The Five High-level Types of Vulnerability Reports

[This was originally published on the OSVDB blog.]

Based on a Twitter thread started by Aaron Portnoy that was replied to by @4Dgifts asking why people would debunk vulnerability reports, I offer this quick high-level summary of what we see, and how we handle it.

Note that OSVDB uses an extensive classification system (that is very close to being overhauled greatly for more clarity and granularity), in addition to CVSS scoring. Part of our classification system allows us to flag an entry as ‘not-a-vuln’ or ‘myth/fake’. I’d like to briefly explain the difference, but also put it in the bigger picture. When we process vulnerability reports, we usually only have time to go through the information disclosed. In some cases we will spend extra time validating or debunking the issue, as well as digging up information the researcher left out such as vendor URL, affected version, script name, parameter name, etc. That leads to the high-level types of disclosures:

  • Invalid / Not Enough – We are seeing cases where a disclosure doesn’t have enough actionable information. There is no vendor URL, the stated product name doesn’t come up on various Google searches, the proof-of-concept (PoC) provided is only for one live site, etc. If we can’t replicate it or dig up the vendor in five minutes, we have to move on.
  • Site-specific – Some of the disclosures from above end up being specific to one web site. In a few rare cases, they impact several web sites due to the companies all using the same web hosting / design shop that re-uses templates. Site-specific does not qualify for inclusion in any of the big vulnerability databases (e.g. CVE, BID, Secunia, X-Force, OSVDB). We aggregate vulnerabilities in software and hardware that is available to multiple consumers, on their premises. That means that big offerings like Dropbox or Amazon or Facebook don’t get included either. OSF maintains a separate project that documents site-specific issues.
  • Vulnerability – There is enough actionable information to consider it valid, and nothing that sets off warnings that it may be an issue. This is the run-of-the-mill event we deal with in large volumes.
  • Not a Vulnerability – While a valid report, the described issue is just considered a bug of some kind. The most common example is a context-dependent ‘DoS’ that simply crashes the software, such as media player or browser. The issue was reported to crash the software, so that is valid. But in ‘exploiting’ the issue, the attacker has gained nothing. They have not crossed privilege boundaries, as the issue can quickly be recovered from. Note that if the issue is a persistent DoS condition, that becomes a valid issue.
  • Myth/Fake – This was originally created to handle rumors of older vulnerabilities that simply were not true. “Do you remember that remote Solaris 2.5 bug in squirreld??” Since then, we have started using this classification more to denote when a described issue is simply invalid. For example, the researcher claims code execution and provides a PoC that only shows a DoS. Subsequent analysis shows that it is not exploitable.

Before you start sending emails, as @4DGifts reminds us, you can rarely say with 100% assurance that something isn’t exploitable. We understand and agree with that completely. But it is also not our job to prove a negative. If a researcher is claiming code execution, then they must provide the evidence to back their claim. Either an additional PoC that is more than a stability crash, or fully explain the conditions required to exploit it. Often times when a researcher does this, we see that while it is an issue of some sort, it may not cross privilege boundaries. “So you need admin privs to exploit this…” and “If you get a user to type in that shell code into a prompt on local software, it executes code…” Sure, but that doesn’t cross privilege boundaries.

That is why we encourage people like Aaron to help debunk invalid vulnerability reports. We’re all about accuracy, and we simply don’t have time to test and figure out every vulnerability disclosed. If it is a valid issue but requires dancing with a chicken at midnight, we want that caveat in our entry. If it is a code execution issue, but only with the same privileges as the attacker exploiting it, we want to properly label that too. We do not use CVSS to score bogus reports as valid. Instead, we reflect that they do not impact confidentiality, integrity, or availability which gives it a 0.0 score.
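The 0.0 score follows from how the base equation is built. The sketch below is an added example, not OSVDB code, and it assumes CVSS version 2 base metrics (the post does not name a version); the function names are hypothetical. It shows that once confidentiality, integrity and availability are all set to None, the access metrics no longer matter.

```python
# CVSS v2 base-metric weights (from the CVSS v2 specification).
# Assumption: version 2 scoring; the post only says "CVSS".
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
IMPACT_METRICS = ("C", "I", "A")


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into {metric: value}; reject bad or missing metrics."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    for metric, values in WEIGHTS.items():
        if parts.get(metric) not in values:
            raise ValueError(f"bad or missing metric {metric!r} in {vector!r}")
    return parts


def base_score(vector):
    """CVSS v2 base score for a base vector string."""
    parts = parse_vector(vector)
    w = {m: WEIGHTS[m][parts[m]] for m in WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    # f(Impact) is the term that matters here: with no C/I/A impact it is 0,
    # so the whole score collapses to 0.0 however reachable the bug is.
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def debunked(vector):
    """Same access metrics as the claim, but with C, I and A all set to None."""
    parts = parse_vector(vector)
    parts.update({m: "N" for m in IMPACT_METRICS})
    return "/".join(f"{m}:{parts[m]}" for m in WEIGHTS)


if __name__ == "__main__":
    claimed = "AV:N/AC:M/Au:N/C:P/I:P/A:P"   # constructed: a code execution claim
    print(claimed, base_score(claimed))
    print(debunked(claimed), base_score(debunked(claimed)))
```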

Crossing the line on ‘appropriate’ response to a breach…

You have likely seen the news that eBay was compromised and disclosed on Wednesday the 21st, resulting in as many as 145 million customers being affected. eBay was quick to state that the criminals did not gain access to financial information, trying to allay customer concerns. Despite that, there are many aspects of the aftermath that concern people. Andy Greenberg at Wired and Madeline Bennett at The Inquirer are just two of many to write articles on “how not to handle a security breach”.

It didn’t take long for several US Attorneys General and one official in the UK to start or express interest in a formal investigation. I think it is warranted given the slow response from eBay and given that there are no details about the incident available from the company. It took them several days to finally add a banner to their site warning users to change their password.

[Image: ebay-banner]

What is disturbing is that four days later, I have not received an email from eBay warning me of this breach, while still receiving notices of random auctions ending that I am not watching. Getting notice of a breach for several days via the news, and not the company is bad form. In a comment made to BBC on Friday, the 23rd, eBay said:

EBay told the BBC that it was not aware of any technical problems with the password reset function on the site.
“The site is busy, but our secure password reset tool is working,” a spokesman said.

This caught my eye today as I read it just hours after seeing a Tweet from Kenn White in which he shows how ‘secure’ the password reset feature is:

[Image: ebay-passwd-snafu]

Between the lack of response, slow action to get a visible password reset warning, not mandating that users change passwords, and not understanding what good password security is, I think it is time for the FTC to step in. Companies must be held accountable for the security of their customers.

Update #1: I received my breach notification letter and request to change password an hour ago, almost eight hours after posting this blog, four days after it hit the news.

Update #2: @miaubiz points out that the actual breach happened between late February and early March, leading to questions on why it took them so long to disclose.

Surprise! Guinea pigs… (the end of an era)

Almost 7 years ago (August 18, 2007), I returned from a business trip to find a guinea pig in my living room. My significant other at the time, Kay, had wanted to rescue a guinea pig or three. We had talked about it and I was willing, but wanted to talk about it more. She figured why wait. So upon returning home… surprise! Guinea pig. This turned into a steady stream of adoptions that led me to have a herd. This is an important distinction in the guinea pig world. One or two pigs can bond with their human if given a lot of attention. They will happily sit in their human’s lap and look forward to it every night. When you have more than two though, especially a lot more, they will revert to their more natural herd mentality. This is considered to be healthier by many people, but is not favorable to many owners. Why? Because pigs are prey animals, and you are perceived as a threat to them. You don’t get to bond with them and they do not enjoy being picked up. But, if healthier for the pigs, that is important so we had a herd. A few years later, Kay and I split and I decided to take the pigs. While they were her idea, it was clear that I was a better and more consistent provider for them. Even when given the opportunity to come over and help with cage cleaning, or even keep me company while I did it, she rarely showed. Eventually, she became a completely absentee parent, leaving me to care for the pigs. The following is a list of the guinea pigs adopted, in the order that they moved on. While I cared for all of them equally and to the best of my ability, two of the nine were ‘mine’ in some fashion.

The first was ‘Snickers’, aka A156576, a female Abyssinian adopted from the Boulder Valley Humane Society. One of my hesitations on adopting is because I had not taken the time to read up on them, but Kay had. Our first pig ended up not being the typical adoption. Only four years old, she had serious hair loss and complications due to a life of poor nutrition. Snickers reminded us that guinea pigs are frequently not cared for properly. I wrote a brief summary of her adoption and what was going through my head at the time. While she was not with us long, she opened the gates for more adoptions.

‘Pringle’, originally named Cerra (aka A253868), was a female American shorthair adopted from the Larimer Humane Society on March 9, 2008. Estimated to be around 4 years old, she was picked up and found to be extremely skinny (660 grams). She was surrendered to the shelter with no history other than “good with kids”. Based on her weight and appetite the first night, we’d guess she was not given hay or veggies very often. Once home, she took to most veggies instantly and slept by the hay bowl half of the night. By the next day she was energetic, standing on her rear feet wheeking happily for veggies and sleeping all over the cage. Better, she was already up to 730 grams. Her first vet appointment confirmed that she had mammary tumors which were removed successfully during surgery with a very fast recovery. After the surgery, she proved she was the perfect pig in temperament and demonstrated how pigs can recover from the worst of environments. Pringle passed on April 15, 2009 due to masses on several internal organs. She was also experiencing very minor weight loss and potentially had neurological issues (serious spasms when she slept sometimes). She went peacefully in her sleep, head on a pillow.

JuineaPig, originally Ginny aka A419947, was a female Abyssinian adopted from the Denver Dumb Friends League on December 29, 2007. When we went in, she was described as “problematic” and it took over 30 minutes for the staff to catch her because “she bites”. Given up for adoption for “recently starting to bite”, despite being almost two years old, once securely held she seemed to do fine. Due to her behavior, the DDFL had decided to pull her adoption information down and were going to declare her unsuitable for adoption. Once we gave the rundown of our current herd and ability to properly take care of her, they agreed that we could provide a good home for her. In the months after adoption, the only time she would bite is if she felt directly threatened, and even then, only warning nips. It was immediately clear that her previous owners had not given her any veggies as it took several months to get her to eat a wide variety. Since adoption, she was nothing but a sweet pig and clearly not a biter. JuineaPig passed on May 20, 2009 due to many internal complications including cancerous tumor, kidney issues, bladder stone, GI obstruction, and more. Her last two days were not very happy, but she fought as best she could.


Figlet, originally Willow aka A762196, was a female Abyssinian (likely with a peruvian mix) adopted from the Humane Society of the Pike’s Peak Region on June 20, 2008. Originally down there to adopt another ‘female’, we found two large males with health problems. Despite correcting the shelter on the gender of the pigs, they didn’t appear to care or update the web page days later. Figlet was in a large cage by herself (good), but with half of it covered in water-soaked litter and no water in her bottle. Almost unable to hold her, we managed to get her in the carrier and bring her to the pig mansion. She integrated into the herd within hours (after quarantine) and did great. Clearly younger than advertised, Figlet was the most energetic and spastic pig we had. Even six months after adoption, she was almost impossible to hold for more than a few seconds as she tried to escape and find her own footing. Fearless doesn’t begin to describe her. Figlet passed on Oct 15, 2009 due to complications during surgery to remove a mass causing Hyperthyroidism, a rare condition in guinea pigs. A full write-up of diagnosing and treating her was created to share information about this rare condition in pigs. Figlet was ‘my’ pig and I spent a lot of time trying to figure out what was wrong, and went to great lengths to try to help her live a happy life. After losing her, that convinced me that I was not going to rescue any more pigs myself; rather, I would continue to support shelters and rescues.

Nugget, originally Nibbles, was a female American shorthair adopted from the Denver Dumb Friends League on November 2, 2007. They believed her to be about four years old but we suspected she was a bit younger. She was our first shorthair guinea pig with a great personality and strong love for hay and veggies. The DDFL said she was “surrendered because the previous owners couldn’t afford to maintain her” which is sad, as a pig is relatively cheap to house and feed. Nugget was hands-down the most mellow guinea pig and frequently ends up being a vet buddy when one of the other pigs needs to see the doc. Nugget passed on Oct 31, 2010 from natural causes. She was a senior piggy and lived a glorious three years with me. While I can accept that logically she had already moved on and was not aware of her surroundings or had any real mental faculty, the last 45 minutes of her life were spent in my lap at 3AM having spasms. That is very hard to deal with.


Zesty, unnamed aka A089150, was a female Abyssinian adopted from the Denver Municipal Animal Shelter (DAS) by Kay on September 7, 2007, one of three guinea pigs brought in that were apparently found near an auto repair shop, left to fend for themselves. The only female of the bunch, she was described by the staff as an ‘escape artist’ and estimated to be approximately one year old. We feared she was pregnant due to being housed with the two males she was found with, which was another reminder that despite the good intentions of shelters, guinea pigs simply aren’t well known. We soon learned that she was indeed an escape artist but fortunately not pregnant. She became the queen of the herd, and was certainly the most feisty guinea pig we had. Zesty passed on June 3, 2012 from natural causes. Based on her life history, she lived a long time all things considered.

Biscuit was a female Abyssinian adopted the same day as Zesty to provide companionship to the feisty beast. Oh, and she was ridiculously cute and mangled. Our third guinea pig at the time and first baby, adopted at only 5 weeks old, Biscuit knew no fear since she grew up in a happy home full of daily vegetable platters, endless hay, and a huge play pen to run around in. She was definitely the most tranquil pig, and knew absolutely no hardship in her life like the rest had. Biscuit passed on September 28, 2012. Sweetest of the herd, she lived a wonderful life.


Waffle was a female Abyssinian personal adoption taken in on November 16, 2007. She was ‘my’ second pig, adopted selfishly. Part of me regrets that we got her from a pet store, but I wanted one guinea pig that we knew the absolute history on and who should have no health problems as compared to the hit-or-miss you get with shelter rescues. Despite that desire, she lived her life with some respiratory issues. It never affected her, but hearing her ‘hoot’ as if congested was a constant reminder of her being in the herd. Ultimately, she lived over 6 years and her frequent breathing issues had nothing to do with her passing. Waffle was the most distinct color we had seen, a great blend of white, grey, and black, giving a ‘peppered’ appearance. Her black feet were also quite distinct and made her stand out in the herd (and a pain to trim the black nails as we couldn’t see the quick). Approximately five weeks old when adopted, she seemed to live for fresh hay more than anything else. When she wasn’t bouncing around her home she would lay in one of the hay lofts for easy access to her precious hay. Waffle reached end of life on May 9, 2014 (today) due to an intestinal tumor.

At this point, it left me with a single pig (Tater) that had grown up in a herd and knew nothing else. When Biscuit passed, Tater did not handle it well. That point moved from three pigs to two, which is decidedly not a herd. After three weeks, Tater finally settled down and accepted the situation and fell back into a happy routine with Waffle. With Waffle’s passing today, I fear for the worst; that Tater will realize Waffle is gone (she hasn’t as of writing this blog) and freak out. Today, she has gotten a series of extra veggies, a cob of corn, and fresh hay. I have checked on her periodically to ensure she is doing alright. In the morning, I will be taking her to Cavy Care, the only all-guinea pig rescue in Colorado. I have visited the sanctuary several times over the years and love what they do. They treat their guinea pigs exceptionally well and screen adoptions to ensure it will work. Unlike pet stores who will sell pigs to anyone, even if it is not ideal for the animal, Cavy Care will make sure the would-be owners understand what they are getting into. Tater will be given a new friend, also a senior female piggy, to live with. While it isn’t the herd, she will have companionship like she has had for the last two years. As a now senior pig, it is hard to tell when she will move on. In the last few months, she has lost over 100 grams which is considerable for a pig, and a sign that health issues are happening. I hate to take a pig to a rescue that is already over-burdened, but they understand my choice, and Tater will come with a donation and all of my supplies to help the shelter. So more about Tater…

Tater is a female Peruvian Abyssinian Silky (longhair) personal adoption taken in on April 11, 2008. The runt of a five-pig litter, she was taken from a family that had pigs living in poor conditions and mostly neglected as they “didn’t have time for them any more”. If left in those conditions, she certainly would have been housed with mom, dad, and any brothers in her litter leading to a very early pregnancy. Said to be four weeks old, we believe she was much closer to two weeks old when we got her. It only took her a few days to become extremely lively, eat any veggie she was given, and develop a great personality. She integrated faster than any other pig had, likely due to being around many other pigs early on. She received hair cuts every couple of months as her coat was too long and bulky, dragging the cage and getting mucked up. While she whines during the trimming, she becomes considerably more energetic and seems much happier afterwards.


For the last four to five years, I have been the only provider for my pigs. While Kay started the adoption spree, they lived a majority of their lives under my care. In that time I learned a lot about them. Everything from behavior quirks, to proper care, to treating odd conditions. I drove hours to ensure they received the best care possible. Every week for five years, I bought $20 – $40 of vegetables for them, special ordered Timothy Gold hay, and gave them a steady stream of chewable houses and items to keep them stimulated. I cleaned their cages every week when the herd was big, using bleach and vinegar to scrub down the ‘trays‘, washed their bedding, rotated their hay, and more. I adjusted my lifestyle and social availability to guarantee they got their vegetables about the same time every night. When traveling, they had in-home sitting most of the time, or twice-daily visits if not. When the air conditioning went out, I made sure someone was here to fix it within hours, as pigs can overheat easily. The temperature in my place very rarely crossed 76 degrees for their benefit. Every month or three, they got weighed to better determine they were healthy, as significant weight change is one of two ways to diagnose problems (the other being behavioral changes). I learned of common pig problems like cysts and little growths that can be removed, as well as common problems with senior female piggies like tumors, ovarian cysts, and unknown masses. When someone in a herd wheeks, I can identify it generally as it reflects on their emotional state. I have had to separate Zesty from the herd from going on a three-hour dominance mounting spree, ‘terrorizing’ the other pigs in her way. I have almost gotten kicked out of pet stores when I overheard a sales person spewing bullshit about guinea pigs. 
I have sighed casually and spouted back more disturbing facts than “you know some people eat guinea pigs?” to assholes trying to shock me (they were a lot more shocked than I was). Yes, I have read more books about guinea pigs than you have, about their history and indigenous lifestyle.

This is an end of an era in my life. Not having a huge guinea pig mansion in my living room, a few feet from where I spend a considerable amount of my life. Not hearing the happy wheeking, the frenzied wheeking as a pig tries to mount another, and the general chatter of guinea pigs day in and day out. Quarantining a newly adopted pig for 30 days before integrating into the herd. Bathing a guinea pig in some cases, no easy feat. No more setting up a play pen in the living room so they could run full speed, at least while they were young. No more watching Zesty jump over the guinea pig fence, and then laughing as Nugget observed Zesty and followed suit. I remember having to buy a new set of fences that were much taller to thwart the escape artists. Biscuit running in circles in the living room, entirely too fast for my camera to capture. The many nights I would take Figlet out of the cage and put her on the kitchen counter as I prepared veggies, giving her first shot to enjoy them without contest. The elaborate veggie platters I would make for the herd. Buying wheat grass for them to enjoy, because that was like crack to them. Cutting Tater’s hair, leaving a little sprout on her forehead because it amused me.

Despite the emotional turmoil in taking care of these critters, they were definitely worth it. If you have a bad day, you can look in the habitat and see the adorable guinea pig living their life. They have their own drama and dynamics, but ultimately it gives you perspective on your own drama. Picking up a guinea pig and getting nothing but an abject reaction reminds you they keep it real.


The Scraping Problem and Ethics

[This was originally published on the OSVDB blog.]

[2014-05-09 Update: We’d like to thank both McAfee and S21sec for promptly reaching out to work with us and to inform us that they are both investigating the incident, and taking steps to ensure that future access and data use complies with our license.]

Every day we get requests for an account on OSVDB, and every day we have to turn more and more people away. In many cases the intended use is clearly commercial, so we tell them they can license our data via our commercial partner Risk Based Security. While we were a fully open project for many years, the volunteer model we wanted didn’t work out. People wanted our data, but largely did not want to give their time or resources. A few years back we restricted exports and limited the API due to ongoing abuse from a variety of organizations. Our current model is designed to be free for individual, non-commercial use. Anything else requires a license and paying for the access and data usage. This is the only way we can keep the project going and continue to provide superior vulnerability intelligence.

As more and more organizations rely on automated scraping of our data in violation of our license, it has forced us to restrict some of the information we provide. As the systematic abuse rises, one of our only options is to further restrict the information while trying to find a balance of helping the end user, but crippling commercial (ab)use. We spend about half an hour a week looking at our logs to identify abusive behavior and block them from accessing the database to help curb those using our data without a proper license. In most cases we simply identify and block them, and move on. In other cases, it is a stark reminder of just how far security companies will go to take our information. Today brought us two different cases which illustrate what we’re facing, and why their unethical actions ultimately hurt the community as we further restrict access to our information.

This is not new in the VDB world. Secunia has recently restricted almost all unauthenticated free access to their database while SecurityFocus’ BID database continues to have a fraction of the information they make available to paying customers. Quite simply, the price of aggregating and normalizing this data is high.

In the first case, we received a routine request for an account from a commercial security company, S21sec, that wanted to use our data to augment their services:

From: Marcos xxxxxx (xxxxxxx@s21sec.com)
To: moderators osvdb.org
Date: Thu, 16 May 2013 11:26:28 +0200
Subject: [OSVDB Mods] Request for account on OSVDB.org

Hello,

I’m working on e-Crime and Malware Research for S21Sec (www.s21sec.com), a lead IT Security company from Spain. I would like to obtain an API key to use in research of phishing cases we need to investigate phishing and compromised sites. We want to use tools like “cms-explorer” and create our own internal tools.

Regards,

S21sec

*Marcos xxxxxx*
/e-Crime///

Tlf: +34 902 222 521
http://www.s21sec.com , blog.s21sec.com

As with most requests like this, they received a form letter reply indicating that our commercial partner would be in touch to figure out licensing:

From: Brian Martin (brian opensecurityfoundation.org)
To: Marcos xxxxxx (xxxxxxx@s21sec.com)
Cc: RBS Sales (sales riskbasedsecurity.com)
Date: Thu, 16 May 2013 15:26:04 -0500 (CDT)
Subject: Re: [OSVDB Mods] Request for account on OSVDB.org

Marcos,

The use you describe is considered commercial by the Open Security
Foundation (OSF).

We have partnered with Risk Based Security (in the CC) to handle
commercial licensing. In addition to this, RBS provides a separate portal
with more robust features, including an expansive watch list capability,
as well as a considerably more powerful API and database export options.
The OSVDB API is very limited in the number of calls due to a wide variety
of abuse over the years, and also why the free exports are no longer
available. RBS also offers additional analysis of vulnerabilities
including more detailed technical notes on conditions for exploitation and
more.

[..]

Thanks,

Brian Martin
OSF / OSVDB

He came back pretty quickly saying that he had no budget for this, and didn’t even wait to get a price quote or discuss options:

From: Marcos xxxxxx (xxxxxxx@s21sec.com)
Date: Mon, May 20, 2013 at 10:55 AM
Subject: Re: [OSVDB Mods] Request for account on OSVDB.org
To: Brian Martin (brian opensecurityfoundation.org)
Cc: RBS Sales (sales riskbasedsecurity.com)

Thanks for the answer, but I have no budget to get the license.

We figured that was the end of it really. Instead, jump to today when we noticed someone scraping our data and trying to hide their tracks to a limited degree. Standard enumeration of our entries, but they were forging the user-agent:

88.84.65.5 - - [07/May/2014:09:37:06 -0500] "GET /show/osvdb/106231 HTTP/1.1" 200 20415 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
88.84.65.5 - - [07/May/2014:09:37:06 -0500] "GET /show/osvdb/106232 HTTP/1.1" 200 20489 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.84.65.5 - - [07/May/2014:09:37:07 -0500] "GET /show/osvdb/106233 HTTP/1.1" 200 20409 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
88.84.65.5 - - [07/May/2014:09:37:08 -0500] "GET /show/osvdb/106235 HTTP/1.1" 200 20463 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36"

Visiting that IP told us who it was:

[Image: s21-warn]

So after requesting data, and hearing that it would require a commercial license, they figure they will just scrape the data and use it without paying. 3,600 accesses between 09:18:30 and 09:43:19.

In the second case, and substantially more offensive, is the case of security giant McAfee. They approached us last year about obtaining a commercial feed to our data that culminated in a one hour phone call with someone who ran an internal VDB there. On the call, we discussed our methodology and our data set. While we had superior numbers to any other solution, they were hung up on the fact that we weren’t fully automated. The fact that we did a lot of our process manually struck them as odd. In addition to that, we employed less people than they did to aggregate and maintain the data. McAfee couldn’t wrap their heads around this, saying there was “no way” we could maintain the data we do. We offered them a free 30 day trial to utilize our entire data set and to come back to us if they still thought it was lacking.

They didn’t even give it a try. Instead they walked away thinking our solution must be inferior. Jump to today…

161.69.163.20 - - [04/May/2014:07:22:14 -0500] "GET /90703 HTTP/1.1" 200 6042 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
161.69.163.20 - - [04/May/2014:07:22:16 -0500] "GET /90704 HTTP/1.1" 200 6040 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
161.69.163.20 - - [04/May/2014:07:22:18 -0500] "GET /90705 HTTP/1.1" 200 6039 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
161.69.163.20 - - [04/May/2014:07:22:20 -0500] "GET /90706 HTTP/1.1" 200 6052 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"

They made 2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6. Excuse us, you clearly didn’t want to try our service back then. If you would like to give it a shot then we kindly ask you to contact RBS so that you can do it using our API, customer portal, and/or exports as intended.
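Both log excerpts show the same signal, with or without a rotating user-agent: one client IP walking the entry IDs in order. The script below is an added example of how that weekly log review could be automated; it is not OSVDB's tooling. The thresholds are assumptions, the sample log is constructed, and the client IPs in it are RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, as in the excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Entry pages appear in two URL forms in the excerpts: /show/osvdb/<id> and /<id>.
ENTRY_RE = re.compile(r"^/(?:show/osvdb/)?(\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry = ENTRY_RE.match(rec["path"])
    rec["entry"] = int(entry.group(1)) if entry else None
    return rec


def analyze(lines, min_hits=5, max_step=3, seq_ratio=0.8, min_agents=3):
    """Summarize entry-page requests per client IP and flag scraping patterns.

    The thresholds are illustrative assumptions, not values from the post.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["entry"] is not None:    # ignore static assets etc.
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])        # stable: same-second order is kept
        ids = [r["entry"] for r in recs]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        # Enumeration: consecutive requests walk the ID space in small upward steps.
        ratio = sum(1 for s in steps if 0 < s <= max_step) / len(steps) if steps else 0.0
        agents = {r["ua"] for r in recs}
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        flags = []
        if len(recs) >= min_hits and ratio >= seq_ratio:
            flags.append("enumeration")
            # Many user-agents behind one IP can simply be a NAT gateway; it is
            # only treated as evasion when the same client is also enumerating.
            if len(agents) >= min_agents:
                flags.append("ua-rotation")
        report[ip] = {"hits": len(recs), "agents": len(agents),
                      "seq_ratio": round(ratio, 2),
                      "per_min": round(len(recs) / span * 60, 1), "flags": flags}
    return report


def sample_log():
    """Constructed sample log; client IPs are RFC 5737 documentation addresses."""
    agents = [
        "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/32.0.1700.76 Safari/537.36",
    ]
    t0 = datetime(2014, 5, 7, 9, 37, 6, tzinfo=timezone(timedelta(hours=-5)))

    def line(ip, offset, path, ua, referer="-"):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 20415 "{referer}" "{ua}"'

    out = ["this line is not in combined log format"]
    # Client A: sequential IDs, one per second, cycling through four user-agents.
    for i, n in enumerate([106231, 106232, 106233, 106235, 106236, 106237, 106238, 106239]):
        out.append(line("192.0.2.10", i, f"/show/osvdb/{n}", agents[i % 4]))
    # Client B: sequential IDs every two seconds, one fixed user-agent.
    for i in range(6):
        out.append(line("198.51.100.20", 2 * i, f"/{90703 + i}", agents[3]))
    # Client C: a person following search results; scattered IDs, minutes apart.
    for i, n in enumerate([106231, 90703, 104000, 55, 99999]):
        out.append(line("203.0.113.5", 90 * i, f"/show/osvdb/{n}", agents[0],
                        "https://search.example/?q=osvdb"))
    out.append(line("203.0.113.5", 5, "/css/site.css", agents[0]))
    return out


if __name__ == "__main__":
    for ip, summary in sorted(analyze(sample_log()).items()):
        print(ip, summary)
```

The ordering of entry IDs is the stronger signal: it survives user-agent forging and slow request pacing, both of which defeat checks based only on the agent string or the request rate.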

Overall, it is entirely frustrating and disappointing to see security companies who sell their services based on reputation and integrity, who claim to have ethics, completely disregard them in favor of saving a buck.
