Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jim Popovitch (yahoojimpop.com)
Date: Tue Jul 10 2007 - 20:39:33 CDT
On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote:
> VI. VENDOR RESPONSE
> The vendor (Wachovia Bank) was notified via their customer service
> phone number on June 25. We were transferred to "web support". The
> person answering asked us to FAX the details to her and we did so,
> also on June 25. We explained that we were reporting a severe
> security problem on their web site.
Severe? All that seems to be leaked is a person's Name/Address/SSN
number and some other details. While this is too much info to leak, I'd
hardly say it's severe. That same info can be easily found in people's
mailboxes weekdays between noon and 4pm.
> We stated that that if we did not hear back from them within 7 days and
> the problem was not fixed by then that we would post the problem on the
> Full Disclosure list, following accepted industry practice.
7 days? "industry practice"? Come on Bob I know you know that large
corporations can't feed a cat in 7 days let alone make unscheduled
website changes that fast. Change control approvals alone would include
14 or more days in most enterprises. Why the rush to "say so"?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/