IFF this http://www.creditinfojamaica.com/ is the official site, then it is a disaster waiting to happen. And yet it was passed by the BoJ... When will we start to take security seriously??
- bytes
What's wrong with the site again?
"The best software is the one that fits your needs." - A_A
Virus free since: date unknown
Anti-virus free since: August 2008
Let's try an open, ad-hoc security audit of that site right here? How do we go about it? What will be the layout of the presentation? We could try this: http://abacus.bates.edu/~ganderso/bi...Wsections.html.
We could also collaborate on it on GitHub. Who knows what we may create? Maybe another CERT or somewhere? I'll draft something soon (abstract or such).
Herd Mastodon with me:
https://linuxrocks.online/invite/ov3SKzQY
@A_A: There "seem" to be a number of issues. For starters, the site leaks too much information, the kind of information that is useful to attackers. This information helps the attackers to tailor their attacks/research etc. The second thing is, how do you even know you are talking to the right site? This site will be serving up some very sensitive information to its subscribers. Yet it seems that authentication takes place over plain HTTP. They also seem to be doing (in)security through obscurity. The comments in the source of the pages, for example, are helpful.
So here is an attack scenario. The service will be used by merchants etc. to determine your credit rating. An attacker could go to one of these establishments and simply sniff the traffic. He could also replace some of the scripts (.js) with his own malicious scripts. Several ways to attack this.
@Carey: You have to be careful with doing unsolicited audits, as you could land yourself in some real hot water, so I wouldn't go down that road.
-bytes
Last edited by nullbytes; Aug 10, 2013 at 11:08 AM.
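As an added example (not code from anyone in this thread), here is a small offline checker for the two points nullbytes raises: whether a form carrying a password field submits over plain HTTP, and whether the page source contains HTML comments that leak implementation details. The page URL and the markup below are constructed for the demo; point it at source you own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormAndCommentScanner(HTMLParser):
    """Collects every <form> (with whether it holds a password input) and every comment."""

    def __init__(self):
        super().__init__()
        self.forms = []       # dicts: {"action": str, "password": bool}
        self.comments = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_page(html, page_url):
    """Return findings for one page: password forms not posting over https, and comments."""
    scanner = _FormAndCommentScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])   # relative actions inherit the page scheme
        scheme = urlsplit(target).scheme
        if scheme != "https":
            findings.append(f"password form submits over {scheme}: {target}")
    for comment in scanner.comments:
        findings.append(f"HTML comment in source: {comment[:60]}")
    return findings


# Constructed sample markup (hypothetical CMS name and path), not the real site's source.
SAMPLE = """<!-- built with FooCMS 2.1; auth handled by legacy/login.php -->
<html><body><form action="/login.php" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, "http://example.com/index.html"):
        print(finding)
```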
I guess I have no other choice but to construct my own personal boycott list of people, animals, places and things. Lavabit was a mail provider of mine. Take a look at what I saw after 4 days without being able to access mail: http://www.lavabit.com/
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Herd Mastodon with me:
https://linuxrocks.online/invite/ov3SKzQY