Thread: CreditInfo Jamaica

  1. #1
    Join Date
    May 2013
    Posts
    4
    Rep Power
    0

    CreditInfo Jamaica

    IFF this http://www.creditinfojamaica.com/ is the official site, then it is a disaster waiting to happen. And yet it was passed by the BoJ... When will we start to take security seriously??

    - bytes

  2. #2
    Join Date
    Apr 2003
    Posts
    13,269
    Rep Power
    34


    What's wrong with the site again?
    "The best software is the one that fits your needs." - A_A

    Virus free since: date unknown
    Anti-virus free since: August 2008

  3. #3
    Join Date
    Jul 2002
    Posts
    1,395
    Rep Power
    0


    Let's try an open, ad-hoc security audit of that site right here? How do we go about it? What will be the layout of the presentation? We could try this: http://abacus.bates.edu/~ganderso/bi...Wsections.html.

    We could also collaborate on it on github. Who knows what we may create? Maybe another CERT or somewhere? I'll draft something soon (abstract or such).

  4. #4
    Join Date
    May 2013
    Posts
    4
    Rep Power
    0


    @A_A: There "seem" to be a number of issues. For starters the site leaks too much information. The kind of information that is useful to attackers. This information helps the attackers to tailor their attacks/research etc. The second thing is, how do you even know you are talking to the right site? This site will be serving up some very sensitive information to its subscribers. Yet it seems that authentication takes place over plain HTTP. They also seem to be doing (in)security through obscurity. The comments for example in the source of the pages are helpful.

    So here is an attack scenario. The service will be used by merchants etc. to determine your credit rating. An attacker could go to one of these establishments and simply sniff the traffic. He could also replace some of the scripts (.js) with his own malicious scripts. Several ways to attack this.

    @Carey: You have to be careful with doing unsolicited audits. As you could land yourself in some real hot water, I wouldn't go down that road.
    - bytes
    Last edited by nullbytes; Aug 10, 2013 at 11:08 AM.
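    As an added illustration (not code from this thread, and not anything taken from the site under discussion) of how a site owner would check for the two weaknesses bytes describes, a credential form that submits over plain HTTP and source comments written for developers rather than the public, here is a small offline self-check. It parses a constructed sample page for a hypothetical host example.test, resolves each form's action URL against the page URL so that an absolute http:// action on an https page is caught, flags password forms that would post over anything other than https, and flags comments containing words that usually signal internal notes. A second function checks a constructed set of response headers for Strict-Transport-Security, which is what stops a browser from being downgraded to plain HTTP on a later visit. Nothing is fetched from the network.

```python
"""Added example: an offline self-check for credential forms that submit over
plain HTTP, source comments that leak implementation detail, and a missing
HSTS header. Everything below runs on constructed sample data only."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page for a hypothetical host (example.test); not any real site.
SAMPLE_HTML = """
<html><head><title>Member login</title></head>
<body>
<!-- header -->
<!-- TODO: remove debug_login.php before go-live; admin password still default -->
<form id="login" method="post" action="http://example.test/auth">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form id="search" method="get" action="/search">
  <input type="text" name="q">
</form>
</body></html>
"""

# Words that, inside a source comment, usually mean the comment was meant for
# developers and should not have shipped to the public.
LEAK_KEYWORDS = ("todo", "fixme", "debug", "password", "admin", "version")


class FormAndCommentAuditor(HTMLParser):
    """Collect every form (resolved action URL and whether it carries a
    password field) and every HTML comment on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.comments = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the page's scheme; an absolute one
            # can silently switch a login on an https page back to http.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_page(html, page_url):
    """Return a list of human-readable findings for one page (forms first,
    then comments)."""
    parser = FormAndCommentAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlparse(form["action"]).scheme
        if form["has_password"] and scheme != "https":
            findings.append(f"credential form posts over {scheme}: {form['action']}")
    for comment in parser.comments:
        if any(word in comment.lower() for word in LEAK_KEYWORDS):
            findings.append(f"source comment may leak implementation detail: {comment!r}")
    return findings


def check_transport_headers(headers):
    """Flag a response that lacks Strict-Transport-Security; without it a
    browser that is sent (or types) an http:// URL will happily use it."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lower:
        return ["no Strict-Transport-Security header; https is not enforced"]
    return []


if __name__ == "__main__":
    for line in audit_page(SAMPLE_HTML, "https://example.test/login"):
        print("FINDING:", line)
    # Constructed response headers, as a server without HSTS would send them.
    for line in check_transport_headers({"Content-Type": "text/html"}):
        print("FINDING:", line)
```

    Run against the constructed page it reports two findings: the login form posting to http://example.test/auth, and the TODO comment; the search form is left alone because its relative action resolves to https and it carries no password field. The point of resolving the action URL rather than just looking at the page's own scheme is that the downgrade bytes describes can hide in a single absolute URL on an otherwise https page.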

  5. #5
    Join Date
    Jul 2002
    Posts
    1,395
    Rep Power
    0


    I guess I have no other choice but to construct my own personal boycott list of people, animals, places and things. Lavabit was a mail provider of mine. Take a look at what I saw after 4 days without being able to access mail: http://www.lavabit.com/
    This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

  6. #6
    Join Date
    Apr 2003
    Posts
    13,269
    Rep Power
    34


    Quote Originally Posted by nullbytes:
    @A_A: There "seem" to be a number of issues. For starters the site leaks too much information. The kind of information that is useful to attackers. This information helps the attackers to tailor their attacks/research etc. The second thing is, how do you even know you are talking to the right site? This site will be serving up some very sensitive information to its subscribers. Yet it seems that authentication takes place over plain HTTP. They also seem to be doing (in)security through obscurity. The comments for example in the source of the pages are helpful.

    So here is an attack scenario. The service will be used by merchants etc. to determine your credit rating. An attacker could go to one of these establishments and simply sniff the traffic. He could also replace some of the scripts (.js) with his own malicious scripts. Several ways to attack this.
    Have you passed this info on to them? They have an email address listed on their site.
    "The best software is the one that fits your needs." - A_A

    Virus free since: date unknown
    Anti-virus free since: August 2008
