20121015

Is it OK to hold credit card numbers in cookies?

Is it OK to hold credit card numbers in cookies? Santander?

From: auto62098873 () hushmail com
Date: Sun, 14 Oct 2012 16:15:05 +0100

Santander are a joke when it comes to security. Fed up after two years of battling with them to fix issues any other bank
would have fixed in seconds, things like XSS on login pages etc. Time to hit full disclosure with some of these issues
in the hope they'll change their game and start to take their customers' security seriously:



*Advisory Information*


 Title: Sensitive Data In Cookies 
 Date published: 2012-03-31 08:16:26 PM
 upSploit Ref: UPS-2012-0004
 
 *Advisory Summary*
 Santander's online banking stores sensitive information, including full credit card numbers, in its cookies, putting this
information at risk.
 
 
*Vendor*
 Santander (UK)
 
*Affected Software*
 Online Banking
 
 https://retail.santander.co.uk
(confirmed for personal online banking)



*Description of Issue*
 Santander online banking unnecessarily stores sensitive information within cookies. Depending on which areas of online 
banking the user visits this information may include the following:
* Full name
* PAN (Credit card number)
* Bank account number and sort code
* Alias
* UserID


Of particular concern is the full PAN, which PCI DSS states should be rendered unreadable anywhere it is stored.


Within Santander's "Security & Privacy" section they state that: "Santander's site-tracking cookies don’t contain name 
or address information". The use of cookies is therefore not in line with this policy.


It should be noted that the HttpOnly flag is not used on any cookies, exposing them to a greater risk of
exposure (for example through XSS) - such as the XSS which was present on the login page for ~1 year before being
inadvertently fixed!


Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout. This means any user
who does not close their browser, even if they log out correctly, will still have these cookies present until they
close their browser, thus increasing the window for exposure.


 
 *PoC*
 The cookies holding the most sensitive information include:
* rinfo
* NewUniversalCookie


On browsing to the "Credit Cards" section and selecting a credit card a cookie such as the following is set (credit 
card number obscured):


rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName=viewRecentTransactions&cardSelected=5***************


The sensitive information in the NewUniversalCookie is base64 encoded; when decoded it is of the format shown below
(sensitive data has been stripped):


NewUserPasswordCookie***************
*References*
 http://tinyurl.com/santander-dpa
 Santander's Cookie Policy, stating "cookies do not contain personal information, and cannot be used to identify you": http://tinyurl.com/santanderCookies
 PCI DSS v2.0: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
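A defender-side check for the three weaknesses the post describes (no HttpOnly/Secure flags, card and account data stored in cookie values, including base64-encoded ones, and cookies not overwritten on logout), written as an added example for this page; it is not code from the Full Disclosure post, from upSploit or from Santander. It parses Set-Cookie headers, reports cookies without HttpOnly/Secure, scans each value (raw, percent-decoded and base64-decoded) for a Luhn-valid PAN or a UK sort code plus account number, and builds the Set-Cookie headers a logout response should send to overwrite the cookies. The cookie names come from the post; every value, the `cardSelected` URL and the sort code/account pair are constructed for the demo, and the PAN is the well-known 4111... test number.

```python
"""Cookie hygiene audit plus logout hardening (added example, constructed data)."""
import base64
import re
from typing import Dict, List
from urllib.parse import unquote

DIGIT_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# UK sort code (xx-xx-xx, dashes optional) followed closely by an 8-digit account number
SORT_CODE_ACCOUNT_RE = re.compile(r"(?<!\d)\d{2}-?\d{2}-?\d{2}\D{0,3}\d{8}(?!\d)")
# Values that look like standard or URL-safe base64 and are worth trying to decode
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the first filter for 'does this digit run look like a PAN'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def candidate_texts(value: str) -> List[str]:
    """The raw value plus its percent-decoded and base64-decoded forms, if any."""
    texts = [value]
    decoded = unquote(value)
    if decoded != value:
        texts.append(decoded)
    for t in list(texts):
        if B64_RE.match(t) and len(t) % 4 == 0 and len(t) >= 8:
            try:
                raw = base64.b64decode(t.replace("-", "+").replace("_", "/"), validate=True)
                texts.append(raw.decode("utf-8", errors="replace"))
            except ValueError:      # binascii.Error is a ValueError subclass
                pass
    return texts


def sensitive_findings(text: str) -> List[str]:
    """Describe card/account data found in one decoded form of a cookie value."""
    findings = []
    for m in DIGIT_RUN_RE.finditer(text):
        if luhn_ok(m.group(0)):
            findings.append(f"Luhn-valid PAN ({m.group(0)[:6]}******)")
    if SORT_CODE_ACCOUNT_RE.search(text):
        findings.append("sort code + account number")
    return findings


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [issues]}; an empty list means the cookie looks clean."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        issues = []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly (readable by script, e.g. via XSS)")
        if "secure" not in attrs:
            issues.append("missing Secure (also sent over plain HTTP)")
        seen = set()
        for text in candidate_texts(value):
            for f in sensitive_findings(text):
                if f not in seen:
                    seen.add(f)
                    issues.append("stores " + f)
        report[name] = issues
    return report


def logout_headers(names: List[str], path: str = "/") -> List[str]:
    """Set-Cookie headers a logout response should send so the browser overwrites
    the cookies immediately instead of keeping them until the window is closed."""
    return [
        f"{n}=; Path={path}; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly"
        for n in names
    ]


# Constructed sample headers (hypothetical values; the PAN is the 4111... test number)
TEST_PAN = "4111111111111111"
UNIVERSAL_PLAINTEXT = f"NewUserPasswordCookie|{TEST_PAN}|12-34-56 12345678|jsmith"
SAMPLE_HEADERS = [
    f"rinfo=/cards/view?op=viewRecentTransactions&cardSelected={TEST_PAN}; Path=/",
    "NewUniversalCookie=" + base64.b64encode(UNIVERSAL_PLAINTEXT.encode()).decode() + "; Path=/",
    "JSESSIONID=opaque-random-id; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie, issues in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or ["ok"])
    print("\n".join(logout_headers(["rinfo", "NewUniversalCookie"])))
```

Feed `audit_set_cookie_headers` the Set-Cookie headers captured from your own application's post-login and logout responses; the third sample cookie shows what a clean result looks like (an opaque session identifier with both flags), and `logout_headers` shows the overwrite the post says is missing, which a logout handler should emit for every cookie it set.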

20121012

How much do cats actually kill

It all started as a comic, but researchers find it is not a good comedy: they're doing it for fun:

20120914

Atomic disaster in Fukushima

English version at this link: "On how the report on the Fukushima accident is based on fallacies, and how a Spaniard was able to prove it"... Sorry about the faulty translation.

My grandmother always told me: Lies have very short legs.

And it's true. Since February I have been investigating the organisations that are lying: NISA (the agency that is the Japanese version of our CSN), TEPCO (Tokyo Electric Company), the Japanese government and the powerful IAEA (International Atomic Energy Agency).

In those cold months, doubts arose about the lack of any video on the net of the explosion of reactor 4 at Fukushima. This made me investigate the matter thoroughly. Trust me when I say that I have read and viewed thousands of technical pages on the subject. And it has produced very good results.

We're talking about economics, the ECONOMY: for countries, energy is like blood for people... it is everything. And the lies we have believed are truly enormous, and people should know the truth... afterwards, each can draw their own conclusions. I am not judging here whether nuclear power is good or bad... I just want them to stop lying.

I have just demolished the official version, the NISA report, and all the lies they have told about the explosion of reactor 4.


The investigation is here.

The official report, or PowerPoint, of NISA (the equivalent of our Spanish CSN) clearly states that hydrogen was channelled from reactor 3 to reactor 4 and that the pool of reactor 4 could not have produced hydrogen because it was in good condition... That NISA report is here:

http://www.nisa.meti.go.jp/english/files/en20120605.pdf


On page 4 we can see this chart...

In more detail... they say that an enormous amount of hydrogen entered the SGTS system... a small pipe system inside the reactor.


The SGTS is the Standby Gas Treatment System. This "unhardened" system discharges gas from the reactor containment vessel, among other things... it is an active system; the other one, the "hardened vent", is a passive system. Remember that reactor 4 had been shut down and empty for more than three months, and therefore the SGTS would not have been enabled at all... since it involves releasing radioactive gases into the atmosphere...

In the official report that you can download here we read:

(4) Fukushima Dai-ichi NPS, Unit 4

"... The cause of the blast at the reactor building has not been clearly identified because of various limitations for confirmation at the field ..."

"... On the other hand, at the adjacent Unit 3, it is assumed that a large amount of hydrogen was generated as a result of the core damage, and a part of it was released by the PCV vent line ...", "... the exhaust duct of the PCV vent line is connected at the exhaust duct of Unit 4 before the exhaust pipe, and a stop valve to prevent reverse flow is not installed at the emergency gas treatment facility. Therefore, it is thought that the hydrogen discharged by venting at Unit 3 may have flowed in ..."

"... As mentioned above, the results of analyzing nuclides from the spent fuel pool and visual inspections have revealed that Unit 4's spent fuel pool remains nearly undamaged ..."


On p. 97 of that report they return to the hydrogen flow diagrams; here it is clearer.

In short: the pool of reactor 4 is perfect and the hydrogen came in through the shared SGTS link at the junction with the vent stack (what a blunder, indeed: they admit that no check valve was installed, the suckers... and they stayed as calm as could be).

I have disproved their alibi.


In this interesting image, taken before the explosion in reactor 4 had occurred, the standby ventilation system can be seen at the top, and given the high resolution of this picture we can take a closer look...

We find that the SGTS pipe linking reactor 3 with reactor 4...
was already broken
... kaput... inoperative!



HOW CAN HYDROGEN TRAVEL through a broken pipe, GENTLEMEN OF NISA, TEPCO, IAEA, THE JAPANESE GOVERNMENT AND OTHER liars?

Why did they forget to mention in the official report that the SGTS pipe was already broken before the explosion in reactor 4? That is certainly a small detail... This is a basic detail that invalidates every subsequent assumption and demonstrates that the analysis has not been objective. Something so relevant cannot simply be overlooked.

Well, I think the research mission has paid off... now we just need someone with the courage to echo this and pass it on to the public.

The last photo shows, from another point of view, that the standby vent pipe of reactor 3 is completely broken. In these photos and videos, the destroyed reactor 4 always appears as a silent witness... until now.



Extracted from an RT video:

Another perspective:

For those who have not yet located the pipes...

I admit that I am used to interpreting technical drawings and diagrams, so it is easy for me to locate them within the facility...

Let's look at three pictures to see if it becomes clear:



I would like to point out that items 1 and 2 are the walls of reactor 4. Item 3 is the vent stack shared between reactors 3 and 4. Item 4 is the SGTS pipe towards reactor 3.



As you can see in this picture, suspicious smoke was coming out of the pipe; as the photo below shows, that smoke could only have come from reactor 4...

... because, as I have shown, the SGTS pipe was broken after the explosion of reactor 3.

This last picture compares the SGTS junction of units 3 and 4 with the satellite photo... unfortunately the resolution of the picture only shows enough basic detail to confirm that this is the same pipe.



We therefore have two clear facts here:

The concealment of the breakage of the SGTS pipe prior to the explosion of reactor 4, which makes it hard to explain the explosion of that reactor by the injection of hydrogen gas from reactor 3.

The mysterious absence of even a single video of the explosion of reactor 4, even though it was the last reactor to blow up in the Fukushima disaster and therefore every media outlet and every government agency would have had it in front of their lenses.

I hope those mysteries are revealed one day, for the good of all.