Re: Dangerous information in CentraOne log files - VENDOR RESPONSE

From: zedfly@HUSHMAIL.COM
Date: 12/27/01


Date:         Thu, 27 Dec 2001 10:05:12 -0800
From: zedfly@HUSHMAIL.COM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----

On 12/7/01, an e-mail was sent to 7 different addresses @ Centra; four of these e-mail addresses were obtained directly from Centra's website, and the remaining three addresses, taken from RFP's Policy, were added for completeness. On 12/17/01, ten days later, without a response from Centra, the posting was submitted to VulnWatch, BugTraq and NTBugTraq.

The vulnerability described in the original posting is contained in the version available for download on their website. Per Centra's response, they have chosen not to temporarily remove it until a fix is available. Anyone evaluating this software may install a vulnerable version, and it is, therefore, highly recommended that you consider postponing any evaluations and purchase decisions until Centra has made a non-vulnerable version available for download... and you've ascertained whether or not they have actually fixed it.

As I'm sure you all know, one of the reasons vulnerability announcements are made is to test a company's effectiveness at dealing with security issues; one can learn a lot about how well you'll be supported this way.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlsEARECABsFAjwrYwYUHHplZGZseUBodXNobWFpbC5jb20ACgkQUqpz3LoqFkm3tgCb
BDP4jcpUjmssGsf7A8p1Dp9fUHsAoJzfFaVuH/3OcPYUo9XhD5toh1z+
=jPi/
-----END PGP SIGNATURE-----
