KGB Vulnerability Advisory 20061013-1

Title: Notre Dame Federal Credit Union Lack of Encryption of Non-Public Information
Date: 13 October 2006
Author: Particle Bored
Vulnerability Class: Information Disclosure
Affected Systems: http://www.ndfcu.org

Overview:
Customer data posted to the site is not encrypted, so non-public data is transmitted over public networks in clear text.

Technical Details:
HTTP POSTs to http://129.74.238.26/borrowers/apply/private/Cosignerinfo.asp transmit non-public data in clear text, including but not limited to name, address, Social Security number and driver's license number.

Impact:
System administrators and others with access to communications destined for the site can easily acquire enough information to steal an individual's identity. Such theft of data would be impossible to detect.

Recommendations:
Use SSL, TLS or another globally accepted protocol to encrypt non-public data as it traverses public networks.

History:
Discovered: 02 October 2006
Vendor Notified: 13 October 2006 (ndfcu@ndfcu.org)
General Release: 13 February 2007, after no response from vendor

Disclosure:
In order to best serve the interests of all those involved, this advisory will be made publicly available 30 days after vendor notification.

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

About KGB:
KGB is an independent vulnerability research organization based in the United States. It provides the results of its research free of charge since that is all most development companies are willing to pay for security and quality assurance.

Copyright 2006 KGB.TO. All rights reserved. Permission is hereby granted for the redistribution of this advisory electronically. It is not to be edited in any way without express consent of KGB.TO. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email particle.bored@kgb.to for permission.
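A defender-side check for the issue described under Technical Details and Recommendations, as an added example that is not part of the advisory: it parses a page's forms and reports any that would submit sensitive-looking fields to a non-HTTPS action. The sample page, host and field-name hints are constructed placeholders, not the site in the advisory.

```python
# Added example (not from the advisory): flag HTML forms that would submit
# sensitive fields over plain HTTP, the class of issue the advisory describes.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest non-public data; extend for your own forms.
SENSITIVE_HINTS = ("ssn", "social", "license", "licence", "dob", "account")

class FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or empty action posts back over the page's own scheme.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_cleartext_forms(page_url, html):
    """Return (action, sensitive_fields) for each form sending such data without TLS."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    findings = []
    for form in auditor.forms:
        if urlsplit(form["action"]).scheme.lower() == "https":
            continue  # protected in transit; nothing to report
        hits = [f for f in form["fields"] if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if hits:
            findings.append((form["action"], hits))
    return findings

# Constructed sample page on a hypothetical host, not the site in the advisory.
SAMPLE_URL = "http://example.test/apply/cosigner.asp"
SAMPLE_HTML = """<form method="post" action="cosigner.asp">
<input name="FullName"><input name="SSN"><input name="DriversLicense"></form>
<form method="post" action="https://example.test/search"><input name="q"></form>"""

if __name__ == "__main__":
    for action, fields in find_cleartext_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"clear-text submission of {fields} to {action}")
```

Run against the live HTML of a login or application page to confirm the form action (after resolving relative URLs) is HTTPS before any non-public field is submitted.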