RE: Software vendor clueless

Thomas.Ray_at_tcud.state.tx.us
Date: 08/19/03

  • Next message: Jonathan A. Zdziarski: "document_all.pif"
    To: incidents@securityfocus.com
    Date: Mon, 18 Aug 2003 17:49:21 -0500
    
    

    I'm a few days behind since I only get the digest, but I noticed that only
    one other person pointed it out.

    This is not a matter of 'confronting' the vendor, this is an issue of legal
    liability. Based on my interpretation of the original post, it sounds like
    the network for a legal firm (lawyers) may be wide open. If that is the
    case, then depending on where this firm is located, they could be in serious
    trouble for not protecting the confidentiality of their work between
    themselves and their clients. That confidentiality extends to all things;
    email, financial records, and any other work product associated between
    legal firm and client. That could lead to being censured by the legal
    regulatory firm in their state/location.

    You have several choices.
    1 - Talk to the legal firm and make sure they understand the consequences of
    leaving the relay open. If there is a relay open, there probably will be
    other things open, in which case I would hazard a guess that they have not
    done any pen-testing or, at the least, scanning of their firewall/LAN. (Very
    bad practice.)

    2 - Leave it alone. You gave them fair warning, in writing, and they have
    decided to ignore you.

    3 - Talk to the vendor and ask him why he is doing things his way. If he is
    being asinine, then turn around and tell your customer the situation and
    then further inform your customer that this will put restrictions on the
    quality of the service you render them and that due to the situation you can
    make no guarantees whatsoever about the state of their network unless this
    problem is resolved. In fact, if the situation is bad enough, I would advise
    you to drop them as a customer (with several weeks' notice) because you do
    _not_ want to be in a situation where you have to clean up after they
    ignored your recommendations.

    good luck,
    tom

    >-----Original Message-----
    >From: Jeff Peterson [mailto:jpeterson@btiis.net]
    >Sent: Saturday, August 16, 2003 2:32 PM
    >To: incidents@securityfocus.com
    >Subject: Software vendor clueless
    >
    >
    >All,
    >
    >I have a customer whose company does legal work for lots of businesses.
    >
    >The data housed on their network is what I would call 'financially
    >sensitive'. Recently, I found their Exchange server had been turned into
    >an open relay. It was not that way a month ago. Once I stopped the
    >bleeding, I told them I wanted to change the Administrator password
    >(NT4.0, Exch5.5. I know, I know). They told me they were not allowed to
    >change the password. "Sez WHO", I asked. "Our software vendor", they
    >replied. Turns out the vendor in question has a niche market in this
    >kind of legal field. Also turns out they use the same 4-letter (no
    >caps, no special chars) administrator password on ALL their customers'
    >networks. To make matters worse, they have PCAnyWhere ports open on all
    >these networks, because their software is so buggy the developers need
    >to remote in and fix things all the time. The spokesman for the group
    >claims that the AT&T managed firewall prevents anyone else from using the
    >PCNoWhere ports by IP address.
    >
    >I'm not a great negotiator, and I'm going to face the SW spokesman next
    >week. He is a good spin doctor. I'm looking for help in making him
    >secure his stuff. All help is appreciated.
    >
    >
    >Jeff Peterson
    >BTIIS
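    The open relay Jeff describes is the kind of thing that is worth re-verifying after the fix, and the check is a short SMTP dialogue: offer the server a sender and a recipient that are both foreign to it and see whether RCPT TO is accepted (250) or refused (5xx). The script below is an added example, not code from either poster; it drives that exchange over an injected transport so the same logic runs against a constructed in-memory server (shown in both the open-relay and the restricted configuration) or, via the socket transport, against a mail server you administer. All hostnames and addresses in it are constructed placeholders.

```python
"""Open-relay verification modelled as an SMTP protocol exchange.

Added example, not part of the original thread. A correctly restricted
server rejects a foreign-to-foreign recipient at RCPT TO with a 5xx reply;
an open relay answers 250. The envelope is always abandoned with RSET so
nothing is ever queued. Hostnames and addresses are constructed placeholders.
"""
import socket
from typing import List, Tuple

# Constructed placeholders: both domains are foreign to the server under
# test, so accepting the recipient means the server would relay for anyone.
FOREIGN_SENDER = "probe@example.net"
FOREIGN_RECIPIENT = "inbox@example.org"
PROBE_HOST = "probe.example.net"


def relay_test(conn) -> Tuple[bool, List[str]]:
    """Run EHLO / MAIL FROM / RCPT TO / RSET / QUIT over `conn`.

    `conn` provides recv() -> str (one complete reply, continuation lines
    collapsed) and send(line: str). Returns (is_open_relay, transcript);
    the verdict rests on the RCPT TO reply code alone.
    """
    transcript: List[str] = []

    def cmd(line: str) -> str:
        conn.send(line)
        reply = conn.recv()
        transcript.append(f"C: {line}")
        transcript.append(f"S: {reply}")
        return reply

    greeting = conn.recv()
    transcript.append(f"S: {greeting}")
    if not greeting.startswith("220"):
        raise RuntimeError(f"unexpected greeting: {greeting}")
    cmd(f"EHLO {PROBE_HOST}")
    cmd(f"MAIL FROM:<{FOREIGN_SENDER}>")
    rcpt = cmd(f"RCPT TO:<{FOREIGN_RECIPIENT}>")
    cmd("RSET")  # abandon the envelope: no message is ever submitted
    cmd("QUIT")
    return rcpt.startswith("250"), transcript


class FakeSmtpServer:
    """Constructed in-memory server for offline use; relays when open_relay=True."""
    LOCAL_DOMAIN = "example.com"  # the only domain it should accept mail for

    def __init__(self, open_relay: bool):
        self.open_relay = open_relay
        self._pending = ["220 mail.example.com ESMTP ready"]

    def recv(self) -> str:
        return self._pending.pop(0)

    def send(self, line: str) -> None:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self._pending.append(f"250 mail.example.com Hello {arg}")
        elif verb == "MAIL":
            self._pending.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            domain = addr.rpartition("@")[2].lower()
            if domain == self.LOCAL_DOMAIN or self.open_relay:
                self._pending.append("250 2.1.5 Recipient OK")
            else:
                self._pending.append("550 5.7.1 Unable to relay")
        elif verb == "RSET":
            self._pending.append("250 2.0.0 Reset")
        elif verb == "QUIT":
            self._pending.append("221 2.0.0 Bye")
        else:
            self._pending.append("500 5.5.1 Command unrecognized")


class SocketTransport:
    """Line transport over TCP, for re-checking a mail server you administer."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")

    def recv(self) -> str:
        # Multi-line replies use "250-" continuations; return the final line.
        while True:
            line = self.reader.readline().decode("ascii", "replace").rstrip("\r\n")
            if len(line) < 4 or line[3] != "-":
                return line

    def send(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("ascii"))


if __name__ == "__main__":
    for label, server in (("open relay", FakeSmtpServer(open_relay=True)),
                          ("properly restricted", FakeSmtpServer(open_relay=False))):
        relays, lines = relay_test(server)
        print(f"== {label}: relays for foreign recipient = {relays}")
        print("\n".join(lines))
```

Against a live server the call is `relay_test(SocketTransport("mail.example.com"))` (placeholder host); the verdict comes only from the RCPT TO reply, and RSET is sent before QUIT so the check leaves nothing in the queue either way.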


