Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: Wolf Halton <saphil () yahoo com>
Date: Wed, 4 Oct 2006 18:14:02 -0700 (PDT)
sla.ckers.com has lists of sites that might have various vulnerabilities. On a similar note, does knowing that most Kwikset door locks can be picked by a professional in about 20 seconds make you have to pick all of them that you see? That is almost as fast as the owner of the key can turn the lock, but knowing it (even knowing how to do it) doesn't make you a criminal. I think we need a much stronger professional association to legitimize our use of our minds and skill-sets. I hate the idea of state-sanctioned anything, but state licensing based upon passing some set of certificates might be very useful to avoid these knee-jerk witch-hunting parties.

--- Andreas Putzo <putzoa () gmx de> wrote:
On Oct 04, Joseph McCray wrote:

> Usually when we do this we only find a few simple things (XSS for example) - no big deal, right. With this particular website we just kept finding another, after another and on and on. Over 600 instances of XSS, over 200 SQL Injection - this was bad. After a while it started to get boring, there were so many....
>
> So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my findings and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called, I just said forget it.

You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so. Depending on the information you can get through the website (customer data anywhere?) and the laws in your country (IANAL, btw.) you may go to the intrigued publicity, indeed. They gotta do something if someone actually defaced their website.

-- regards, Andreas Putzo
Current thread:
- Informing Companies about security vulnerabilities... Joseph McCray (Oct 04)
- RE: Informing Companies about security vulnerabilities... Clemens, Dan (Oct 04)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 04)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 04)
- Re: Informing Companies about security vulnerabilities... Jex (Oct 04)
- Re: Informing Companies about security vulnerabilities... Wolf Halton (Oct 04)
- Re: Informing Companies about security vulnerabilities... Micro Kluge (Oct 06)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 04)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 05)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 05)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 05)
- Re: Informing Companies about security vulnerabilities... s-williams (Oct 05)
- Re: Informing Companies about security vulnerabilities... Dan Catalin Vasile (Oct 05)
- <Possible follow-ups>
- RE: Informing Companies about security vulnerabilities... bugtraq (Oct 04)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... gat0r (Oct 06)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)