by Constantine von Hoffman

Sophos Has A Lot of Nerve Knocking IEEE for Security Lapse

Sep 28, 2012
Data and Information Security, Data Breach, Security

A week after security firm Sophos released an antivirus update that identified parts of the Sophos software as malware, it made fun of another organization over a security lapse. Then it did the hardest thing: admitted and corrected a mistake.

UPDATE: What once was a story of corporate hubris is now a story of how to handle a mistake. Read what follows — my original report on this — and then look to the end to see how Sophos took fast action to atone.

Considering what the IEEE (Institute of Electrical and Electronics Engineers) represents, it is pretty damn amusing that the group left 100,000 usernames and plaintext passwords out in the open for at least a month. However, it astounds me that Sophos–which recently issued an upgrade to its antivirus software that identified its own security program as malware–is making fun of IEEE.

The IEEE botch was discovered by a Denmark-based, Romanian computer scientist named Radu Dragusin, who reported it to the organization and then wrote about it on the company’s blog.

Here’s a quote from Paul Ducklin’s post on the (usually excellent) Sophos Naked Security blog:

Dragusin stumbled across publicly readable uploads on the IEEE’s FTP server. Bad enough on its own, but a veritable security disaster for the IEEE.

Seems the organisation was using its upload server as a drop location for log files from the websites and online magazine. Ouch.

According to Dragusin, the logs recorded the details of nearly 400,000,000 HTTP requests.

These 400,000 log entries included the usernames and plaintext passwords of nearly 100,000 unique users.

How is this bad? Let me count the ways:

  • A world writable upload server? Maybe. But never world readable.
  • Log all your web traffic? Maybe. But never log plaintext passwords.
  • Allow vanilla FTP for uploads? Don’t do that. Use SFTP or scp instead.
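The second point above, never log plaintext passwords, is the one that turns a readable log directory into a credential dump. As an added example that is not from the Sophos post or the IEEE report, here is a small Python scrubber that finds credential fields in the query string of web-server request lines, redacts them, and counts how many lines would have leaked; the parameter-name list and the sample log entries are constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

# Query-parameter names treated as credentials (assumed list; extend it to match your application).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass"}

# Request line inside an Apache/nginx "combined" access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample entries; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2012:10:01:02 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Sep/2012:10:01:07 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [24/Sep/2012:10:02:11 +0000] "POST /auth?user=bob&PWD=s3cret&next=home HTTP/1.1" 200 88 "-" "curl/7.26"',
]

def redact_target(target: str) -> Tuple[str, bool]:
    """Return the request target with credential values replaced, and whether any were found."""
    parts = urlsplit(target)
    if not parts.query:
        return target, False
    pairs, found = [], False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in CREDENTIAL_PARAMS:
            value, found = "[REDACTED]", True
        pairs.append((key, value))
    if not found:
        return target, False
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets
    return parts._replace(query=urlencode(pairs, safe="[]")).geturl(), True

def scrub_log_line(line: str) -> Tuple[str, bool]:
    """Redact credentials in one access-log line; the boolean says whether the line leaked any."""
    match = REQUEST_RE.search(line)
    if not match:
        return line, False
    new_target, found = redact_target(match.group("target"))
    if not found:
        return line, False
    return line[: match.start("target")] + new_target + line[match.end("target"):], True

def audit_log(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Scrub every line and count how many carried a plaintext credential before scrubbing."""
    scrubbed, leaks = [], 0
    for line in lines:
        clean, found = scrub_log_line(line)
        scrubbed.append(clean)
        leaks += int(found)
    return scrubbed, leaks
```

Run `audit_log` over an existing log directory to measure the exposure before deciding whether the files can be retained at all; the leak count is the number of credentials that must be treated as compromised.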

Let’s get one thing straight: I respect Sophos. It makes good products and, as noted, its blog is a good source of information. And Lord knows I like schadenfreude a lot; probably more than the next person.

But it takes some pretty big transistors to make fun of an organization’s security problem when a week ago an update to the Sophos antivirus program detected parts of its own software as malicious code. Once detected the software then disabled and/or deleted parts that included its ability to auto-update and thus repair itself.

How is this bad? I’ll let Sophos customers count the ways.

The company’s blog post on this was terse to the point of practically being a haiku. All customers got was a cursory “we apologizes for the inconvenience.” (CEO’s apology is here)

Do unto others as you do unto yourself, folks. When (not if) I make a mistake I identify it clearly and make fun of myself, too. A few of the words I’ve used about me when acknowledging my own failings: Idiot, moron … there’s more.

So Sophos, I’m sorry to get all John 8:7 on you but you’ve been humbled and apparently decided to ignore that.

Leave the sarcasm to the pros.


THE REST OF THE UPDATE: My experience is that few companies ever, ever, ever admit to making a mistake. When they do it’s a long time later and covered in verbal gobbledy-goo; it wasn’t a “retreat,” it was a “tactical realignment” sort of thing.

Well, not so for Sophos.

This post went up Friday afternoon, I think around 2.

Here’s what landed in my email at 3:28 that day.

You make a valid point about the Naked Security’s article. The tone was inappropriate, especially in light of recent events. We have amended it based on your feedback. 

Thank you for alerting us to it. 

Carole Theriault

Head of Naked Security

That, ladies and gentlemen, is how you should respond when you mess up. As my mother always told me, “Don’t argue with people when they are right.”