Re: Re: [OT] Urgent question about https
> In my experience, probably not.
>
> Commercial site design these days means that all the _large_ etailers
> are running 3 tier servers, with customer-specific information only
> held in the database tier. That means that even if the webheads are
> compromised (which could show the logs),
In this instance the logs are all we need as they'll have the card numbers
in clear text.
> then there's still a firewall
> to compromise to get to the application tier, and yet another firewall
> to compromise before you get to the database.
Why go that far? We hack the first tier and use that as a blunt hacking
tool to go further... Poor coding at tier 1 is one of the best hacking
tools available.
> Obviously, the vast bulk of my experience is with very large etailers,
> who are spending an awful lot on site security. If the etailer in
> question was small, then it's possible that everything just runs on a
> single server.... in which case the compromising of that server trashes
> everything :-(
Don't go there - I'm currently involved in Securing Tier 1 code of an
Internet Bank (not the recently publicised one) - anything you can do at
Tier 5 can be done easier by going for it via Tier 1.
Loopholes and potential hacks can be found in any codebase that is big:
The bigger the better in my experience and most of these banks have coding
flaws.
Spending day in day out looking at sh** code and astounded by some of the
potential flaws at the moment but don't worry you can trust us with your
money ;) < ? >
So it's not really about hacking Tiers or boxes but tricking code units to
do things that they were not designed to do.
Help me! Anyone have a coding job for me in London?
Shaf
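As an added illustration of the point made above, that web-tier logs hold the card numbers in clear text (example code written for this archive, not from anyone in the thread): a logging filter that finds Luhn-valid card numbers in constructed web-tier log lines and masks them before they are written, so a compromised front end does not hand over the PANs. The regex, the Luhn check and the sample lines are all assumptions made here.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps that merely look like PANs stay readable."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(line: str) -> str:
    """Mask every Luhn-valid card number in a log line, keeping the BIN (6) and last 4."""
    def _sub(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # not a card number; leave the value untouched
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(_sub, line)


def scrub_log(lines):
    """Apply mask_pan to each line, as a filter on the web-tier logger would."""
    return [mask_pan(line) for line in lines]


# Constructed sample web-tier log lines; 4111... and 5500... are published test numbers.
SAMPLE_LOG = [
    '10.0.0.7 - - [08/Dec/2003:15:30:45 +0000] "POST /checkout?card=4111-1111-1111-1111&exp=0505 HTTP/1.1" 200 512',
    '{"event":"order_created","order_id":"1234567890123456","amount":"49.99"}',
    'payment gateway request: pan=5500000000000004 cvv=*** result=approved',
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

The order id on the second line fails the Luhn check and is left alone, which is the difference between this filter and a blind "mask every long number" rule.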