[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Explanations about the NASA security issues and confused people
- To: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@nsrg-security.com>, "Full-Disclosure" <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] Explanations about the NASA security issues and confused people
- From: qobaiashi <qobaiashi@gmx.net>
- Date: Sat, 25 Oct 2003 17:28:35 +0200
Am Samstag, 25. Oktober 2003 00:44 schrieb Lorenzo Hernandez Garcia-Hierro:
> Hi all,
> Some people is a little confused with the NASA related security
> issues and my advisory,
> so i'm explaining the confusing things:
>
> 1.- Every time NASA staff was knowing what i was doing , i sent
> messages to administrators before doing anything.
>
> 2.- John R. Ray of the NASA Competency Center ( Information
> Technologies Security ) contacted me for solve the issues.
>
> 3.- The report was completely closed to public access when the
> systems were vulnerable
>
> 4.- I provided an accesscode to see the advisory for the NASA staff.
leet
> 5.- I was everytime testing the vulnerabilities and when i found that
> the most important were patched i make public with some restrictions
> the advisory.
>
> 6.- Of course , i wrote a disclaimer that can be found in the main
> web site and http://advisories.nsrg-security.com/disclaimer.txt
>
> 7.- A mail log that has all the exchanged mail between NASA staff and
> me ( and action log too with dates and details ) is available at:
> http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
> So ,please , be careful saying that i made it public without
> contacting before the NASA staff.
pretty cool, man!
> 8.- In the report there is no private information about NASA nor
> working exploits against important security holes like sql
> injections.
multo importante!
> 9.- ScreenShots are modified for remove private url addresses ( like
> www.nasa.gov portal admin access )
0day screenshots?
> 10.- Some people was saying that i wanted fame doing it , definately
> not , i made it for demostrate that web security is a real problem
> and a thing that must be included in security policies of the
> enterprises.
now i see it's not about fame. naming "NASA" +10 times is just to sound...erm
trustworthy.
> The next generation of hackers will can make damage against servers
> with the only help of a web navigator, the web browser will be a
> really dangerous hacking tool, and it is not the future , it is now ,
> just see last advisories about phpnuke , etc
>
yeah that's realy interesting!
i've just started writing my new 0day browser with neat phpnuke sploiting
capability!!
> 11.- The communication between NASA staff and me was completely clear
> except that i didn't received response after i sent a message
> confirmand that the report was finished an they had the access code
> to see it.
>
> CONCLUSIONS
>
> It was a completely clear job between NASA staff and me , they were
> really fast patching ( one day ) and really fast replying my first
> email.
>
> The important thing is that NASA staff knows now wich risk has web
> applications security and how to solve web application securiuty
> issues.
saint lorenzo!
and thanks for letting all of us know what you've done!
> Everything in this life has a final mean , in this case : web
> security must be treated as other security issues , if not , you are
> in risk
clear thing!
> How much times i must rewrite this mail ?
we'll see..
> Best regards and thanks to all members of Ful-Disclosure,
--
-q/UNF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html