across a very funny article about the security implementation of the HSBC Canada bank website, very funny indeed! Not only are they using easy-to-guess Personal Identification Questions, but they are also enforcing a very restrictive password-selection policy that can be easily brute forced. Moreover, they might be storing the user credentials in encrypted (reversible) form:

"Since the bank is performing character matches on the password entered, there is no way that they are using a one-way hash algorithm to store the password. If they were, they would be able to match the whole thing or nothing at all. Instead, they have chosen to be able to retrieve the password and play with it. I can only hope that it isn’t stored in clear text"

More here:

http://eternallyoptimistic.com/2009/08/24/so-funny-i-forgot-to-laugh/

Enjoy!

Tuesday, September 15, 2009

Web Services Security Model

With the evolution of Web 2.0, web services have become an integral part of business, hence the security of Web Services (WS) has become more critical.
Although no single set of WS standards has been agreed on, the industry is continually developing and evaluating specifications.
The W3C working group is currently working on three basic specifications for Web Services:
  • XML Signature: for verifying the integrity of data sent via web services and authenticating the sender.
  • XML Encryption: for encrypting the XML message (or selected parts of it).
  • XKMS (XML Key Management Specification): for using PKI in web services.
In 2002 Microsoft, IBM and VeriSign announced the Web Services Security specification (WS-Security), proposed for addressing security in web services.
The Organization for the Advancement of Structured Information Standards (OASIS) then came up with the following:
  • SOAP Message Security 1.0
  • The Web Services Security Token Profile 1.0
  • The Web Services Security X.509 certificate token profile 1.0
The OASIS WSS message-security model has three main components:
  • security token
  • digital signature
  • claim

Thursday, September 10, 2009

Open Redirection Vulnerability

An open redirect is a vulnerability that exists when a script allows redirection to an external site by directly calling a specific URL in an unfiltered, unmanaged fashion, which could be used to redirect victims to unintended, malicious web sites.

An open redirect is a very simple vulnerability to exploit.

Consider the following example:
http://www.trustedbank.com/page.redir?target=http://www.anygovtsite.gov/

This is a well-intended URL that takes users to another trusted site.

But this can be abused in one of the following ways:

The URL can be used for a phishing attack:

http://www.trustedbank.com/page.redir?target=http://www.duplicatesite.com/
A user visiting the trusted bank website will get redirected to the phishing site or malware site.
This can hurt the reputation of the organization and cause business loss.


This can be further escalated by malforming the link. Something like the following can be used to cause a Denial of Service attack:

http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=
http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=
http://www.trustedbank.com/page.redir?target=http://www.trustedbank.com/page.redir?target=......
http://www.trustedbank.com/page.redir?target=http://anymalicioussite.com


Now, although the previous link does not by itself perform a DoS, a similar trick can practically perform a DoS attack, causing the client to wait endlessly for a reply.

Prevention:

To prevent phishing attacks, or redirection to browser attackers and malware hosts, site administrators must lock down their redirects.
Again, if site operators absolutely must use redirection, the use of intermediary pages advising users of the redirection is imperative.
Alternatively, allow redirection only to specifically white-listed sites. For example, administrators could limit linking to external sites to cases where a user actually clicks the link while on the main site, thus preventing links in e-mail or instant messages from working.
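The white-list approach described above, as an added example that is not code from the original post or from any bank: a small Python validator for the `target` parameter of a redirect page. The host names (`www.trustedbank.com`, `www.anygovtsite.gov`, `www.duplicatesite.com`, `anymalicioussite.com`) are the post's own placeholders; `evil.example` and the `naive_is_safe` prefix check are constructed here to show why parsing the URL matters more than matching a string prefix. The validator also rejects a target that itself carries a `target` parameter, so the nested-redirect chain shown earlier is never built.

```python
from urllib.parse import parse_qs, urlparse, urlunparse

# Constructed allow-list for the post's example bank (hypothetical values).
TRUSTED_HOST = "www.trustedbank.com"
ALLOWED_EXTERNAL_HOSTS = {"www.anygovtsite.gov"}


def naive_is_safe(target: str) -> bool:
    """A prefix check that looks like a fix but is not (constructed, for comparison).

    It accepts "http://www.trustedbank.com.evil.example/" because the string
    merely starts with the trusted origin; it never looks at the real host.
    """
    return target.startswith("http://" + TRUSTED_HOST)


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a destination that is safe to place in a Location header.

    Accepted:
      * same-site absolute paths such as "/accounts" (but not "//host/..."), and
      * absolute http(s) URLs whose *parsed* host is exactly on the allow-list.
    Everything else falls back to `default`. A target that is itself a redirect
    request (carries its own `target` parameter) is refused, so the
    page.redir?target=page.redir?target=... chain cannot be assembled.
    """
    if not target:
        return default
    # Backslashes and control characters (CR/LF/TAB) are treated as untrusted;
    # refusing them avoids header-splitting and parser-confusion tricks.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default

    parsed = urlparse(target)

    # Relative path on our own site: exactly one leading '/'.
    if not parsed.scheme and not parsed.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default

    # Only web schemes; refuses javascript:, data:, ftp: and scheme-relative //host.
    if parsed.scheme not in ("http", "https"):
        return default

    # .hostname is lower-cased and stripped of userinfo and port, so
    # "http://www.trustedbank.com@evil.example/" resolves to "evil.example".
    host = parsed.hostname or ""
    if host != TRUSTED_HOST and host not in ALLOWED_EXTERNAL_HOSTS:
        return default

    # Refuse nested redirects: the target must not be another redirect request.
    if "target" in parse_qs(parsed.query):
        return default

    return urlunparse(parsed)


if __name__ == "__main__":
    # Constructed sample inputs, including the post's own example URLs.
    samples = [
        "http://www.anygovtsite.gov/",
        "http://www.duplicatesite.com/",
        "/accounts/summary",
        "//www.duplicatesite.com/",
        "http://www.trustedbank.com/page.redir?target="
        "http://www.trustedbank.com/page.redir?target=http://anymalicioussite.com",
        "http://www.trustedbank.com.evil.example/",
        "http://www.trustedbank.com@evil.example/",
    ]
    for s in samples:
        print(f"naive={naive_is_safe(s)!s:5}  strict -> {safe_redirect_target(s)}  <- {s}")
```

Each rejected target falls back to the site root instead of raising an error, which keeps the redirect page usable for legitimate links while giving an attacker nothing to chain. The two lookalike hosts in the sample list are the cases where the prefix check says "safe" and the parsed-host check does not.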

Some time ago Google Image Search was susceptible to this and was exploited by phishers.
Cisco's web site is also susceptible to this vulnerability.