[4276] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (David W. Morris)
Fri Feb 7 03:14:33 1997
Date: Thu, 6 Feb 1997 22:21:48 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: Jay Heiser <Jay@homecom.com>
cc: WWW-SECURITY@ns2.rutgers.edu
In-Reply-To: <32F9F482.5307@HomeCom.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 6 Feb 1997, Jay Heiser wrote:
> would get shut down once it was discovered as hostile. It would be
> difficult to create a site that attracted a lot of attention, but
> couldn't be traced back to an owner. Not impossible.
But unless the hack simply gave money away to random targets, one would
presume there would be tracks to where the money was sent. A bit like
the folks who stole my wife's credit card receipt slip and made a phone
order having the product shipped to them. Considering we had the mailed
confirmation and notified the authorities before the product could have
arrived, I can imagine they might have been surprised when the delivery
person was wearing blue rather than brown... all this to say that an
attack with widespread implications is likely to be pursued by the
applicable authorities.
> You've described case 3, and I think this offers the most potential for
> damage. If you want to get your attack code in front of as many people
> as possible, the way to do it is to place it in a high-traffic area.
>
> [ ... ]
>
> Assuming that attack code becomes a problem on the web, will all web
> site owners have to worry about being hacked and hit with a downstream
> liability suit?
It would take more than simply hacking into a site to create signed
software. The MS scheme doesn't simply ride on top of an SSL
authenticated site connection. I don't know the details but I can
at least postulate the ability to design a signature scheme where
the hacker could seed a web site with bogus software but could never
get access to the internal network with the private key needed to
actually sign the software.
Dave Morris
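The key-separation argument in the last paragraph, as an added Go example that is not part of the original thread: ed25519 is assumed as the signature algorithm and the installer bytes are constructed sample data. The private key exists only on the isolated signing host, the web site holds just the signed release, and a client installs only what verifies under the publisher's public key, so substituting the file on a compromised site or re-signing it with a different key both fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is what a download site serves: the software bytes plus a
// detached signature produced elsewhere. The site never holds a private key.
type Release struct {
	Software  []byte
	Signature []byte
}

// SignOffline models the publisher's isolated signing host. Only it holds
// the private key; the resulting Release is what gets copied to the web site.
func SignOffline(priv ed25519.PrivateKey, software []byte) Release {
	return Release{Software: software, Signature: ed25519.Sign(priv, software)}
}

// Verify is what a client runs before installing. It needs only the
// publisher's public key, obtained out of band (not from the same site).
func Verify(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Software, r.Signature)
}

// Tamper models an attacker who controls the web site: the file can be
// replaced, but the old signature is all they have to attach to it.
func Tamper(r Release, replacement []byte) Release {
	return Release{Software: replacement, Signature: r.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's key pair
	if err != nil {
		panic(err)
	}
	genuine := SignOffline(priv, []byte("constructed sample installer v1.0"))
	fmt.Println("genuine verifies:", Verify(pub, genuine)) // true

	bogus := Tamper(genuine, []byte("constructed sample installer, modified"))
	fmt.Println("swapped file verifies:", Verify(pub, bogus)) // false

	// Re-signing with a key the attacker generated does not help either:
	// clients check against the publisher's key, not whatever is on the site.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignOffline(attackerPriv, bogus.Software)
	fmt.Println("re-signed file verifies:", Verify(pub, forged)) // false
}
```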