lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 30 Mar 2011 18:12:37 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Ryan Sears <rdsears@....edu>, "noloader@...il.com" <noloader@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Vulnerabilities in *McAfee.com

Well, I think there is a flip side to this, and that is the fact that no one is asking these people to inspect their sites for vulnerabilities.   They are taking it upon themselves to scan the sites actively looking for vulnerabilities for the sole purpose of exposing them.  They may say that they are doing it "to ensure that the vendors fix their problems" but it's not really any of their business to do so.    

I think someone would be hard pressed to justify (defend) their actions when they basically "attack" a site that they don't own, without permission, with the express intent of finding a vulnerability.  That's the difference between a "test" and an "attack."   It doesn't matter how trivial their finds are, or what the outcome of the scan is, it is the fact that no one asked, nor wants them to do this.  

Technically, what they are doing is in fact illegal - in the US anyway.   So there is another aspect of this that deserves some discussion, I think.

t


>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
>bounces@...ts.grok.org.uk] On Behalf Of Ryan Sears
>Sent: Wednesday, March 30, 2011 10:45 AM
>To: noloader@...il.com
>Cc: full-disclosure
>Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
>Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that matter),
>if anyone should understand that a XSS should really only be construed a
>'criminal act' if it's indeed used to attack someone. If a group is taking the time
>out of their day to find and disclose issues to Mcafee, they should probably be
>thankful. What about finding a vulnerability in Mcafee's virus scanner? Could
>that be construed as a 'criminal act' if they disclose it? Where do you draw the
>line?
>
>Basically this sort of thing pushes the community into silence until something
>truly criminal happens. I'm not saying give anyone massive amounts of credit
>for publishing a few XSS bugs (because there's millions of them out there),
>but don't label them as a criminal for trying to help. That's just idiotic IMO.
>
>If you run an enterprise level solution for antivirus AND web vulnerability
>testing, the community understands that it's a process not unlike any other.
>There will be bugs, but it only demolishes the image of Mcafee to see them
>handle it like this in particular. If they would have been appreciative about it,
>and promptly fixed their website (or at the very least maintained friendly
>contact) this incident would have pretty much gone un-noticed.
>
>Look at LastPass as an example.
>
>http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
>
>They had someone poking at their site, who managed to find a XSS bug using
>CRLF injections. They were appreciative of the find, 2.5 hrs later the issue was
>fixed, and there was that blog post about exactly what they were going to do
>about it. They took full responsibility for the fact that THEIR coding was to
>blame, and basically said 'This is what happened, and this is why it will
>probably never happen again'. This spoke hugely to me (as I'm sure it did the
>rest of the community) because it shows a company that's willing to admit it
>made a mistake, as opposed to sitting on their haunches and blaming people
>for looking for these sorts of bugs. Oh and not every customer of their service
>has to pay massive licensing fees, as there's a free version as well. In my mind
>at least this equates to a company that cares more about their customers that
>don't pay a single dime, then a company who forces people to pay massive
>amounts of coin for shaky automated scanning and services. That's just the
>way I see it though.
>
>
>Someone's gotta tell the emperor he has no clothes on.
>
>Ryan
>
>----- Original Message -----
>From: "Jeffrey Walton" <noloader@...il.com>
>To: "YGN Ethical Hacker Group" <lists@...g.net>
>Cc: "full-disclosure" <full-disclosure@...ts.grok.org.uk>
>Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
>Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
>On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group <lists@...g.net>
>wrote:
>> According to xssed.com,  there are two remaining XSS issues:
>>
>> https://kb.mcafee.com/corporate/index?page=content&id="; alert(1); //
>> https://kc.mcafee.com/corporate/index?page=content&id="; alert(1); //
>>
>>
>> You guys know our disclosed issues are very simple and can easily be
>> found through viewing HTML/JS source codes and simple Google Hacking
>>
>(http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.m
>cafee.com).
>>
>> However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
>> http://www.cenzic.com/company/management/khera/,  according to
>Network
>> World News editor - Ellen Messmer.  Thus, the next target is Cenzic
>> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
>> is.
>Too funny.... I wonder is Aaron Barr is consulting for Cenzic.
>
>Jeff
>
>>> [SNIP]
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ