Not so Secure Invoicing



  • There are three companies authorized to distribute Cisco products to government resellers: Comstor, Ingram Micro, and Tech Data.  I recently switched which one I purchase from.  I just received the below email with my first invoice from them.  The blue bar at the top left and the four blue links on the right side all link to Striata's website.  All five links include my seven digit account number.  I'm thinking of switching back.




  • Retards.  Are they under some false impression that SSL encryption covers the initial HTTP GET?



  • All five links started with http://secure3.striata.com/cgi-bin/ed/c.pl? and ended with my account number.


  • Garbage Person

     So this is a vendor-shame thread. Why the hell aren't you telling us which vendor it is? This kind of stupid should not be rewarded.


  • Discourse touched me in a no-no place

    @Weng said:

     So this is a vendor-shame thread. Why the hell aren't you telling us which vendor it is? This kind of stupid should not be rewarded.


    @Pascal said:
    The blue bar at the top left and the four blue links on the right side all link to Striata's website.


    ?


  • Garbage Person

     Striata makes the 'secure email' software. They are not the Cisco vendor



  • My intention in posting this was not to shame anyone.  Most vendors just send invoices in emails in cleartext anyway.  I just got a laugh out of what some people consider "secure" and thought I'd pass it along.  As far as I know Striata's product works well when used as designed.  I notified the vendor of the problem before posting here.  I only gave you a choice of three vendors to show this wasn't from some mom-and-pop shop.  We all make mistakes, I'm chalking this one up to human error.  Let he who is without fault...



  • Idea for a future thread topic: "What's the worst you've ever screwed up in IT?".  May not be a fair fight though, when I talk about my screwups I use words like worldwide and ATM.



  • @hoodaticus said:

    Retards.  Are they under some false impression that SSL encryption covers the initial HTTP GET?

    And what makes you think it doesn't?

    More problematic is that the links are stored unencrypted in the email body, which has likely passed through many unencrypted connections on the way from the bank, and now probably resides on the service provider's server, still not encrypted.



  • Is your account number the only thing to appear in the link?

    (no one-use server-stored token or anything alike)?



  • @MustBeUsersFault said:

    Is your account number the only thing to appear in the link?

    (no one-use server-stored token or anything alike)?

    No, there are other things in the link, like my email address.  But the point is, if you read the 3 steps on the left side in the email, the "password" to open the "secure" invoice attached to the email is my 7 digit account number.  Anyone with half a brain who intercepted the email would see a 7 digit number in the links and give it a try.  There is no good reason for the links to download the secure reader and read instructions on how to use it to include the password to open the attachment.
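The defect Pascal describes, the password that opens the "secure" attachment sitting in cleartext in the same mail's links, is easy to lint for before an invoice run goes out. This is an added example, not code from the thread or from Striata; the mail, the host name and the query parameter names are constructed placeholders, only the shape (http links ending in the account number, account number as attachment password) follows the thread.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample mail modelled on the one in the thread: three "how to open"
# links carry the account number that is also the attachment password.
SAMPLE_MAIL = """\
From: billing@distributor.example
To: customer@example.invalid
Subject: Your invoice
Content-Type: text/plain

Your invoice is attached as an encrypted PDF. To open it:
1. Get the reader: http://secure-mail.example/c.pl?a=reader&email=customer%40example.invalid&acct=1234567
2. Read the guide: http://secure-mail.example/c.pl?a=help&acct=1234567
3. Open the attachment using your account number as the password.
"""

def _text_parts(msg):
    """Yield every decoded text/* part of the message (plain or HTML)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def audit_mail(raw_mail, attachment_password):
    """Return (kind, detail) findings: the attachment password exposed in link
    parameters or body text, links sent over plain http, and a weak keyspace."""
    findings = []
    for body in _text_parts(message_from_string(raw_mail)):
        links = URL_RE.findall(body)
        for url in links:
            parsed = urlparse(url)
            if parsed.scheme != "https":
                findings.append(("cleartext_link", url))
            for name, values in parse_qs(parsed.query).items():
                if attachment_password in values:
                    findings.append(("password_in_link_param", name))
        # the password spelled out in the prose, outside any link
        if attachment_password in URL_RE.sub("", body):
            findings.append(("password_in_body_text", attachment_password))
    if attachment_password.isdigit():
        # an all-digit password is brute-forceable offline against the attachment
        findings.append(("numeric_password_keyspace", 10 ** len(attachment_password)))
    return findings
```

Run `audit_mail(SAMPLE_MAIL, "1234567")` to see the three classes of finding; an account number that does not appear in any link or text and is not purely numeric yields only the cleartext-link findings.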



  • I got that,

    I was just wondering if you could download any docs for any other customer just by messing with the download link.



  • @Pascal said:

    All five links started with http://secure3.striata.com/cgi-bin/ed/c.pl? and ended with my account number.



     The subdomain has the word "secure" in it. So obviously, these links are secure. Possibly even triple-secure.



  • @MustBeUsersFault said:

    I was just wondering if you could download any docs for any other customer just by messing with the download link.

    No, the links appear to just be for downloading the viewer application and reading about it.  The invoice itself was attached to the email.



  • @Pascal said:

    Idea for a future thread topic: "What's the worst you've ever screwed up in IT?".  May not be a fair fight though, when I talk about my screwups I use words like worldwide and ATM.

    I get to use words like NAVAL WARSHIP, GUN, etc.... unfortunately you need a clearance to hear about them [truthfully]



  • @TheCPUWizard said:

    @Pascal said:

    Idea for a future thread topic: "What's the worst you've ever screwed up in IT?".  May not be a fair fight though, when I talk about my screwups I use words like worldwide and ATM.

    I get to use words like NAVAL WARSHIP, GUN, etc.... unfortunately you need a clearance to hear about them [truthfully]

    Is this an official bragging thread? I get to use **** development and **** *** among other things

    Btw it might be a while before I can post again because of the bickering about the federal funding so, later bitches



  • @Pascal said:

    My intention in posting this was not to shame anyone. 

    Must be new round here...

    @Pascal said:

    Let he who is without fault...

    Wow, that's so /not/ the tdwtf attitude!




  • @tdb said:

    @hoodaticus said:

    Retards.  Are they under some false impression that SSL encryption covers the initial HTTP GET?

    And what makes you think it doesn't?

    More problematic is that the links are stored unencrypted in the email body, which has likely passed through many unencrypted connections on the way from the bank, and now probably resides on the service provider's server, still not encrypted.

    Wow, you two guys can tell all that just by hovering your mouse over the image of a hyperlink in a jpg?
