Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... more info
From: David Vandervort <irvingthemagnificent () YAHOO COM>
Date: Tue, 31 Oct 2000 15:25:57 -0800

It doesn't matter what you tell them, it won't be good
enough.

Certificates:
The bank will issue its own certificates using MS
Certificate Server.  They will not use the
recommended method, certificate hierarchy.  They
will instead manually set up and issue certificates
to clients when a request is approved.

This is the killer. Outside attacks will go for social
engineering to gain bogus certificates. They're
vulnerable as hell from the inside. They will try to
set up accounting controls to limit access, but
they've shown by other decisions that they don't
understand the technology well enough to make that
work.

The
certificates will be installed in MS IE by our
support at client sites after receipt via email of
the notification of certificate approval.

And the e-mail also has a certificate to verify it?
Didn't think so.

 Any
detection of certificate compromise will be
addressed by revocation and re-issuance to the
client using the manual / approval process.


So do a clumsy attack on one in order to force
re-issuance of another - that can be stolen.

 The issue is the reliance on the
certificate schema versus the VPN.  We could argue
forever about the effectiveness of authentication by
logonid/password, and I'd rather focus on the issue.


The issue is that no matter what you tell them, it
will be inadequate. DON'T put yourself in the position
to be blamed! Bow out of this one before there's
trouble.

The client base will not exceed 200, so scaling is
not really an issue.

Sounds like a special service for the really big bucks
clients. The incentive to break their system is,
therefore, very high. And their system is inadequate.

Do yourself a favor. Walk away.

__________________________________________________
Do You Yahoo!?
From homework help to love advice, Yahoo! Experts has your answer.
http://experts.yahoo.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]