Re: Explanations about the NASA security issues and confused people

[qobaiashi <qobaiashi () gmx net>]

Am Samstag, 25. Oktober 2003 00:44 schrieb Lorenzo Hernandez Garcia-Hierro:
> Hi all,
> Some people is a little confused with the NASA related security
> issues and my advisory,
> so i'm explaining the confusing things:
>
> 1.- Every time NASA staff was knowing what i was doing , i sent
> messages to administrators before doing anything.
>
> 2.- John R. Ray of the NASA Competency Center ( Information
> Technologies Security ) contacted me for solve the issues.
>
> 3.- The report was completely closed to public access when the
> systems were vulnerable
>
> 4.- I provided an accesscode to see the advisory for the NASA staff.

leet

> 5.- I was everytime testing the vulnerabilities and when i found that
> the most important were patched i make public with some restrictions
> the advisory.
>
> 6.- Of course , i wrote a disclaimer that can be found in the main
> web site and http://advisories.nsrg-security.com/disclaimer.txt
>
> 7.- A mail log that has all the exchanged mail between NASA staff and
> me ( and action log too with dates and details ) is available at:
>      http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
>      So ,please , be careful saying that i made it public without
> contacting before the NASA staff.

pretty cool, man!

> 8.- In the report there is no private information about NASA nor
> working exploits against important security holes like sql
> injections.

multo importante!

> 9.- ScreenShots are modified for remove private url addresses ( like
> www.nasa.gov portal admin access )

0day screenshots? 

> 10.- Some people was saying that i wanted fame doing it , definately
> not , i made it for demostrate that web security is a real problem
> and a thing that must be included in security policies of the
> enterprises.

now i see it's not about fame. naming "NASA" +10 times is just to sound...erm 
trustworthy.

> The next generation of hackers will can make damage against servers
> with the only help of a web navigator, the web browser will be a
> really dangerous hacking tool, and it is not the future , it is now ,
> just see last advisories about phpnuke , etc

yeah that's realy interesting!
i've just started writing my new 0day browser with neat phpnuke sploiting 
capability!!

> 11.- The communication between NASA staff and me was completely clear
> except that i didn't received response after i sent a message
> confirmand that the report was finished an they had the access code
> to see it.
>
> CONCLUSIONS
>
> It was a completely clear job between NASA staff and me , they were
> really fast patching ( one day ) and really fast replying my first
> email.
>
> The important thing is that NASA staff knows now wich risk has web
> applications security and how to solve web application securiuty
> issues.

saint lorenzo!
and thanks for letting all of us know what you've done!

> Everything in this life has a final mean , in this case : web
> security must be treated as other security issues , if not , you are
> in risk

clear thing!

> How much times i must rewrite this mail ?

we'll see..

> Best regards and thanks to all members of Ful-Disclosure,

-- 
-q/UNF


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html