Penetration Testing mailing list archives

Re: Informing Companies about security vulnerabilities...


From: Steve Friedl <steve () unixwiz net>
Date: Wed, 4 Oct 2006 12:46:03 -0700

On Wed, Oct 04, 2006 at 03:07:12AM -0400, Joseph McCray wrote:
This probably won't sound like that big of a deal, but it still bothered
me so I figured I'd ask the list. I was teaching a Web Application
Security class last week and we were performing simple XSS, SQL
Injection, etc on the vulnerable web apps I use for class.

Normally, I go to a live public website or two during the class and we
talk about common tests to perform and how to approach certain types of
websites. A common subject is how to handle large websites with tons of
dynamic content - so the class chose a major newspaper's website for the
discussion.

[ snip: security problems found, letters ignored ]

Has anyone else gone through a similar situation? Was the company
receptive? Other companies I've contacted in the past have been quite
receptive - I'm just curious if other people have gone through this as
well.

This is what I have long called The Big Surprise of security consulting:
people just don't care about this. I used to make unsolicited reports
of this nature, but I gave up years ago because the response was always
so lousy.

The rough breakdown over several years was something like:

        80% - got no reply, didn't fix the problem
        10% - received thank you, fixed the problem
         5% - received thank you, but didn't fix the problem
         5% - received hostile reply

Now these were reports that could not be confused with a threat or a
shakedown: respectful, specifically disclaimed any consulting, included
all the technical information to allow them to verify it for themselves,
and an urging to contact their local security experts to get help.

It's easy to imagine that a non-technical shop (say, a big newspaper)
would simply not get it due to the eyes-glaze-over factor, but this is
not sufficient to explain this effect:

Item:

My old ISP, a substantial enterprise (not a mom+pop shop) had their
entire corporate network wide open, and it was a small matter to attach
to their customer-care systems and find my own records. This was ignored
for more than a year in spite of ongoing reports to a guy in customer
service who seemed to appreciate the seriousness of the matter.

Item:

The *Association of Computing Machinery* had the same problem - wide open
everything, including their Oracle database - but this time I did get a reply.
I was told to GET LOST.

It was only because I was persistent that I convinced the guy to let me
tell him how to see the issue himself (he was *certain* that I could not
get into the Oracle system remotely), and only then did he grudgingly
allow me to help him set up some NETBIOS filters on his firewall. There
were other problems, but at this point it was just too much work so I
let the rest go.

If a professional ISP (with a security consulting arm!) and the ACM don't
"get it" about security, it suggests the problem is rooted more in human
nature than it is about technical -vs- nontechnical staff.

I gave up doing these kinds of reports a long time ago because of this.

Steve

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve () unixwiz net
