[24227] in bugtraq
MorningStar.ca Canada And Security Practices
daemon@ATHENA.MIT.EDU (Noam Eppel)
Sun Feb 10 03:28:34 2002
From: "Noam Eppel" <noameppel@hotmail.com>
To: smackenzie@morningstar.ca, tgilbert@morningstar.ca,
tfunnell@morningstar.ca, info@morningstar.ca,
clearfuture@morningstar.com, joe@morningstar.com,
kathy.habiger@morningstar.com, margaret.cohen@morningstar.com,
pressroom@morningstar.com, donnahi@microsoft.com,
jennifer.koster@hillandknowlton.ca
Date: Fri, 08 Feb 2002 10:23:48 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F36HirDNiPvsnQ9z9No0001072e@hotmail.com>
MorningStar.ca Canada And Security Practices
--------------------------------------------
[Please see Document v.1.0 link below.]
Dear Customers of MorningStar Canada,
In December of last year, Scott Mackenzie, President of MorningStar
Canada, was provided with information he chose not to act upon. The
information, which is now being provided to the public, contained evidence
of various security vulnerabilities with the MorningStar Canada service -
vulnerabilities which affected not only the stability and integrity of the
MorningStar Canada service, but the personal privacy of their customers.
Mr. Mackenzie chose to respond to this evidence by covering it up, and with
lies, rather than dealing with the situation. In response I am acting in
accordance with the CERT®/CC Disclosure Policy by releasing the evidence to the
public.
Security is the responsibility of everyone from the CEO to the Webmaster.
While it is impossible to stop all potential future threats or
vulnerabilities, it is possible to manage those potential threats in a
timely fashion to minimize the window of opportunity that a malicious user
has to cause damage. Security management requires that proper policies and
best practices are in place, which then allow businesses to respond to and
address any future security threat.
"Time is of the essence when notifying key individuals of critical security
incidents, like virus alerts, vulnerabilities, and denial of service
attacks. During past major virus outbreaks, like Melissa and LoveLetter,
hours often meant the difference in saving millions in recovery costs and/or
revenues. In cases like these, response needs to be immediate." - Risto
Siilasmaa, President and CEO, F-Secure Corporation.
Security Vulnerability Notice:
=============================
Document v.1.0 - http://www.noameppel.com/research/Morningstar.ca.html
Acknowledgment:
===============
- Thanks to RCMP, Technical Security Branch for assistance.
Related Links:
===============
CERT® Coordination Center: http://www.kb.cert.org/vuls/html/disclosure/
Full Disclosure and the Window of Exposure:
http://www.counterpane.com/crypto-gram-0009.html#1
RFP on Full Disclosure Policy:
http://www.pcworld.com/news/article/0,aid,63944,00.asp
Noam Eppel
Web Security Consultant
http://www.noameppel.com
secure@noameppel.com