Re: [Full-Disclosure] Name One Web Site Compromised by Download.Ject?

From: Gregory A. Gilliss (
Date: 06/30/04

  • Next message: B3r3n: "Re: [Full-Disclosure] PIX vs CheckPoint"
    Date: Wed, 30 Jun 2004 12:31:17 -0700

    Oh the naivete ...

    Regardless of the fact that this is full disclosure, does anyone really
    think that any medium to large business concern wants to make public the
    fact that their IT infrastructure is vulnerable? Especially in the Fascist
    Utopia that we call America? Pu-LEEZ!

    The reason that you have not seen anything is because no one wants to
    admit that (a) they are vulnerable, (b) their equipment sucks, (c) they
    employ idiots, (d) seventeen year old hackers are more intelligent/
    diligent/ persistent than their US$100,000+ per year IT guru (who's
    currently in a meeting...please leave a detailed message).

    As a normal part of any security audit that I perform, I provide the
    client with a contract that explicitly states that I will not, under
    penalty of law, divulge the identity of the client to anyone (except
    maybe the DoJ if they come after me). Companies (infallible as they are)
    have no desire to publicize their shortcomings. The lack of news
    regarding victims of this huge gaping hole (HGH) is no conspiracy
    or coverup. It's called "standard operating procedure". If you ever
    get a job in a corporation, you will become familiar with it.
    Academicians aren't supposed to practice information hiding. However, I
    wonder whether your search would uncover any academic institutions that
    have suffered a similar fate?

    BTW, I don't necessarily advocate the silence; I merely understand it.


    On or about 2004.06.30 08:39:32 +0000, Edge, Ronald D ( said:

    > >From the latest issue of:
    > *************************************************************************
    > SANS NewsBites June 30, 2004 Vol. 6, Num. 26
    > *************************************************************************
    > Legal liability question: Has anyone contacted an attorney yet about
    > damage done by either of these two possibly negligent actions: (1) the
    > Witty worm when the security software vendor may have allowed many
    > customers to have their systems disabled because selected users may not
    > have gotten the patch for weeks after it was ready, or (2) Download.Ject
    > damage done to consumers - through loss of identity data and banking
    > passwords -- by infected web sites that apparently did not tell their
    > clients that the site was infected? If you have gotten legal advice
    > about these, please let us know by emailing with subject
    > "legal liability."
    > ================================
    > So here was my email to SANS:
    > What I want to know is where the heck are the publicized identities of the
    > supposedly many major web sites that were infecting their
    > customers/visitors??
    > I have rarely seen such an obvious massive hush job and coverup. I have
    > searched the news articles on Download.Ject and to date I have not found
    > a SINGLE EXPOSED IDENTITY of a web site.
    > I have pointed this out to a well known IT journalist I correspond with
    > by email regularly, and he replied that he thinks it is definitely a
    > story worth pursuing.
    > I frankly am appalled that not a single site has been named, at least
    > not to my knowledge, and I have TRIED to find one named in the news
    > online.
    > Ron.
    > Ronald D. Edge
    > Director of Information Systems
    > Indiana University Intercollegiate Athletics
    > (812)855-9010
    > Corporate IT's reaction to spyware has been surprising: it's been
    > largely swept under the rug. The problem is that you can't hide an
    > elephant by sweeping it under the rug. It leaves quite a bulge.
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:

    Gregory A. Gilliss, CISSP                              E-mail:
    Computer Security                             WWW:
    PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
    Full-Disclosure - We believe in it.
