Information Security News mailing list archives

Cisco blunders with insecure web page


From: InfoSec News <isn () c4i org>
Date: Thu, 25 Apr 2002 03:09:13 -0500 (CDT)

http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=52897&REQSTR1=silicon.com

Wednesday 24th April 2002

Cisco has been forced to close an online registration form after
neglecting to secure the web page.

The page was part of a marketing programme which offered Cisco's
second-tier resellers in Europe the chance to increase marketing funds
if they upped sales of certain Cisco products.

But applicants registering for the programme online discovered their
banking and company details were going onto an open web page. When one
irate silicon.com reader called the Cisco helpdesk, he was informed
that the company was aware of the problem because several other users
had complained.

Helpdesk staff recommended that users enter fake details on the web
and forward the real information in the post, a course of action our
reader regarded as an extreme waste of time.

In a statement, Cisco said it had pulled the registration URL for 48
hours to install SSL (secure sockets layer) - a common way of securing
web pages.

A spokesman for the company said: "I can only put it down to an
unfortunate oversight in corporate procedure - not a great deal of
people have been affected but that's no excuse."

The registration site had been running for 10 days before it was taken
down on Monday. Cisco said just 100 people had registered in that
time.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

