03.10.08
Posted in IT, Interesting Stuff, Phishing / Scams at 3:43 am by Tyler Reguly
One of my favourite non-IT blogs has got to be The Consumerist. I really like the idea of a public online watchdog that has the freedom to publish pretty much anything.
Anyways, the other day this post caught my attention:
Why doesn't a bank (cough HSBC cough) offer the option to have text message alerts sent to a registered phone number any time a withdrawal is made from a specific account via ATM? "$120 was withdrawn at 2:51pm EST in Palo Verde, CA. Reference #293005"
I think this is a great idea... There's plenty of software that takes advantage of Pager/SMS/Email notifications, why can't the bank do the same? We're becoming more and more technologically advanced and cell phones are everywhere. Even my 15-year-old sister has an HTC S720.
I would love this feature. My fiancée, a while back, got a letter saying that her debit card had been used at a business known to have conducted malicious activities with customers' banking information. She got a letter because the bank called, during business hours, and didn't leave a message (I've never quite figured out why service-based businesses operate during the hours that people work... there should be an offset, especially if you're trying to contact the individual). Sure, the proposed feature is for withdrawals, but why couldn't it exist for all fraudulent activities?
Now maybe the reason this doesn't exist is to avoid opening yet another avenue of attack. My bank "requires" (you don't HAVE to enter it, but they sure do want you to) an email address. They send me quasi-important information via email. The next thing you know, when I log into my online banking there's a notice warning me about yet another phishing attack that's targeting customers of my bank. Perhaps they don't want to introduce a new method that phishers can take advantage of. I seem to recall getting random SMS spam with my first cell phone, coming from numbers like '00000' and '12345', however I haven't seen any of that in quite some time... either I'm really lucky or cell phone companies have figured out how to stop spoofed messages. (Which I find unlikely given that landlines can't prevent Caller ID spoofing.) So would we be making things riskier by allowing SMS Fraud Notifications?
Scenario
- Customer gets SMS stating that their account has had $500 withdrawn in Mexico.
- SMS asks customer to contact the bank, providing a number.
- Customer is in a panic and calls the number immediately.
- "Agent" asks customer to provide personal information (Bank Account info, SSN/SIN, Address, DoB) to verify that it isn't the fraudulent user.
- Customer has just been scammed.
Do I foresee that scenario happening if SMS Fraud Notification is introduced? Definitely. Do I still think SMS Fraud Notification would be very beneficial? You bet! Banks simply have to remind customers to always contact the bank following an SMS, but to use the number on their debit card or a known trusted source (bank's website, phone book, bank statement, etc.). Banks also have to accept that this is for Fraud Notification only; if customers start getting non-fraud-related notifications, they'll grow lax and be more likely to succumb to a targeted phishing attack.
So thoughts... SMS Fraud Notification -- Good or Bad? Beyond that would you pay for the option or only take advantage of it if it were free?
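As an added illustration (not code from the original post), here is a small Python check of the design rule above: an outbound fraud alert should state what happened and carry a reference number, but never include a callback number, a link, or a request to disclose personal data, so the only sensible next step is to dial the number printed on the card. The alert texts below are constructed samples, one in the Consumerist format and one resembling the scam scenario.

```python
import re

# Constructed sample alerts (assumed, not from the original post).
SAFE_ALERT = "$120 was withdrawn at 2:51pm EST in Palo Verde, CA. Reference #293005"
SUSPECT_ALERT = ("ALERT: $500 withdrawn in Mexico. Call 1-800-555-0199 now and "
                 "confirm your SSN and account number to stop this transaction.")

# North American phone number in the usual spacings, e.g. 1-800-555-0199.
PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")
# Links or bare domains that would invite the customer to click.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b\S+\.(?:com|org|net|ca)\b", re.I)
# Wording that asks the recipient to act on the message or hand over identifiers.
ELICIT_RE = re.compile(
    r"\b(?:ssn|sin|social security|password|pin|date of birth|dob|account number"
    r"|call|reply|click|confirm|verify)\b", re.I)
# A reference number lets the customer quote the event when they phone the bank.
REFERENCE_RE = re.compile(r"Reference #\d+")


def compose_fraud_alert(amount, when, where, reference):
    """Build an alert in the Consumerist format: facts plus a reference, nothing else."""
    return f"${amount} was withdrawn at {when} in {where}. Reference #{reference}"


def lint_fraud_alert(text):
    """Return the policy violations found in an outbound SMS fraud alert.

    An empty list means the alert only reports the event and gives a reference
    number; it neither supplies a number to call nor asks for any information.
    """
    problems = []
    if PHONE_RE.search(text):
        problems.append("contains a callback number")
    if URL_RE.search(text):
        problems.append("contains a link or domain")
    if ELICIT_RE.search(text):
        problems.append("asks recipient to act or disclose data")
    if not REFERENCE_RE.search(text):
        problems.append("missing reference number")
    return problems


if __name__ == "__main__":
    for alert in (SAFE_ALERT, SUSPECT_ALERT):
        print(alert, "->", lint_fraud_alert(alert) or "OK")
```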
12.10.07
Posted in IT, Interesting Stuff, News, Security at 11:51 am by Tyler Reguly
In a previous post, I had reviewed a SecTor presentation done by Johnny Long. I had also mentioned Hackers for Charity, a charity started by Johnny to link up hackers with charities that require IT/IS assistance. I see this as an incredible contribution and was looking forward to getting involved myself, but at the same time I was receiving feedback from readers who were interested based on the brief mention I had made of it. I decided the best way to follow up was to contact Johnny for a brief interview. I sent him a few questions, in hopes of getting a bit more information out to everyone that reads this, and I've basically inserted the email responses below.
Who is Johnny Long? While most that read this will know who you are, there may be a few that don't...
I'm a hacker by trade, a pirate by blood, a ninja in training, a family guy and author.
How did you first get involved with charity organizations and what drew you to the IT side of their operations?
My wife went on a mission trip to Uganda last year, and I joined her in her research about what was going on in Uganda. This led me to Invisible Children. I mentioned them in my talks, raised some support, etc., but when my wife returned from Uganda, I felt drawn to do more than raise money. This past May, she returned to Uganda and I went with her. Several corporations and the hacker community chipped in to fund our trip. We worked with an organization called AOET (aoet.org) who is working to help orphans left in the wake of the HIV/AIDS pandemic.
What is Hackers for Charity?
We exist to connect the skills of the hacking community with charities that need those skills. We aim to empower charities through the use of information technology.
At SecTor you had mentioned that it was for 'unemployed hackers', is this true... Does an employment restriction exist?
Not at all. But generally we tend to attract those looking for work. We have some senior members that are very well-set career-wise, and those folks are looking for a positive outlet for their skills. We provide that.
Could you provide an explanation / description of how the "references for work completed" 'thank-you/reward' system works?
It's pretty simple. Successful completion of a project results in a LinkedIn connection and resume reference from myself and other professionals that can vouch for the work. The professionals are well-known in the industry, and their recommendations carry real weight to potential employers. Those that are already gainfully employed receive the same benefits, but can add our organization and the charity name to their list of professional accomplishments. We're also working on a link/referral system that provides exposure for companies that donate time or money.
How successful has Hackers for Charity been so far?
We have a mailing list of 80+ members. We've successfully completed three projects: a reusable mail system, a reusable blogging system, and our largest project: an online child sponsorship system for AOET. The child sponsorship system is amazing. It was developed by Paul Madoff in the span of about two weeks, and will literally save the lives of children in sub-Saharan Africa. Designed for AOET, this system replaces their old cumbersome system with a streamlined system that allows potential child sponsors to browse a gallery of children in need, and select one for sponsorship. The old system was so cumbersome that many potential sponsors got lost in the process and often went to more popular and more technically advanced child sponsorship programs. It could be argued that sponsoring a needy child anywhere is better than not helping at all, but it's heartbreaking to see the AOET sponsorship system crippled because of technology issues. This system addresses that, and once it passes a vetting process, it will be released for public use through the AOET.org web site. Last but not least, we've raised over $2000 for AOET, most of which went to supporting their work in Kenya.
Hackers for Charity currently uses a Google Groups mailing list (which is becoming more common) which requires a Google email address. Have you considered moving away from that to a standard mailman list to allow for more accessibility? (Note: This question was asked due to comments received when I had previously mentioned Hackers for Charity)
Uhm, yes.
Hackers for Charity is still young... are there any planned next steps?
We plan on growing. =) Honestly, this thing has taken off so fast that it's difficult for me to keep my head above water. We won't be able to do much without some sort of (corporate?) sponsorship that will help pay the overhead associated with running the organization. There are only so many hours in the day, and I'd like to devote more of them to the organization.
Has there been any thought to Hackers for Charity stepping towards a Doctors Without Borders type approach, where, in addition to volunteering to help a charity from the comfort of your own home... volunteers could be sent to third world countries or disaster areas to help implement or rebuild an IT infrastructure?
Absolutely. I can't go into too much detail right now, but we're in the planning stages of making that happen next year (2008).
Any words, advice or thoughts for people who have been thinking about volunteering but haven't taken any action yet... for either procrastinators or people who think they might not be the type of person (or have the type of skill set) that Hackers for Charity is looking for?
Forget your skills. Come with an eagerness to help those less fortunate. Heck, just come if you could care less for all that altruistic crap and are just looking for a bump up on your resume. Some of the most needed skills are those you may think are useless. Soft skills, such as business, marketing, management, accounting, etc. are all needed.
11.27.07
Posted in Interesting Stuff at 11:11 am by Tyler Reguly
It seems to me that Google isn't the biggest fan of Tor...
Do a search for 'what's my IP' and you get a number of results, whatsmyip.org being the first one. Now do that same search with Tor running... I got a 403 page from Google:
We're sorry...
... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.
We'll restore your access as quickly as possible, so try again soon. In the meantime, if you suspect that your computer or network has been infected, you might want to run a virus checker or spyware remover to make sure that your systems are free of viruses and other spurious software.
We apologize for the inconvenience, and hope we'll see you again on Google.
To continue searching, please type the characters you see below:
If you can read this, you do not have images enabled. Please enable images in order to proceed.
Disable Tor and once again I can run the query.
11.22.07
Posted in Interesting Stuff at 2:32 pm by Tyler Reguly
This was on Slashdot earlier and the original article can be found here (including a video which demonstrates the sound that is made). It seems that in order for cell phones to be handicap accessible, they are required to (in some way) alert the user that a 911 call is being made. The FCC Telecommunications Act requires that some sort of notification occur; it doesn't, however, require that the notification be audible.
I see many of the same issues that the person who complained about this sees. You are kidnapped, held hostage, or trapped and you attempt to secretly dial 911. As soon as you dial the number, your phone essentially becomes a siren (Don't believe me? Watch the video), alerting your aggressor that you are calling the authorities. I seriously hope that Verizon rethinks this and does something more appropriate such as a message on the display, or even flashing the keypad lights.
I'm against "creating fear" but I think this is an issue that the public needs to be aware of. It could actually mean the difference between life and death in hostile situations.
10.01.07
Posted in Interesting Stuff at 12:38 pm by Tyler Reguly
After a week of headaches and hassles, I've got a PVR... actually I'm on my third PVR since Friday. The first one had NIC-related issues (it couldn't get an IP Address), the second one had HDD-related issues (it couldn't record anything), so let's hope this third one works. So now I've got a Rogers branded Explorer 8300 sitting in my living room, it's sitting on top of my Symphonic CSHP80G [manual].
So now to share a few things about the Explorer 8300 (and I invite everyone to post comments or fire me emails with additional notes... we'll grow this into the ultimate resource). Please note that some of this will be Rogers specific.
Information:

Rogers Specific:
- IP Address: 47.15.X.X [ARIN Search: Bell-Northern Research (Nortel Networks)]
- Subnet Mask: 255.255.192.0
- Rogers OnDemand App: bfs://apps/HW/Smilp.ptv [Version: 4.1.1.7; AppID: 101; EID=0x01A3; Size=415K]

Hard Drive Info:
- Model: Western Digital Caviar [WDC WD800BB]
- Size: 80GB
- Partition Information:
  - Partition 1: FS: ITFS; Size: 1GB; Free: 995MB
  - Partition 2: FS: AVFS; Size: 72GB; Free: 66GB
  - Partition 3: FS: Reserved; Size: 1GB; Free: 0K

Other:
- OS Version: 6.14.79.1
- Files with Errors: config.c; CHDDCacheFiller.cpp
- Accessing Diagnostic Menu: Hold Select until the message light appears -> Press Info -> Navigate with volume keys (all on device, not remote)
Enjoy!
09.18.07
Posted in Interesting Stuff at 11:40 pm by Tyler Reguly
The new iPod Nano has caught my attention. Since I have a smartphone with wifi and everything else I don't find the iPod Touch overly appealing, but the 8GB Nano is looking very attractive right now (I currently have a 4GB Mini).
So I was over at The Apple Store (Canada) and I was looking at the comparison page for the various iPods. I was a little concerned by the numbers on the comparison chart [boxed in Red]

So we've got more storage on the Nano if you store Songs but less if you store Pictures or Video? How does that make sense? At first the Songs portion made sense... the iPod Touch probably requires more space for software, but I don't get how the Touch's numbers end up higher than the Nano's, especially since they are both 8GB models. Thoughts?