Software vendor clueless
From: Jeff Peterson (jpeterson_at_btiis.net)
Date: 08/16/03
Date: 16 Aug 2003 19:31:35 -0000
To: incidents@securityfocus.com
All,
I have a customer whose company does legal work for lots of businesses.
The data housed on their network is what I would call 'financially
sensitive'. Recently, I found their Exchange server had been turned into
an open relay. It was not that way a month ago. Once I stopped the
bleeding, I told them I wanted to change the Administrator password,
(NT4.0, Exch5.5. I know, I know). They told me they were not allowed to
change the password. "Sez WHO", I asked. "Our software vendor", they
replied. Turns out the vendor in question has a niche market in this
kind of legal field. Also turns out they use the same 4-letter, (no
caps, no special chars), administrator password on ALL their customers'
networks. To make matters worse, they have PCAnyWhere ports open on all
these networks, because their software is so buggy, the developers need
to remote in and fix things all the time. The spokesman for the group
claims that the AT&T managed firewall prevents anyone else from using the
PCNoWhere ports by IP address.
I'm not a great negotiator, and I'm going to face the SW spokesman next
week. He is a good spin doctor. I'm looking for help in making him
secure his stuff. All help is appreciated.
Jeff Peterson
BTIIS