Monday, September 27, 2004

Interesting Corrolations

I was looking through the stats for our ResNet firewall the other day when I noticed some interesting trends ...

See more ...

Tuesday, July 27, 2004

eTV, eBay and News24.

As I mentioned in an earlier post, I send e-mail to eTV about the eBay hacking article that both they and News24 carried yesterday. My e-mail to them was as follows:

Date: Mon, 26 Jul 2004 20:26:05 +0200
From: Guy Antony Halse 
To: info(at)etv.co.za
Subject: ebay hacking article

Hi

After listening to your news article this evening discussing the hacking of
e-Bay's credit card database, I decided to do some basic investigation of my
own.

I find it strange that the only website carrying any form of coverage of
this is news24.com.  All the normal sources of IT-related news have no
mention of it at all (theregister.com, itweb.co.za, slashdot.org, etc).  Not
only that, no other major wire service carries information about it.  Nor
does Google's syndication service (news.google.com) carry any further
sources.

Some other inconsistencies piqued my interest.  For a start, e-Bay is an
auctions company.  They simply facilitate payments between two parties -
they don't handle money (apart from facilitation fees) as such.  As far as I
remember, they hive credit card transactions off to paypal.com, so it seems
odd that they'd keep records of credit card details themselves.

Your article mentioned http://www.419legal.org/.  It seems odd that a site
purporting to be part of the SAPS would be hosted on a .org domain rather
than a .org.za or .gov.za domain.  Looking at ownership information for that
domain
(http://reports.internic.net/cgi/whois?whois_nic=419legal.org&type=domain)
we find:

Registrant ID:GODA-05739656
Registrant Name:D. Squire
Registrant Organization:E-Payments
Registrant Street1:6 Wrenford Place
Registrant Street2:Hillary
Registrant City:Durban
Registrant State/Province:Kwa Zulu Natal
Registrant Postal Code:4096
Registrant Country:ZA
Registrant Phone:+27.7646957
Registrant Email:support@e-payments.co.za

Now there are a few interesting things I notice about this.  Firstly, the
South African Post Office's website (www.sapo.co.za) does not know anything
about the postcode 4096.  The postcode for Hillary is 4094.  In the same
way, the phone number "+27.7646957" does not correspond to the standard
10-digit (or 9 digit + international prefix) format of South African phone
numbers.

Of further interest is that this supposedly South African site is hosted in
the United States rather than in South Africa.  The hosting company's
generic web site can be seen at http://69.93.250.100/

Visiting the web 419legal.org web site, we discover that in order to search
the database we need to enter a credit card number (as opposed to a name or
some other identifying feature, such as surname + last four digits).  In
other words one has to reveal one's credit card number in order to "check"
it.

So my question is this: How sure are you of your sources for this story or
are you being unwittingly used to further fraud?

- Guy
-- 
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: G.Halse(at)ru.ac.za  Web: http://mombe.org/ IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer ***                                   J.A.P.H

Well as I hadn't had a reply by the end of tonight's 6.15 news bulletin, I gave them a call ...

For the record, the number eTV give after their news bulletin is 021-481-4700. It appears this number corresponds to their customer care number (unsurprisingly) and you have to jump through a few hoops to get to someone who might actually be in a position to do anything useful. After sitting on hold for a few minutes and being passed through four people, I eventually got hold of someone who answered to the title of news editor.

It appears that mine wasn't the only e-mail they got last night. They realised from the number of concerned messages that something might be amiss, and so they've spent most of today researching things. I'm told that they've managed to get a statement from the police about what's going on, and they're going to carry a partial retraction of the story this evening on the 7pm new bulletin -- the news editor wouldn't give me details on the phone about what the story would entail, but mentioned that they were as concerned as I was about the possibility of people being inadvertently defrauded. So now we watch and wait I guess ...

Well that was disappointing. eTV did indeed carry the story in tonight's broadcast, fifth from the top. They said that ebay denied they'd been hacked and that their database was "virtually impossible" to hack. The article also mentioned that Jo'burg Commercial Branch had distanced itself from Mr Visser and that they were "still in the process of investigating Mr Visser's evidence." The intimation was that Mr Visser had spoken out of turn and without consulting his superiors.

What they didn't do was tell people not to type their credit card numbers into 419legal.org. Instead they carried a full-screen shot of the 419legal.org including the big header that says "419legal.org" on it. So while they didn't directly tell people to go there this time, they certainly pointed people in the right direction. The number of inconsistencies in the way the page is set up wasn't even mentioned.

eBay hacked ... or really?

Last night, Russell and I had a lively debate on #rucus about whether News 24's article on eBay being hacked was legitimate or not.

It seems that this discussion has become a lot larger than our little network and I've been asked to publish some comments I made on our local 'varsity discussion forums forum available in a more public place. So here we go:

There is more to this than meets the eye. Last night eTV carried it as headline news. I e-mailed them straight after their 8pm news bulletin to point out the inconsistencies we'd worked out by that point (we've found more since) and as yet I've had no reply from them. I was going to phone them but unfortunately they don't have a contact number for their news desk on their website. The broadcast it at the end of every news bulletin, so I'll call after the 6.15 one -- I'll probably post more on this later. (and I did.)

It appears that this might be worse than we originally thought. Instead of being the sort of scam that we suspected, it looks like this might actually be sort of semi-legitimate. Neil hinted at this earlier today, and subsequent events seem to be bearing out that notion. I'm still trying to reconcile the idea that so many simple mistakes could have been made in the setting up of a legitimate site.

I've got nothing against the idea of hosting this sort of information online, I'd just prefer it was done properly. If this is indeed legitimate (and we're still waiting to find that out), it'd be nice if some of the inconsistencies Russell and I noticed were cleaned up, and, more importantly, if the whole idea of searching a credit card database was revised. Imagine a stolen credit card database being stolen again, or people illegitimately using the details therein to commit further fraud. If it is a project of the Jo'burg Commercial Branch, I'd like to see someone at the SAPS take responsibility for its proper running. I'd also like proper, traceable contact details to be available on the site.

Anyway, News24 have carried another article on the saga. It claims that a police statement is forthcoming, something we're all waiting with baited breath to read.

It appears the whole ebay hacking saga is almost solved. Yay! IOL carried a story today that just about says it all. I'm just glad we're getting to the bottom of this and that, for once, people (read "the popular media") seem to be taking issues of Internet security seriously.

Sunday, June 27, 2004

Website rearranged, dabblings moved

The old dabblings section of my webpage is available at http://mombe.org/dabblings/. It is mostly outdated and I suspect that eventually the content of it will find its way into bits of this blog.

See more ...

Tuesday, January 27, 2004

Not a blog

Okay, first up, this isn't a blog. It isn't a journal either (sorry Nimnod :). It is a collection of flat text files that I may or may not serve up in date order through a web server. It has arisen out of a need for me to keep the multitude of ideas in my head somewhere where they don't lost. I was going to use the whiteboard in my office to do this, but I have ideas at strange times and in strange places. It doesn't work so well.

My theory on how all of this should work is that this is a bunch of documents on particular topics. When I've got something to add to a topic, I'll update the document (and I may date it ;-). Topics should be listed somewhere in date order, where "date" is the last modification date. In other words, they may jump around a bit depending on when I edit things. That's kind of how my mind works, so it make sense to me :)

It is probably going to be mostly technical crap (to quote Nimnod), and that's probably going to piss Nimnod off at some stage because she doesn't like technical crap, but there are reasons for that. Part of it is that I don't do diaries. I don't like the idea of posting stuff that's personal to a publically accessible anything. The other part is probably that I couldn't be bothered.

I might put other stuff here - I've already thought of recipes, but don't expect it to ever be a blow by blow account of what happened yesterday. It is just a collection of random thoughts.

So it is a collection of random thoughts, not a blog, or a journal or a diary. Do I repeat myself? I really should stop doing that, it is irritating :)

Oh, and I don't spell check or anything. You don't like the way I write, go hug a tree or something. Enough said.