
Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in Subway Ordering

Hello,
I'm on your side. You are right in both how you are handling the case and your 
conclusion. They failed in a few business aspects, and are thus responsible for 
the outcome. After all, the legal side of our work is not less important than the 
IT and InfoSec technologies we use.
Good luck

Mikhail Utin, CISSP, PnD
_____________________________________________________________


Message: 1
Date: Tue, 17 Dec 2013 16:13:03 -0600
From: Daniel Wood <daniel.wood@xxxxxxxxx>
To: Full Disclosure Mailing List <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage
        in Subway Ordering for California (ZippyYum) 3.4 iOS mobile
        application
Message-ID: <5E0B8213-D336-4D52-9C44-2FBE931152F7@xxxxxxxxx>
Content-Type: text/plain; charset="windows-1252"

I would like to point out that the statements made in the emails from 
mikken.tutton@xxxxxxxxxxxxxxxxxxxxx are untrue at best, defamatory at worst.  I 
am not going to lambast Jeff, Mikken, or Intersec Worldwide - but I will defend 
myself.  Normally I would not respond to something like this in a public forum, 
however, Intersec Worldwide has forced my hand due to their untrue statements.

I never signed a Non-Disclosure Agreement with Intersec Worldwide when I 
started my contracting work for them.  Now that's not to say I am going to 
start publishing all the vulnerabilities of their clients, far from it.  I am 
stating this because prior to this email going out, I was called by Jeff Tutton 
the "CISO" about the matter.  We talked briefly for about 10 minutes on 
Wednesday, December 11, 2013.  During this phone call I mentioned the fact that 
no NDA had been signed.  He said he would look into this and work with his 
client on the matter regarding the vulnerability disclosure.  I never heard 
back from him or anyone at Intersec Worldwide after this.  
 
I emailed Jeff/Intersec this morning when I saw Fyodor's post and 
Mikken's/Intersec email alleging I violated their NDA.  I gave Jeff/Intersec 
until EOB today to provide the original email with the signed NDA I sent to 
them, however, I have yet to receive this.  I asked for a copy of the allegedly 
signed NDA last week as well.  Failure to provide a legitimate copy of my sent 
email with a signed NDA proves to me that they forgot to have me sign an NDA.  
I should not be held liable for a lapse in their own processes.  If they are 
able to come up with a legitimate copy of the signed NDA and email with 
legitimate email headers - I will gracefully apologize, which won't occur since 
I did not sign such a document.  In this email, I also informed Jeff that I am 
terminating my 1099/contractor agreement with Intersec Worldwide effective 
immediately.

Due to the mention of legal action in their email, I have now retained the 
services of an attorney and will be ready to see this matter to a close.  
Instead of focusing on the fact that information was disclosed after they had 
6+ months to fix the vulnerability, they should be focusing on the positive 
aspect that they were able to fix the vulnerability and that it does not affect 
their product's current release version.  

- Daniel Wood

On Dec 16, 2013, at 4:50 PM, Fyodor <fyodor@xxxxxxxx> wrote:

> On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood <daniel.wood@xxxxxxxxx> wrote:
> Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for 
> California (ZippyYum) 3.4 iOS mobile application
> 
> Reported to Vendor: May 2013
> CVE Reference: CVE-2013-6986
> 
> Apparently you touched a nerve!  If the legal threats we received for 
> archiving this security advisory on SecLists.org are any indication, ZippyYum 
> really doesn't want anyone to know they were storing users' credit card info 
> (including security code) and passwords in cleartext on their phones.
> 
> "Please remove this information from your website immediately in order 
> to avoid further legal action." --Mikken Tutton, CEO of ZippyYum 
> client IntersecWorldWide
> 
> Of course we have ignored the threats and kept the advisory proudly 
> posted at: http://seclists.org/fulldisclosure/2013/Dec/39
> 
> Here are the legal threats we received today and last Wednesday:
> 
> ---------- Forwarded message ----------
> From: Mikken Tutton <mikken.tutton@xxxxxxxxxxxxxxxxxxxxx>
> Date: Mon, Dec 16, 2013 at 1:33 PM
> Subject: Fwd:
> To: johnc@xxxxxxxxxxx, fyodor@xxxxxxxx, hostmaster@xxxxxxxxxxxx
> 
> Dear Webmaster,
> 
> We contacted you last week regarding some private information about 
> our client that you have posted on your website, in violation of 
> Non-Disclosure agreements we have in place with our customer Zippy 
> Yum. We are requesting that this information be removed immediately. 
> The information to which I am referring is located on this page of 
> your website: http://seclists.org/fulldisclosure/2013/Dec/39
> 
> We would appreciate the courtesy of a response to our email within 48 hours 
> so we can resolve this issue.
> 
> If we do not receive a response, we will turn this matter over to our 
> attorney for legal action. Thank you for your prompt attention to this matter.
> 
> Sincerely,
> 
> Mikken Tutton
> CEO
> 
> 
> ---------- Forwarded message ----------
> From: Mikken Tutton <mikken.tutton@xxxxxxxxxxxxxxxxxxxxx>
> Date: Wed, Dec 11, 2013 at 11:03 AM
> Subject: Re:
> To: fyodor@xxxxxxxx
> Cc: johnc@xxxxxxxxxxx
> 
> Dear Mr. Lyon,
> 
> It has come to my attention that the attached information is posted on your 
> website about one of our clients. However, this information was released to 
> you without authorization and is protected by the Non-Disclosure Agreements 
> we have in place, both with our client and also with the contractor who 
> submitted the information to your website in violation of said NDA.
> 
> Please remove this information from your website immediately in order to 
> avoid further legal action. Attached is a screen shot of the client 
> information I am referring to. Please advise if you have any questions.
> 
> We appreciate your prompt attention to this matter.
> 
> Thank you.
> 
> 
> Sincerely,
> 
> Mikken Tutton
> CEO
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


End of Full-Disclosure Digest, Vol 106, Issue 21
************************************************