Full Disclosure mailing list archives
Re: Do world's famous companies take care of their security?
From: <uncleron () hushmail com>
Date: Mon, 31 Jul 2006 19:03:48 -0500
My experience has been that many companies simply do not care about security until they are forced to. I used to work for a company called Isthmus Group, which claimed to be a security consulting company. Their web hosting environment featured an array of unpatched web servers with vulnerable (sometimes dev versions) of php. Their negligence placed clients (like Sargento Foods) at risk. An IDS that I built recorded automated attacks against servers, yet Isthmus Group left those vulnerable servers in production for months after the NIDS indicated that they were attacked and likely compromised. When Isthmus Group chose to fire me, rather than pay me a fair wage, the reaction from one of the company's owners was that they 'would just have to adjust their clients' expectations downward'. Now isn't that what you look for in a security company? The ability to take the client's money even when they can't provide competant professional services. That has become far to common in IT, at least in the united states. After I left Isthmus Group, I contacted Sargento and informed them that they may not be getting the 'secure web hosting environment' that they were paying for. I suggested that they demand a third party vulnerability assessment and review of Isthmus Groups' (non existant) patching and business continuity/disaster recovery policies; I also offered to provide them with any information they might require to protect their interests. Sargento never responded to my generous offer; it appears that the integrity of customer data submitted to their web site is not a priority for them. As long as companies are not held accountable for their actions (or inactions) data that they collect will not be secure. As long as Sargent o continues to pay Isthmus Group for sub-par web hosting, there is no incentive for Isthmus Group to do things right and patch their hacker-bait servers. As long as Sargento's customers continue to use the vulnerable web site and submit private data to insecure servers, there is no incentive for Sargento to clean up their act. Most consumers are oblivious to the gross incompetance of the companies that they deal with every day. Companies (at least in the united states) are primarily interested in funneling as much money as possible to the criminal executive officers. This results in cutting corners, and prime territory for cutting corners is service to customers. As long as companies can ignore data security with impunity, they will do so. On Mon, 31 Jul 2006 03:17:20 -0500 Valery Marchuk <tecklord () argocom cv ua> wrote:
Do world's famous companies take care of their security? There was discussion last week in the Full-Disclosure about XSS vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron suggested creation of a separate mailing list for just XSS vulnerabilities. I would agree with him if PayPal and many other world's famous companies tried at least to patch such bugs: The incident with Netscape must be example for everyone. Actually I don't understand the behavior of such companies. XSS bugs are easy to discover and easy to fix, so what's the problem? And instead of monitoring bugs these companies just put into risk their customers. That's how they do their business and that's how they take care of us - their customers. There are XSS flaws at Digg's and Netscape's web sites. Are they planning to fix them? There are still XSS flaws at PayPal`s web site (two years and one week after XSS bugs were reveled). Are they planning to fix them? Example of XSS vulns are in my blog at http://www.securitylab.ru/blog/tecklord/?category=19 I will publish such information in my blog and hope that companies will take care of their security. Valery Marchuk
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Do world's famous companies take care of their security? Valery Marchuk (Jul 31)
- Re: Do world's famous companies take care of their security? n3td3v (Jul 31)
- Re: Do world's famous companies take care of their security? n3td3v (Jul 31)
- Re: Do world's famous companies take care of their security? Octal (Jul 31)
- Re: Do world's famous companies take care of theirsecurity? Morning Wood (Jul 31)
- Re: Do world's famous companies take care of their security? Octal (Jul 31)
- <Possible follow-ups>
- Re: Do world's famous companies take care of their security? uncleron (Jul 31)
- Re: Do world's famous companies take care of their security? Dude VanWinkle (Jul 31)