Wed, 04, 2006 at 03:07:12AM -0400, Joseph McCray wrote:
This probably won't sound like that big of a deal, but it still bothered
me so I figured I'd ask the list. I was teaching a Web Application
Security class last week and we were performing simple XXS, SQL
Injection, etc on the vulnerable web apps I use for class.

Normally, I go to a live public website or two during the class and we
talk about common tests to perform and how to approach certain types of
websites. A common subject is how to handle large website with tons of
dymanic content - so the class chose a major newspaper's website for the
discussion.

[ snip: security problems found, letters ignored ]

Has anyone else gone through a similar situation? Was the company
receptive? companies I've contacted in the past have been quite
receptive - I'm just curious if other people have gone through this as
well.

This is what I have long called The Big Surprise of security consulting:
people just don't care about this. I used to make unsolicited reports
of this nature, but I gave up years ago because the response was always
so lousy.

The rough breakdown over several years was something like:

80% - got no reply, didn't fix the problem
10% - received thank you, fixed the problem
5% - received thank you, but didn't fix the problem
5% - received hostile reply

Now these were reports that could not be confused with a threat or a
shakedown: respectful, specifically disclaimed any consulting, included
all the technical information to allow them to verify it for themselves,
and an urging to contact their local security experts to get help.

It's easy to imagine that a non-technical shop (say, a big newspaper)
would simply not get it due to the eyes-glaze-over factor, but this is
not sufficient to explain this effect:

Item:

My old ISP, a substantial enterprise (not a mom+pop shop) had their
entire corporate network wide open, and it was a small matter to attach
to their customer-care systems and find my own records. This was ignored
for more than a year in spite of ongoing reports to a guy in customer
service who seemed to appreciate the seriousness of the matter.

Item:

The *Association of Computing Machinery* had the same problem - wide open
everything, including their database - but this time I did get a reply.
I was told to GET LST.

It was only because I was persistent that I convinced the guy to let me
tell him how to see the issue himself (he was *certain* that I could not
get into the system remotely), and only then did he grudgingly
allow me to help him set up some NETBIS filters on his firewall. There
were other problems, but at this point it was just too much work so I
let the rest go.

If a professional ISP (with a security consulting arm!) and the ACM don't
"get it" about security, it suggests the problem is rooted more in human
nature than it is about technical -vs- nontechnical staff.

I gave up doing these kinds of reports a long time ago because of this.

Steve

Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve (AT) unixwiz (DOT) net

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Thu, 05, 2006 at 10:06:04AM +0200, Andreas Putzo wrote:
04, pand0ra wrote:
"You can try to set them an ultimatum pretending to disclose the holes
to the public. Perhaps they are more willing to react if they are forced
to do so."

Ethically, that is bad. You should never force (or threaten) anyone
into doing something they don't want to. I agree completely with Jay
and Dan.

This depends greatly on the information that can be retrieved via a
vulnerable website IMH
What if you can get personal data of the customers of the company or
you can do financial harm to them? Then it would be unethical to do
nothing against it.
In general i agree with you that it is never nice to force someone to
do something.
However, i don't want to put this threat into a discussion ethical vs.
unethical behavior

Putting aside the ethics of using a public website for classwork,
assuming you have something to report, there's still a question of
how hard one ought to press. This depends not on how insecure the
site is, but on who would be harmed by potential compromise.

If a website is insecure - even massively - but the only party harmed
is the website owner itself, then it's their problem and we really ought
not do much more than pass on the news.

"I told them, they blew me off, they got hacked. well."

But if third parties could be harmed, then it may warrant stepping
it up a notch: if the website's customers have credit card numbers
exposed, then raising the issue with the CC-issuing banks might be
the way to handle this.

Going public is only warranted in extraordinary cases, if only because
it's hard to separate our own desire for our fifteen minutes from whatever
benevolent intentions we might have. In most cases, *we* have no dog
in that fight, so shouldn't seek to put ourselves in the middle when
there are more direct ways to protect the innocent.

Steve

Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve (AT) unixwiz (DOT) net

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.