Information Security News mailing list archives
Re: Columbia House breach exposes customer info
From: InfoSec News <isn () C4I ORG>
Date: Sat, 24 Feb 2001 22:05:14 -0600
Forwarded by: Nicolas GREGOIRE <nicolas.gregoire () 7thzone com>

InfoSec News wrote:
"It's almost negligent to have this type of error--it's something you're trained to solve in very basic Web training courses, not to leave directory indexing on. A large business shouldn't have such a simple mistake on their site," said Alway, who immediately sent an e-mail to technical contacts at the site Friday. He said he received a response Wednesday that the site had been fixed.
Setting "Directory indexing : Off" doesn't solve the problem. That's just "security through obscurity"! The right thing to do is restrict access via login/pass and/or IP. I've seen some CGI scanners trying /admin/, /test/ and these tricks work really too often. So, the webmasters of big sites don't need _only_ "basic Web training courses" but also security courses about the risks of their website-structure design ...

Nicob

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
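
The distinction drawn in the reply above, shown as an added configuration example that is not part of the original post. It assumes Apache httpd 2.4 (the post names no server); the directory path, realm name, password file and address range are placeholders.

```apache
# Indexing off only: the listing is hidden, but any file under /admin/
# is still served to whoever requests it by name.
<Directory "/var/www/example/admin">
    Options -Indexes
    Require all granted
</Directory>

# Access restricted: the same directory now requires a login AND a
# permitted source address before anything in it is served.
<Directory "/var/www/example/admin">
    Options -Indexes

    # Login/password (serve this over TLS; Basic auth sends the
    # credentials with every request).
    AuthType Basic
    AuthName "Site administration"
    # Placeholder path: keep the password file outside the document root.
    AuthUserFile "/etc/apache2/example.htpasswd"

    # RequireAll = login and IP. Use RequireAny instead for login or IP.
    <RequireAll>
        Require valid-user
        # Placeholder range (192.0.2.0/24 is reserved for documentation).
        Require ip 192.0.2.0/24
    </RequireAll>
</Directory>
```

With the second block in place, a request for a known file name under the directory returns 401 or 403 instead of the file, which is the difference between hiding the listing and restricting access.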