White-Hats and Hacks

Information Security Sell Out: White Hats & Application Security

Interesting post on the Information Security Sellout blog which comments on a story from CNet here and a post over at StillSecure here.

I'm mainly with the sellout guy. Whilst it's a shame that we lose an aspect of bug finding, there's no way for a company that sees malicious traffic to tell what the intent of the person generating it is, and the defence of "I was researching their web site security, your honour" doesn't and shouldn't work.

All that said, there is a problem, and here it is: with the current climate, if I find a security vulnerability in a site through legitimate traffic I probably won't report it, because I don't want to deal with the possibility that the site owner will take it the wrong way and accuse me of hacking.

Here's an example. I clicked on a link to a site from a forum I hang out on, and it took me to the site... LOGGED IN as the user who'd posted the link, with the ability to view and update his profile on the site!

The site had made the very stupid mistake of putting the session identifier in the URL (D'oh). So: completely legitimate traffic, security problem identified. But if I report it, they could easily scream "hacker" and I'd have a world of hassle to deal with which I don't need. So I quietly told the forum poster, he removed the link, and I went on my way.
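As an added illustration (this is not code from the original post, and it does not refer to the site in question), here is how the problem looks from the site operator's side: a session identifier carried in the URL travels with the link wherever it is pasted, and the first sign is usually a request that arrives with a session token in the target and a Referer from some other host. The scanner below runs over a few constructed access-log lines in Common Log Format and flags session-looking parameters, noting when the request came in via an external link. The parameter names, hostnames and log lines are assumptions made for the example; the cookie attributes at the end show the usual fix, a session carried in a cookie, which is not copied along with a URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names commonly used for session identifiers.
# Assumed list for this example; the original post names no framework.
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid",
                       "jsessionid", "aspsessionid", "token", "auth"}

# A bare token of this length or more under an unfamiliar name is also
# worth a look (heuristic; tune for your own site's parameters).
MIN_TOKEN_LEN = 16
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{%d,}$" % MIN_TOKEN_LEN)

# Common Log Format plus the combined-format Referer field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)


def session_params_in_url(url):
    """Return [(name, value)] for parameters in `url` that look like session ids.

    Also catches the servlet-style ';jsessionid=...' path parameter, which
    never appears in the query string at all."""
    parts = urlsplit(url)
    found = []
    m = re.search(r";jsessionid=([^/?#;]+)", parts.path, re.IGNORECASE)
    if m:
        found.append(("jsessionid", m.group(1)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES or TOKEN_RE.match(value):
            found.append((name, value))
    return found


def scan_log(lines, own_host="www.example.test"):
    """Flag requests whose target carries a session id.

    `external_link` is True when the Referer is another host: the token was
    followed from somewhere else (a forum post, a mail), which is exactly the
    shape of the incident described in the post."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production scanner would count these
        params = session_params_in_url("https://" + own_host + m.group("target"))
        if not params:
            continue
        referer = m.group("referer") or "-"
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        external = ref_host is not None and ref_host != own_host
        for name, token in params:
            findings.append({"line": n, "client": m.group("ip"), "param": name,
                             "token": token, "referer_host": ref_host,
                             "external_link": external})
    return findings


def session_cookie_header(token, name="sessionid"):
    """The Set-Cookie line for a session kept out of the URL: Secure so it
    only travels over TLS, HttpOnly so script cannot read it, SameSite=Lax so
    it is not sent on cross-site POSTs. Copying a link copies none of this."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample log lines (not real traffic). Line 1 is the shared-link
# case: a session id in the URL, arriving with a forum thread as Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2007:12:01:03 +0100] "GET /profile?sid=a8f3c0e1b2d94f6e7a1c3b5d7e9f0a2b HTTP/1.1" 200 5123 "http://forum.example.org/thread/42" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Apr/2007:12:02:10 +0100] "GET /search?q=oracle+listener&page=2 HTTP/1.1" 200 812 "https://www.example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Apr/2007:12:02:44 +0100] "GET /account;jsessionid=9C1D2E3F4A5B6C7D8E9F HTTP/1.1" 200 2040 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Apr/2007:12:03:01 +0100] "GET /profile?sid=a8f3c0e1b2d94f6e7a1c3b5d7e9f0a2b HTTP/1.1" 200 5123 "https://www.example.test/profile" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "EXTERNAL LINK" if f["external_link"] else "same site"
        print(f"line {f['line']}: {f['param']}={f['token'][:8]}... "
              f"from {f['client']} referer={f['referer_host']} ({flag})")
    print(session_cookie_header("a8f3c0e1b2d94f6e7a1c3b5d7e9f0a2b"))
```

Run against a real access log, the `external_link` rows are the ones to chase first: each is a session that has already left the site. Note that the same token appearing from two different client addresses (lines 1 and 4 above) is the other tell, and is worth a second rule once the basic scan is in place.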

So there is a fine line here. Find a problem through legitimate traffic: fine... Think "ooh, a problem, what happens if I try ' OR 1=1;-- ": not so fine.

What might be good would be a mechanism for people to report suspected problems to a central point anonymously that could then notify site owners...

About this Entry

This page contains a single entry by Rory2 published on April 14, 2007 12:45 PM.

Oracle Listener Security Guide was the previous entry in this blog.

A Difference between IT and Information Security is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Powered by Movable Type 4.37