Penetration Testing mailing list archives
Re: Insecure Security Technologies
From: Dotzero <dotzero () gmail com>
Date: Wed, 24 Dec 2008 17:37:18 -0500
Interesting post Adriel... but not particularly surprising. In fact, I find this type of scenario more common than not. Not too long ago I came across an appliance where the admin interface (web) can be forced to fall back to SSL2 from SSL3. Fortunately I know someone at the company and they responded quickly in addressing it. In other cases the response has not been so good.

You recommend that the customer get a third party to evaluate the software/appliance, but the previous post you asked to have discussed here points out all the fake security experts out there. What's a poor body on the client side supposed to do? <G>

The overall gist you are communicating to me (and likely others) is that there is an awful lot of insecurity out there. Details at 11?

Very few organizations are going to be able to afford third-party evaluations specifically on their behalf every time they purchase software, appliances or even hardware. Hardware, you ask? Yep... a few years back I found a bug in an ASIC in a network device. I'd love to claim that I found it based on something other than accident. I was investigating an interesting behavior in the device out of curiosity.

Speaking from the client side, I'm going to beat the heck out of an eval unit (or software), I'm going to read the reviews and comments of others, ask for independent reports from a third party, and lastly I'm going to ask about the vendor's liability insurance. I am highly unlikely to contract with a third party to test it specifically for my organization. The juice ain't worth the squeeze.

Just a few thoughts.
Current thread:
- Insecure Security Technologies Adriel T. Desautels (Dec 23)
- Re: Insecure Security Technologies M.B.Jr. (Dec 24)
- Re: Insecure Security Technologies Adriel T. Desautels (Dec 24)
- Re: Insecure Security Technologies M.B.Jr. (Dec 24)
- RE: Insecure Security Technologies Shenk, Jerry A (Dec 24)
- RE: Insecure Security Technologies Erin Carroll (Dec 24)
- RE: Insecure Security Technologies Shenk, Jerry A (Dec 24)
- Re: Insecure Security Technologies Adriel T. Desautels (Dec 24)
- Re: Insecure Security Technologies Adriel T. Desautels (Dec 24)
- Re: Insecure Security Technologies M.B.Jr. (Dec 24)
- Message not available
- Re: Insecure Security Technologies M.B.Jr. (Dec 24)
- Message not available
- Re: Insecure Security Technologies Adriel T. Desautels (Dec 24)
- Re: Insecure Security Technologies Adriel T. Desautels (Dec 27)
- Re: Insecure Security Technologies Micheal Cottingham (Dec 27)