Security Incidents mailing list archives
Re: *MAJOR SECURITY BREACH AT CCBILL**
From: l0rtamus Prime <simon () snosoft com>
Date: 19 Dec 2001 17:49:57 -0500
Also on this note: Did you request permission to disclose this information from CCBILL to this list? I know that many companies prefer to deal with issues like this on their own and have their own controlled ways of disclosing information.

I am asking because I know of a site that has similar issues (not nearly as serious). When I contacted the person responsible, he flat out insulted me and accused me of trying to make money off of his vulnerability (which is not the case at all). When I asked him if he would like me to explain the issue, he said "no" and hung up the phone. The problem with his web site is a simple Perl issue that any average Perl programmer can figure out.

Any advice on what I should do? Should I post a full disclosure? I have tried to contact him, his ISP (Verio) and other people, but thus far have yet to speak to anyone reasonable.

On Wed, 2001-12-19 at 15:16, Dayne Jordan wrote:
Yes, I notified CCBILL/Cavecreek.Net at approx. 4:00am EST. I spoke directly with their network security. As of this morning, they are unreachable as they are all in a meeting. The person I spoke with this morning over there told me that they are meeting regarding this situation right now and would make an announcement to their customers soon.

D.

============
H C wrote:

Dayne,

It is my opinion that Cavecreek/CCBILL has had a breach of security thus releasing user ids and logins on various servers around the internet. CCBILL's customer base is in the tens of thousands.

Just out of curiosity, did you happen to contact anyone at CCBILL prior to posting this information to a public list server?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
Regards,
l0rtamus Prime
----------------------------------------------
"The best defense against logic is ignorance."