[Full-Disclosure] openssl exploit code (e-secure-it owned)

From: hellNbak (hellnbak@nmrc.org)
Date: 09/19/02

From: hellnbak@nmrc.org (hellNbak)
Date: Thu, 19 Sep 2002 10:54:04 -0400 (EDT)

On Thu, 19 Sep 2002, Arjen De Landgraaf wrote:

> Thank you for taking the time to research our background,
> although a bit one-sided.
> Yes, a website got defaced a long time ago. That is a fact.
> No-one is 100% secure (Richard Clarke), and we did learn from it.

You were defaced by a known security issue. There was a patch available,
yet you still got defaced. So don't try to fall back on the "no one is
100% secure" garbage, because you were not even 50% secure when the
defacement happened.

> However, you could acknowledge that we were not the
> only one at the same time. Untold security companies
> and sites were defaced by PoizonB0x and others
> in that very same period. Including: SecurityNewsportal, CNet,
> Attrition, Lucent. Microsoft (18 times in total?), SANS,
> CERT, SecurityFocus and many others.

Was SecurityFocus actually defaced? I thought they whacked an ad server
that then placed a hacked banner on the SF site. I could be wrong though.

> If you also would have taken the effort to dig a bit further,
> you would also have found that two weeks later IDG NZ
> published a correction on their article, as it contained
> factual errors. As it happens with news media,
> the first article got spread around the world pretty
> quickly, the correction did not.

In other words, you guys made a quote, "oh, it was a honeypot", then
realized how stupid it sounded, so had a retraction printed.

> from readers of this list, and they are all very positive.
> In fact, you are the only negative. Even more particular,
> your review is extremely negative. Makes me wonder why.

Here is another negative one. Your site is horrible to navigate through.

> Our logs show no evidence that you actually went into
> the database to "do your review", and I must therefore ask
> questions on the objectivity of the "review" you conducted.

So your database includes a list of every known IP address that Eric might
have used?

> I challenge you to show any other online single free source with
> more complete information, any other free portal that enables
> a complete check-up on any and each IT infrastructure component,
> incl routers, firewalls, databases, O/S's etc etc. in a practical
> way. Where an IT professional can check on all components
> of their IT infrastructure on potential vulnerabilities and patches.

There is one coming, although it is different from yours. It's not being
used to sell a service, and there are no fees associated with it.

> You mentioned that the data is a week old.
> Heh, we just got it on the air last Sunday, give us a break. We
> have already had many thousands of hits within a few days. Managing
> performance is a more important issue. Anyway, the data was
> at the time of your "review" only 2 days old.

I thought you guys only did weekly updates? Can I do a dump of the entire
database for my use?

> These subscribers are very happy to pay for the added value we
> provide to them in our E-Secure-IT alerting service.

There is the kicker. You are not a free service, so don't pretend to be

> The actual E-Secure-DB database component is now available to
> the global IT and business community. Free.

As a marketing ploy to sell your other services. At least be honest about

> We believe that this initiative can make a powerful and positive
> difference to the IT professionals all over the world.

You are right, it probably will but don't pretend that you are not a
business and that you don't have the motive of also making money off of
this venture. That is where the problem is, in my mind anyways.

"I don't intend to offend, I offend with my intent"