MorningStar.ca Canada And Security Practices
--------------------------------------------

[Please see Document v.1.0 link below.]

Dear Customers of MorningStar Canada,

In December of last year, Scott Mackenzie, President of MorningStar Canada, was provided with information he chose not to act upon. The information, which is now being provided to the public, contained evidence of various security vulnerabilities with the MorningStar Canada service - vulnerabilities which affected not only the stability and integrity of the MorningStar Canada service, but the personal privacy of their customers. Mr. Mackenzie chose to respond to this evidence by covering it up, and with lies rather than dealing with the situation. In response I am acting in accordance with the CERT(R)/CC Disclosure Policy by releasing the evidence to the public.

Security is the responsibility of everyone from the CEO to the Webmaster. While it is impossible to stop all potential future threats or vulnerabilities, it is possible to manage those potential threats in a timely fashion to minimize the window of opportunity that a malicious user has to cause damage. Security management requires that proper policies and best practices are in place, which then allows businesses to respond to and address any future security threat.

"Time is of the essence when notifying key individuals of critical security incidents, like virus alerts, vulnerabilities, and denial of service attacks. During past major virus outbreaks, like Melissa and LoveLetter, hours often meant the difference in saving millions in recovery costs and/or revenues. In cases like these, response needs to be immediate." - Risto Siilasmaa, President and CEO, F-Secure Corporation.

Security Vulnerability Notice:
=============================
Document v.1.0 - http://www.noameppel.com/research/Morningstar.ca.html

Acknowledgment:
===============
- Thanks to RCMP, Technical Security Branch for assistance.

Related Links:
===============
CERT(R) Coordination Center: http://www.kb.cert.org/vuls/html/disclosure/
Full Disclosure and the Window of Exposure: http://www.counterpane.com/crypto-gram-0009.html#1
RFP on Full Disclosure Policy: http://www.pcworld.com/news/article/0,aid,63944,00.asp

Noam Eppel
Web Security Consultant
http://www.noameppel.com
secure@noameppel.com