Dublin bike scheme billboards threat to drivers : JC Decaux’ “free” bikes are now delayed another 6 months — to next spring. in the meantime, the ads are up all over Dublin. what a rip-off
(tags: jc-decaux bikes cycling dublin advertising spam civic ireland)

Return Path to Acquire Habeas : that’s the two main legit-email whitelisting reputation dbs merged into one
(tags: return-path habeas ssc bsp bonded-sender spamassassin anti-spam dnswl dnsbl reputation deliverability)

scammers buying phones, then wardialing the nearby number-space to scam them : this just happened to Simon Willison, pretending to offer to cancel extremely expensive insurance, but with a “cancellation fee”. great demo of why consecutive assigned numbering schemes are bad for security
(tags: phishing scams phones uk iphone via:simonw security numbering ids)

DRI calls for data-breach disclosure in Ireland : +1
(tags: breach-disclosure security exploits social-welfare ireland identity-theft)
Tag: ids
The Samizdata weblog posts more details about the Daniel Cuthbert case, where a UK techie was arrested for allegedly attempting to hack a tsunami-donation site. Here’s what happened:
Daniel Cuthbert saw the devastating images of the Tsunami disaster and decided to donate UKP30 via the website that was hastily set up to be able to process payments. He is a computer security consultant, regarded in his field as an expert and respected by colleagues and employers alike. He entered his full personal details (home address, number, name and full card details). He did not receive confirmation of payment or a reference and became concerned as he has had issues with fraud on his card on a previous occasion. He then did a couple of very basic penetration tests. If they resulted in the site being insecure as he suspected, he would have contacted the authorities, as he had nothing to gain from doing this for fun and keeping the fact to himself that he suspected the site to be a phishing site and all this money pledged was going to some South American somewhere in South America.
The first test he used was the ../../../ (dot dot slash, 3 times) sequence. The ../ command is called a Directory Traversal which allows you to move up the hierarchy of a file. The triple sequence amounts to a DTA (Directory Traversal Attack), and allows you to move three times. It is not a complete attack as that would require a further command; it was merely a light ‘knock on the door’. The other test, which constituted an apostrophe (`), was also used. He was then satisfied that the site was safe as he received no error messages in response to his query, then went about his work duties. There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.
20 days later he was arrested at his place of work and had his house searched.
(His actions were detected by the IDS software used by British Telecom.)
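What such an IDS signature looks like from the log side, as an added illustration (not code from the original post, from BT, or from the Samizdata account): a small Python detector over constructed access-log lines that flags the ../../../ sequence and a stray quote in a parameter, but grades a bare probe that gets a 404 differently from a traversal that actually returns a sensitive file. The log lines, IPs and paths are all made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common-log format; not real traffic from
# BT, the donation site, or the Cuthbert case.
SAMPLE_LOG = """\
10.0.0.1 - - [02/Jan/2005:10:00:00 +0000] "GET /donate/ HTTP/1.1" 200 5120
10.0.0.2 - - [02/Jan/2005:10:00:05 +0000] "GET /donate/../../../ HTTP/1.1" 404 312
10.0.0.2 - - [02/Jan/2005:10:00:09 +0000] "GET /donate/?ref=abc' HTTP/1.1" 200 5120
10.0.0.3 - - [02/Jan/2005:10:01:00 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1400
10.0.0.4 - - [02/Jan/2005:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Files whose successful retrieval turns a traversal probe into a real disclosure.
SENSITIVE_RE = re.compile(r"/etc/(passwd|shadow)$|\.ini$")


def normalize(path):
    """Percent-decode twice (catches double encoding) and unify slashes, so
    that /%2e%2e/ is matched the same way as /../ ."""
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def classify(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, status = normalize(m.group("path")), int(m.group("status"))
    findings = []
    depth = path.count("../")
    if depth:
        # A bare ../../../ answered with a 404 is only the "knock on the door";
        # the same sequence reaching a sensitive file with a 200 is a disclosure.
        kind = "traversal-success" if status == 200 and SENSITIVE_RE.search(path) else "traversal-probe"
        findings.append((kind, depth))
    if re.search(r"['`\"]", path.partition("?")[2]):
        # A lone quote character in a parameter is the classic SQL-injection probe.
        findings.append(("sqli-probe", 1))
    return {"ip": m.group("ip"), "path": path, "status": status, "findings": findings} if findings else None


def scan(log_text):
    """Run classify() over every line and keep only those with findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Run against SAMPLE_LOG it reports three hits; the two from 10.0.0.2 are exactly the kind of low-severity probes the post describes, while the 10.0.0.3 line is what an analyst should actually escalate.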
In my opinion, this is a travesty of justice.
His actions were entirely understandable, under the circumstances, IMO. They were not hostile activities in themselves — they might have been the prelude to hostility, in other cases, but, as his later activity proved, not in this one.
Instead of making parallels with “rattling the doorknob” or “lurking around the back door of a bank”, a better parallel would be looking through the bank’s front window, from the street!
If only law enforcement took this degree of interest in genuine phishing cases, where innocent parties find their bank accounts emptied by real criminals, like the unprosecuted phisher in Quebec discussed in this USA Today article!
Appalling.