OT: Chattanooga Technology Council

From: Stephen Haywood 
------------------------------------------------------
If any of you folks have contacts at the Chattanooga Technology Council
you may want to let them know about a problem with their "join" page.
Credit card forms should only be used on HTTPS pages.


--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen@averagesecurityguy.info

===============================================================
From: Jason Brown
------------------------------------------------------
Irony is fun.

===============================================================
From: David White
------------------------------------------------------
I'll email both the interim director as well as the assistant director, both of whom I've talked with in the past. Good find.

And geeze - that's bad. I just found that page on their website in less than 10 seconds too.

- David

===============================================================
From: Stephen Haywood
------------------------------------------------------
You may want to talk to them about locking down http://chattanoogatechnologycouncil.org/xmlrpc.php if they are not using it.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen@averagesecurityguy.info

===============================================================
From: Sudo Bash
------------------------------------------------------
Haha wow

===============================================================
From: Lynn Dixon
------------------------------------------------------
Maybe the Technology Council should bring in some....technical people.... to design their site?

===============================================================
From: Ed King
------------------------------------------------------
I don't "get it". I went to the Join CTC page and it is https:

https://www.chattanoogatechnologycouncil.org/join/

===============================================================
From: John Aldrich
------------------------------------------------------
Quoting Lynn Dixon:

*SNERK!* :D

===============================================================
From: Stephen Haywood
------------------------------------------------------
Ed,

It depends on how you get to the page. If you type in chattanoogatechnologycouncil.org/join it would take you to the http page. If you clicked certain links it would take you to the https page. They may have fixed it already. I've been talking to the web admin off list.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen@averagesecurityguy.info

===============================================================
From: David White
------------------------------------------------------
I've also talked with them (not the web admin, but the director) off-list, and they've indicated that it's now fixed (they just installed an SSL cert after Stephen and I contacted them earlier today).

===============================================================
From: Mike Harrison
------------------------------------------------------
Stephen,

I see it as: https://www.chattanoogatechnologycouncil.org/join/

Which is HTTPS. But I get warnings: "Connection Partially Encrypted"

The real issue is: they are using "gravity forms" to collect credit card info, http://www.gravityforms.com/

I'll wager the "CC Info" you supply is stored in plain text or trivially reversible encryption on the web server, and probably emailed to the Tech Council in plain text so they can see it, and enter it manually in someplace else. There is a small chance they are using Gravity Forms + Stripe http://wordpress.org/plugins/gravity-forms-stripe/ properly configured.

I know you are only an "Average Security Guy", but do you really want to put that info into a Wordpress site hosted on a shared server at inmotionhosting.com? It looks like they have a dedicated IP but their IP address range is shared by spammers, publicly published vulnerabilities http://myip.ms/view/ip
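The two things Stephen and Mike describe above (the join page reachable over plain HTTP when you type the address, and the "Connection Partially Encrypted" warning, which is mixed content on an HTTPS page) can be checked mechanically. The script below is an added example, not code from the thread or from the Council's site. The HTML and the redirect chains it inspects are constructed samples; the hostname is the one under discussion, but nothing is fetched, and the card-field heuristic and finding strings are this example's own.

```python
"""Added example (not from the thread): static checks for a card form reached
or submitted over plain HTTP, and for mixed content on an HTTPS page.
All sample input below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resources that make a page "partially encrypted" when loaded over http://
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "source": "src", "object": "data"}
# Substrings that mark an <input> as a payment-card field (heuristic).
CARD_FIELD_HINTS = ("card", "cc-", "ccnum", "cvv", "cvc", "expir")


class _PageCollector(HTMLParser):
    """Collects forms (flagging ones with a card field) and sub-resource URLs."""

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str, "card": bool}, ...]
        self.resources = []   # [(tag, url), ...]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "card": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            hint = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            if any(h in hint for h in CARD_FIELD_HINTS):
                self._form["card"] = True
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr and attr in a:
            self.resources.append((tag, a[attr]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html):
    """Findings for `html` as served at `page_url` (the scheme matters)."""
    collector = _PageCollector()
    collector.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme
    for form in collector.forms:
        # An empty action posts back to the page itself.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if form["card"] and urlsplit(target).scheme != "https":
            findings.append(f"card form submits over plain HTTP to {target}")
    if page_scheme == "http" and any(f["card"] for f in collector.forms):
        # Even with an https action, an http page can be rewritten in transit.
        findings.append("card form is rendered on an http:// page")
    if page_scheme == "https":
        for tag, ref in collector.resources:
            if urlsplit(urljoin(page_url, ref)).scheme == "http":
                findings.append(f"mixed content: <{tag}> loads {ref}")
    return findings


def audit_entry_point(hops):
    """`hops` is the response chain seen when fetching the http:// URL a user
    types; each hop is {"url", "status", "headers"}, as you would note down
    from `curl -sI` one redirect at a time."""
    findings = []
    final = hops[-1]
    if urlsplit(final["url"]).scheme != "https":
        findings.append(f"{hops[0]['url']} is served without redirecting to https")
    elif "strict-transport-security" not in {k.lower() for k in final["headers"]}:
        # Without HSTS every fresh visit still starts with a plaintext request.
        findings.append("https response sets no Strict-Transport-Security header")
    return findings


# Constructed samples: the hostname is the thread's, the markup is invented.
HOST = "chattanoogatechnologycouncil.org"
HTTP_JOIN_PAGE = """<html><body><form method="post" action="/join/">
<input name="member_name"><input name="card_number"><input name="cvv">
</form></body></html>"""
HTTPS_JOIN_PAGE_MIXED = f"""<html><head>
<link rel="stylesheet" href="http://{HOST}/style.css">
<script src="//cdn.example.net/forms.js"></script></head><body>
<form method="post" action="https://{HOST}/join/">
<input name="card_number" autocomplete="cc-number"></form>
<img src="http://{HOST}/logo.png"></body></html>"""
NO_REDIRECT = [{"url": f"http://{HOST}/join/", "status": 200, "headers": {}}]
GOOD_REDIRECT = [
    {"url": f"http://{HOST}/join/", "status": 301,
     "headers": {"Location": f"https://{HOST}/join/"}},
    {"url": f"https://{HOST}/join/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
]

if __name__ == "__main__":
    print(audit_page(f"http://{HOST}/join/", HTTP_JOIN_PAGE))
    print(audit_page(f"https://{HOST}/join/", HTTPS_JOIN_PAGE_MIXED))
    print(audit_entry_point(NO_REDIRECT), audit_entry_point(GOOD_REDIRECT))
```

Note that the protocol-relative `//cdn.example.net/forms.js` is not flagged on the HTTPS page, because it inherits the page's scheme; only the two hard-coded `http://` references produce the "partially encrypted" warning Mike saw. Installing a certificate, as David reports they did, fixes the form's transport but not those references, and not the plain-HTTP entry point unless a redirect and HSTS are added as well.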

===============================================================
From: Mike Harrison
------------------------------------------------------
They might also want to check https://www.chattanoogatechnologycouncil.org/contact/

Lists: ideas@chatc.org

Which gets you:

ideas@chatc.org: The email address you entered couldn't be found. Please check the recipient's email address and try to resend the message. If the problem continues, please contact your helpdesk.

===============================================================
From: Stephen Haywood
------------------------------------------------------
I didn't look any further into the matter after the http stuff. I don't plan to give them my CC. I don't trust any mom & pop web site with my CC data. I prefer to see Stripe or PayPal. Thanks for the additional information.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen@averagesecurityguy.info

===============================================================
From: Lynn Dixon
------------------------------------------------------
I hate to say it, but it's a bit shameful their site isn't hosted with someone in Chattanooga...the "Gig City".

===============================================================
From: Rod-Lists
------------------------------------------------------
So who runs this outfit?