RE: Informing Companies about security vulnerabilities...

To: joe@xxxxxxxxxxxxxxxxxxxxxxx;, pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Informing Companies about security vulnerabilities...
From: bugtraq@xxxxxxxxxxxxxxx
Date: Wed, 4 Oct 2006 15:15:07 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

So you are admitting publicly that you and a class of students that you teach 
are illegally testing random public 
websites for the purpose of learning about security vulnerabilities? Sounds 
like you/your company need to speak
with a lawyer.  

- Robert 
http://www.cgisecurity.com/ Application Security news and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On 
Behalf Of Joseph McCray
Sent: Wednesday, October 04, 2006 3:07 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Informing Companies about security vulnerabilities...

This probably won't sound like that big of a deal, but it still bothered me so 
I figured I'd ask the list. I was teaching a Web Application Security class 
last week and we were performing simple XXS, SQL Injection, etc on the 
vulnerable web apps I use for class.


Normally, I go to a live public website or two during the class and we talk 
about common tests to perform and how to approach certain types of websites. A 
common subject is how to handle large website with tons of dymanic content - so 
the class chose a major newspaper's website for the discussion. 

Usually when we do this we only find a few simple things (XXS for
example) - no big deal right. With this particular website we just kept finding 
another, after another and on and on. Over 600 instances of XXS, over 200 SQL 
Injection - this was bad. After a while it started to get boring there was so 
many....

So I drafted a letter to the editor as well as several other prominent people 
at the newspaper. It detailed my finding and recommended some possible 
mitigation strategies. After emailing this I didn't hear anything for a few 
days, so I emailed it again and followed up with a phone call. After getting no 
response to the second email and then having been bounced around from 
department to department when I called I just said forget it.

Has anyone else gone through a similar situation? Was the company receptive? 
Other companies I've contacted in the past have been quite receptive - I'm just 
curious if other people have gone through this as well.

No need to fill the list with this, you can email me directly with your inputs 
and stories.

--
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@xxxxxxxxxxxxxxxxxxxxxxx
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

Follow-Ups:
- RE: Informing Companies about security vulnerabilities...
  - From: Wolf Halton

Prev by Date: Re: Security contact for Myspace/Fox?
Next by Date: PHP Live! <= 3.1 help.php Remote File Inclusion vulnerability
Previous by thread: Observations on Mandatory Integrity Control (MIC) in Windows Vista
Next by thread: RE: Informing Companies about security vulnerabilities...
Index(es):
- Date
- Thread