[ISN] Security cert body gives lesson in insecurity

From: InfoSec News (isn@private)
Date: Thu Jun 03 2004 - 23:30:26 PDT


    By John Leyden
    3rd June 2004

    Security certification and training body (ISC)2 has apologised for a
    serious security breach which saw the personal details of thousands of
    respondents to a survey posted onto an insecure server.

    Phone numbers, email and contact addresses for many of the estimated
    20,000 respondents to the (ISC)2 Constituent Survey were easily available
    on the site because of lax security for a short time towards the end
    of last week. The data was unencrypted and left open to harvesting
    through simple URL manipulation despite a promise from (ISC)2 to
    survey participants that "your answers and feedback will be kept
    strictly confidential and will not be associated with you, your
    organization, or your employer". It was also possible to modify the
    information filled in, according to a Register reader, who sent us a
    sample of data (home and work addresses and phone numbers) to back up
    his concerns.

    Upon hearing about the problem, (ISC)2 responded quickly by closing
    the survey site. The survey was re-opened on Tuesday after coders
    closed up the gaping security loophole. It's unclear whether any
    sensitive data got into the wrong hands as a result of the cock-up.
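    As an added illustration, not code from (ISC)2, its survey vendor or the article: a minimal Python sketch of the class of flaw described above (a respondent's record fetched, and editable, purely by a guessable URL parameter) beside a hardened lookup that binds each respondent to an unguessable token. The record store, field names and sample values are constructed for the example.

```python
import hmac
import secrets

# Constructed sample store: responses keyed by a sequential, guessable id.
RESPONSES = {
    1001: {"name": "Respondent A", "phone": "555-0100", "answers": {"q1": "yes"}},
    1002: {"name": "Respondent B", "phone": "555-0101", "answers": {"q1": "no"}},
}


def vulnerable_view(params):
    """Looks a response up by the id carried in the URL and nothing else.
    Changing ?rid=1001 to ?rid=1002 returns somebody else's record, and a
    matching update handler would let that record be rewritten too."""
    rid = int(params.get("rid", 0))
    return RESPONSES.get(rid)


# Hardened variant: each respondent is issued a random capability token when
# invited; the server maps token -> record, and the sequential id never
# appears in a URL, so there is nothing for a visitor to increment.
TOKENS = {}  # token -> response id (assumed server-side store)


def issue_token(rid):
    tok = secrets.token_urlsafe(32)  # 256 bits, not enumerable
    TOKENS[tok] = rid
    return tok


def hardened_view(params):
    tok = params.get("token", "")
    # Constant-time comparison so the lookup leaks no timing information
    # about how much of a guessed token matched.
    for stored, rid in TOKENS.items():
        if hmac.compare_digest(stored.encode(), tok.encode()):
            return RESPONSES[rid]
    return None


def hardened_update(params, new_answers):
    """Only the holder of a valid token may modify the record it maps to."""
    rec = hardened_view(params)
    if rec is None:
        return False
    rec["answers"].update(new_answers)
    return True
```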
    (ISC)2 has issued a statement explaining its handling of the problem:  
    "In the few hours after (ISC)2's annual Constituent Survey 2004 was
    distributed by its survey vendor last Thursday, several constituents
    alerted (ISC)2 that the survey had a potential vulnerability which,
    under the right circumstances, could reveal a respondent's name and
    survey answers. The survey was shut down immediately and all survey
    data was locked down. The issue has been resolved and the survey was
    re-opened on Tuesday."
    "This is an internal survey of (ISC)2 constituents who are certified
    information security professionals bound by the (ISC)2 Code of Ethics.  
    (ISC)2 is investigating the matter with its survey vendor. We
    apologize to our constituents for any inconvenience," it added.