Penetration Testing mailing list archives

Re: demoing sslv2 vulns


From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 08 Jul 2010 19:56:11 -0500

"Cor Rosielle" <cor () outpost24 com> writes:

> Apart from the attack there is a solution which is fast and easy to
> implement in Microsoft IIS as in Apache. It will take you a lot more time to
> do a risk analysis to decide to skip this fix than it takes to actually do
> it.

Often true.  

This is a pretty good situation to emphasize, though, that penetration
tests aren't always purely technical in nature.  They're often rather
political after the dust settles.

I've seen environments where the time/effort/risk of changing anything
is so high, or there are so many servers in need of change that
management needs a pretty brow-raising demonstration of a paper threat
becoming "Look, here's me seeing and modifying your precious SSL
transaction, and here's how you will lose money or possibly lose your
business" versus "well, there's this theoretical exploitation of a
cryptographic weakness conjured by researchers in a very controlled
environment that suggests these ciphers are weak, and if you have this
cluster of PS3's running custom code, a focused attacker could break
your key in a fortnight, and really... it's not hard to fix it."

The ability to demonstrate that is part of why certain companies buy
penetration testing services--sometimes the techies need a third party
to tear through an environment they've been wanting to upgrade to
address security concerns in order to show management exactly why the
risk of fixing is much lower than the risk of not fixing.

If a demonstration of this particular issue is that important to a
given client, that client should also not be surprised if the
assessment company asks for additional money to work up an all glowing
all singing all dancing demo for management that needs to be convinced
that best practices are worthwhile and that this one is a change that
involves pretty minimal risk.

Also, if weak ciphers are really the client's only problem, they
should count themselves very lucky (or shortchanged in the assessment
due to the pen tester not finding another way in, or their own fault
of having tied the pentesters' hands behind their back with overly
restrictive rules of engagement).

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
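The "fast and easy" server-side fix the quoted message refers to, shown here for Apache mod_ssl as an added example that is not part of the thread: the weak virtual host beside its hardened form. Certificate paths are placeholders.

```apacheconf
# Constructed example: an SSL virtual host before and after disabling SSLv2
# and the weak cipher suites that a scanner reports.

# --- Before: what a "weak ciphers / SSLv2 supported" finding looks like ---
# <VirtualHost *:443>
#     SSLEngine on
#     SSLCertificateFile    /etc/ssl/certs/example.crt      # placeholder
#     SSLCertificateKeyFile /etc/ssl/private/example.key    # placeholder
#     SSLProtocol all               # 'all' still includes SSLv2 on mod_ssl of this era
#     SSLCipherSuite ALL:!aNULL     # 'ALL' still admits EXPORT and 40/56-bit suites
# </VirtualHost>

# --- After: the change itself is three directives ---
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.key    # placeholder

    # Keep every protocol mod_ssl knows except SSLv2.
    SSLProtocol all -SSLv2

    # Strong suites only: drop anonymous DH, export-grade, LOW, NULL and MD5 suites.
    SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!LOW:!NULL

    # Let the server, not the client, pick the first mutually supported suite.
    SSLHonorCipherOrder on
</VirtualHost>
```

After a graceful restart, re-run the same scanner that produced the finding against your own host so the report and the fix are tied to the same evidence.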
