Identity theft victim branded as a pedophile
Security Bytes for 2008/04/21 (IMG:J.Anderson)
Simon Bunce, after his credit information was stolen, was investigated during Operation Ore, a U.K. police effort to track down online pedophiles. Bunce shopped online all the time, and on one occasion his credit card number was stolen. That number was later used to purchase child pornography. The number was found during a raid on the company that processed credit card payments for pornography websites.
Bunce was swiftly arrested. He lost his job, had his computer and various accounts seized, and his family turned on him. All along, he knew he was innocent, but the trick was proving it. Using the Freedom of Information Act, he was able to obtain the IP information of the computer used in the pornography purchase and trace its location to Indonesia. This allowed him to prove his innocence by showing that at the exact time the pornography was purchased, he was using his card in a London restaurant.
Bunce told the BBC he is suing the retail website for not protecting his credit information. He would not name the company. “I wouldn't say that I live in the cash economy now, but I'd rather go to the bank to withdraw money to buy petrol, as you hear of card details being harvested at garages,” he told the news service.
“I'm paranoid about data security. I shred everything; I never use credit cards anymore. Being arrested and accused of what is probably one of the worst crimes known to man, losing my job, having my reputation run through the mud, it's a living nightmare,” he added.
GAO says military equipment up for sale on Craigslist and eBay
The Government Accountability Office (GAO) said in a report that sensitive military equipment is available for purchase online. Items from various U.S. military branches, such as body armor, night vision goggles, bio-chemical suits and gear, and F-14 aircraft parts, were available on sites such as eBay and Craigslist.
The items were listed between January 2007 and March 2008. The GAO said there are safeguards in place to prevent such items from reaching the public, but they clearly failed to catch these listings.
“By making these components available to the general public, the eBay sellers provided an opportunity for these components to be purchased by an individual who could then transfer them to Iran,” the report said. “The continued ability of Iran to use its F-14s could put U.S. troops and allies at risk.”
“The Internet is one place that defense-related items can be purchased, raising the possibility that some sensitive items are available to those who can afford them. In addition to the risk that sensitive defense-related items could be used to directly harm U.S. service members or allies on the battlefield, these items could be disassembled and analyzed (i.e., reverse engineered) to develop countermeasures or equivalent technology,” the GAO added.
Perhaps there is a larger issue. “When I was returning from combat zones, it was difficult to get supply to accept "used" gear, when I was separating it was impossible to get supply to take anything issued more than a year before... that resulted in me finding homes for A Lot of gear, that definitely wasn't stolen,” one anonymous veteran said on the Network World forums.
700,000 records potentially exposed in Indiana
The Central Collection Bureau, a collection agency based in Indianapolis, Indiana, reported this week that one of its servers, containing information on more than 700,000 people, was stolen from its offices. The CCB said the server contained past-due billing information turned over for debt collection.
The consumers listed in the database on the server were customers of some well-known Indianapolis organizations. Methodist Medical Group, St. Vincent Hospitals, and Citizens Gas and Coke Utility (the gas company) were the three biggest names on the list of creditors.
“We’re obviously heartsick about this,” said Chet Klene, the collection agency’s president. “We’ve been in business since 1972, and nothing like this has ever happened before.”
The data was stored in clear text. That alone is what made the theft so damaging; the company had assumed the data was safe because the server sat behind three different locked doors and required two passwords. Physical access controls protect the hardware, not the data once the hardware walks out the door.
The companies that used the CCB to collect payments are attempting to notify all the potential fraud victims, and so far the bulk of them have been notified. The sad thing is that this could have been prevented, or at least made far less of an issue, if the data stored on the server had been encrypted.
“What I want to know is when the idiots that work for these companies will realize that military grade encryption for PCs, Macs, and Unix is available, and for free. There is simply no excuse for business or government data to not be encrypted,” one local citizen commented.
XSS flaw in popular ISP practice exposed
ISPs that used a London-based company to serve advertisements on redirected URLs unknowingly exposed their customers to phishing attacks. Looking to make a little extra money, ISPs like Time Warner, Comcast, EarthLink, and AOL redirect traffic from malformed and mistyped URLs to a search page that helps the customer find what they were looking for while serving ads. The problem is that BareFruit, the provider of the ads, was wide open to cross-site scripting (XSS) attacks. Because the redirect page is served under whatever hostname the customer actually typed, a script reflected on that page runs in the context of that hostname rather than the ad provider's.
Dan Kaminsky and Jason Larsen, security researchers from IOActive, gave a talk recently explaining the flaw. There is extensive coverage and research on the XSS flaw, so I won’t bore you with the details. The flaw (reachable through a non-existent hostname such as http://not.www.google.com, for example) was corrected in twenty-seven minutes, according to the researchers.
PPT from the talk: http://www.doxpara.com/DMK_Neut_toor.ppt
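The defect class behind the BareFruit page is a reflected XSS: the search page echoes the mistyped hostname and query back into its HTML without escaping. The following added example (my own illustration, not BareFruit's or IOActive's code) shows a minimal vulnerable renderer beside its hardened form and a check a reviewer can run against either. The hostnames, the `q` parameter and the payload string are constructed for the example; the hardening shown is plain HTML-entity escaping, which is the standard fix for this class of bug.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a mistyped hostname that the ISP's resolver redirects to
# the ad-supported search page, with the user's query carried in "q".
SAMPLE_PAYLOAD = "<script>alert(document.domain)</script>"
SAMPLE_URL = "http://not.www.example.com/search?q=" + SAMPLE_PAYLOAD


def split_request(url: str) -> tuple[str, str]:
    """Return (hostname, query) for a redirected request URL.

    The hostname is whatever the customer typed, so the rendered page's
    origin is that hostname, not the ad provider's.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query).get("q", [""])[0]
    return parts.hostname or "", query


def render_search_page_vulnerable(host: str, query: str) -> str:
    """Vulnerable form: user-controlled strings are interpolated raw into HTML."""
    return (
        "<html><body>"
        f"<h1>No results for {query} on {host}</h1>"
        "<div id='ads'></div>"
        "</body></html>"
    )


def render_search_page_hardened(host: str, query: str) -> str:
    """Hardened form: every user-controlled value is entity-escaped.

    quote=True also escapes " and ', so the values are safe inside
    attribute values as well as text nodes.
    """
    safe_host = html.escape(host, quote=True)
    safe_query = html.escape(query, quote=True)
    return (
        "<html><body>"
        f"<h1>No results for {safe_query} on {safe_host}</h1>"
        "<div id='ads'></div>"
        "</body></html>"
    )


def reflects_raw_markup(rendered_html: str, user_input: str) -> bool:
    """Reviewer check: does the untrusted input appear verbatim, with its
    markup characters intact, in the rendered page?"""
    has_markup = any(ch in user_input for ch in "<>\"'&")
    return has_markup and user_input in rendered_html


if __name__ == "__main__":
    host, query = split_request(SAMPLE_URL)
    for name, renderer in (
        ("vulnerable", render_search_page_vulnerable),
        ("hardened", render_search_page_hardened),
    ):
        page = renderer(host, query)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(page, query)}")
```

The check is deliberately simple: it flags any page where the untrusted string survives unescaped, which is exactly the property an escaping fix must remove. It says nothing about the origin the page is served from; that is decided by the redirect itself, which is why escaping on the ad provider's page was the only fix available to the ISPs' customers.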