Below are a collection of both old and new security or privacy incidents authored by our Privateers. We believe in Responsible Full Disclosure and generally follow the policy of the venerable RFP (Rain Forest Puppy), found here RFP Policy 2.0. We believe that information security professionals should try to work with the vendor or agency in identifying and documenting any security or privacy incident found. We also believe in working with both federal and state law enforcement agencies, where that applies.
/* Disclaimer: Nothing in these reports are designed to identify any illegal or regulatory compliance issue. Privateers do not hack into targets for fun, and do not hack into, run web app assessment software or perform penetration testing or vulnerability testing on any site or company without explicit permission and contracts from the responsible company */
United Airways® united.com Insecure Transmission of User Credentials
Category: Information Disclosure
Author: Michael Scheidell, CCISO – Managing Director, Security Privateers
Original Public Release Date: June 30th, 2014.
Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago ECTF)
Notifications: May 5th, 2014. Update sent to MECTF and
Revision Date: July 11, 2014
Reason for Revision: Added information on date vulnerable from archive.org
It has been reported that the ftpd server, included in the Embedded Real Time Operating System (ERTOS) of 3Com Superstack 3 NBX IP phones, contains a denial of service vulnerability. This issue can be triggered by sending a CEL paramater of excessive length, effectively causing the ftpd server and various VoIP services to no longer respond.