
[Full-disclosure] Intercepting Southern California Gas Company user credentials... (socalgas.com)



...should be pretty easy ;-)  Company has been notified many times
privately of this issue, but they appear incompetent.  Time for public
shaming.
"""
$ sslscan myaccount.socalgas.com | grep NULL
    Accepted  SSLv3  0 bits    NULL-SHA
    Accepted  SSLv3  0 bits    NULL-MD5
    Accepted  TLSv1  0 bits    NULL-SHA
    Accepted  TLSv1  0 bits    NULL-MD5
"""

NULL cipher SSL/TLS presents the illusion of security and customers
should be aware that their credentials are easily intercepted.  Wanna
shut off someone's gas in Los Angeles?  :-)
-- 
Kristian Erik Hermansen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
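
An added example, not part of the original post: a Python check that parses sslscan output in the layout quoted above and reports every accepted suite that provides no encryption, so the `grep NULL` test can run as a pass/fail audit of hosts you operate. The function names and the sample report are constructed for illustration.

```python
import re
import sys

# One sslscan result row in the layout quoted in the post, e.g.
#   Accepted  SSLv3  0 bits    NULL-SHA
ROW = re.compile(r"^\s*(Accepted|Rejected|Failed)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

def no_encryption(bits, suite):
    """True when the suite gives no confidentiality: 0-bit key or a NULL cipher."""
    return bits == 0 or "NULL" in suite.upper().split("-")

def audit(report):
    """Return {protocol: [suite, ...]} for accepted suites that do not encrypt."""
    findings = {}
    for line in report.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) != "Accepted":
            continue  # rejected or failed suites cannot be negotiated
        proto, bits, suite = m.group(2), int(m.group(3)), m.group(4)
        if no_encryption(bits, suite):
            findings.setdefault(proto, []).append(suite)
    return findings

# Constructed sample in the same layout (not a capture from any real host).
SAMPLE = """\
    Rejected  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  0 bits    NULL-SHA
    Accepted  TLSv1  0 bits    NULL-MD5
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  0 bits    NULL-SHA
"""

if __name__ == "__main__":
    # Pipe real sslscan output on stdin, or run with no pipe to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = audit(text)
    for proto, suites in sorted(result.items()):
        print(f"{proto}: accepts unencrypted suites: {', '.join(suites)}")
    sys.exit(1 if result else 0)  # non-zero exit fails a CI or cron check
```

A non-empty result means the server's cipher list still permits these suites; in an OpenSSL cipher string they are excluded with `!eNULL`.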