According to the Daily Mail, an undercover investigation in India has uncovered that some call center workers have been selling confidential information on nearly 500,000 Britons.
Undercover reporters from The Sunday Times met with two individuals who claimed to be IT workers who offered to provide them with 45 different types of data gathered from the victims.
Information offered up included names, addresses, phone numbers and credit card details (including CCV/CVV codes and expiration dates).
The reporters allege they could purchase the records for as little as 2 pence apiece ($0.03 USD). One of the thieves bragged:
"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number."
Anonymous continued their crusade against governments and organizations this weekend, attacking the myBART.org website belonging to San Francisco’s BART (Bay Area Rapid Transit) system.
They performed a SQL injection (SQLi) attack against the site and were able to extract more than 2,000 records containing names, usernames, passwords (plain text), emails, phone numbers, addresses and zip codes.
They also defaced the website with Guy Fawkes masks, which BART has yet to remove more than four hours later.
While it is understandable that people are upset with BART after the recent blocking of cell phone communications to prevent protesters from organizing, it is puzzling to me how exposing thousands of innocent people’s personal information hurts BART more than it hurts transit users.
Users of rapid transit are certainly not the problem, and this simply takes a bad situation and makes it worse by creating even more victims.
During my interview about the incident with KCBS radio in San Francisco this afternoon, I was asked what people can do to protect themselves against these types of attacks. What an interesting question…
The best approach is to not provide your personal information where it isn’t needed and make sure you always use a unique password for every website, regardless of how unimportant you think the site may be.
If you are a user of myBART.org, I recommend changing your passwords anywhere you might have used the same password. Aside from that, there is little you can do now that your information has been published.
Website admins, if you are still storing passwords in plain text and haven’t examined your web site for SQL injection vulnerabilities, even after the attacks against Sony, I highly recommend doing so. This is not a list you want your site to be added to.
By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.
SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.
Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”
If you are a database administrator (especially a Sony one) and want to keep your sensitive data from ending up in the headlines, I recommend you actually test your web applications for SQL vulnerabilities.
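The two failures named in the BART and Sony posts above, a query assembled from user input and passwords kept in plain text, are shown here next to their fixes. This is an added example, not code from the original posts or from any of the affected sites; the `users` table, the function names and the sample accounts are hypothetical, and SQLite stands in for whatever database a real site uses.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this sketch)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, username, password):
    # Store a per-user random salt and a slow hash, never the password itself.
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))

def find_user_concat(db, username):
    # Flawed: input is pasted into the SQL text, so a quote changes the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def find_user_bound(db, username):
    # Fixed: the driver passes the value separately; it is only ever data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def verify(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse")   # constructed sample accounts
    register(db, "bob", "battery staple")
    probe = "nobody' OR '1'='1"              # constructed test input
    print("concatenated:", find_user_concat(db, probe))
    print("bound:       ", find_user_bound(db, probe))
    print("verify alice:", verify(db, "alice", "correct horse"))
```

With the concatenated query the probe returns every username in the table; with the bound parameter it returns nothing, and even a full dump of `users` yields only salts and hashes.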
Contact me at : firstname.lastname@example.org
This evening (Monday 30 May 2011), I’ll be lecturing at the New South Wales branch forum of the Australian Computer Society (ACS).
The topic is Privacy and security in the cloud – is there any?
The Cloud - whatever that is - isn't new, whatever the marketing material may imply. But the scale of many modern-day cloud-oriented services is simply enormous. And since those services are run by experts, they readily promise to deliver the "holy trinity" of computer security - confidentiality, integrity and availability.
But do they? Will they? Can they? This thought-provoking presentation will help you advise your colleagues, your friends and your family how to embrace the benefits of the cloud whilst steering clear of the major risks.
Our collective will to rush headlong into cloud computing – especially as the providers of content to global services such as Facebook and YouTube – is enormous. Our desire to publish information and content about ourselves (and, frequently, about other people, with or without their permission) has even led to new units of measure.
For example, YouTube now quantifies its success in “hours per minute”. According to a recent post on YouTube’s official blog, more than 48 hours’ worth of video are uploaded to YouTube each minute, and more than 3 billion videos are viewed each day.
Is this a good thing? Or bad? Or just meaningless on an individual scale?
To an astrophysicist, for example, 48 hours’ upload per minute works out at approximately three kiloseconds per second. (Actually, it’s 2.88 ksec/sec, but astrophysicists are allowed to make approximations.)
But what sort of unit is “seconds per second”, anyway? Surely the seconds simply cancel out and we’re left with a dimensionless number – 2880?
Worse still, as that number increases – and YouTube is delighted to tell us that it’s gone up by 100% over the past year – we’re all compelled to watch more YouTube videos just to keep up.
And with official YouTube video views up by a mere 50% over the past year, it looks as though we’re going to have to spend twice as long watching other people’s pets do much the same sort of repetitious things as our own, but slightly out of focus.
Is it really worth publicising ourselves and sharing personal and business information to the extent we do? Or do we need to take time to re-evaluate the boundary between the data we can safely entrust to other people, and the data we ought to guard more jealously – or, at least, to sell at a higher price?
There are still a few places left at tonight’s lecture. It’s at Circular Quay in Sydney; it’s free to ACS members ($55 for non-members); it starts at 6.15pm (arrive from 5.30pm); and you can register here.
If you’re in the vicinity, why not come along and help us argue through the issues?
(And if you’re a Facebook user, why not review some tips on protecting your identity on social networking sites, or join the Sophos Facebook page, where we have a thriving community of over 85,000 people.)