lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20060801000351.E38B3DA820@mailserver8.hushmail.com>
Date: Mon, 31 Jul 2006 19:03:48 -0500
From: <uncleron@...hmail.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>,
	<tecklord@...ocom.cv.ua>
Cc: 
Subject: Re: Do world's famous companies take care of their
	security?

My experience has been that many companies simply do not care about 
security until they are forced to.  

I used to work for a company called Isthmus Group, which claimed to 
be a security consulting company.  Their web hosting environment 
featured an array of unpatched web servers with vulnerable 
(sometimes dev versions) of php.  Their negligence placed clients 
(like Sargento Foods) at risk.  An IDS that I built recorded 
automated attacks against servers, yet Isthmus Group left those 
vulnerable servers in production for months after the NIDS 
indicated that they were attacked and likely compromised.

When Isthmus Group chose to fire me, rather than pay me a fair 
wage, the reaction from one of the company's owners was that they 
'would just have to adjust their clients' expectations downward'.  
Now isn't that what you look for in a security company? The ability 
to take the client's money even when they can't provide competant 
professional services.  That has become far to common in IT, at 
least in the united states.

After I left Isthmus Group, I contacted Sargento and informed them 
that they may not be getting the 'secure web hosting environment' 
that they were paying for.  I suggested that they demand a third 
party vulnerability assessment and review of Isthmus Groups' (non 
existant) patching and business continuity/disaster recovery 
policies; I also offered to provide them with any information they 
might require to protect their interests.  Sargento never responded 
to my generous offer; it appears that the integrity of customer 
data submitted to their web site is not a priority for them.

As long as companies are not held accountable for their actions (or 
inactions) data that they collect will not be secure.  As long as 
Sargent o continues to pay Isthmus Group for sub-par web hosting, 
there is no incentive for Isthmus Group to do things right and 
patch their hacker-bait servers.  As long as Sargento's customers 
continue to use the vulnerable web site and submit private data to 
insecure servers, there is no incentive for Sargento to clean up 
their act.  Most consumers are oblivious to the gross incompetance 
of the companies that they deal with every day.

Companies (at least in the united states) are primarily interested 
in funneling as much money as possible to the criminal executive 
officers.  This results in cutting corners, and prime territory for 
cutting corners is service to customers.  As long as companies can 
ignore data security with impunity, they will do so.



On Mon, 31 Jul 2006 03:17:20 -0500 Valery Marchuk 
<tecklord@...ocom.cv.ua> wrote:
>Do world's famous companies take care of their security?
>
>
>
>There was discussion last week in the Full-Disclosure about XSS 
>vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron 
>suggested creation of a separate mailing list for just XSS 
>vulnerabilities. I would agree with him if PayPal and many other 
>world's famous companies tried at least to patch such bugs:
>
>The incident with Netscape must be example for everyone. Actually 
>I don't understand the behavior of such companies. XSS bugs are 
>easy to discover and easy to fix, so what's the problem? And 
>instead of monitoring bugs these companies just put into risk 
>their customers. That's how they do their business and that's how 
>they take care of us - their customers. 
>
>There are XSS flaws at Digg's and Netscape's web sites. Are they 
>planning to fix them?
>
> 
>
>There are still XSS flaws at PayPal`s web site (two years and one 
>week after XSS bugs were reveled). Are they planning to fix them? 
>
>
>
>Example of XSS vulns are in my blog at 
>
>http://www.securitylab.ru/blog/tecklord/?category=19
>
>
>
>I will publish such information in my blog and hope that companies 
>will take care of their security.
>
> 
>
>
>Valery Marchuk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ