RE: Informing Companies about security vulnerabilities...



Joe,

> Normally, I go to a live public website or two during the class and we
> talk about common tests to perform and how to approach certain types of
> websites. A common subject is how to handle large websites with tons of
> dynamic content - so the class chose a major newspaper's website for
> the discussion.

Do you normally perform security assessments or pentests against
networks that do not give you permission to do so?

> Usually when we do this we only find a few simple things (XSS, for
> example) - no big deal, right? With this particular website we just
> kept finding another, after another, and on and on.
>
> Over 600 instances of XSS, over 200 SQL injections - this was bad.
> After a while it started to get boring, there were so many....
>
> So I drafted a letter to the editor as well as several other prominent
> people at the newspaper. It detailed my findings and recommended some
> possible mitigation strategies. After emailing this I didn't hear
> anything for a few days, so I emailed it again and followed up with a
> phone call. After getting no response to the second email and then
> having been bounced around from department to department when I called,
> I just said forget it.
>
> Has anyone else gone through a similar situation? Was the company
> receptive? Other companies I've contacted in the past have been quite
> receptive - I'm just curious if other people have gone through this as
> well.

I think I can speak for most people on the list in saying - it sounds
like what you're doing is unacceptable and unprofessional.

If you stumble across vulnerabilities you should report them, but please
don't have an entire class of individuals testing someone's web
application without being granted permission to do so.

The newspaper is probably gathering their legal team for a formal
response and possible legal action against you at this very moment.

In fact, they probably found this archive of your admission logged on
the internet and collected it for their evidence :P

-Daniel Clemens

-----------------------------------------
Confidentiality Notice: This e-mail communication and any
attachments may contain confidential and privileged information for
the use of the designated recipients named above. If you are not
the intended recipient, you are hereby notified that you have
received this communication in error and that any review,
disclosure, dissemination, distribution or copying of it or its
contents is prohibited. If you have received this communication in
error, please notify me immediately by replying to this message and
deleting it from your computer. Thank you.

