[LINK] Post to deliver Telstra bills online
Galen Townson
galen@townson.net
Sat, 6 Oct 2001 09:53:47 +1000
Garry
> -----Original Message-----
> From: owner-link@www.anu.edu.au [mailto:owner-link@www.anu.edu.au]On
> Behalf Of Garry Brennan
> Sent: Saturday, 6 October 2001 8:00 AM
> To: Rowe, Joshua; link@www.anu.edu.au
> Subject: Re: [LINK] Post to deliver Telstra bills online
>
> on 3/10/01 10:18 AM, Rowe, Joshua at
> Joshua.Rowe@auspost.com.au wrote:
>
> > Post to deliver Telstra bills online
> > http://www.post.com.au/mediacentre/index.asp?link_id=1.332
[...]
> It would appear that this Billpay system uses Microsoft ASP
> on MS IIS on NT
> 4.
>
> Now I think everybody on LINK has been presented with
> overwhelming evidence
> that this is about the worst option for reliable and secure
> web services and
> e-commerce.
>
> Is Australia Post seriously intending to win public
> confidence in this
> service?
>
> Tell us it ain't so, Josh
>
> r,
>
> gbrennan
ASP and even NT can be reasonably secure - well enough to have avoided
all the recent problems - unfortunately most don't either have that
clue, the time to be vigilant, or the automagic monitoring systems in
place to watch, test and report potential problems.
NT4/IIS4's default setup is the problem - but doesn't have to remain
that way.
Most of the recent issues were already known potential problems and
even a casual nessus vulnerability scan would have warned of what
eventuated.
Better would be to run all HTTP traffic through an application level
gateway behind a firewall (generic term) for even more scrutiny. A
live naked NT4 standalone is really doing it the hard way :(
Does anyone remember the last time x.microsoft.com got defaced?
Alternatively, AusPost could just be running Chili ASP -
http://www.chilisoft.com/
Hmm... or maybe not... unless it's running some funky content switch
passing off URL paths to other servers?
Trying 155.144.24.84...
Connected to www.auspost.com.au.
Escape character is '^]'.
OPTIONS * HTTP/1.1
Host: www.auspost.com.au
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 05 Oct 2001 23:49:18 GMT
--
Galen
galen@townson.net