Security Basics mailing list archives

Re: How can you trust a company you don't know?


From: SMiller () unimin com
Date: Tue, 21 Oct 2003 17:18:07 -0400


Nicholas,

At the risk of recommending a non-technical solution, I suggest you begin
with the often overlooked but very useful basic reference check.  Get a
customer list from the provider.  Make sure you tell them that you want
only random customers with whom they do not have multi-faceted
relationships (i.e., not customers who are also stakeholders, vendors,
etc.)  Start calling the references and ask pointed questions, including
some about the nature of their relationship with the vendor.  Make sure you
get responsive answers from at least 3 of those customers.  That will
probably mean trying to contact a dozen or so.  You won't like all the
answers, that is to be expected and may not rule out the vendor.  But if
you get a clear indication that the vendor has seriously misled you
(about the service ~or~ the customer relationship) or that the abuse cites
are legitimate, run like hell.  If the vendor tries to tell you that they
can't allow you to check references because their customer list is
confidential, your BS alarm should be clanging immediately;>)

Scott Miller


Nicholas Diotte <xphox () xphox net>
To: security-basics () securityfocus com
Date: 10/21/2003 02:39 PM
Subject: How can you trust a company you don't know?

Greetings List,

Recently I've been asked to look into a product that a company I've never
heard of sells.  The company in question has a service that our Marketing
Department would like to purchase.  It being computer related, IT gets
final say.

Basically this company is advertising "Fully-Branded Emails".  Currently
we restrict our Marketing Dept. from using "fancy" HTML emails, and only
allow them to send plain text.  However this company will allow them to
send Rich Text and HTML emails.  They will even provide what seems to be
impossible reporting, dynamic content (via database), and custom emails
based on user interaction (in other words profiling).  Basically I'm
assuming each email will contain embedded hidden pictures, etc., that will
track what users are doing.  A little scary for me, as the last thing I
want is our company emails being picked up by spyware scanners, etc.

I've done some basic research on the company and they do seem rather
legitimate, however I have found traces of them on a couple mail abuse
lists.

Basically it's an opt-in newsletter; how it works is you give them a
subdomain, and point the MX record to their mailserver.  But how do I know
they won't spam from our domain, how do I know they won't sell the opt-in
list, and what about user tracking...  Do I have to alert our subscribers
that they will in fact be "profiled"?

What steps would you take if you needed to look into a company and give a
report to your VPs, giving the product a yeah or nah?

Thanks,

--Xphox
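The tracking the poster expects (hidden or 1x1 images and per-recipient tokens in image and link URLs) can be checked on a sample newsletter before IT signs off. The scanner below is an added example and is not code from this thread or from any vendor; the sample HTML, the hostnames `news.example.com`, `www.example.com` and `track.vendor-example.net`, and the heuristic that a 16+ character opaque query value is a tracking token are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample newsletter (not a real vendor's output): one ordinary
# logo, one 1x1 open-tracking image, one CSS-hidden image, one tokenized
# click-tracking link and one plain link back to our own site.
SAMPLE_HTML = """<html><body>
<p>Welcome to the Example Co newsletter.</p>
<img src="https://news.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.vendor-example.net/open?u=3f9a2c8e71d04b6f" width="1" height="1" alt="">
<img src="https://track.vendor-example.net/p.gif" style="display: none">
<a href="https://track.vendor-example.net/click?id=9b1d5e7a3c2f4a08&amp;r=1">Read more</a>
<a href="https://www.example.com/about">About us</a>
</body></html>"""

# Assumed heuristic: a query value of 16+ hex/base64-style characters is an
# opaque identifier, i.e. something that can single out the recipient.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-=]{16,}$")


def is_own_host(host, own_domains):
    """True if host is one of our domains or a proper subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in own_domains)


def looks_tiny(value):
    """True for a width/height attribute of 0 or 1 pixels (classic tracking pixel)."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def has_opaque_token(url):
    """True if any query parameter carries an opaque, recipient-looking token."""
    query = parse_qs(urlparse(url).query)
    return any(TOKEN_RE.match(v) for values in query.values() for v in values)


class TrackingScanner(HTMLParser):
    """Collects <img> and <a> elements that show signs of recipient tracking."""

    def __init__(self, own_domains):
        super().__init__()
        self.own_domains = [d.lower() for d in own_domains]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else None
        if not url:
            return
        host = urlparse(url).hostname or ""
        reasons = []
        if tag == "img":
            if looks_tiny(a.get("width")) and looks_tiny(a.get("height")):
                reasons.append("1x1 image")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden image")
        if has_opaque_token(url):
            reasons.append("opaque token in URL")
        if host and not is_own_host(host, self.own_domains):
            reasons.append("third-party host " + host)
        if reasons:
            self.findings.append({"tag": tag, "url": url, "reasons": reasons})


def scan_email_html(html, own_domains):
    """Return a list of {tag, url, reasons} findings for one HTML email body."""
    scanner = TrackingScanner(own_domains)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_HTML, ["example.com"]):
        print(f"<{f['tag']}> {f['url']}\n    " + "; ".join(f["reasons"]))
```

Run against a real proof from the vendor, the findings list is exactly what the subscriber notice has to cover: every third-party host is a party that learns when and by whom the mail was opened, and every tokenized URL ties that event to one recipient. The 1x1 and `display:none` checks are cheap heuristics; an image that is simply unreferenced by the visible layout, or a token hidden in the path rather than the query string, would not be caught and has to be checked by hand.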

---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about
network analyzers. Are you sick of the three window text decodes? Download
ClearSight Network's Analyzer and see a new network analysis tool that
makes the complex - easy
http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021

----------------------------------------------------------------------------