Feb 18th, 2018
We’ve long had it in mind that a lot of the SSL findings discovered by VA scanners are of dubious interest to the majority of companies. Sure, if you are a nation state or a bank with a transactional website, it might be worth attacking you in this way, but if you are a maker of widgets or someone who rents out badminton courts, the chances that someone is going to even try that approach against you are vanishingly small. If they did want to get into your network, a far more realistic approach would be social engineering followed by dropping a piece of malware onto the PC of someone non-technical.
So, we are giving this out as a challenge way in advance of our conference just to give anyone who wants to try it plenty of time. Here is a string encrypted with RC4, which according to all the VA scanners is terribly insecure. We are having a competition at the conference where the answers to the questions can be picked up from our sponsors and the encrypted string will be displayed on the icing of a cake which will be served during the afternoon break.
But if anyone wants to have a go at cracking it in advance – here is the encrypted string. Any correctly decrypted answer needs to come with workings and will be checked by a tame cryptographer. There will be a prize for anyone cracking it in advance and also on the day with the key obtained from the sponsors.
86 35 3D 0C 1A 77 2E C1 EB 39 7F B7 98 93 06 44 E7 71 46 96 68 78 E4 4B A4 77 AC 79 46 27 D1 B1 0C 47 EF 1C 0F DE F5 67 BF A0 09 FA 67 B7 F8 AC E6 2C 02 1B CE EF FC AD 51 07 9D 25 C3 83 64 FF A5 A0 95 44 96 BB E8 32 86 91 92 01 B4 13 50 E5 2C 36 E8 28 5A 81 13 86 57 1F 26 1F 6C 2F 4C 88 D2 5C FC CF 34 EB D1 7E 8A 46 52 16 A6 5A 06 AE 76 FF 62 78 45 7E 6D 8B 12 AC
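For anyone who picks up the key from the sponsors on the day and wants to check their working, here is a plain RC4 (KSA plus PRGA) implementation that decrypts the string above. This is an added example, not code from the original post; the key name KEY_FROM_SPONSORS is a placeholder, since the real key is not given here.

```python
"""RC4 decryptor for the conference challenge string (added example)."""

# The challenge ciphertext exactly as printed in the post (122 bytes).
CHALLENGE_HEX = """
86 35 3D 0C 1A 77 2E C1 EB 39 7F B7 98 93 06 44 E7 71 46 96
68 78 E4 4B A4 77 AC 79 46 27 D1 B1 0C 47 EF 1C 0F DE F5 67
BF A0 09 FA 67 B7 F8 AC E6 2C 02 1B CE EF FC AD 51 07 9D 25
C3 83 64 FF A5 A0 95 44 96 BB E8 32 86 91 92 01 B4 13 50 E5
2C 36 E8 28 5A 81 13 86 57 1F 26 1F 6C 2F 4C 88 D2 5C FC CF
34 EB D1 7E 8A 46 52 16 A6 5A 06 AE 76 FF 62 78 45 7E 6D 8B
12 AC
"""


def parse_hex_bytes(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling, then the PRGA loop."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a symmetric stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_challenge(key: bytes) -> bytes:
    """Decrypt the post's string with a candidate key."""
    return rc4(key, parse_hex_bytes(CHALLENGE_HEX))


if __name__ == "__main__":
    # Placeholder only: substitute the key handed out by the sponsors.
    KEY_FROM_SPONSORS = b"placeholder-key"
    print(decrypt_challenge(KEY_FROM_SPONSORS).decode("ascii", errors="replace"))
```

With the wrong key the output is just noise, so a readable result is itself the check that the key you were given is the right one.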