[4393] in WWW Security List Archive

Re: ActiveX Bank-Quicken Exploit

daemon@ATHENA.MIT.EDU (David Kennedy)
Thu Feb 13 00:24:43 1997

Date: 12 Feb 97 20:37:44 EST
From: David Kennedy <76702.3557@compuserve.com>
To: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>,
        WWW Security List <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

>> They have in the past worked with financial institutions to
>> reveal vulnerabilities with what at least appear to be noble
>> motives.

>I've yet to find a financial services company that admits to
>hiring known hackers and I'm in a position to be told the real
>story. They may claim that this is the case but it doesn't make
>it so. Even if they have been hired they might well not have
>been if their employer knew they had form.


I no longer recall the details, but about six months ago, one of the CCC members
was over here at a conference we co-sponsor.  He gave a talk where he described
trying to work with a German bank on an EFT vulnerability and when they were
stonewalled, they took the issue to the German press whereupon the bank fixed
the problem.  This is very similar to the ActiveX/Quicken exploit they now have
publicized.  

>From the description at the site these people have no redeeming
>values. 

You won't find me defending hackers.  I will note when a hacker or group have
claimed to do something, by all available evidence the claim is true, and then
they later claim to have done something similar.  

The initial comments were quite sceptical and I do not think they should be
dismissed lightly.

___________________
Dave Kennedy CISSP
Protect what you connect
Look both ways before crossing the Net
National Computer Security Assoc
