Security Blog

Credit Card Information Given Away

When you purchase something online, do you take time to read the terms and conditions or do you just check the little box that says you agree?  If you are like most people, you hurriedly check the little box and move on.  If you are one of those, what are you agreeing to?

Class action lawsuits and a Senate investigation are currently under way against two companies, Vertrue and Webloyalty, over their marketing practices.  In short, they offer e-commerce companies a way to increase their revenue by “offering targeted, relevant offers at checkout.”  That does not sound so bad; anyone who has used the internet has ignored hundreds of ads.  In this case, though, the offer is presented as part of the checkout, so it looks like a step you must complete to finish your transaction, and it asks for your email address.  In return you are promised discounts on future purchases or coupons for other retailers.  You may think, “So what.  It will just be another piece of spam in my inbox.”  If you are more savvy, you may give them a throw-away email address and complete the transaction.

When you complete a transaction online, you expect the retailer to take appropriate steps to keep your credit card and identity information safe.  You certainly do not expect the retailer to hand that information to an unrelated third party.  That is exactly what the retail partners of Vertrue and Webloyalty did.  Buried in the terms and conditions that most people agree to without reading is a clause allowing the retailer to pass your details, including your credit card number, on to these third parties.  Entering your email address in the offer enrolls you in their subscription program, and because your card number has already been passed along, you are never asked to enter it again before the recurring fee is charged to it.  Many people who completed orders with online retailers such as Orbitz, buy.com and hundreds of others have found mysterious charges on their credit or debit card statements; a quick web search turns up thousands of accounts from people caught by these practices.

The companies defend the practice as a value-added service and argue that, because customers agreed to the additional terms, they agreed to the subscription.  The class action lawsuits and the Senate investigation should settle whether that defense holds. 

The moral of the story: take the time to read and understand the terms and conditions of any website you sign up with or give your card details to, be suspicious of any “offer” that appears between entering your payment details and seeing your order confirmation, and check your statements for small recurring charges you do not recognize.

For more information, please read the full article on CNET. 


Twitter's DDoS

Last week (August 6, 2009), the popular micro-blogging site Twitter went offline during a distributed denial of service (DDoS) attack.  It has been widely reported that the real target of the attack was a blogger known as Cyxymu.  

The attack targeted Twitter as well as several other social networking sites.  Cyxymu, who lives in Georgia, was reportedly targeted because of his political views: he supports the Georgian government, which puts him at odds with the Russian government and its sympathizers.  Facebook's chief security officer, Max Kelly, has said the attack was coordinated to "keep his [Cyxymu's] voice from being heard," according to CNET.  Could it be that this DDoS attack was politically motivated? 

Only five days later, on August 11, Twitter was hit by yet another DDoS attack.  Twitter's own status blog reports that the site is back up and that the attack is being investigated.

Whether motivated by pride, profit or politics, DDoS attacks are a growing threat to the free exchange of ideas and information.  The traffic in attacks like these typically comes from botnets of ordinary, malware-infected home and office computers, so keeping your own machine patched and free of viruses and malware denies attackers some of their firepower.  It does not, by itself, protect the target: a site under attack still needs spare capacity, upstream filtering and a response plan, because no amount of hygiene on the part of bystanders stops the traffic that is already on its way.


iPhone Security

Apple has claimed that the new iPhone 3GS is secure and ready for both business and government use.  The claim rests on the fact that the phone's file system is encrypted: according to Apple, all user data is protected with AES-256 hardware encryption.  That is strong encryption; properly implemented, AES-256 cannot be brute-forced with any tools we have today.  The weakness is not the cipher but the key handling: the key is held on the device itself and the kernel decrypts the file system transparently for any code running on the phone, whether or not the user's passcode has been entered.   

Jonathan Zdziarski has shown a very simple process which, in two to three minutes, lets anyone with physical access to the phone recover its contents in decrypted form: photographs, contacts, documents, videos, sound clips, email messages and so on.  There is no encryption to break.  The attacker boots the phone from a custom ramdisk, much as jailbreaking tools do, and copies the disk image off; because the phone applies the key itself, what comes out is already plaintext. 

Zdziarski demonstrated the process using tools he prepared for law enforcement.  The tools needed to do the same thing to an iPhone 3GS, however, are readily available to anyone with internet access and a few minutes alone with the phone.
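To make the distinction concrete, here is an added example in Go (mine, not Apple's code or Zdziarski's tooling) modelling the two designs side by side: a handset whose AES-256 data key is stored on the device and applied automatically, and one whose data key is stored only wrapped under a key derived from the user's passcode. The type and function names, the iterated-SHA-256 stand-in for a real passcode KDF, its tiny iteration count and the sample data are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is what someone who boots their own code on the handset can read from flash:
// the encrypted user partition plus whatever key material is stored beside it.
type Image struct {
	Ciphertext []byte
	PlainKey   []byte // model A (the design the post criticises): key stored in the clear
	WrappedKey []byte // model B: key stored only wrapped under a passcode-derived key
	Salt       []byte // KDF salt (model B only)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, i.e. AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal is AES-256-GCM with the random nonce prepended; unseal reverses it, and the
// GCM tag check turns a wrong key into an error rather than silent garbage.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// passcodeKey stretches a passcode into a 256-bit wrapping key. Iterated salted
// SHA-256 is a stand-in for a real KDF (PBKDF2, scrypt) so only the standard library
// is needed; 100 rounds is far fewer than a real device would use (assumption).
func passcodeKey(passcode string, salt []byte) []byte {
	h := sha256.Sum256([]byte(string(salt) + passcode))
	for i := 0; i < 100; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// ProtectDeviceBound models the iPhone 3GS design: AES-256 over the user data, but
// the key lives on the device and never depends on the passcode.
func ProtectDeviceBound(userData []byte) Image {
	key := randomBytes(32)
	return Image{Ciphertext: seal(key, userData), PlainKey: key}
}

// ProtectPasscodeBound stores the random data key only wrapped under a
// passcode-derived key, so plaintext needs something the attacker does not have.
func ProtectPasscodeBound(userData []byte, passcode string) Image {
	key, salt := randomBytes(32), randomBytes(16)
	wrapped := seal(passcodeKey(passcode, salt), key)
	return Image{Ciphertext: seal(key, userData), WrappedKey: wrapped, Salt: salt}
}

// RecoverWithoutPasscode is the attacker holding the phone with their own code on it:
// any key stored in flash is theirs to use.
func RecoverWithoutPasscode(img Image) ([]byte, error) {
	if img.PlainKey == nil {
		return nil, errors.New("data key is wrapped; plaintext needs the passcode")
	}
	return unseal(img.PlainKey, img.Ciphertext)
}

// UnlockWithPasscode is the legitimate user, or an attacker who guessed the passcode.
func UnlockWithPasscode(img Image, passcode string) ([]byte, error) {
	key, err := unseal(passcodeKey(passcode, img.Salt), img.WrappedKey)
	if err != nil {
		return nil, errors.New("wrong passcode")
	}
	return unseal(key, img.Ciphertext)
}

func main() {
	secret := []byte("contacts, mail and photos (constructed sample data)")
	got, err := RecoverWithoutPasscode(ProtectDeviceBound(secret))
	fmt.Printf("device-bound key, no passcode: %q err=%v\n", got, err)
	// Caveat for model B: with the image copied off the phone, a four-digit passcode
	// can be tried offline with no lockout to slow the search down.
	img := ProtectPasscodeBound(secret, "0427")
	_, err = RecoverWithoutPasscode(img)
	fmt.Println("passcode-bound key, no passcode:", err)
	for n := 0; n < 10000; n++ {
		if plain, err := UnlockWithPasscode(img, fmt.Sprintf("%04d", n)); err == nil {
			fmt.Printf("offline PIN search: pin=%04d data=%q\n", n, plain)
			break
		}
	}
}
```

The first design is a no-op against anyone who can run code on the handset: the key is simply there to be used. The second forces the attacker to supply the passcode, but, as the loop in main shows, once the image has been copied off the device nothing rate-limits the guesses, so a short numeric passcode only buys as much as the KDF's cost multiplied by the size of the PIN space.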

Largely on the strength of Apple's sales claims about iPhone security and hardware encryption, the iPhone is beginning to be adopted by Fortune 100 companies and government employees. 

So, if you are using an iPhone, what should you do? They are great phones and offer lots of candy and even a little functionality.  But treat the device as if it were unencrypted: the passcode and the hardware encryption will keep a casual snoop out, and nothing more.  Whatever you do, please don't put anything confidential on the phone, and if you lose one, assume everything on it has been read.