Right on, Zot. Analyze your system and prioritize your vulnerabilities. Apply defense in depth. Hide valuable targets (it is hard to attack what you can't find) where you can and provide multiple layers of protection. Any encryption is light years better than none because the encryption helps to hide the interesting stuff. Encryption is one piece of an overall program and in most cases probably not the most important. What a laugh when people generate long keys based upon an eight character pass phrase.

>>> "Zot O'Connor" <zot@private> 04/18/02 04:19PM >>>

A few points to add to the fray:

1) Things like SSL are *minimum* steps. If a site does not even have SSL up and running, it tells me volumes about their *lack* of skill. Having it does not mean the credit card is not stored on a flat file available via network neighborhood, but it's a start.

2) Even weak cryptography raises the bar phenomenally. I have done clean up jobs on boxes that had every single password for an ISP based on POP, FTP and telnet passwords. It was in a nice neat formatted file. Had the information been encrypted, it would have raised the bar.

3) So bad encryption's worst problem is a false sense of security. Had the script kiddies in the box in #2 had an ssh cracker, ssl crack, or other, they would have had more passwords. The ISP *might* have noticed the load then...

So, does this mean you have to sprint out and replace all SSL right now? No. It should be included in all future maintenance and upgrades. You might want to check critical data flows, but I'd be more worried about data storage than transmission (if the transmission is encrypted).

--
Zot O'Connor
http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:12 PDT