Re: Security problems at the NSA Web site?

[Paul Schmehl <pauls () utdallas edu>]

--On December 28, 2005 6:02:32 PM +0000 Barrie Dempster 
<barrie () reboot-robot net> wrote:

> On Tue, 2005-12-27 at 11:20 -0500, Richard M. Smith wrote:
> > I just tried applying for a job at nsa.gov and got this error message:
> >
> > https://www.nsa.gov/servlets/iclientservlet/applyonline/?ICType=Panel&Me
> > nu=ROLE_APPLICANT&Market=GBL&PanelGroupName=HR_RESUME_ADD_APP
>
> I've seen a couple of SQL injection and XSS bugs in the NSAs site. I
> notified them to a few different email addresses but received no
> response. I publicised one of the more tame vulnerabilities in the hope
> it would spur them on to fix the issues the site has but they have
> ignored the private and public postings. After publicising that
> vulnerability I received a few emails from friends/others with details
> of even more vulnerabilities (one of them was the same one you've
> experienced I believe). They don't take security of their public site
> seriously for one reason or another. There have been lots of speculation
> on this from ignorance to baiting and even recruiting techniques. None
> of which I'd care to comment on.
>
> Point is they just don't fix it.
Maybe there's a reason they don't fix them......

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.