Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... more info
From: David Vandervort <irvingthemagnificent () YAHOO COM>
Date: Tue, 31 Oct 2000 15:25:57 -0800
It doesn't matter what you tell them, it won't be good enough.
> Certificates: The bank will issue its own certificates using MS Certificate Server. They will not use the recommended method, certificate hierarchy. They will instead manually set up and issue certificates to clients when a request is approved.
This is the killer. Outside attacks will go for social engineering to gain bogus certificates. They're vulnerable as hell from the inside. They will try to set up accounting controls to limit access, but they've shown by other decisions that they don't understand the technology well enough to make that work.
> The certificates will be installed in MS IE by our support at client sites after receipt via email of the notification of certificate approval.
And the e-mail also has a certificate to verify it? Didn't think so.
> Any detection of certificate compromise will be addressed by revocation and re-issuance to the client using the manual / approval process.
So do a clumsy attack on one in order to force re-issuance of another - that can be stolen.
> The issue is the reliance on the certificate schema versus the VPN. We could argue forever about the effectiveness of authentication by logonid/password, and I'd rather focus on the issue.
The issue is that no matter what you tell them, it will be inadequate. DON'T put yourself in the position to be blamed! Bow out of this one before there's trouble.
> The client base will not exceed 200, so scaling is not really an issue.
Sounds like a special service for the really big bucks clients. The incentive to break their system is, therefore, very high. And their system is inadequate. Do yourself a favor. Walk away.