[47065] in North American Network Operators' Group
Cisco blunders with insecure web page
daemon@ATHENA.MIT.EDU (blitz)
Thu Apr 25 06:06:56 2002
Date: Thu, 25 Apr 2002 05:05:48 -0400
To: nanog@trapdoor.merit.edu
From: blitz <blitz@macronet.net>
Cute..like they didn't know any better, sheesh!
>http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=52897&REQSTR1=silicon.com
>
>Wednesday 24th April 2002
>
>Cisco has been forced to close an online registration form after
>neglecting to secure the web page.
>
>The page was part of a marketing programme which offered Cisco's
>second-tier resellers in Europe the chance to increase marketing funds
>if they upped sales of certain Cisco products.
>
>But applicants registering for the programme online discovered their
>banking and company details were going onto an open web page. When one
>irate silicon.com reader called the Cisco helpdesk, he was informed
>that the company was aware of the problem because several other users
>had complained.
>
>Helpdesk staff recommended that users enter fake details on the web
>and forward the real information in the post, a course of action our
>reader regarded as an extreme waste of time.
>
>In a statement, Cisco said it had pulled the registration URL for 48
>hours to install SSL (secure sockets layer) - a common way of securing
>web pages.
>
>A spokesman for the company said: "I can only put it down to an
>unfortunate oversight in corporate procedure - not a great deal of
>people have been affected but that's no excuse."
>
>The registration site had been running for 10 days before it was taken
>down on Monday. Cisco said just 100 people had registered in that
>time.