RE: Monkeybrains.net and badtrans compromise information

From: van Wyk, Ken (Ken@para-protect.com)
Date: 01/04/02


From: "van Wyk, Ken" <Ken@para-protect.com>
To: incidents@securityfocus.com
Date: Fri, 4 Jan 2002 14:37:41 -0500 

Jon Williams writes:
> I've got to admit, I was suspicious when I got the same message, but when I
> tried getting the information and was told essentially "You've got
> compromised passwords, but you have to pay us to find out which," it sounds
> more like extortion than good cyber citizenship.

I'd just like to point out a couple things briefly:
1) We have no affiliation whatsoever with monkeybrains.net;
2) We were unaware of their intent to charge for this information;
3) After scanning for ":443" in their database/web site and seeing > 2000
compromised SSL-encrypted sessions, we started alerting our customers;
4) We alerted a number of companies whose employees, customers, etc., were
in that database; however, there was no obligation or fee to any of those
companies for our alerts;
5) Had we known of monkeybrains.net's intention to charge for releasing the
information, we would have noted so in the alerts that we sent to companies
that we found in their database.

Cheers,

Ken

Kenneth R. van Wyk
CTO & Corporate Vice President
Para-Protect, Inc.
www.para-protect.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com