Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: Steve Friedl <steve () unixwiz net>
Date: Wed, 4 Oct 2006 12:46:03 -0700
On Wed, Oct 04, 2006 at 03:07:12AM -0400, Joseph McCray wrote:
> This probably won't sound like that big of a deal, but it still bothered me so I figured I'd ask the list. I was teaching a Web Application Security class last week and we were performing simple XSS, SQL Injection, etc. on the vulnerable web apps I use for class. Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to approach certain types of websites. A common subject is how to handle large websites with tons of dynamic content - so the class chose a major newspaper's website for the discussion.
[ snip: security problems found, letters ignored ]
> Has anyone else gone through a similar situation? Was the company receptive? Other companies I've contacted in the past have been quite receptive - I'm just curious if other people have gone through this as well.
This is what I have long called The Big Surprise of security consulting: people just don't care about this. I used to make unsolicited reports of this nature, but I gave up years ago because the response was always so lousy. The rough breakdown over several years was something like:

  80% - got no reply, didn't fix the problem
  10% - received thank you, fixed the problem
   5% - received thank you, but didn't fix the problem
   5% - received hostile reply

Now these were reports that could not be confused with a threat or a shakedown: respectful, specifically disclaimed any consulting, included all the technical information to allow them to verify it for themselves, and an urging to contact their local security experts to get help.

It's easy to imagine that a non-technical shop (say, a big newspaper) would simply not get it due to the eyes-glaze-over factor, but this is not sufficient to explain this effect:

Item: My old ISP, a substantial enterprise (not a mom+pop shop) had their entire corporate network wide open, and it was a small matter to attach to their customer-care systems and find my own records. This was ignored for more than a year in spite of ongoing reports to a guy in customer service who seemed to appreciate the seriousness of the matter.

Item: The *Association of Computing Machinery* had the same problem - wide open everything, including their Oracle database - but this time I did get a reply. I was told to GET LOST. It was only because I was persistent that I convinced the guy to let me tell him how to see the issue himself (he was *certain* that I could not get into the Oracle system remotely), and only then did he grudgingly allow me to help him set up some NETBIOS filters on his firewall. There were other problems, but at this point it was just too much work so I let the rest go.

If a professional ISP (with a security consulting arm!)
and the ACM don't "get it" about security, it suggests the problem is rooted more in human nature than it is about technical -vs- nontechnical staff. I gave up doing these kinds of reports a long time ago because of this.

Steve

---
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net