Support #5168

[SCP ID :##2560##] : Pentest 2014 - POODLE attacks.

Added by Zahir Abd Latif over 9 years ago. Updated over 9 years ago.

Status: Closed - End of life cycle
Start date: January 29, 2015
Priority: Normal
Due date:
Assignee: Zahir Abd Latif
% Done: 100%
Category: Information Site
Spent time: -
Target version: -

Description

Hi,
Kindly attend to the request below:

Please advise on the pentest issue raised by the IT Security team regarding the POODLE attack.
Please refer to the email I sent to Penril support and KFH Support regarding this issue: Fw: VAPT Findings for Year 2014 (Internet Banking Segment) External Assessment

VAPT2014-External VA for IB segment (IT Apps Team).xls (222 KB) Zahir Abd Latif, January 29, 2015 10:51

History

#1 Updated by Zahir Abd Latif over 9 years ago

Refer to the email from Surianie: Fw: VAPT Findings for Year 2014 (Internet Banking Segment) External Assessment

In our recent findings for the external VAPT, our Internet Banking site is vulnerable to POODLE attacks (you may refer to the attachment). Our decision is to disable this protocol. We would like to inform you and require your attention as to whether we can proceed to disable it or not. We will give you two scenarios, with the impact categorised by the decision taken:

1. If SSL3 is disabled:

2. If it remains:

Below is a screenshot of which protocol it uses:

Firefox

Internet Explorer

Bear in mind that the browser will choose the best protocol and cipher strength. In this case it is TLS RSA and TLS RC4. Still, the option to use SSL is there. We look forward to your concerns and answers.

#2 Updated by Yap Kah Yan over 9 years ago

  • Assignee changed from Yap Kah Yan to William Gozali Tan

Hi William,

Please look into this issue.

Thank you.

#3 Updated by Tan Lee Yong over 9 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • % Done changed from 0 to 100

Please provide the answer below to the customer:

We advise you to do a BAU test in the UAT environment before implementing the new setting in production.
This implementation will have an impact on some older browsers, resulting in an SSL connection error. The biggest impact is on Internet Explorer 6 running on Windows XP or older.
Therefore, we advise the bank to inform users to use the latest, supported browsers for security reasons.
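The finding in #1 (the site negotiates SSLv3) and the remediation in #3 (disable SSLv3, then regression-test) both come down to two checks a practitioner would want to script. The shell script below is an added example, not part of this ticket and not code from Penril, KFH or the bank: it (1) parses the output of `openssl s_client -ssl3` to decide whether a server actually negotiated SSLv3, which is the condition POODLE depends on, and (2) statically checks an Apache or nginx TLS stanza for the setting that turns SSLv3 off. The `openssl` transcripts, config snippets and host names are constructed for the example; the live probe additionally assumes an OpenSSL build that still accepts `-ssl3`, which current builds do not.

```shell
#!/bin/sh
# Added example, not from the ticket: (1) decide from `openssl s_client -ssl3`
# output whether a server negotiated SSLv3, the condition POODLE needs; and
# (2) check an Apache or nginx TLS config for the SSLv3-off setting.
# All sample transcripts and config snippets below are constructed.

# Read `openssl s_client -connect host:port -ssl3` output on stdin.
# Return 0 if an SSLv3 session was negotiated, 1 if the server refused.
# A refusal still prints an SSL-Session block, but with "Cipher : 0000"
# (and usually an "alert handshake failure" error line above it).
sslv3_negotiated() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3' &&
       printf '%s\n' "$out" | grep -q 'Cipher *: *[A-Za-z]'; then
        return 0
    fi
    return 1
}

# Live probe (needs network access and an OpenSSL built with SSLv3 enabled;
# current builds reject -ssl3 outright, which says nothing about the server).
# Not executed below; host and port are whatever you pass in.
probe_sslv3() {
    host=$1
    port=${2:-443}
    if printf 'Q\n' | openssl s_client -connect "$host:$port" -ssl3 2>&1 | sslv3_negotiated; then
        echo "FINDING: $host:$port negotiated SSLv3 (POODLE applies)"
        return 0
    fi
    echo "OK: $host:$port refused SSLv3"
    return 1
}

# Read a server config on stdin; return 0 if SSLv3 is still enabled.
# Apache: "SSLProtocol all" (or an explicit SSLv3) keeps it on; "-SSLv3" turns it off.
# nginx:  an "ssl_protocols" line that lists SSLv3 keeps it on.
config_allows_sslv3() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -Ei '^[[:space:]]*SSLProtocol' |
       grep -Eiv '[-!]SSLv3' |
       grep -Eiq '[[:space:]](all|[+]?SSLv3)([[:space:]]|$)'; then
        return 0
    fi
    if printf '%s\n' "$cfg" | grep -Ei '^[[:space:]]*ssl_protocols' |
       grep -Eiq '[[:space:]]SSLv3([[:space:]]|;|$)'; then
        return 0
    fi
    return 1
}

# Constructed (trimmed) `openssl s_client -ssl3` transcripts, one per outcome.
SAMPLE_SSLV3_OK='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
---'
SAMPLE_SSLV3_REFUSED='CONNECTED(00000003)
...:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:...
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---'

# Constructed config stanzas: the weak setting beside its corrected form.
WEAK_APACHE='SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:!aNULL'
FIXED_APACHE='SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL'
WEAK_NGINX='ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;'
FIXED_NGINX='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'

# Stand-alone demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_SSLV3_OK" | sslv3_negotiated; then
    echo "transcript 1: SSLv3 negotiated (vulnerable)"
fi
if ! printf '%s\n' "$SAMPLE_SSLV3_REFUSED" | sslv3_negotiated; then
    echo "transcript 2: SSLv3 refused (fixed)"
fi
for cfg in "$WEAK_APACHE" "$FIXED_APACHE" "$WEAK_NGINX" "$FIXED_NGINX"; do
    line=$(printf '%s\n' "$cfg" | grep -Ei 'SSLProtocol|ssl_protocols')
    if printf '%s\n' "$cfg" | config_allows_sslv3; then
        echo "SSLv3 still enabled by: $line"
    else
        echo "SSLv3 disabled by:      $line"
    fi
done
```

To run the live check, call `probe_sslv3 your.host.example 443` from a machine whose OpenSSL still supports `-ssl3` (an old distribution or a purpose-built binary); a clean "refused" result after the change is what the BAU/UAT test in #3 should confirm before the production rollout, together with checking that supported browsers still connect over TLS.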

#4 Updated by Tan Lee Yong over 9 years ago

  • Status changed from Development / Work In Progress to Pending Customer Feedback

#5 Updated by Zahir Abd Latif over 9 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle
  • Assignee changed from William Gozali Tan to Zahir Abd Latif

Refer to email: Re: [Request ID :##2560##] : Pentest 2014 - POODLE attacks

Case closed.
