It was my assumption also - but are we sure this attack was through a "trivial, well-known attack vector"?
On 11 January 2012 14:40, Laurelai <[email protected]> wrote:
> On 1/11/12 8:39 AM, Ferenc Kovacs wrote:
>>
>>
>> Because the ones with the so called ethics either lack the technical
>> chops or lack the enthusiasm to find simple vulnerabilities. Not very
>> ethical to take a huge paycheck and not do your job if you ask me.
>>
>
> If the only thing missing to secure those systems was somebody being able to
> use sqlmap and xss-me, then that could be fixed without hiring people who
> already proved that they aren't trustworthy.
> from my experience, the lack of security comes from the management, you can
> save money on that (and qa) on the short run.
> so companies tend to hire QSA companies to buy the paper which says that
> they are good, when in fact they aren't.
> most of them don't wanna hear that they are vulnerable and take the risks
> too lightly.
> if they would take it-security seriously it simply couldn't be owned through
> trivial, well-known attack vectors.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
>
> :D at least one person here gets it.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
