03.12.08 G-Archiver Pulls Their Software From Distribution
By Dan Morrill
G-Archiver, the software that Coding Horror caught and that was blogged about here, has pulled the version of its product that captures user credentials and e-mails them to a Gmail account. From Coding Horror's discovery on the 7th to this morning, when the tainted version was pulled, is about five days.
Five days is not a bad response time for a company, but the explanation given for why the code was there in the first place is that it was debug code.
Debug code that captures and mails user credentials should never have passed any form of internal QA.
Using a Gmail account as the debug channel calls the "debug story" further into doubt. I have never known a company to use Gmail for debugging a piece of stand-alone software. G-Archiver does work with Google's services, but the story just does not ring true: you do not copy and capture user logins and send them to a Gmail account as a debug process.
This reads more like damage control than anything else. Damage control is worth doing, but the problem remains that all of this passed QA and it took an outside researcher to catch it. It is as if nobody ever went back and asked, "did I remove all the debug code?"
There will probably be more on this one. In the longer run, though, never trust software blindly. If you have to trust software, check it out in house, search for it on Google, and find out as many of its flaws as you can before you download and run it.
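The "check it out in house" advice above, and the "did I remove all the debug code?" question, both come down to looking at what a build actually contains. The following is an added example, not code from G-Archiver, Coding Horror or this post: a small Python triage script that pulls printable strings out of a binary (the way `strings` does) and flags the combination the story describes, a hard-coded mail server alongside credential-related strings or a recipient mailbox. The sample blob, the mailbox debug-report@example.com and the DEBUG_SEND_CREDENTIALS marker are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed stand-in for a release binary: a little header noise, some
# non-printable bytes and a handful of embedded C strings. This is not
# G-Archiver's binary; it only mimics the kind of strings a build that
# mails credentials somewhere would carry.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"smtp.gmail.com\x00"
    + b"\x90\x90\xcc\x00"
    + b"debug-report@example.com\x00"      # assumed destination mailbox
    + b"DEBUG_SEND_CREDENTIALS\x00"        # assumed leftover debug switch
    + b"\x00\x01\x02\x03"
    + b"password\x00"
    + b"hello world\x00"
)

# Indicators worth a second look. Matching one is a prompt for manual review
# (or a network capture while the program runs), not proof of malice.
INDICATORS: Dict[str, "re.Pattern[bytes]"] = {
    "mail_server": re.compile(rb"(?i)\b(smtp|imap|pop3?)\.[a-z0-9.-]+"),
    "email_address": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "debug_marker": re.compile(rb"\b(DEBUG|TODO|FIXME)"),
    "credential_word": re.compile(rb"(?i)(password|passwd|credential)"),
}


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Pull printable-ASCII runs out of a byte blob, like `strings -n 6`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator name to the embedded strings that triggered it."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for s in extract_strings(blob):
        raw = s.encode("ascii")
        for name, pat in INDICATORS.items():
            if pat.search(raw):
                hits[name].append(s)
    return hits


def assess(blob: bytes) -> Dict[str, object]:
    """Flag the combination the G-Archiver story describes: a mail server
    plus something credential-shaped or a hard-coded recipient address.
    Either half on its own is common in legitimate software."""
    hits = scan(blob)
    talks_to_mail = bool(hits["mail_server"])
    handles_secrets = bool(hits["credential_word"] or hits["email_address"])
    return {
        "hits": hits,
        "leftover_debug": bool(hits["debug_marker"]),
        "exfiltration_risk": talks_to_mail and handles_secrets,
    }


if __name__ == "__main__":
    import sys

    # Scan a real file if one is given, otherwise the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    result = assess(blob)
    for name, matched in result["hits"].items():
        print(f"{name:16s} {matched}")
    print("leftover debug markers:", result["leftover_debug"])
    print("credential exfiltration risk:", result["exfiltration_risk"])
```

A hit here is a reason to run the program under a network capture, not a verdict: plenty of legitimate software embeds a mail server hostname, and a packed or string-obfuscated binary will hide all of these strings. Running the same script over your own release candidate before it ships is the cheap form of the QA check the post says was missing.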
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.