Cisco blunders with insecure web page
Cute..like they didn't know any better, sheesh!
http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=52897&REQSTR1=silicon.com
Wednesday 24th April 2002
Cisco has been forced to close an online registration form after neglecting to secure the web page.
The page was part of a marketing programme which offered Cisco's second-tier resellers in Europe the chance to increase marketing funds if they upped sales of certain Cisco products.
But applicants registering for the programme online discovered their banking and company details were going onto an open web page. When one irate silicon.com reader called the Cisco helpdesk, he was informed that the company was aware of the problem because several other users had complained.
Helpdesk staff recommended that users enter fake details on the web and forward the real information in the post, a course of action our reader regarded as an extreme waste of time.
In a statement, Cisco said it had pulled the registration URL for 48 hours to install SSL (secure sockets layer) - a common way of securing web pages.
A spokesman for the company said: "I can only put it down to an unfortunate oversight in corporate procedure¬ a great deal of people have been affected but that's no excuse."
The registration site had been running for 10 days before it was taken down on Monday. Cisco said just 100 people had registered in that time.
But applicants registering for the programme online discovered their banking and company details were going onto an open web page. When one
Makes it sound like Cisco were publishing the private details, so they forgot an SSL cert. big deal, its not like snooping unencrypted details on ISP backbones is a reality anyway!
irate silicon.com reader called the Cisco helpdesk, he was informed that the company was aware of the problem because several other users had complained.
In fact people have much more access to the information when its posted in the mail.. looks like Silicon have an axe to grind Steve
Helpdesk staff recommended that users enter fake details on the web and forward the real information in the post, a course of action our reader regarded as an extreme waste of time.
In a statement, Cisco said it had pulled the registration URL for 48 hours to install SSL (secure sockets layer) - a common way of securing web pages.
A spokesman for the company said: "I can only put it down to an unfortunate oversight in corporate procedure¬ a great deal of people have been affected but that's no excuse."
The registration site had been running for 10 days before it was taken down on Monday. Cisco said just 100 people had registered in that time.
Once upon a time, blitz <blitz@macronet.net> said:
But applicants registering for the programme online discovered their banking and company details were going onto an open web page. When one irate silicon.com reader called the Cisco helpdesk, he was informed that the company was aware of the problem because several other users had complained. <snip> In a statement, Cisco said it had pulled the registration URL for 48 hours to install SSL (secure sockets layer) - a common way of securing web pages.
SSL does not secure web pages. It secures web _traffic_. If you don't protect a web page by required a password (either via HTTP authentication or a CGI based scheme), SSL won't help protect the data stored on the web server one bit. Okay, SSL _can_ be used to secure web pages with client certs, but that is not as common in the "real world" as different forms of password based authentication. Or is the article an over-simplification of the issue? -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
participants (3)
-
blitz -
Chris Adams -
Stephen J. Wilcox