"Good luck" as security strategy
Over the past 2 years I have come across a number of similar cases on major websites. What is worse is the attitude that most of the operators demonstrate when you point the finger at the flaws.
Without any hacking attempts (or knowledge, for that matter) I accidentally downloaded an entire database with detailed information about users, addresses and their calls from the public website of Winstar. All it took was to type a search term into the provided search box. They never even bothered to fix the hole (and finally went out of business). Just 2 weeks ago, I alerted Ebay about a fairly clever credit card phishing attempt by a Swiss company and delivered the name, phone number, address, website etc. to Ebay's fraud department. After a week, the site was still online, and a second attempt to contact Ebay was as fruitless as the first (no response at all); only after I contacted PayPal did they start taking some action. So much for Ebay's dedication to combating fraud... Tower Records recently got fined for not fixing security holes after they were alerted about them, Covad's online account manager was not even encrypted (any cheap hosting account provides better security than this!), a US healthcare company enabled me to break into their entire client database without any particular skills (this got fixed later) etc. etc.
It is my job to build web applications, so maybe I tend to look a bit more closely at the details. However, none of the above examples involved any special skills, coding capabilities, backdoors, DDoS attacks, brute force attacks, exploitation of buffer overflows or publicly known vulnerabilities etc. None of them even required particular talent to get fixed by the companies. But they required some action.
I always explain to clients the importance of not only designing a secure system, but also testing it extensively before a launch and monitoring it afterwards. Of course, in the meeting they always approve everything "Yes! Yes! Yes!" - until the next budget request comes in. The reality is that the all-mighty "Return on Investment" and "Time to Market" are the best guarantors that systems will sooner or later fail, simply because the development team is not given the necessary means to develop and test them properly from all the angles that a creative hacker (or a clueless lucky/unlucky user) will probably approach them from.
When large players like Cingular demonstrate such a degree of ignorance and arrogance about the privacy of their customer information, there is truly no excuse. They have the money and means to build good systems and interfaces, and compared to the funds that they spend on advertising and their execs' top salaries, the effective costs would be ridiculously small.
On the other hand, software developers are also partly to blame for not being more responsible (or aware) of the complexity and vulnerabilities of online web-based e-commerce and CRM applications, and for not insisting on more extensive Q/A. Unfortunately, especially on the lower end of software projects, the competition among developers often leads to underfunded projects and unrealistic development times - simply for the sake of "getting the job". But I doubt that this was the case in this example.
MG - Posted by: mgfint Posted on: 06/09/04
Produced by
ZDNet and