From: Craig Wright (cwright@bdosyd.com.au)
Date: Wed Oct 04 2006 - 18:30:04 EDT
Wonderful. Let's teach students to disobey the law from the onset.
Who cares about criminal sanctions, property rights etc. How about
teaching them that they NEED authorisation first - in writing.
Craig
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Joseph McCray
Sent: Wednesday, 4 October 2006 5:07 PM
To: pen-test@securityfocus.com
Subject: Informing Companies about security vulnerabilities...
This probably won't sound like that big of a deal, but it still bothered
me so I figured I'd ask the list. I was teaching a Web Application
Security class last week and we were performing simple XXS, SQL
Injection, etc on the vulnerable web apps I use for class.
Normally, I go to a live public website or two during the class and we
talk about common tests to perform and how to approach certain types of
websites. A common subject is how to handle large website with tons of
dymanic content - so the class chose a major newspaper's website for the
discussion.
Usually when we do this we only find a few simple things (XXS for
example) - no big deal right. With this particular website we just kept
finding another, after another and on and on. Over 600 instances of XXS,
over 200 SQL Injection - this was bad. After a while it started to get
boring there was so many....
So I drafted a letter to the editor as well as several other prominent
people at the newspaper. It detailed my finding and recommended some
possible mitigation strategies. After emailing this I didn't hear
anything for a few days, so I emailed it again and followed up with a
phone call. After getting no response to the second email and then
having been bounced around from department to department when I called I
just said forget it.
Has anyone else gone through a similar situation? Was the company
receptive? Other companies I've contacted in the past have been quite
receptive - I'm just curious if other people have gone through this as
well.
No need to fill the list with this, you can email me directly with your
inputs and stories.
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@learnsecurityonline.com
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:05 EDT