[ISN] Symantec's "Submit a Deal" Flawed

From: InfoSec News (isnat_private)
Date: Thu Jan 30 2003 - 00:51:58 PST


    By Brian McWilliams
    Jan. 29, 2003

    A security glitch at Symantec's corporate website revealed to casual
    Web surfers hundreds of proposals from companies seeking to be bought
    out by the security firm.

    The hole at Symantec's Submit a Deal site has some would-be buyout
    targets fuming over the billion-dollar company's careless handling of
    their sensitive data.

    "We're talking about business deals. This is critical stuff, and I'm
    pretty upset about the potential damage this could do to us," said
    Eric Robichaud, chief executive of Rhode Island Soft Systems. RISS'
    proposal that Symantec acquire its Vmyths virus information site was
    among the many proffered deals revealed on the site.

    After being notified this week that entries in its Lotus Notes
    database could be viewed by anyone with a Web browser, Symantec took
    the deal site offline. NGS Software, one of many security software
    companies that had submitted partnership proposals at the site,
    discovered the flaw.

    Chris Paden, a spokesman for Symantec's business development group,
    said the company was unsure how long the data went unprotected.
    According to Paden, the information in the database was not
    "It's not necessarily classified or covert information or tied up
    through legal bounds," he said.

    But security industry analysts said the goof could be harmful to
    companies that opened their kimonos to Symantec.

    "Just exposing the fact that a company sent in a deal to Symantec is a
    bad thing," said John Pescatore, vice president of security research
    for Gartner. "It lets competitors see each others' moves, including
    Symantec's competitors."

    Robichaud confirmed that RISS has been shopping Vmyths since late
    2001, when the site's ad revenues dried up. In his proposal, submitted
    in June, Robichaud offered to sell Vmyths to Symantec for $350,000,
    plus $50,000 a year for the contract of the site's editor, Rob
    Rosenberger.

    Rosenberger is renowned for his scathing attacks on the security
    industry, which he accuses of trying to fuel hysteria to sell more
    software. A note on the front door of Vmyths states: "This site is NOT
    sponsored by antivirus companies."

    "Having Rob in your hip pocket during his daily press interviews can
    only help ... Rob would lead to more sales in 12 months than this site
    would cost to acquire," stated the RISS proposal in Symantec's
    database.

    In an e-mail interview, Rosenberger said he signed a contract with
    RISS in 2000 to create Vmyths.com from his popular Computer Virus
    Myths homepage. To establish credibility, the site rejected ads from
    antivirus software companies, he said. But now that Vmyths has proven
    its independence, Rosenberger said that "if bought out by an antivirus
    firm, Vmyths probably could survive in today's more open, more honest
    critical environment."

    Symantec's Paden declined to comment on Vmyths or any of the other
    proposed deals. He did say that none of the 10 companies Symantec has
    recently acquired had submitted proposals on its website.

    "More than anything else (the site is) a good indicator of what's
    going on in the market and who's doing what. It serves a bunch of
    purposes besides just figuring out what kind of deal to cut next,"
    Paden said.

    Symantec's stock (SYMC) has risen by about a third over the last four
    months. Revenue for the nine months ending Dec. 31 was up 34 percent
    to $1.02 billion.

    Christine Kozachok, a sales manager for software firm Secure
    Computing, said she submitted two proposals at the Symantec site last
    year and received no response.

    "If they're telling people to submit proposals, and they're not really
    acting on the information, then that's misleading. That seems shady to
    me," she said.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 03:55:43 PST