The UK Home Automation Archive


Re: Re: [OT] Urgent question about https




> In my experience, probably not.
>
> Commercial site design these days means that all the _large_ etailers
> are running 3 tier servers, with customer-specific information only
> held in the database tier. That means that even if the webheads are
> compromised (which could show the logs),

In this instance the logs are all we need as they'll have the card numbers
in clear text.

> then there's still a firewall
> to compromise to get to the application tier, and yet another firewall
> to compromise before you get to the database.

Why go that far? We hack the first tier and use that as a blunt hacking
tool to go further... Poor coding at tier 1 is one of the best hacking
tools available.

> Obviously, the vast bulk of my experience is with very large etailers,
> who are spending an awful lot on site security. If the etailer in
> question was small, then it's possible that everything just runs on a
> single server.... in which case the compromising of that server trashes
> everything :-(

Don't go there - I'm currently involved in securing Tier 1 code of an
Internet bank (not the recently publicised one) - anything you can do at
Tier 5 can be done more easily by going for it via Tier 1.

Loopholes and potential hacks can be found in any codebase that is big:
the bigger the better in my experience, and most of these banks have coding
flaws.

Spending day in day out looking at sh** code and astounded by some of the
potential flaws at the moment, but don't worry, you can trust us with your
money ;) < ? >

So it's not really about hacking Tiers or boxes but tricking code units to
do things that they were not designed to do.

Help me! Anyone have a coding job for me in London?

Shaf
