Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Insecure Security Technologies
From: Dotzero <dotzero () gmail com>
Date: Wed, 24 Dec 2008 17:37:18 -0500

Interesting post Adriel.....but not particularly surprising. In fact,
I find this type of scenario more common than not. Not too long ago I
came across an appliance where the admin interface (web) can be forced
to fall back to SSL2 from SSL3. Fortunately I know someone at the
company and they responded quickly in addressing it. In other cases
the response has not been so good.

You recommend that the customer get a third party to evaluate the
software/appliance but the previous post you asked to have discussed
here points out all the fake security experts out there. What's a poor
body on the client side supposed to do? <G>

The overall gist you are communicating to me (and likely others) is
that there is an awful lot of insecurity out there. Details at 11?

Very few organizations are going to be able to afford third party
evaluations specifically on their behalf every time they purchase
software, appliances or even hardware. Hardware you ask? Yep.... a few
years back I found a bug in an ASIC in a network device. I'd love to
claim that I found it based on something other than accident. I was
investigating an interesting behavior in the device out of curioisity.

Speaking from the client side, I'm going to beat the heck out of an
eval unit (or software), I'm going to read the reviews and comments of
others, ask for independent reports from a third party, and lastly I'm
going to ask about the vendors liability insurance. I am highly
unlikely to contract with a third party to test it specifically for my
organization. The juice aint worth the squeeze.

Just a few thoughts.

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]