Unauthorised usage..
Posted Tuesday 29th April 2008 11:39 GMT
So does this explain the unauthorised usages on the missus's credit card then?
No, this time it's not a joke!! Any other JLP card holders had similar?
Posted Tuesday 29th April 2008 12:09 GMT
"Great if you were planning a phishing attack and wanted to get a complete site layout and set of assets"
wget ?
Posted Tuesday 29th April 2008 12:09 GMT
I'm somewhat confused. Why would `leaking' the directory structure of your site be considered a security flaw? As an analogy, one would never consider `leaking' the layout of a building as a security risk*.
* Unless you are the developer of Terminal 5 and for some reason believe this information is top secret... Possibly under the assumption that no one will ever walk around the building....
Posted Tuesday 29th April 2008 12:31 GMT
Leaking the layout of a building may be an asset to burglars.
Posted Tuesday 29th April 2008 12:53 GMT
http://www.hbeu1.hsbc.com/ukservices/branchlocator/town.asp?town=0%20OR%201=1&type=
Need I say any more?
Posted Tuesday 29th April 2008 12:53 GMT
Yes indeed, but it is security by obscurity, which we know does not work.
Posted Tuesday 29th April 2008 15:22 GMT
I'm interested if you can change some details....
Posted Tuesday 29th April 2008 15:22 GMT
(1) Access to directory listings of the web site can reveal pages that are not linked in. Perhaps the document with the turnover figures that will be released at noon. Perhaps ini files or server side include files with configuration or authorisation details.
(2) Access to directory listings shows that their system build, configuration and testing process is flawed. If they missed an obvious thing like directory listing, what else did they miss?
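A small audit check that follows from point (1), added here as an example and not code from the original thread or the site discussed: it recognises an auto-generated index page and lists what it exposes, so a site owner can confirm listings are off and see which unlinked config or include files would otherwise be visible. The HTML sample and the suffix list are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an Apache-style auto-generated directory listing
# (not a real page from any site; built here for illustration only).
SAMPLE_LISTING = """<html><head><title>Index of /includes</title></head>
<body><h1>Index of /includes</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="db.ini">db.ini</a>
<a href="auth.inc">auth.inc</a>
<a href="results-q1.pdf">results-q1.pdf</a>
<a href="logo.png">logo.png</a>
</pre></body></html>"""

# Suffixes that usually mean configuration or server-side code and should
# never be reachable through a listing (assumed set; extend for your site).
SENSITIVE_SUFFIXES = (".ini", ".inc", ".conf", ".bak", ".sql", ".env")


class _LinkCollector(HTMLParser):
    """Collects every href in the page; autoindex pages link each entry."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body: str) -> bool:
    """True if the response body looks like an auto-generated index page."""
    return re.search(r"<title>\s*Index of /", body, re.IGNORECASE) is not None


def listed_files(body: str) -> list:
    """File names exposed by a listing, minus sort links and parent entry."""
    collector = _LinkCollector()
    collector.feed(body)
    return [h for h in collector.hrefs
            if not h.startswith("?") and not h.startswith("/")]


def sensitive_files(body: str) -> list:
    """Subset of listed files whose suffix suggests config or source."""
    return [f for f in listed_files(body)
            if f.lower().endswith(SENSITIVE_SUFFIXES)]
```

Run the three functions over the body your own server returns for a directory URL; an empty `sensitive_files` result with `is_directory_listing` false is what a correct build should give.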
Posted Tuesday 29th April 2008 15:59 GMT
Depends on your definition of "work". It means any flaws are hard to find. This is a good thing. It gives you more time to find and fix flaws, and means some flaws might never be discovered by baddies at all.
What it is NOT is a substitute for finding and fixing flaws. It's a barrier that will keep out riffraff and cause more determined attackers to take more time and possibly be more noticeable. These are all good things.
The "security by obscurity" mantra only really applies where people use attempted obfuscation INSTEAD of other methods. And in some fields (cryptography) it is much more beneficial to expose your algorithm to scrutiny to hammer out the bugs - but you still hide your key, don't you? ;)