Archive for the ‘security examples’ Category.

Referers lead back to internal discussions

Tim Bray: Insecurity by Obscurity: A legal department’s weblog is open to the world, and easily discovered via referer logs.

Money for nothing

Two more scam victims tell their tales:

“They transferred $20,000 to my bank account and then sent me details to transfer money via Western Union to some place in Russia,” he said. “I told them that it would take five working days to take the money out, as I wanted to make sure this money weren’t stolen.”

One must note that, having given account information to a stranger, it’s amazing that these dolts have any money left at all.

Forensic analysis of PHP/Geeklog compromise by spammers

The Rise of the Spammers:

The person who has coded both the client and the master server (I think that is the same person) is an intelligent person, with strong knowledge of technology, just because there are too many things involved: thread and network programming, mail server modification adding new commands, mask feature, reports, binary auto-removal, UPX compression, …, she also reads the security vulnerabilities mailing lists (bugtraq, full-disclosure, …), and somehow finds out other ones (I haven’t been able to find my vulnerability described on the Internet).

Debian Investigation Report After Server Compromises

Some Debian Project machines have been compromised

Another source server compromise, this one at Debian

Voting Without Quality Assurance or Auditability

Ed Felten in Freedom to Tinker: Flaky Voting Technology cites Washington Post: Fairfax Judge Orders Logs Of Voting Machines Inspected regarding yet another specific example of a buggy or fraudulent voting machine in action, and concludes:

You could hardly construct a better textbook illustration of the importance of having a voter-verifiable paper trail. The paper trail would have helped voters notice the disappearance of their votes, and it would have provided a reliable record to consult in a later recount. As it is, we’ll never know who really won the election.

Banking Scam Revealed

SecurityFocus: Banking Scam Revealed:

A single spam gang, using a unique bulk-mailing tool, appears responsible for the recent rash of financial fraud emails. This gang has targeted over a dozen financial sources, has dabbled in malware, and has struck over 20 times, showing what appears to be a serial pattern.
Attempts to report these findings to Citibank were unsuccessful, and Citibank was unavailable for comment. Citibank has publicly stated that they do not know who has been victimized by the Citibank scams, nor do they know how many victims [ref 10]. In truth, their web logs very likely indicate exactly who fell victim to the 16-Aug-2003 fraudulent Citibank scheme. In addition, Citibank may not be able to identify “who” fell victim on 25-Sep-2003 and 25-Oct-2003 to the second and third revisions of the fraud scheme, but Citibank can identify “how many” victims are likely. This is because the fraudulent web sites used HTML links that directly referenced the financial institution’s web site.

Crime gangs extort money with DDoS hacking threat

Financial Times: Crime gangs extort money with hacking threat:

Evidence of a new type of international extortion racket emerged on Tuesday with revelations that blackmailers have been exploiting computer hacking techniques to threaten the ability of companies to conduct business online.

Gangs based in Eastern Europe have been found to have been launching waves of attacks on corporate networks, costing the companies millions of dollars in lost business and exposing them to blackmail.

Wireless hacking bust in Michigan

SecurityFocus: Wireless hacking bust in Michigan:

In a rare wireless hacking prosecution, federal officials this week accused two Michigan men of repeatedly cracking the Lowe’s chain of home improvement stores’ nationwide network from a 1995 Pontiac Grand Prix parked outside a suburban Detroit store.

Security risk of processing medical and tax files overseas

Rick Alber, via Dave Farber’s Interesting-People:

David Lazarus, an investigative business reporter for the San Francisco
Chronicle, had a series of 3 chilling articles about how companies
cannot maintain privacy protections when they send medical and tax
records overseas for processing. The folks on the IP list might like to
read about these recent developments: