Re: [Full-disclosure] Wachovia Bank website sends confidential information
Wachovia Bank's Web Security people did phone me late yesterday to thank me for raising the security issue. They also stated that they were investigating why my initial contacts with Wachovia did not result in an appropriate response. They said that they also were working with their legal people to determine what notification to consumers, if any, was required due to the California data breach law and similar laws elsewhere.

It was not made clear whether their phone call (and their correction of the web page) was directly due to my posting on the Full-disclosure list or because Steve Ragan saw my posting and contacted Wachovia.

For those who questioned whether I made sufficient attempts to contact them, please note that I talked by phone both with customer support and web support people and then FAXed the details to the web support person who took my call. Note that I bothered with this at all as a courtesy to Wachovia. Nobody paid me for my time.

For those who questioned whether I gave them sufficient time to react, I stated in my FAX to them, in effect, that all they had to do within 7 days was to respond to the FAX and ask for more time to deal with the problem. I then waited 15 days, not 7, before posting on FD after having received no response and seeing that the problem remained.

For those who questioned my motives and suggested that I deliberately did not make sufficient effort to contact them, well, I detailed my 3 contacts above and then got no response for 15 days.

For those who suggested I was motivated by fame, well, I already have that. I won't blow my horn here but anyone is welcome to do a Google search on me.

Wachovia has fixed the problem. They are working to ensure that future advisories are handled properly.

Thanks to all who responded. Shall we put this matter to bed?
Bob Toxen, Horizon Network Security
http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [Our 5* book: "Real World Linux Security"]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Wachovia Bank website sends confidential information
Reconfirming the time stamp(s) at which their policy pages were updated.

On 7/11/07, Bob Toxen <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 11, 2007 at 12:38:54PM -0400, Steve Ragan wrote:
> It has comments with time-stamps of late yesterday, after I disclosed on the list:
Re: [Full-disclosure] Wachovia Bank website sends confidential information
On Wed, Jul 11, 2007 at 12:38:54PM -0400, Steve Ragan wrote:
> The link now redirects to an HTTPS page

Thanks Steve. This proves the value of Full Disclosure. This seems to have changed within a few hours of my posting to Full Disclosure rather than in the several weeks after I first alerted them.

Note that Wachovia still has not subsequently contacted me to thank me, acknowledge my work, or to threaten me.

Yes, the page that consumers can get to by navigating Wachovia's web site (or in response to the paper mail Wachovia sent out) now is the following, which posts using https to provide strong encryption:

https://www.wachovia.com/personal/forms/privacy_optout

It has comments with time-stamps of late yesterday, after I disclosed on the list:

I do note that the existing URL:

http://www.wachovia.com/personal/forms/privacy_optout

still exists and is accessible. That http page still appears to post the SSN, etc. unencrypted. Clearly, someone needs to delete the old page or only allow it as https. Of course, this is a very minor issue as there is no way for a consumer to "trip over" this page accidentally.

I wonder if Wachovia will follow the California state breach security policy.

Bob

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Toxen
> Sent: Tuesday, July 10, 2007 8:20 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Wachovia Bank website sends confidential information
>
> Wachovia Bank website sends confidential information (social security numbers, phone number, address, etc.) over the Internet without encryption.
>
> Horizon Network Security Security Advisory 07/10/2007
> http://VerySecureLinux.com/ Jul 10, 2007
>
> I. BACKGROUND
>
> Wachovia Bank's official web site offers the following URL to allow its customers to change their privacy preferences:
>
> http://www.wachovia.com/privacy
>
> Wachovia also notified its customers by U.S. Mail that they can use that same URL besides.
>
> That URL has a link to the following to actually change one's preferences:
>
> http://www.wachovia.com/personal/forms/privacy_optout
>
> Unfortunately, that page appears to be an ordinary HTML form whose "filled out data" then is transmitted via the "post" method to an http (not https) URL.
>
> III. ANALYSIS
>
> We inspected the page's source via our Opera browser. (We did not sniff the web traffic so we are not absolutely sure that there is not some hidden encryption method, though there appears to be none.)
>
> IV. DETECTION
>
> It is trivial to inspect the page source or sniff the data to demonstrate the problem. The problem has not been corrected.
>
> V. WORKAROUND
>
> Use a method other than their web site to exercise one's preferences.
>
> VI. VENDOR RESPONSE
>
> The vendor (Wachovia Bank) was notified via their customer service phone number on June 25. We were transferred to "web support". The person answering asked us to FAX the details to her and we did so, also on June 25. We explained that we were reporting a severe security problem on their web site.
>
> We stated that if we did not hear back from them within 7 days and the problem was not fixed by then that we would post the problem on the Full Disclosure list, following accepted industry practice.
>
> To date we have received no response and the problem remains unfixed.
>
> VII. CVE INFORMATION
>
> There is no CVE number.
>
> VIII. DISCLOSURE TIMELINE
>
> 06/25/2007 Initial vendor notification
> 06/25/2007 Vendor requested FAXed details
> 06/25/2007 Details FAXed to vendor
>
> 07/20/2007 No vendor response
> 07/20/2007 Public disclosure on this Full Disclosure list
>
> IX. CREDIT
>
> This problem was discovered by Bob Toxen, one of our engineers.
>
> X. LEGAL NOTICES
>
> Copyright (C) 2007 Horizon Network Security. All rights reserved.
>
> Permission is granted for the redistribution of this alert electronically. It may not be edited without the express written consent of Horizon Network Security. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate at the time of publishing, based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition and waiving of the right to any action against Horizon Network Security or its employees or contractors.
>
> There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
>
> We believe Wachovia Bank is obligated by California's security breach disclosure laws to notify its California customers who may have used this form
Re: [Full-disclosure] Wachovia Bank website sends confidential information
The link now redirects to an HTTPS page

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Toxen
Sent: Tuesday, July 10, 2007 8:20 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Wachovia Bank website sends confidential information

Wachovia Bank website sends confidential information (social security numbers, phone number, address, etc.) over the Internet without encryption.

Horizon Network Security Security Advisory 07/10/2007
http://VerySecureLinux.com/ Jul 10, 2007

I. BACKGROUND

Wachovia Bank's official web site offers the following URL to allow its customers to change their privacy preferences:

http://www.wachovia.com/privacy

Wachovia also notified its customers by U.S. Mail that they can use that same URL besides.

That URL has a link to the following to actually change one's preferences:

http://www.wachovia.com/personal/forms/privacy_optout

Unfortunately, that page appears to be an ordinary HTML form whose "filled out data" then is transmitted via the "post" method to an http (not https) URL.

III. ANALYSIS

We inspected the page's source via our Opera browser. (We did not sniff the web traffic so we are not absolutely sure that there is not some hidden encryption method, though there appears to be none.)

IV. DETECTION

It is trivial to inspect the page source or sniff the data to demonstrate the problem. The problem has not been corrected.

V. WORKAROUND

Use a method other than their web site to exercise one's preferences.

VI. VENDOR RESPONSE

The vendor (Wachovia Bank) was notified via their customer service phone number on June 25. We were transferred to "web support". The person answering asked us to FAX the details to her and we did so, also on June 25. We explained that we were reporting a severe security problem on their web site.

We stated that if we did not hear back from them within 7 days and the problem was not fixed by then that we would post the problem on the Full Disclosure list, following accepted industry practice.

To date we have received no response and the problem remains unfixed.

VII. CVE INFORMATION

There is no CVE number.

VIII. DISCLOSURE TIMELINE

06/25/2007 Initial vendor notification
06/25/2007 Vendor requested FAXed details
06/25/2007 Details FAXed to vendor

07/20/2007 No vendor response
07/20/2007 Public disclosure on this Full Disclosure list

IX. CREDIT

This problem was discovered by Bob Toxen, one of our engineers.

X. LEGAL NOTICES

Copyright (C) 2007 Horizon Network Security. All rights reserved.

Permission is granted for the redistribution of this alert electronically. It may not be edited without the express written consent of Horizon Network Security. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing, based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition and waiving of the right to any action against Horizon Network Security or its employees or contractors.

There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

We believe Wachovia Bank is obligated by California's security breach disclosure laws to notify its California customers who may have used this form and the State of California. Other jurisdictions also may have notification requirements.

Bob Toxen, Horizon Network Security
http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [Our 5* book: "Real World Linux Security"]
Re: [Full-disclosure] Wachovia Bank website sends confidential information
Hi Jim,

No, I did not "declare the whole of Wachovia technically challenged based on the one incident at a security conference.."

What I was pointing out is that the current problem of their failure to put up a secure web and their failure to respond to notification about it has another data point from about 6 months ago.

In general enterprises send only a small group of people to any given conference, so no, the whole of Wachovia did not attend. Nevertheless, when you are the one attending, you are a representative of that enterprise.

You seem to have missed the point that I was adding to a discussion, not trying to create a new one. My point was in the dustbin, where it would have stayed, until the current discussion appeared.

-- bob

On Wed, 11 Jul 2007, Jim Popovitch wrote:
> On Wed, 2007-07-11 at 12:03 -0400, Bob Bruen wrote:
>> While it is true that lots of folk pick on vendors for a few minutes of fame, the Wachovia case is slightly different.
>>
>> They do have an attitude problem and are technically challenged. The basis for this is a law enforcement conference about six months ago. During a presentation a Wachovia representative told a speaker to stop blaming the banks for problems. This was the third presentation this individual has listened to in which each speaker had blamed the banks for not doing enough and the frustration level was a bit high.
>
> So you declare the whole of Wachovia technically challenged based on the one incident at a security conference (did all of Wachovia attend?) six months ago? Come on. ;-)
>
> Wachovia, like every other large enterprise, has good, mediocre, and bad employees. It's a fact of life, but not a news worthy story. I'm sure that some days the best and brightest represent Wachovia at some conference somewhere, and I am equally sure that some days the worst and most deplorable represent Wachovia at some conference somewhere. It happens.
>
> -Jim P.

--
Dr. Robert Bruen
Cold Rain Technologies
http://coldrain.net
+1.802.579.6288
Re: [Full-disclosure] Wachovia Bank website sends confidential information
On Wed, 2007-07-11 at 12:03 -0400, Bob Bruen wrote:
> While it is true that lots of folk pick on vendors for a few minutes of fame, the Wachovia case is slightly different.
>
> They do have an attitude problem and are technically challenged. The basis for this is a law enforcement conference about six months ago. During a presentation a Wachovia representative told a speaker to stop blaming the banks for problems. This was the third presentation this individual has listened to in which each speaker had blamed the banks for not doing enough and the frustration level was a bit high.

So you declare the whole of Wachovia technically challenged based on the one incident at a security conference (did all of Wachovia attend?) six months ago? Come on. ;-)

Wachovia, like every other large enterprise, has good, mediocre, and bad employees. It's a fact of life, but not a news worthy story. I'm sure that some days the best and brightest represent Wachovia at some conference somewhere, and I am equally sure that some days the worst and most deplorable represent Wachovia at some conference somewhere. It happens.

-Jim P.
Re: [Full-disclosure] Wachovia Bank website sends confidential information
Or hey, if you're not getting anywhere with him, talk to this guy!

http://www.belkcollege.uncc.edu/jpfoley/

> Let me see:
> wachovia security cissp "incident" +network via Google
>
> This looks interesting:
> http://www.bryceporter.com/
>
> I would have contacted someone on this level to put me in touch with the right person. But hey, guess it's more hip to add stupid little tags next to your resume or webpage: I broke $INSERT_VENDOR_HERE

--
Lasciate ogne speranza, voi ch'intrate (Abandon all hope, you who enter)
Re: [Full-disclosure] Wachovia Bank website sends confidential information
Bob Bruen wrote:
> While it is true that lots of folk pick on vendors for a few minutes of fame, the Wachovia case is slightly different.
>
> They do have an attitude problem and are technically challenged. The basis for this is a law enforcement conference about six months ago. During a presentation a Wachovia representative told a speaker to stop blaming the banks for problems. This was the third presentation this individual has listened to in which each speaker had blamed the banks for not doing enough and the frustration level was a bit high.
>
> This only comes up because of the current Wachovia web site issue. It shows that there is an internal problem, worse than most, ending with the current situation. And no I will not identify any of the players.
>
> --bob

Mechanisms of politrix...

I was doing contract work from home for a HUGE-O-MONGOUS tech company I won't name (NDA) and was assigned to do fw administration, configuration for a bank that outsourced it to this HUGE-O-MONGOUS monster. When we needed to implement a change these were the steps:

"Uh oh.. We're seeing attacks from network X" ...

1) Call manager
2) Manager calls his manager in another state
3) That manager calls sales rep
4) Sales rep called the bank's contact
5) Bank's contact called his security team
6) Hey security team, you need to speak with your contractors
7) Security team to bank's contact ok make a conference call
8) Bank's contact to the sales rep - ok make a conference call
9) bank sales rep to HUGE-O-MONGOUS' sales rep - ok make a conference call
10) manager to manager - hey we're going to do a conference call
11) No wait... My contractor is tied up... Can we re-schedule?

In essence, when we needed to do things, it wasn't as cut and dry as I thought it would be. In fact it was downright frustrating. Here you are Rainwall open, NSM open about to fire off changes but have to wait for at minimum 4 business days hoping no one up the food chain was unavailable to make a mission critical change.

Long story short, while at HUGE-O-MONGOUS I was surprised I was even given the opportunity to be there - but hey contractors liabilities, etc., legal foobarfoo wording exculpated HUGE-O-MONGOUS company from the whole shmoo (compsec historians know the HIStory), anyhow, I got frustrated working for them. I felt as if it was such a dead end. Mind you I was making about $80.00 per hour to roll out of bed and do work pretty much whenever I wanted.

Sometimes, things aren't as clear cut as one may think they are. To me the initial "Oh noes! Wachovia is evil" post was nothing more than someone itching for their Andy Warhol 15 minutes.

With that said... Off to lunch...

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Re: [Full-disclosure] Wachovia Bank website sends confidential information
While it is true that lots of folk pick on vendors for a few minutes of fame, the Wachovia case is slightly different.

They do have an attitude problem and are technically challenged. The basis for this is a law enforcement conference about six months ago. During a presentation a Wachovia representative told a speaker to stop blaming the banks for problems. This was the third presentation this individual has listened to in which each speaker had blamed the banks for not doing enough and the frustration level was a bit high.

This only comes up because of the current Wachovia web site issue. It shows that there is an internal problem, worse than most, ending with the current situation. And no I will not identify any of the players.

--bob

On Wed, 11 Jul 2007, J. Oquendo wrote:
> [EMAIL PROTECTED] wrote:
>> On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:
>>
>>> 7 days? "industry practice"? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"?
>>
>> On the other hand, I think that they *could* manage at least a "Wow d00dz, we really *do* have a hole there" reply and at least give a handwaving about when they'd fix it. Of course, actually *fixing* a design flaw that big is going to take them *months*.
>
> Driver walks into a dealer and speaks to customer service:
>
> "These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom" says the driver. Puzzled and not knowing squat about slaloms, or the braking system, the customer service rep sends the driver to a mechanic.
>
> "These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom. Someone will die!" says the driver to the mechanic... Not being able to change the auto's design nor engineering, the mechanic is puzzled and offers to take the information although he is even more puzzled on who this should be directed to.
>
> Two days later driver rambles on news stations nationwide: "Their arrogance will get people killed. I warned them repeatedly" People moan and grumble, etc., recalls, fixes...
>
> This Wachovia thread is pointless. I see no mention or posting to perhaps any security list (and I'm on many both public and private) saying: "Hey is there anyone who can put me in touch with someone in the know at Wachovia" on any list. All I see is... "I called customer service". So what, if you're a security professional you will know damn well you're getting nowhere with them. "I spoke to their w3bm4ster". And? Either the poster is looking for attention or a complete and utter idiot. If his or her true intention was to provide a report of a security woe concerning said business or product, he or she could have easily jumped on any security mailing list and found the right connection instead of rambling on "the sky is falling..."
>
> Let me see:
> wachovia security cissp "incident" +network via Google
>
> This looks interesting:
> http://www.bryceporter.com/
>
> I would have contacted someone on this level to put me in touch with the right person. But hey, guess it's more hip to add stupid little tags next to your resume or webpage: I broke $INSERT_VENDOR_HERE

--
Dr. Robert Bruen
Cold Rain Technologies
http://coldrain.net
+1.802.579.6288
Re: [Full-disclosure] Wachovia Bank website sends confidential information
I got you right? The one doing research just for fun has the duty to find the correct person, and not the company, making big business, to provide easy access to this person? Yes you are obviously right ^^

J. Oquendo wrote:
> [EMAIL PROTECTED] wrote:
>> On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:
>>
>>> 7 days? "industry practice"? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"?
>>
>> On the other hand, I think that they *could* manage at least a "Wow d00dz, we really *do* have a hole there" reply and at least give a handwaving about when they'd fix it. Of course, actually *fixing* a design flaw that big is going to take them *months*.
>
> Driver walks into a dealer and speaks to customer service:
>
> "These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom" says the driver. Puzzled and not knowing squat about slaloms, or the braking system, the customer service rep sends the driver to a mechanic.
>
> "These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom. Someone will die!" says the driver to the mechanic... Not being able to change the auto's design nor engineering, the mechanic is puzzled and offers to take the information although he is even more puzzled on who this should be directed to.
>
> Two days later driver rambles on news stations nationwide: "Their arrogance will get people killed. I warned them repeatedly" People moan and grumble, etc., recalls, fixes...
>
> This Wachovia thread is pointless. I see no mention or posting to perhaps any security list (and I'm on many both public and private) saying: "Hey is there anyone who can put me in touch with someone in the know at Wachovia" on any list. All I see is... "I called customer service". So what, if you're a security professional you will know damn well you're getting nowhere with them. "I spoke to their w3bm4ster". And? Either the poster is looking for attention or a complete and utter idiot. If his or her true intention was to provide a report of a security woe concerning said business or product, he or she could have easily jumped on any security mailing list and found the right connection instead of rambling on "the sky is falling..."
>
> Let me see:
> wachovia security cissp "incident" +network via Google
>
> This looks interesting:
> http://www.bryceporter.com/
>
> I would have contacted someone on this level to put me in touch with the right person. But hey, guess it's more hip to add stupid little tags next to your resume or webpage: I broke $INSERT_VENDOR_HERE

--
greets

one must still have chaos in oneself to be able to give birth to a dancing star
Re: [Full-disclosure] Wachovia Bank website sends confidential information
[EMAIL PROTECTED] wrote:
> On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:
>> 7 days? "industry practice"? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"?
>
> On the other hand, I think that they *could* manage at least a "Wow d00dz, we really *do* have a hole there" reply and at least give a handwaving about when they'd fix it. Of course, actually *fixing* a design flaw that big is going to take them *months*.

Driver walks into a dealer and speaks to customer service:

"These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom" says the driver. Puzzled and not knowing squat about slaloms, or the braking system, the customer service rep sends the driver to a mechanic.

"These brake pads are extremely vulnerable to slipping during X conditions on a 90 degree slalom. Someone will die!" says the driver to the mechanic... Not being able to change the auto's design nor engineering, the mechanic is puzzled and offers to take the information although he is even more puzzled on who this should be directed to.

Two days later driver rambles on news stations nationwide: "Their arrogance will get people killed. I warned them repeatedly" People moan and grumble, etc., recalls, fixes...

This Wachovia thread is pointless. I see no mention or posting to perhaps any security list (and I'm on many both public and private) saying: "Hey is there anyone who can put me in touch with someone in the know at Wachovia" on any list. All I see is... "I called customer service". So what, if you're a security professional you will know damn well you're getting nowhere with them. "I spoke to their w3bm4ster". And? Either the poster is looking for attention or a complete and utter idiot. If his or her true intention was to provide a report of a security woe concerning said business or product, he or she could have easily jumped on any security mailing list and found the right connection instead of rambling on "the sky is falling..."

Let me see:
wachovia security cissp "incident" +network via Google

This looks interesting:
http://www.bryceporter.com/

I would have contacted someone on this level to put me in touch with the right person. But hey, guess it's more hip to add stupid little tags next to your resume or webpage: I broke $INSERT_VENDOR_HERE

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Re: [Full-disclosure] Wachovia Bank website sends confidential information
On Tue, Jul 10, 2007 at 09:39:33PM -0400, Jim Popovitch wrote:
> On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote:
>> VI. VENDOR RESPONSE
>> The vendor (Wachovia Bank) was notified via their customer service phone number on June 25. We were transferred to "web support". The person answering asked us to FAX the details to her and we did so, also on June 25. We explained that we were reporting a severe security problem on their web site.
> Severe? All that seems to be leaked is a person's Name/Address/SSN number and some other details. While this is too much info to leak, I'd hardly say it's severe. That same info can be easily found in people's mailboxes weekdays between noon and 4pm.

Leaking an SSN is considered serious. My use of the term "severe" was to get their attention.

>> We stated that if we did not hear back from them within 7 days and the problem was not fixed by then that we would post the problem on the Full Disclosure list, following accepted industry practice.
> 7 days? "industry practice"? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"?

Please read my posting more carefully. I stated that if I did not hear back within 7 days and the problem persisted then I would disclose it. All they had to do was to ask for more time and I would have granted any reasonable extension. Instead, it appears that they ignored my report; discouraging that is what Full Disclosure is all about, IMO.

I think that that web page should have been shut down within the hour as any competent web person could have confirmed the leak with a few minutes' inspection of the page source.

> -Jim P.

Bob
Re: [Full-disclosure] Wachovia Bank website sends confidential information
Jim Popovitch wrote:
> 7 days? "industry practice"? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"?

Why should a security researcher waste their time with a vendor who can't even acknowledge the receipt of a security notification in 7 days? Even the OIS guidelines (which are pretty heavily vendor biased) suggest that vendors should respond to notifications no later than 7 days (3 days if the researcher asks for receipt confirmation).

If Wachovia had responded with a receipt confirmation on the same day, and followed up in a few days with the results of an initial analysis and perhaps a case number from their bug tracking system, things might have been different.

By the way, the privacy page is not the biggest issue on Wachovia's web site. On http://www.wachovia.com/ they have an online banking login form. The username and password are submitted to an HTTPS URL, but the form itself is not protected. It's trivial to MITM the HTTP site and capture the data from the login form before it is submitted (or redirect it to a server of your choice). Of course they show a nice padlock image next to the login form, so it must be safe!

It appears that MITM is just not part of Wachovia's threat model.

Alex
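Added example, not code from the thread or from the bank: the page-source check that the advisory's DETECTION section describes, and the login-form case Alex raises above, done by a script instead of by eye. It parses the forms in a page and flags a form whose action is an http:// URL (the privacy opt-out case) and a form that sits on an http:// page even though its action is https:// (the login-form case, where the page carrying the form can be altered in transit). The host names, field names and HTML samples are constructed for illustration.

```python
"""Flag HTML forms that would submit user data without transport protection.

Two failure modes discussed in the thread are checked:
  1. a form whose action URL is http:// (the privacy opt-out form: the
     filled-in SSN etc. travel in cleartext);
  2. a form served from an http:// page whose action is https:// (the
     login form: the page itself can be altered in transit, so the
     https action is no guarantee of where the credentials go).
Sample page URLs and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that mark a form as carrying sensitive data (assumed list).
SENSITIVE_FRAGMENTS = ("ssn", "social", "password", "passwd", "account", "card")


class FormCollector(HTMLParser):
    """Collect each form's action, method and input field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that fails either check, in page order."""
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty or relative action resolves against the page URL, as browsers do.
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme.lower()
        sensitive = sorted(
            f for f in form["fields"] if any(frag in f for frag in SENSITIVE_FRAGMENTS)
        )
        if action_scheme != "https":
            issue = "form submits over cleartext http"
        elif page_scheme != "https":
            issue = "https action on an http page: form can be altered before submit"
        else:
            continue
        findings.append({"action": action, "method": form["method"],
                         "issue": issue, "sensitive_fields": sensitive})
    return findings


# Constructed samples (placeholder host, not the bank's real pages).
OPTOUT_PAGE_URL = "http://www.example-bank.test/personal/forms/privacy_optout"
OPTOUT_HTML = """
<form method="post" action="http://www.example-bank.test/personal/forms/privacy_optout">
  <input name="fullname"><input name="ssn"><input name="phone">
</form>"""
LOGIN_PAGE_URL = "http://www.example-bank.test/"
LOGIN_HTML = """
<form method="post" action="https://online.example-bank.test/login">
  <input name="userid"><input type="password" name="password">
</form>
<form method="get" action="/search"><input name="q"></form>"""

if __name__ == "__main__":
    for url, html in ((OPTOUT_PAGE_URL, OPTOUT_HTML), (LOGIN_PAGE_URL, LOGIN_HTML)):
        for finding in audit_forms(url, html):
            print(url, "->", finding)
```

Serving the same login page over https (the fix for case 2) produces no findings, which is the state a re-check after a vendor fix should reach.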
Re: [Full-disclosure] Wachovia Bank website sends confidential information
On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:
> 7 days? "industry practice"? Come on Bob I know you know that large
> corporations can't feed a cat in 7 days let alone make unscheduled
> website changes that fast. Change control approvals alone would include
> 14 or more days in most enterprises. Why the rush to "say so"?

On the other hand, I think that they *could* manage at least a "Wow
d00dz, we really *do* have a hole there" reply and at least give a
handwaving about when they'd fix it.

Of course, actually *fixing* a design flaw that big is going to take
them *months*.
Re: [Full-disclosure] Wachovia Bank website sends confidential information
On 10-Jul-07, at 7:39 PM, Jim Popovitch wrote:
> On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote:
>> VI. VENDOR RESPONSE
>>
>> The vendor (Wachovia Bank) was notified via their customer service
>> phone number on June 25. We were transferred to "web support". The
>> person answering asked us to FAX the details to her and we did so,
>> also on June 25. We explained that we were reporting a severe
>> security problem on their web site.
>
> Severe? All that seems to be leaked is a person's Name/Address/SSN
> number and some other details. While this is too much info to leak, I'd
> hardly say it's severe. That same info can be easily found in people's
> mailboxes weekdays between noon and 4pm.

Yeah, but that doesn't scale as well.

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"
Re: [Full-disclosure] Wachovia Bank website sends confidential information
On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote:
> VI. VENDOR RESPONSE
>
> The vendor (Wachovia Bank) was notified via their customer service
> phone number on June 25. We were transferred to "web support". The
> person answering asked us to FAX the details to her and we did so,
> also on June 25. We explained that we were reporting a severe
> security problem on their web site.

Severe? All that seems to be leaked is a person's Name/Address/SSN
number and some other details. While this is too much info to leak, I'd
hardly say it's severe. That same info can be easily found in people's
mailboxes weekdays between noon and 4pm.

> We stated that if we did not hear back from them within 7 days and
> the problem was not fixed by then that we would post the problem on the
> Full Disclosure list, following accepted industry practice.

7 days? "industry practice"? Come on Bob I know you know that large
corporations can't feed a cat in 7 days let alone make unscheduled
website changes that fast. Change control approvals alone would include
14 or more days in most enterprises. Why the rush to "say so"?

-Jim P.
Re: [Full-disclosure] Wachovia Bank website sends confidential information
Maybe that's why they have the focus of some phishing attacks recently.
Easy to get the victim's login, especially if they were redirected
through another site first. MITM made easy 101?

Regards,
Scott

Bob Toxen wrote:
> Wachovia Bank website sends confidential information
> (social security numbers, phone number, address, etc.)
> over the Internet without encryption.
>
> Horizon Network Security Security Advisory 07/10/2007
> http://VerySecureLinux.com/
> Jul 10, 2007
>
> I. BACKGROUND
>
> Wachovia Bank's official web site offers the following URL to allow
> its customers to change their privacy preferences:
>
> http://www.wachovia.com/privacy
>
> Wachovia also notified its customers by U.S. Mail that they can use that
> same URL besides.
>
> That URL has a link to the following to actually change one's
> preferences:
>
> http://www.wachovia.com/personal/forms/privacy_optout
>
> Unfortunately, that page appears to be an ordinary HTML form whose
> "filled out data" then is transmitted via the "post" method to an http
> (not https) URL.
>
> III. ANALYSIS
>
> We inspected the page's source via our Opera browser. (We did not
> sniff the web traffic so we are not absolutely sure that there is not
> some hidden encryption method, though there appears to be none.)
>
> IV. DETECTION
>
> It is trivial to inspect the page source or sniff the data to
> demonstrate the problem. The problem has not been corrected.
>
> V. WORKAROUND
>
> Use a method other than their web site to exercise one's preferences.
>
> VI. VENDOR RESPONSE
>
> The vendor (Wachovia Bank) was notified via their customer service
> phone number on June 25. We were transferred to "web support". The
> person answering asked us to FAX the details to her and we did so,
> also on June 25. We explained that we were reporting a severe
> security problem on their web site.
>
> We stated that if we did not hear back from them within 7 days and
> the problem was not fixed by then that we would post the problem on the
> Full Disclosure list, following accepted industry practice.
>
> To date we have received no response and the problem remains unfixed.
>
> VII. CVE INFORMATION
>
> There is no CVE number.
>
> VIII. DISCLOSURE TIMELINE
>
> 06/25/2007 Initial vendor notification
> 06/25/2007 Vendor requested FAXed details
> 06/25/2007 Details FAXed to vendor
>
> 07/20/2007 No vendor response
> 07/20/2007 Public disclosure on this Full Disclosure list
>
> IX. CREDIT
>
> This problem was discovered by Bob Toxen, one of our engineers.
>
> X. LEGAL NOTICES
>
> Copyright © 2007 Horizon Network Security. All rights reserved.
>
> Permission is granted for the redistribution of this alert electronically.
> It may not be edited without the express written consent of Horizon
> Network Security. If you wish to reprint the whole or any part of this
> alert in any other medium other than electronically, please e-mail
> [EMAIL PROTECTED] for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate at
> the time of publishing, based on currently available information. Use of
> the information constitutes acceptance for use in an AS IS condition and
> waiving of the right to any action against Horizon Network Security or
> its employees or contractors.
>
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
> We believe Wachovia Bank is obligated by California's security breach
> disclosure laws to notify its California customers who may have used
> this form and the State of California. Other jurisdictions also may
> have notification requirements.
>
> Bob Toxen,
> Horizon Network Security
> http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
> http://www.realworldlinuxsecurity.com [Our 5* book: "Real World Linux Security"]
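The advisory quoted above describes a form that posts its fields to an http (not https) URL, and Alex's message earlier in the thread describes the other shape of the same problem: a login form delivered over plain HTTP whose action is HTTPS, so an on-path attacker can rewrite the form before anything is submitted. The check both of them say "any competent web person" could do by reading the page source can be scripted. The following is an added example, not code from any poster on this list or from the bank's site; it assumes you have saved the page HTML and know the URL it was fetched from, and the two sample pages and hostnames below are constructed for the example.

```python
"""Classify the forms on a saved HTML page by how exposed their submission is.

Two failure modes, both discussed in the thread:
  * the form's action URL is http://           -> fields cross the wire in
    the clear (the privacy opt-out form in the advisory);
  * the page carrying the form was fetched over http:// even though the
    action is https://                         -> an on-path attacker can
    rewrite the form or its action before the user submits (the login form).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and (name, type) of inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",          # "" = submit to the page itself
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("name") or "", (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return a list of (absolute_action_url, severity, reason) for each form."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"])       # resolve relative actions
        action_scheme = urlsplit(action).scheme.lower()
        has_password = any(t == "password" for _, t in form["inputs"])
        if action_scheme != "https":
            # Data leaves the browser unencrypted regardless of how the page arrived.
            findings.append((action, "high",
                             "form submits over plaintext %s" % action_scheme))
        elif page_scheme != "https":
            # Action is encrypted, but the form itself is not integrity-protected.
            findings.append((action, "high" if has_password else "medium",
                             "HTTPS action but form delivered over %s; page is MITM-able"
                             % page_scheme))
        else:
            findings.append((action, "info", "form and action both over HTTPS"))
    return findings


# Constructed sample pages (hostnames are hypothetical, not captured from any real site).
PRIVACY_PAGE_URL = "http://www.example-bank.test/personal/forms/privacy_optout"
PRIVACY_PAGE_HTML = """
<html><body>
<form method="post" action="http://www.example-bank.test/personal/forms/privacy_optout/submit">
  <input name="ssn" type="text">
  <input name="phone" type="text">
  <input type="submit" value="Send">
</form>
</body></html>
"""

LOGIN_PAGE_URL = "http://www.example-bank.test/"
LOGIN_PAGE_HTML = """
<html><body>
<img src="/images/padlock.gif" alt="secure">
<form method="post" action="https://onlinebanking.example-bank.test/login">
  <input name="userid" type="text">
  <input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((PRIVACY_PAGE_URL, PRIVACY_PAGE_HTML),
                      (LOGIN_PAGE_URL, LOGIN_PAGE_HTML)):
        for action, severity, reason in audit_forms(url, html):
            print("%-6s %s: %s" % (severity, action, reason))
```

The page URL matters as much as the form's action: re-running the audit on the login page as if it had been fetched over https:// downgrades the finding to informational, which is exactly the difference between the padlock image and an actual padlock. Note that this is a static check of what the page source says; it does not prove the absence of some other protection, just as the advisory itself notes, but it is enough to justify picking up the phone.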