You Call This Security
A few days ago I was browsing the Data Security site on the UPS intranet. I was doing this not because I was bored, but because I had to fix some dead links on our department’s internal website. When I went to log into one of their password reset forms to see if it was what I was looking for, the page broke on me. Basically, stuff got displayed that was not supposed to be. Anyway, I decided to look at the source code for the page to see if I could figure out why it was so screwed up. What I saw was surprising: my full name, address, phone number, birth date, first date of employment with UPS, SSN, and other bits of sensitive personal information. I can understand why you would need to access some of this data on the server to authenticate my login, but there is no reason whatsoever to send this to the client. This is the kind of information that any security person would tell you that you should not enter on a website, especially one where you don’t have a secure SSL connection (signified by a little padlock icon in the browser). Anyone who happened to capture the packets from my transmission could easily reconstruct the web page and see all of that personal information. Not only that, but anyone, including you, could have caught those packets. I think that they should reconsider their department name.
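The fix for what the post describes is simply not to send the record to the browser at all. Below is an added example (not code from the post or from UPS) contrasting a reset form that embeds the whole employee record in hidden fields with one that keeps the record server-side and sends only an opaque token, plus a regression check that flags any sensitive value that ends up in the rendered HTML; the employee record, the form functions and the token store are all constructed for illustration.

```python
import re
import secrets
from html import escape
from typing import Dict, List, Optional

# Constructed sample record (fake values) standing in for the HR data
# the post describes finding in the page source.
EMPLOYEE = {
    "id": "E-0001",
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "birth_date": "1970-01-01",
    "hire_date": "1999-06-15",
    "address": "1 Example St",
}
SENSITIVE = ("ssn", "birth_date", "hire_date", "address")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def reset_form_leaky(user: Dict[str, str]) -> str:
    """The anti-pattern: the whole record is written into hidden fields so a
    later step can read it back. Every value, SSN included, goes to the browser."""
    fields = "".join(
        f'<input type="hidden" name="{k}" value="{escape(v)}">' for k, v in user.items()
    )
    return f"<form method='post'>{fields}<input name='new_pw'></form>"

# Hypothetical server-side store: opaque token -> employee id. Only the token
# leaves the server, and it reveals nothing about the person.
_pending: Dict[str, str] = {}

def reset_form_minimal(user: Dict[str, str]) -> str:
    """Hardened form: keep the record on the server, send an unguessable token."""
    token = secrets.token_urlsafe(32)
    _pending[token] = user["id"]
    return (f"<form method='post'><input type='hidden' name='token' value='{token}'>"
            "<input name='new_pw'></form>")

def resolve_token(token: str) -> Optional[str]:
    """Server side of the reset: map the posted token back to the employee id (one use)."""
    return _pending.pop(token, None)

def leaked_fields(html: str, user: Dict[str, str]) -> List[str]:
    """Regression check for any page that touches HR data: report which sensitive
    values appear verbatim in the rendered HTML, plus anything SSN-shaped."""
    found = [k for k in SENSITIVE if user[k] in html]
    if "ssn" not in found and SSN_RE.search(html):
        found.append("ssn")
    return found
```

Even with the token design, the page still needs TLS so the token and the new password are not readable by anyone capturing the traffic.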
If you read my last post or have been paying attention to tech news this past week or two, you should have heard about the rootkit included on some Sony-BMG audio CDs marketed as copy protection software. This rootkit hides all files and registry entries that start with $sys$. I mentioned in my last entry how a crack has already been released for Blizzard’s MMORPG World of Warcraft. Now, CNN reports that a virus, named Stinx-E, has been created that takes advantage of the cloaking provided by the copy protection on the Sony-BMG CDs. The real kicker is that currently, no virus scanners or spyware scanners will detect the virus since they cannot see it. I must say, it looks like Sony is going to get hit hard for their little trick.
