[Full-Disclosure] openssl exploit code (e-secure-it owned)

From: hellNbak (hellnbak@nmrc.org)
Date: 09/19/02


From: hellnbak@nmrc.org (hellNbak)
Date: Thu, 19 Sep 2002 10:54:04 -0400 (EDT)

On Thu, 19 Sep 2002, Arjen De Landgraaf wrote:

> Thank you for taking the time to research our background,
> although a bit one-sided.
> Yes, a website got defaced a long time ago. That is a fact.
> No-one is 100% secure (Richard Clarke), and we did learn from it.

You were defaced by a known security issue. There was a patch available
yet you still got defaced. So don't try and fall back on to the no one is
100% secure garbage because you were not even 50% secure when the
defacement happened.

> However, you could acknowledge that we were not the
> only one at the same time. Untold security companies
> and sites were defaced by PoizonB0x and others
> in that very same period. Including: SecurityNewsportal, CNet,
> Attrition, Lucent, Microsoft (18 times in total?), SANS,
> CERT, SecurityFocus and many others.

Was SecurityFocus actually defaced? I thought they whacked an ad server
that then placed a hacked banner on the SF site. I could be wrong though.

> If you also would have taken the effort to dig a bit further,
> you would also have found that two weeks later IDG NZ
> published a correction on their article, as it contained
> factual errors. As it happens with news media,
> the first article got spread around the world pretty
> quickly, the correction did not.

In other words, you guys made a quote; "oh it was a honeypot" then
realized how stupid it sounded so had a retraction printed.

> from readers of this list, and they are all very positive.
> In fact, you are the only negative. Even more particular,
> your review is extremely negative. Makes me wonder why.

Here is another negative one. Your site is horrible to navigate through.

> Our logs show no evidence that you actually went into
> the database to "do your review", and I must therefore ask
> questions on the objectivity of the "review" you conducted.

So your database includes a list of every known IP address that Eric might
have used?

> I challenge you to show any other online single free source with
> more complete information, any other free portal that enables
> a complete check-up on any and each IT infrastructure component,
> incl routers, firewalls, databases, O/S's etc etc. in a practical
> way. Where an IT professional can check on all components
> of their IT infrastructure on potential vulnerabilities and patches.

There is one coming. Although it is different than yours. It's not being
used to sell a service and there are no fees associated with it.

> You mentioned that the data is a week old.
> Heh, we just got it on the air last Sunday, give us a break. We
> have already had many thousands of hits within a few days. Managing
> performance is a more important issue. Anyway, the data was
> at the time of your "review" only 2 days old.

I thought you guys only did weekly updates? Can I do a dump of the entire
database for my use?

> These subscribers are very happy to pay for the added value we
> provide to them in our E-Secure-IT alerting service.

There is the kicker. You are not a free service. So don't pretend to be
one.

> The actual E-Secure-DB database component is now available to
> the global IT and business community. Free.

As a marketing ploy to sell your other services. At least be honest about
it.

> We believe that this initiative can make a powerful and positive
> difference to the IT professionals all over the world.

You are right, it probably will but don't pretend that you are not a
business and that you don't have the motive of also making money off of
this venture. That is where the problem is, in my mind anyways.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

