Sophos Has A Lot of Nerve Knocking IEEE for Security Lapse
A week after security firm Sophos released an antivirus update that identified parts of its own software as malware, it tried making fun of another organization for a security lapse. Then it did the hardest thing: admitted and corrected a mistake.
By Constantine von Hoffman, CIO
UPDATE: What once was a story of corporate hubris is now a story of how to handle a mistake. Read what follows — my original report on this — and then look to the end to see how Sophos took fast action to atone.
Dragusin stumbled across publicly readable uploads on the IEEE’s FTP server. Bad enough on its own, but a veritable security disaster for the IEEE.
It seems the organisation was using its upload server as a drop location for log files from the websites ieee.org and spectrum.ieee.org (its online magazine). Ouch.
According to Dragusin, the logs recorded the details of nearly 400,000,000 HTTP requests.
Those nearly 400 million log entries included the usernames and plaintext passwords of nearly 100,000 unique users.
How is this bad? Let me count the ways:
A world writable upload server? Maybe. But never world readable.
Log all your web traffic? Maybe. But never log plaintext passwords.
Allow vanilla FTP for uploads? Don’t do that. Use SFTP or scp instead.
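The two logging points above compound each other: a login form that submits over GET puts the username and password in the request URL, and the request URL is exactly what a web server's access log records, so the log file becomes a credential dump the moment anyone else can read it. The Python below is an added example, not code from the original article or from IEEE or Sophos. It scans constructed sample log lines (Apache "combined" format, not real IEEE data) for credential parameters, reports what a reader of the log would learn, and redacts the values before the file is shipped anywhere. The parameter names and the GET-login mechanism are assumptions for illustration, not details reported about the IEEE logs.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names whose values must never be written to a log file.
# (Illustrative list, an assumption; extend it for your own application.)
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "sessionid"}
USERNAME_PARAMS = {"username", "user", "login", "email"}
REDACTED = "REDACTED"

# Request field of an NCSA/Apache "combined" log line: "GET /path?q HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample log (not real IEEE data). A login form that submits via
# GET puts the credentials in the URL, and the URL is what the server logs;
# the POST on line 4 leaks nothing because request bodies are not logged.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2012:10:01:02 +0000] "GET /login?username=alice&password=Tr0ub4dor HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2012:10:01:09 +0000] "GET /login?username=bob&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2012:10:02:15 +0000] "GET /login?username=alice&password=Tr0ub4dor HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Sep/2012:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Sep/2012:10:03:01 +0000] "GET /article?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def _query_params(line):
    """Return (regex match, [(name, value), ...]) for the request URL's query."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, []
    query = urlsplit(m.group("target")).query
    return m, parse_qsl(query, keep_blank_values=True)


def leaked_credentials(line):
    """Sensitive parameters whose real (unredacted) value is in this line."""
    _, params = _query_params(line)
    return {k: v for k, v in params
            if k.lower() in SENSITIVE_PARAMS and v != REDACTED}


def redact_line(line):
    """Rewrite the request URL so sensitive values are replaced by REDACTED.

    Non-sensitive parameters pass through urlencode again, so a line with an
    unusual original encoding may come back normalised but semantically equal.
    """
    m, params = _query_params(line)
    if not m or not params:
        return line
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in params]
    parts = urlsplit(m.group("target"))
    new_target = parts._replace(query=urlencode(cleaned)).geturl()
    return line[:m.start("target")] + new_target + line[m.end("target"):]


def sanitize_log(text):
    """Redact every line; run this before a log leaves the web host."""
    return "\n".join(redact_line(line) for line in text.splitlines()) + "\n"


def audit_log(text):
    """What someone who can read this log learns: how many lines carry live
    secrets, and how many distinct accounts those secrets belong to."""
    lines_with_secrets = 0
    users = set()
    for line in text.splitlines():
        if not leaked_credentials(line):
            continue
        lines_with_secrets += 1
        _, params = _query_params(line)
        users.update(v for k, v in params if k.lower() in USERNAME_PARAMS)
    return {"lines_with_secrets": lines_with_secrets, "unique_users": len(users)}


if __name__ == "__main__":
    print("before:", audit_log(SAMPLE_LOG))
    clean = sanitize_log(SAMPLE_LOG)
    print("after: ", audit_log(clean))
    print(clean)
```

Redaction after the fact is the fallback, not the fix: the login form should submit by POST so the secret never enters the URL, and the server should be told not to log sensitive query strings at all. The audit function is the part worth keeping around, since it gives you the same two numbers Dragusin reported (lines carrying credentials and distinct accounts exposed) for any log you are about to move off the box.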
Let’s get one thing straight: I respect Sophos. It makes good products and, as noted, its blog is a good source of information. And Lord knows I like schadenfreude a lot; probably more than the next person.
But it takes some pretty big transistors to make fun of an organization's security problem when, a week earlier, an update to the Sophos antivirus program detected parts of its own software as malicious code. Once it detected them, the software disabled and/or deleted those components, including its own auto-update mechanism, leaving it unable to repair itself.
How is this bad? I’ll let Sophos customers count the ways.
Do unto others as you do unto yourself, folks. When (not if) I make a mistake I identify it clearly and make fun of myself, too. A few of the words I've used about myself when acknowledging my own failings: idiot, moron … there's more.
THE REST OF THE UPDATE: My experience is that few companies ever, ever, ever admit to making a mistake. When they do, it's a long time later and covered in verbal gobbledygook; it wasn't a "retreat," it was a "tactical realignment" sort of thing.
Well, not so for Sophos.
This post went up Friday afternoon, I think around 2.
Here’s what landed in my email at 3:28 that day.
You make a valid point about the Naked Security article. The tone was inappropriate, especially in light of recent events. We have amended it based on your feedback.
Thank you for alerting us to it.
Head of Naked Security
That, ladies and gentlemen, is how you should respond when you mess up. As my mother always told me, “Don’t argue with people when they are right.”