When people don't take security seriously

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

When people don't take security seriously

Post by ayu »

Had an interesting incident with a company I contacted about a flaw in their website (they were about to get hacked as I was writing to them).

http://blog.alcor.se/index.php/2014/08/ ... seriously/
"The best place to hide a tree, is in a forest"

l0ngb1t
Fame ! Where are the chicks?!
Posts: 598
Joined: 15 Apr 2009, 16:00

Re: When people don't take security seriously

Post by l0ngb1t »

Nice...
I have a list of vulnerable websites, ones that belong to local universities (big ones) and some companies (including a development company; I checked their clients, also vulnerable). Still hesitating about contacting them. Last time didn't go well.
There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly. "The Jester"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: When people don't take security seriously

Post by bad_brain »

I stopped notifying people and companies about their security flaws, because as you experienced: most don't care. Let me correct this: they don't care because they are IT illiterate morons. If they weren't IT illiterate morons, their sites/servers wouldn't be as vulnerable as you are naked under the shower (ok, add an exception for DNR on that one :lol: ).
I only make very few exceptions. The last one I did was with my VPN provider, when I stumbled over a (not working) shell script on their site... they were really grateful (even if the script was a remnant of an incident that had already been taken care of) and even gave me some free extra time.

I have to add that I also don't take advantage of flaws when I find them (ok, sometimes maybe 8) ), because it's simply pretty boring to dig around in user data that's only interesting to spammers.

Btw, have you read about the XML attack that hit WP and Drupal a week ago? From my experience with WP sites (that are not on my servers), it's safe to say that ~50% of them are open to DoS attacks now:
http://www.breaksec.com/?p=6362

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: When people don't take security seriously

Post by ayu »

bad_brain wrote:I stopped notifying people and companies about their security flaws, because as you experienced: most don't care. Let me correct this: they don't care because they are IT illiterate morons. If they weren't IT illiterate morons, their sites/servers wouldn't be as vulnerable as you are naked under the shower (ok, add an exception for DNR on that one :lol: ).
I only make very few exceptions. The last one I did was with my VPN provider, when I stumbled over a (not working) shell script on their site... they were really grateful (even if the script was a remnant of an incident that had already been taken care of) and even gave me some free extra time.

I have to add that I also don't take advantage of flaws when I find them (ok, sometimes maybe 8) ), because it's simply pretty boring to dig around in user data that's only interesting to spammers.

Btw, have you read about the XML attack that hit WP and Drupal a week ago? From my experience with WP sites (that are not on my servers), it's safe to say that ~50% of them are open to DoS attacks now:
http://www.breaksec.com/?p=6362

Yeah, I'm considering doing the same.
But one of the more high profile servers that got hacked a few days ago (a military one) has reported it to the police.
So now I'm hoping that they will take it more seriously and actually use the information I have collected.
If not, then I'll just give up and save myself some time ^^

Yeah, I read about the WP flaw :D
Loads of WP vulns showing up now.

And lol at the DNR reference x)
"The best place to hide a tree, is in a forest"

scatter
Fame ! Where are the chicks?!
Posts: 366
Joined: 01 Jan 2014, 05:22

Re: When people don't take security seriously

Post by scatter »

Hehe, same problem everywhere. I have a huge list of big companies and ... and ... and .... (fill in the blanks), not only vulns like SQLi that can leak all their financial and client data but also network vulnerabilities, but I'm just staying away from that list because I was advised not to report them, since they won't care and some will take it as a threat #-o

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: When people don't take security seriously

Post by ayu »

scatter wrote:Hehe, same problem everywhere. I have a huge list of big companies and ... and ... and .... (fill in the blanks), not only vulns like SQLi that can leak all their financial and client data but also network vulnerabilities, but I'm just staying away from that list because I was advised not to report them, since they won't care and some will take it as a threat #-o
Indeed, people are really stupid sometimes and go after the people who are trying to help.
Seen it a number of times already.
In my case the intrusions are being posted on a forum, so I just send them to the forum instead, which makes it a bit easier.
So far I have only been suspected twice \:D/
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: When people don't take security seriously

Post by bad_brain »

<- disappointed because he got no "official requests in the cat cases" yet [-( :lol: