On Tuesday 04 February 2003 12:45, Mark Lane wrote:
> When I buy something on Interac, it updates my account balance in
> real-time. When I do online banking, it updates my account balance in
> real-time. So both systems have access to my account balance at the bank in
> real-time. Therefore, there must be a connection to the database server
> from both the Internet and Interac Networks.
not really. the database is likely hidden deep behind a firewall that allows
well defined and limited access from specific systems on the net. this would
mean that if you were to compromise the *web server* your online banking
exists on you may have access to the programs that have access to the
database, but this wouldn't alleviate the need for authentication or allow
further access to the database. in fact, if set up correctly, the web server
doesn't handle the actual authentication but relies completely on the
database and simply passes auth data from the client to the db and back
again.
further, it likely isn't even the full master database that the web server
connects to, but a replicated subset of the bank information that is
carefully watched via IDS and human eyes for intrusion.
> If the database server is
> compromised from the internet, it can be used as a gateway to access the
> interac network.
this assumes the database can be compromised from the Internet, and that the
database controls the interac network (i understand that it is the other way
around, though).
denial of service (which is what Slammer did) is quite different from being
able to take hostile control of a system.
--
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
"Everything should be made as simple as possible, but not simpler"
- Albert Einstein
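As an added example (not part of Aaron's post or anything else in this thread), here is what the "well defined and limited access from specific systems" point looks like as a host ruleset on the database server itself, written for nftables. The addresses, interface name, listener port and replication direction are assumed placeholders, not anything the thread states.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original thread. Host-based ruleset for a
# database server behind the perimeter firewall. Addresses, interface name,
# listener port and replication direction are all assumed placeholders.
flush ruleset

define web_tier   = { 10.0.1.10, 10.0.1.11 }   # only the web/app servers
define admin_host = 10.0.9.5                   # bastion used for maintenance
define master_db  = 10.0.2.20                  # master the subset replicates from
define db_port    = 5432                       # assumed DB listener port

table inet db_host {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # WEAK setting, kept only for contrast: this is what "the Internet
        # has a connection to the database" looks like. Any source may connect.
        # tcp dport $db_port accept

        # CORRECTED: the listener is reachable solely from the web tier.
        ip saddr $web_tier tcp dport $db_port ct state new accept

        # maintenance access from one bastion, and nothing else
        ip saddr $admin_host tcp dport 22 ct state new accept

        # Everything that falls through is a policy violation worth a log line
        # for the IDS and the humans watching this replicated subset.
        limit rate 10/minute log prefix "db_host drop: " level warn
    }

    chain output {
        type filter hook output priority 0; policy drop;   # egress is enumerated too
        oifname "lo" accept
        ct state established,related accept
        # pull replication from the master (assumed direction) and nothing else new
        ip daddr $master_db tcp dport $db_port ct state new accept
        limit rate 10/minute log prefix "db_host egress drop: " level warn
    }
}
```

A compromised web server is then still limited to speaking the database protocol to one port, which is where the authentication the post describes has to happen, and every other connection attempt from it shows up in the drop log.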