Full Disclosure mailing list archives

Re: Expired certificate


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 04 Aug 2010 09:44:29 -0500

--On Monday, August 02, 2010 12:36:37 -0400 Elazar Broad <elazar () hushmail com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<snip>
Can't you? The world is full of unpatched systems. You can even find
systems where patches are not installed because it is running a
piece of mission critical software and they would lose support if they
installed any patches (I am not making this up).
</snip>

Spot on. I know of one large accounting/ERP system (which shall
remain nameless, though I am sure there are those out there who
have come across it) that checked the SQL version, including the
revision number at runtime, which made patching SQL impossible.


In those cases where there are such systems, there should be mitigating 
controls around them that increase the difficulty of break-in.  Otherwise the 
IT department is negligent.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
