<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Salesforce.com targetted again!</title>
	<atom:link href="http://www.breachbytes.com/2008/01/09/salesforcecom-targetted-again/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.breachbytes.com/2008/01/09/salesforcecom-targetted-again/</link>
	<description>Network Forensics &#124; Network Monitoring &#124; Incident Response</description>
	<pubDate>Sat, 22 Nov 2008 20:55:06 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Andy Alsop</title>
		<link>http://www.breachbytes.com/2008/01/09/salesforcecom-targetted-again/#comment-31</link>
		<dc:creator>Andy Alsop</dc:creator>
		<pubDate>Tue, 22 Jan 2008 19:50:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.BreachBytes.com/2008/01/09/salesforcecom-targetted-again/#comment-31</guid>
		<description>Stephen: Excellent comment.  Thanks for posting!  

I assume much like anything else in an unregulated industry there are varying degrees of "abuse."  Some of the lesser known SaaS businesses can fly under the radar, but isn't there the potential that Salesforce.com's entire business could be in jeopardy if it were to hit the wires that they were using customer data inappropriately or irresponsibly?  

My assumption is that a competitor like SugarCRM or Sage CRM Solutions would just love to expose a company like Salesforce.com if they were collecting and using their customers' customers' data in ways that would be obvious violations of even the most basic ethics (like selling names or brokering out confidential information).  The NY Times would love to do a Sunday Business piece on that!</description>
		<content:encoded><![CDATA[<p>Stephen: Excellent comment.  Thanks for posting!  </p>
<p>I assume much like anything else in an unregulated industry there are varying degrees of &#8220;abuse.&#8221;  Some of the lesser known SaaS businesses can fly under the radar, but isn&#8217;t there the potential that Salesforce.com&#8217;s entire business could be in jeopardy if it were to hit the wires that they were using customer data inappropriately or irresponsibly?  </p>
<p>My assumption is that a competitor like SugarCRM or Sage CRM Solutions would just love to expose a company like Salesforce.com if they were collecting and using their customers&#8217; customers&#8217; data in ways that would be obvious violations of even the most basic ethics (like selling names or brokering out confidential information).  The NY Times would love to do a Sunday Business piece on that!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Stephen Smoogen</title>
		<link>http://www.breachbytes.com/2008/01/09/salesforcecom-targetted-again/#comment-30</link>
		<dc:creator>Stephen Smoogen</dc:creator>
		<pubDate>Tue, 22 Jan 2008 19:28:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.BreachBytes.com/2008/01/09/salesforcecom-targetted-again/#comment-30</guid>
<description>The main issue with SaaS (Software as a Service) systems is that the majority of them use the philosophy of collecting as much information about their customers as possible in order to sell it to other people (in the case that they need to for further revenues). Most collected and stored their data in plain text and in ways that would have made Credit Card companies flinch before the days of PCI. I remember one site where one could get to any other customer's data by just getting a minimal paying account and then changing a tag in the post from one 5 letter 'string' to another. And when the company went under.. all its data 'disappeared'... except for the copy that was for sale on a cracker site in Russia. 

I think that is the major reason for Reasonable Fear, Uncertainty and Doubt about this sort of data. Banking at ATMs is somewhat regulated and controlled in ways that may not 'completely' protect the customer, but it does raise the level of trust. The self-regulation of the PCI standards does the same for Credit Card data on websites.. until there is a similar set of government or industry regulations that have teeth.. I would seriously doubt putting confidential data blindly into SaaS. 

Any SaaS company must be able to show in some clear and transparent way:
1) What it collects
2) What it stores and how?
3) What are the security mechanisms and methodologies you use to protect that data. (using the methodology that if you are protecting your customers' information by obscurity.. you aren't doing enough because the crackers just have to get someone hired in for a short time to make it 'open' to them). 
4) How do you truly purge that data when asked to.
5) How else do you lower customer risk?
6) What are your general Incident Response Items from customer notification and cleanup to methodologies on trying to rectify and remediate found vulnerabilities.
7) What are a customer's rights and responsibilities and what are the company's (in clear English that a high school student can understand).</description>
<content:encoded><![CDATA[<p>The main issue with SaaS (Software as a Service) systems is that the majority of them use the philosophy of collecting as much information about their customers as possible in order to sell it to other people (in the case that they need to for further revenues). Most collected and stored their data in plain text and in ways that would have made Credit Card companies flinch before the days of PCI. I remember one site where one could get to any other customer&#8217;s data by just getting a minimal paying account and then changing a tag in the post from one 5 letter &#8216;string&#8217; to another. And when the company went under.. all its data &#8216;disappeared&#8217;&#8230; except for the copy that was for sale on a cracker site in Russia. </p>
<p>I think that is the major reason for Reasonable Fear, Uncertainty and Doubt about this sort of data. Banking at ATMs is somewhat regulated and controlled in ways that may not &#8216;completely&#8217; protect the customer, but it does raise the level of trust. The self-regulation of the PCI standards does the same for Credit Card data on websites.. until there is a similar set of government or industry regulations that have teeth.. I would seriously doubt putting confidential data blindly into SaaS. </p>
<p>Any SaaS company must be able to show in some clear and transparent way:<br />
1) What it collects<br />
2) What it stores and how?<br />
3) What are the security mechanisms and methodologies you use to protect that data. (using the methodology that if you are protecting your customers&#8217; information by obscurity.. you aren&#8217;t doing enough because the crackers just have to get someone hired in for a short time to make it &#8216;open&#8217; to them).<br />
4) How do you truly purge that data when asked to.<br />
5) How else do you lower customer risk?<br />
6) What are your general Incident Response Items from customer notification and cleanup to methodologies on trying to rectify and remediate found vulnerabilities.<br />
7) What are a customer&#8217;s rights and responsibilities and what are the company&#8217;s (in clear English that a high school student can understand).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Andy Alsop</title>
		<link>http://www.breachbytes.com/2008/01/09/salesforcecom-targetted-again/#comment-28</link>
		<dc:creator>Andy Alsop</dc:creator>
		<pubDate>Mon, 21 Jan 2008 21:20:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.BreachBytes.com/2008/01/09/salesforcecom-targetted-again/#comment-28</guid>
		<description>I remember back in the 80's when everyone screamed "Ahhh! You’re going to put your money in that bank machine?!"  Then in the 90's everyone was saying "I can't believe you’re putting your credit card into that web site!"  Now it's SaaS.  I am sure it will be something else at some point.  Yes, SaaS apps have been the target of attacks but in the case of Salesforce the attacks have been an effort to dupe human beings into giving away credentials and in this case it was successful.  Crooks have been trying to do this in the real world for centuries.  Did Salesforce sit back and just wave their hands saying it wasn’t a problem?  No, they made changes to their system that stopped this from happening in the future.  And they did it quickly.

Yes, our customer info is in Salesforce but we don’t put CC info or social security numbers or copies of their passwords into the system.  I assume you do some banking online.  Don’t those banks have far more sensitive data such as SS numbers, bank account numbers, etc?</description>
		<content:encoded><![CDATA[<p>I remember back in the 80&#8217;s when everyone screamed &#8220;Ahhh! You’re going to put your money in that bank machine?!&#8221;  Then in the 90&#8217;s everyone was saying &#8220;I can&#8217;t believe you’re putting your credit card into that web site!&#8221;  Now it&#8217;s SaaS.  I am sure it will be something else at some point.  Yes, SaaS apps have been the target of attacks but in the case of Salesforce the attacks have been an effort to dupe human beings into giving away credentials and in this case it was successful.  Crooks have been trying to do this in the real world for centuries.  Did Salesforce sit back and just wave their hands saying it wasn’t a problem?  No, they made changes to their system that stopped this from happening in the future.  And they did it quickly.</p>
<p>Yes, our customer info is in Salesforce but we don’t put CC info or social security numbers or copies of their passwords into the system.  I assume you do some banking online.  Don’t those banks have far more sensitive data such as SS numbers, bank account numbers, etc?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael</title>
		<link>http://www.breachbytes.com/2008/01/09/salesforcecom-targetted-again/#comment-25</link>
		<dc:creator>Michael</dc:creator>
		<pubDate>Thu, 17 Jan 2008 21:17:23 +0000</pubDate>
		<guid isPermaLink="false">http://www.BreachBytes.com/2008/01/09/salesforcecom-targetted-again/#comment-25</guid>
		<description>What is the name of your company so I make sure to not do business with you!

How can you be so cavalier about your customers' data? That is why SF was targeted: they want your customer data. SaaS is dangerous because its weakest link is always the same, the people, and they are going to break no matter what you do.

OWN YOUR CUSTOMERS' DATA, DON'T LET SOMEONE ELSE!</description>
		<content:encoded><![CDATA[<p>What is the name of your company so I make sure to not do business with you!</p>
<p>How can you be so cavalier about your customers&#8217; data? That is why SF was targeted: they want your customer data. SaaS is dangerous because its weakest link is always the same, the people, and they are going to break no matter what you do.</p>
<p>OWN YOUR CUSTOMERS&#8217; DATA, DON&#8217;T LET SOMEONE ELSE!</p>
]]></content:encoded>
	</item>
</channel>
</rss>
