I'm a few days behind since I only get the digest, but I noticed that only one other person pointed it out. This is not a matter of 'confronting' the vendor, this is an issue of legal liability. Based on my interpretation of the original post, it sounds like the network for a legal firm (lawyers) may be wide open. If that is the case, then depending on where this firm is located, they could be in serious trouble for not protecting the confidentiality of their work between themselves and their clients. That confidentiality extends to all things; email, financial records, and any other work product associated between legal firm and client. That could lead to being censured by the legal regulatory firm in their state/location.

You have several choices.

1 - talk to the legal firm and make sure they understand the consequences of leaving the relay open. If there is a relay open, there probably will be other things open, in which case I would hazard a guess that they have not done any pen-testing or, at the least, scanning of their firewall/LAN. (very bad practice)

2 - leave it alone. You gave them fair warning, in writing, and they have decided to ignore you.

3 - talk to the vendor and ask him why he is doing things his way. If he is being asinine, then turn around and tell your customer the situation and then further inform your customer that this will put restrictions on the quality of the service you render them and that due to the situation you can make no guarantees whatsoever about the state of their network unless this problem is resolved. In fact, if the situation is bad enough, I would advise you to drop them as a customer (with several weeks notice) because you do _not_ want to be in a situation where you have to clean up after they ignored your recommendations.
good luck, tom

>-----Original Message-----
>From: Jeff Peterson [mailto:jpetersonat_private]
>Sent: Saturday, August 16, 2003 2:32 PM
>To: incidentsat_private
>Subject: Software vendor clueless
>
>
>All,
>
>I have a customer whose company does legal work for lots of
>businesses.
>
>The data housed on their network is what I would call 'financially
>sensitive'. Recently, I found their Exchange server had been turned into
>an open relay. It was not that way a month ago. Once I stopped the
>bleeding, I told them I wanted to change the Administrator password,
>(NT4.0, Exch5.5. I know, I know). They told me they were not allowed to
>change the password. "Sez WHO", I asked. "Our software vendor", they
>replied. Turns out the vendor in question has a niche market in this
>kind of legal field. Also turns out they use the same 4-letter, (no
>caps, no special chars), administrator password on ALL their customers'
>networks. To make matters worse, they have PCAnyWhere ports open on all
>these networks, because their software is so buggy, the developers need
>to remote in and fix things all the time. The spokesman for the group
>claims that the AT&T managed firewall prevents anyone else from using the
>PCNoWhere ports by IP address.
>
>I'm not a great negotiator, and I'm going to face the SW spokesman next
>week. He is a good spin doctor. I'm looking for help in making him
>secure his stuff. All help is appreciated.
>
>
>Jeff Peterson
>BTIIS
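The open relay that started this thread is something the administrator can verify from their own side at any time, and the same check is what "scanning of their firewall/LAN" would flag first. The following is an added example, not part of the original post or of either poster's setup: it implements the standard relay check (an outside sender offering an outside recipient must be refused at RCPT TO, and only the envelope is sent, so nothing is queued) against an in-process mock SMTP responder so it runs offline. The accepted domain `example.com`, the `.invalid` probe addresses and the `MockSMTPServer` class are constructed for the example; against a real server you would call `check_open_relay(host, 25)` directly.

```python
import smtplib
import socket
import threading

# Constructed values for the example: the domain the mail server is allowed to
# deliver for, and two addresses that are both outside it (.invalid is reserved).
LOCAL_DOMAIN = "example.com"
OUTSIDE_SENDER = "probe@sender.invalid"
OUTSIDE_RECIPIENT = "probe@recipient.invalid"


def check_open_relay(host, port, timeout=5):
    """Return True if the server at host:port accepts mail from an outside
    sender to an outside recipient, i.e. behaves as an open relay.

    Only the envelope is offered (MAIL FROM / RCPT TO); no DATA is sent and the
    transaction is reset before QUIT, so nothing is actually queued or delivered.
    """
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(OUTSIDE_SENDER)
        if code != 250:
            # Sender refused outright: the server is not relaying for us either way.
            return False
        code, _ = smtp.rcpt(OUTSIDE_RECIPIENT)
        smtp.rset()  # abandon the transaction
        return code == 250


class MockSMTPServer:
    """Minimal in-process SMTP responder standing in for the real mail server
    (constructed for this example). relay=True mimics the misconfigured server
    in the thread and accepts any recipient; relay=False accepts only recipients
    in LOCAL_DOMAIN, which is what a correctly configured server does."""

    def __init__(self, relay):
        self.relay = relay
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self._listener.accept()
        self._listener.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 mock ESMTP\r\n")
            while True:
                line = lines.readline().decode("ascii", "replace").strip()
                if not line:  # client went away without QUIT
                    break
                upper = line.upper()
                if upper.startswith(("EHLO", "HELO")):
                    reply = b"250 mock\r\n"
                elif upper.startswith("MAIL FROM:"):
                    reply = b"250 OK\r\n"
                elif upper.startswith("RCPT TO:"):
                    addr = line.split(":", 1)[1].strip().strip("<>")
                    is_local = addr.lower().endswith("@" + LOCAL_DOMAIN)
                    reply = (b"250 OK\r\n" if (is_local or self.relay)
                             else b"550 5.7.1 Relaying denied\r\n")
                elif upper.startswith("RSET"):
                    reply = b"250 OK\r\n"
                elif upper.startswith("QUIT"):
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    reply = b"502 Command not implemented\r\n"
                conn.sendall(reply)


def demo():
    """Run the relay check against a mock open relay and a mock locked-down
    server; returns {"open_relay": True, "relaying_denied": False}."""
    results = {}
    for label, relay in (("open_relay", True), ("relaying_denied", False)):
        server = MockSMTPServer(relay=relay)
        results[label] = check_open_relay("127.0.0.1", server.port)
    return results


if __name__ == "__main__":
    for label, is_open in demo().items():
        print(f"{label}: {'OPEN RELAY' if is_open else 'relay refused'}")
```

The check deliberately stops at RCPT TO: a 250 there is already the defect, and a server that only rejects at DATA or later is still an open relay for the purpose of spam and blacklisting. Run it from outside the firm's address range as well as inside, since many servers relay for their own LAN and that is fine; what must be refused is an outside source to an outside destination.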
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 10:13:27 PDT