Viewing posts from: December 2011



While trying to find out how much a medium flat rate box would cost to ship earlier today, we spotted a strange item that roused our privacy hackles, one that other users wouldn’t see unless they happened on this site with their flash settings locked down. It seems the government, in the form of the USPS, in the form of somebody called prioritymail.com, wants to TAKE YOUR PICTURE just to tell you what a flat rate shipment might cost. Isn’t that interesting?

can i takez u picchur?

Hey, “might” doesn’t mean they actually *want* to take my picture, just some sloppy flash coding, right?

Oh.

While we don’t have time to ferret out if it’s a goof or who’s responsible, we do find it interesting that in this day and age, anything like this can see the light of day.

The price of freedom may be eternal vigilance, but this impingement on it is free.


[updated/edited] As a B-Sides sponsor, we’re rather concerned about the post from attrition regarding B-Sides, but we’re certainly glad it came out. We are pulling our, admittedly limited, sponsorship of local B-Sides events until such time as the matter is resolved to public satisfaction, or the entity known as B-Sides is provided with adequate management. We will continue to support local events with time and money, even ones with a B-Sides logo, but will do so only through direct funding. To that end, and to ensure B-Sides DE carries on, we’re committing $500 to the next B-Sides DE event.

Here’s hoping for speedy resolution to this situation.

Adding centralized controls for corporate browser settings and locking down security settings to increase security is a great idea, as opposed to letting users do whatever they please. It shows attention and diligence.

However, doing so while still permitting lax passwords and not alerting on security failures demonstrates a distinct lack of focus. Fine detail settings in the browser won’t help your organization if a bad guy can roll up on your Internet presences and run THC-Hydra with impunity.

Your internal controls don’t amount to much protection if your external controls are stuck in the 1980s. Failure to fix the obvious is an invitation to being hacked.

Don’t forget about the simple stuff, and have your systems tested by people who will do more than just point a vulnerability scanner at the address space. Use some sense and focus on what’s going to be most effective, not what was in the news last week.
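The "alerting on security failures" the post asks for is not complicated. As an added example (not code from the original post or from the tool it mentions), here is a small detector that reads OpenSSH-style auth log lines, groups failed logins by source address, and raises an alert when one source exceeds a threshold of failures inside a sliding time window, which is exactly the pattern a password-guessing tool leaves behind. The log lines are constructed sample data, the addresses are documentation ranges, and the threshold, window and log year are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (synthetic; OpenSSH syslog format).
# 198.51.100.23 hammers several accounts in a few seconds;
# 192.0.2.44 is a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
Dec  5 09:14:01 gw sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Dec  5 09:14:03 gw sshd[2233]: Failed password for invalid user admin from 198.51.100.23 port 41023 ssh2
Dec  5 09:14:04 gw sshd[2235]: Failed password for root from 198.51.100.23 port 41024 ssh2
Dec  5 09:14:06 gw sshd[2237]: Failed password for root from 198.51.100.23 port 41025 ssh2
Dec  5 09:14:07 gw sshd[2239]: Failed password for root from 198.51.100.23 port 41026 ssh2
Dec  5 09:14:09 gw sshd[2241]: Failed password for jsmith from 198.51.100.23 port 41027 ssh2
Dec  5 09:20:11 gw sshd[2260]: Failed password for jsmith from 192.0.2.44 port 51001 ssh2
Dec  5 09:31:40 gw sshd[2290]: Accepted password for jsmith from 192.0.2.44 port 51002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

LOG_YEAR = 2011  # assumption: syslog timestamps carry no year


def parse_events(log_text):
    """Return (timestamp, result, user, source) tuples for each recognised line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line; ignore
        ts = " ".join(m.group("ts").split())  # collapse the padded day field
        when = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        events.append((when, m.group("result"), m.group("user"), m.group("src")))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert on any source with >= threshold failed logins inside a sliding window.

    Returns one alert dict per offending source with the total failure count,
    the distinct usernames tried and the first/last failure times.
    """
    failures = defaultdict(list)
    for when, result, user, src in parse_events(log_text):
        if result == "Failed":
            failures[src].append((when, user))

    alerts = []
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until every failure in [start, end] fits.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "source": src,
                    "failures": len(items),
                    "users": sorted({u for _, u in items}),
                    "first": items[0][0],
                    "last": items[-1][0],
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['source']}: {alert['failures']} failures, "
              f"accounts tried {alert['users']}, {alert['first']} .. {alert['last']}")
```

Run against the sample, only 198.51.100.23 trips the rule; the single mistyped password from 192.0.2.44 does not. The list of distinct accounts tried is included because a source cycling through several usernames is a stronger signal than one user fumbling a password, and it is the detail you want in the alert when deciding whether to block the address or reset an account.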

One of our clients received a check from a financial institution in the mail last week, a check they weren’t expecting. Given that they don’t even do business with the company whose check it was, they were quite aware that some mistake had been made. They contacted the company and found out that they weren’t the only stranger getting a hefty check in the mail. At least a dozen checks had been received, and several cashed. The company had suffered some sort of breach and lost banking information, checks, and their FedEx account codes. Not only were they dealing with the fraudulent checks, they had to pick up the bill for the overnight shipping.

Ironically, my client had, just one week prior, received an email regarding an item they posted on Craigslist. The “buyer” stated he would send a check to cover the item and the shipping plus a little extra just in case, and my client was to send whatever was left after all the shipping and packaging back to the buyer.

Luckily, our customer was educated (we offer seminars) about various fraudulent schemes and called us after the first incident. We had them send a stock response to the mystery buyer that discourages further contact.

Then this check showed up at their office. It could be coincidence.

What’s not coincidence is the use of a fraudulent Craigslist transaction to locate targets for fraudulent schemes. It’s not Craigslist’s fault; this happens with every public forum, like eBay, Gunbroker, chat channels, bulletin boards, and listmails. Before the Internet and computing, it was classified ads in newspapers.

It’s been said often enough: the Internet makes everything faster and more efficient, especially crime.

Should you receive an unexpected check, contact the company in question. Even if they sound convincing on the phone, there’s no guarantee that the person you’re talking to is the one actually attached to the bank account. It’s just a string of numbers; there could be anyone’s name printed at the top of the check. Contact your local FBI office and report the situation.

Here’s one that may be a first: calling cell-phone users about their overdue bills and extracting credit card info, bank account info, personal information, or some combination of these. You get a call about your overdue bill. If you blindly proceed to pay, the scam is simple enough, but what if you know it’s been paid? Then they drag you through a series of question-and-answer checks that will (they hope) get you to confirm (reveal) credit card or bank account information. Both options also allow for obtaining other information, such as passwords, through verbal manipulation.

So be careful and spread the word.