Re: Informing Companies about security vulnerabilities...

[gat0r <gat0r () toughguy net>]

If the armchair lawyers and their lap dogs are done giving their free advice
and stroking their egos...

Perhaps we could get some input from some people who have actually done some
real security work and audits on this situation, legal opinions on scanning
a public website aside.  Thanks to Steve for a decent response to the
question.

Frankly its naïve to a have internet public facing anything and not expect
it to get scanned and (at some point) owned.  I would personally rather get
an email from a guy helping me fix my site versus waking up and not having
the index.html I left it with the day before.  And a defacement is probably
the lesser of all the potential evils...


-G



On 10/4/06 2:10 PM, "Brian.Marino () onenterprises com"
<Brian.Marino () onenterprises com> wrote:

> My sentiments exactly.
>
>
>                  
>              bugtraq@cgisecuri
>              ty.net
>              Sent by:                                                   To
>              listbounce@securi         joe () learnsecurityonline com;,
>              tyfocus.com               pen-test () securityfocus com
>                                                                         cc
>                                        bugtraq () securityfocus com
>              10/04/2006 03:15                                      Subject
>              PM                        RE: Informing Companies about
>                                        security vulnerabilities...
>                  
>                  
>                  
>                  
>                  
>                  
>
>
>
>
> So you are admitting publicly that you and a class of students that you
> teach are illegally testing random public
> websites for the purpose of learning about security vulnerabilities? Sounds
> like you/your company need to speak
> with a lawyer.
>
> - Robert
> http://www.cgisecurity.com/ Application Security news and more
> http://www.cgisecurity.com/index.rss [RSS Security Feed]
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Joseph McCray
> Sent: Wednesday, October 04, 2006 3:07 AM
> To: pen-test () securityfocus com
> Subject: Informing Companies about security vulnerabilities...
>
> This probably won't sound like that big of a deal, but it still bothered me
> so I figured I'd ask the list. I was teaching a Web Application Security
> class last week and we were performing simple XXS, SQL Injection, etc on
> the vulnerable web apps I use for class.
>
>
> Normally, I go to a live public website or two during the class and we talk
> about common tests to perform and how to approach certain types of
> websites. A common subject is how to handle large website with tons of
> dymanic content - so the class chose a major newspaper's website for the
> discussion.
>
> Usually when we do this we only find a few simple things (XXS for
> example) - no big deal right. With this particular website we just kept
> finding another, after another and on and on. Over 600 instances of XXS,
> over 200 SQL Injection - this was bad. After a while it started to get
> boring there was so many....
>
> So I drafted a letter to the editor as well as several other prominent
> people at the newspaper. It detailed my finding and recommended some
> possible mitigation strategies. After emailing this I didn't hear anything
> for a few days, so I emailed it again and followed up with a phone call.
> After getting no response to the second email and then having been bounced
> around from department to department when I called I just said forget it.
>
> Has anyone else gone through a similar situation? Was the company
> receptive? Other companies I've contacted in the past have been quite
> receptive - I'm just curious if other people have gone through this as
> well.
>
> No need to fill the list with this, you can email me directly with your
> inputs and stories.
>
> --
> Joe McCray
> Toll Free:  1-866-892-2132
> Email:      joe () learnsecurityonline com
> Web:        https://www.learnsecurityonline.com
>
>
> Learn Security Online, Inc.
>
> * Security Games        * Simulators
> * Challenge Servers     * Courses
> * Hacking Competitions  * Hacklab Access
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016000000
> 08bOW
>
> ------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016000000
> 08bOW
> ------------------------------------------------------------------------




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------