Penetration Testing mailing list archives
Re: demoing sslv2 vulns
From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 08 Jul 2010 19:56:11 -0500
"Cor Rosielle" <cor () outpost24 com> writes:
> Apart from the attack there is a solution which is fast and easy to implement in Microsoft IIS as in Apache. It will take you a lot more time to do a risk analysis to decide to skip this fix than it takes to actually do it.
Often true. This is a pretty good situation to emphasize, though, that penetration tests aren't always purely technical in nature. They're often rather political after the dust settles.

I've seen environments where the time/effort/risk of changing anything is so high, or there are so many servers in need of change, that management needs a pretty brow-raising demonstration of a paper threat becoming "Look, here's me seeing and modifying your precious SSL transaction, and here's how you will lose money or possibly lose your business" versus "well, there's this theoretical exploitation of a cryptographic weakness conjured by researchers in a very controlled environment that suggests these ciphers are weak, and if you have this cluster of PS3s running custom code, a focused attacker could break your key in a fortnight, and really... it's not hard to fix it."

The ability to demonstrate that is part of why certain companies buy penetration testing services--sometimes the techies need a third party to tear through an environment they've been wanting to upgrade to address security concerns in order to show management exactly why the risk of fixing is much lower than the risk of not fixing.

If a demonstration of this particular issue is that important to a given client, that client should also not be surprised if the assessment company asks for additional money to work up an all-glowing, all-singing, all-dancing demo for management that needs to be convinced that best practices are worthwhile and that this one is a change that involves pretty minimal risk.

Also, if weak ciphers are really the client's only problem, they should count themselves very lucky (or shortchanged in the assessment due to the pen tester not finding another way in, or their own fault of having tied the pentesters' hands behind their back with overly restrictive rules of engagement).
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/