[ISN] ICSA certifies weak crypto as secure

From: cult hero (jerichoat_private)
Date: Fri May 28 1999 - 00:15:31 PDT


    Forwarded From: "Jay D. Dyson" <jdysonat_private>
    Originally From: Lucky Green <shamrockat_private>
    Originally To: BUGTRAQat_private
    
    I am becoming concerned about the apparent lack of professional competence
    within even well-known segments of the security community. I hope the
    incident I discovered is an isolated one, but even a single such incident
    is disquieting.
    
    There is a site that offers credit reports to consumers called
    ConsumerInfo.com. https://www.consumerinfo.com
    
    The site owner seems to have tried to do everything right. They joined
    TrustE. They had their site certified by ICSA. They clearly have given
    security a serious thought. But the company and all its customers were
    severely let down by ICSA, since the highly confidential information
    submitted by the user to the site is insufficiently "secured" by 40-bit
    TLS. And it is not as if using 128-bit would have been a challenge. The
    site uses IIS and is located in the US. (Not that deploying 40-bit crypto
    would be acceptable even outside the US.)
    
    I find it frightening to think that somebody calling themselves a security
    professional might even consider certifying a site using 40-bit SSL to
    protect crucial customer information. Especially a site in the financial
    sector. Certifying obfuscation as security is an unacceptable level of
    performance by any computer security professional.
    
    I would like to be able to blame simple ignorance of crypto for this deed,
    which alone would be bad enough coming from a security "professional", but
    I am afraid that's not possible, since it is inconceivable that the
    certifying ICSA member was unaware that 128-bit TLS/SSL is industry
    standard. Instead, we must assume that for reasons unknown, but ultimately
    irrelevant, a certification was issued for technology the issuer knew to
    not afford the customer security, or simply didn't bother to check the
    crypto strength. Either way this condemns ICSA (a member of the Gartner
    Group), and reflects very badly on our industry as a whole.
    
    - --Lucky Green <shamrockat_private>
      PGP 5.x  encrypted email preferred
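The check the post says the certifier never made, as an added example that is not part of the original message: it audits the cipher suites an `ssl.SSLContext` you control can negotiate, and judges the suite a live handshake actually produced, against the 128-bit floor the post treats as industry standard. The threshold name, the helper functions and the sample cipher entries are assumptions constructed for this example; `get_ciphers()` and `SSLSocket.cipher()` are the real Python `ssl` calls.

```python
import socket
import ssl

# Threshold taken from the post: 128-bit was the industry standard; 40-bit
# export grade (and 56-bit DES) only obfuscates traffic rather than protecting it.
MIN_STRENGTH_BITS = 128


def weak_ciphers(cipher_entries, minimum=MIN_STRENGTH_BITS):
    """Return the names of cipher suites whose effective key strength is below
    `minimum`. Entries are dicts shaped like ssl.SSLContext.get_ciphers():
    at least 'name', 'protocol' and 'strength_bits'."""
    return [c["name"] for c in cipher_entries if c["strength_bits"] < minimum]


def audit_context(ctx, minimum=MIN_STRENGTH_BITS):
    """Audit a server or client SSLContext you control: list every enabled
    suite that could negotiate a key weaker than `minimum` bits."""
    return weak_ciphers(ctx.get_ciphers(), minimum)


def assess_negotiated(cipher, minimum=MIN_STRENGTH_BITS):
    """Judge the (name, protocol, bits) tuple ssl.SSLSocket.cipher() returns
    after a handshake. Returns (acceptable, human-readable verdict)."""
    name, protocol, bits = cipher
    ok = bits is not None and bits >= minimum
    verdict = "OK" if ok else "WEAK"
    return ok, f"{verdict}: {name} over {protocol} uses {bits}-bit keys"


def probe(host, port=443, timeout=5.0):
    """Connect to a live host you operate and judge the suite it negotiates.
    Needs network access; not exercised by the sample run below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess_negotiated(tls.cipher())


# Constructed sample entries in the shape get_ciphers() produces; the 40-bit
# suite is the export-grade kind the post complains about.
SAMPLE_CIPHERS = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "protocol": "TLSv1", "strength_bits": 56},
    {"name": "AES128-SHA", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "strength_bits": 256},
]

if __name__ == "__main__":
    print("weak suites in sample list:", weak_ciphers(SAMPLE_CIPHERS))
    print("weak suites in default context:", audit_context(ssl.create_default_context()))
    for entry in SAMPLE_CIPHERS:
        print(assess_negotiated((entry["name"], entry["protocol"], entry["strength_bits"]))[1])
```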
    
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:23:58 PDT