[Chugalug] OT: Chattanooga Technology Council

Stephen Haywood stephen at averagesecurityguy.info
Tue Aug 13 19:27:29 UTC 2013


I didn't look any further into the matter after the http stuff. I don't plan to give them my CC. I don't trust any mom&pop web site with my CC data. I prefer to see stripe or PayPal. Thanks for the additional information.
--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen at averagesecurityguy.info




On Aug 13, 2013, at 3:09 PM, Mike Harrison <cluon at geeklabs.com> wrote:

> On Tue, 13 Aug 2013, Stephen Haywood wrote:
>> If any of you folks have contacts at the Chattanooga Technology Council you may want to let them know about a problem with their "join" page. Credit card forms should only be used on HTTPS pages.
> 
> Stephen,
> 
> I see it as: https://www.chattanoogatechnologycouncil.org/join/
> 
> Which is HTTPS
> 
> But I get warnings: "Connection Partially Encrypted"
> The real issue is:
> 
> they are using "gravity forms" to collect credit card info,
> 
> http://www.gravityforms.com/
> 
> I'll wager the "CC Info" you supply is stored in plain text or trivially reversible encryption on the web server, and probably emailed to the Tech Council in plain text so they can see it, and enter it manually in someplace else. There is a small chance they are using Gravity Forms + Stripe http://wordpress.org/plugins/gravity-forms-stripe/ properly configured,
> 
> I know you are only an "Average Security Guy", but do you really want to
> put that info into a Wordpress site hosted on a shared server at
> inmotionhosting.com? It looks like they have a dedicated IP
> but their IP address range is shared by spammers, publicly published vulnerabilities http://myip.ms/view/ip_addresses/3636635648
> and I'll again wager they are a shared site, not an isolated virtual machine.
> 
> Biggest crime: Not supporting a local(ish) technology company.
> How could they possibly be the Chattanooga Technology Council,
> located in "GigCity" and be putting their web host in Los Angeles?
> 
> --Mike--
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
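The two findings in the thread (a card form that does not post over HTTPS, and an HTTPS page that pulls in plain-http resources, which is what triggers the "Connection Partially Encrypted" warning) can both be checked statically from the page's HTML. The checker below is an added example, not code from the thread or from Gravity Forms; the page URL and HTML it runs on are constructed for illustration, not the Tech Council's actual page, and the card-field heuristic (field names containing "card" or starting with "cc", or `autocomplete="cc-*"`) is an assumption.

```python
"""Static audit of an HTML page for the two problems raised in the thread:
a payment form whose action is not https://, and an https:// page that
loads plain-http subresources (mixed content). Added example; the sample
page below is constructed, not a real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
# An http:// value on an https:// page is mixed content.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "link": ("href",),
    "iframe": ("src",), "object": ("data",), "embed": ("src",),
    "audio": ("src",), "video": ("src",), "source": ("src",),
}


class PaymentPageAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.insecure_forms = []   # resolved actions of card forms not on https
        self.mixed_content = []    # resolved URLs of http subresources on an https page
        self._form_action = None   # resolved action of the currently open <form>
        self._form_has_card = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself,
            # so a form on a plain-http page is insecure even with no action.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
            self._form_has_card = False
        elif tag == "input" and self._form_action is not None:
            # Heuristic (assumption): how card fields are usually named.
            name = (a.get("name") or "").lower()
            autocomplete = (a.get("autocomplete") or "").lower()
            if "card" in name or name.startswith("cc") or autocomplete.startswith("cc-"):
                self._form_has_card = True
        for attr in FETCH_ATTRS.get(tag, ()):
            value = a.get(attr)
            if value:
                url = urljoin(self.page_url, value)   # resolves relative and // URLs
                if self.page_scheme == "https" and urlsplit(url).scheme == "http":
                    self.mixed_content.append(url)

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            if self._form_has_card and urlsplit(self._form_action).scheme != "https":
                self.insecure_forms.append(self._form_action)
            self._form_action = None


def audit_page(html, page_url):
    """Return the insecure card-form actions and mixed-content URLs found in html."""
    auditor = PaymentPageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return {
        "page_is_https": auditor.page_scheme == "https",
        "insecure_forms": auditor.insecure_forms,
        "mixed_content": auditor.mixed_content,
    }


# Constructed sample: an https page whose card form posts to plain http
# and which loads one script over plain http.
SAMPLE_PAGE_URL = "https://www.example.org/join/"
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.net/forms.js"></script>
<link rel="stylesheet" href="/static/style.css">
</head><body>
<form action="http://www.example.org/submit" method="post">
  <input name="cc_number" autocomplete="cc-number">
  <input name="cc_exp" autocomplete="cc-exp">
</form>
<form action="/search"><input name="q"></form>
<img src="//img.example.org/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        print(f"{key}: {value}")
```

A form action of `https://` on its own is not enough: any script loaded over plain http on the same page can rewrite that action or read the card fields before submission, which is why the mixed-content list matters as much as the form check. The same applies the other way round, which is the thread's original point: on a page served over http, a form with no `action` at all still posts over http.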


