Home page logo

bugtraq logo Bugtraq mailing list archives

MorningStar.ca Canada And Security Practices
From: "Noam Eppel" <noameppel () hotmail com>
Date: Fri, 08 Feb 2002 10:23:48 -0500

MorningStar.ca Canada And Security Practices
[Please see Document v.1.0 link below.]

Dear Customers of MorningStar Canada,

Being in December of last year, Scott Mackenzie, President of MorningStar Canada was provided with information he choose not to act upon. The information, which is now being provided to the public, contained evidence of various security vulnerabilities with the MorningStar Canada service - vulnerabilities which affected not only the stability and integrity of the MorningStar Canada service, but the personal privacy of their customers.

Mr. Mackenzie chose to respond to this evidence by covering it up, and with lies rather then to deal with the situation. In response I am acting in accordance with CERT®/CC Disclosure Policy by releasing the evidence to the public.

Security is the responsibility of everyone from the CEO to the Webmaster. While it is impossible to stop all potential future threats or vulnerabilities, it is possible to manage those potential threats in a timely fashion to minimize the window of opportunity that a malicious user has to cause damage. Security management requires that proper policies and best practices are in place which then allows businesses to respond to and address any future security threat.

"Time is of the essence when notifying key individuals of critical security incidents, like virus alerts, vulnerabilities, and denial of service attacks. During past major virus outbreaks, like Melissa and LoveLetter, hours often meant the difference in saving millions in recovery costs and/or revenues. In cases like these, response needs to be immediate." - Risto Siilasmaa, President and CEO, F-Secure Corporation.

Security Vulnerability Notice:
Document v.1.0 - http://www.noameppel.com/research/Morningstar.ca.html

- Thanks to RCMP, Technical Security Branch for assistance.

Related Links:
CERT® Coordination Center: http://www.kb.cert.org/vuls/html/disclosure/
Full Disclosure and the Window of Exposure:
RFP on Full Disclosure Policy: http://www.pcworld.com/news/article/0,aid,63944,00.asp

Noam Eppel
Web Security Consultant
secure () noameppel com

Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]