Archive for the ‘Identity and Fraud’ Category

You and the Internet are "The End of the World"


Way back in the day, we only knew a person by sight: you had to have seen them.

There was a time when an event could only be experienced by witnessing it. If you missed the event, you were left with little to go by.

There once was a generation that spread knowledge and commodities by foot.

Those days are long gone, time has passed and we have evolved:

Seeing a person turned into a description of a person, descriptions turned into drawings of a person, drawings turned into pictures, and pictures turned into computer bytes.

Experienced events turned into word of mouth, word of mouth turned to hieroglyphics, hieroglyphics turned to scrolls, scrolls turned to books, and then books turned to computer bytes.

Traveling by foot on a rough path turned into traveling by animal on a beaten path, animals turned to engines on paved roads, and engines turned into computer bytes via the Internet (in some cases).

You, my digital friend, have become a digital record in this world. LIKE IT OR NOT. Much of what you see, say and do is digitized and stored. Storage creates a historical record, and historical records can be analyzed for events, paths, and patterns. YOU ARE MAKING HISTORY. Consider yourself a star! Paul Revere and the midnight ride? BAH! You are the new history.

Just for the record “you” digitally is: 101110010110101 (rough estimate… geeks don’t correct me, I don’t care). Yeah, doesn’t make much sense to me either, but somehow or other this fabulous computer brought that definition to you (101110010110101).

Where was I? Oh yeah…

Here you were worrying and waiting for the mark of the beast to be forced on you:

“He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead.” (Revelation 13:16)

Hehe… You fool! The mark is your forehead and right hand, and now it’s digitized and posted on the Internet (remember that picture you took with Grandma last Christmas that clearly showed your forehead and right hand, and then posted to your MySpace?). Yes, you’ve been marked, and oddly enough, you are the one that published your mark to the world. Sucks for you. Dang… Me too.

Scary huh? Oh, don’t be afraid. Everybody is in the same boat as you. The wonderful part is that when the boat sinks we’ll all be going down together.

YOU and the INTERNET are the end of the world. The Internet is the fast track to spreading the digital blasphemy we’ve created.

Don’t get me wrong, I love the Internet. It puts food on my table.

I just wanted to let you know. I hope I didn’t ruin your day, it wasn’t my intent. I just wanted to make you aware. I’m going to go check my email now.

Shred Your Credit Offers


Rob has shown us how incredibly insecure it is to merely rip up those credit card offers you get in the mail. Rob took an application he received in the mail, ripped it up, taped it back together, filled it out using a different address (his father’s) and his own cell phone number, and submitted it. A few weeks later his dad received the credit card.

Is that messed up or what? I can just picture some underpaid worker at Chase opening the envelope and entering the data into the system without giving one rip about why the application was torn up and re-taped. Sad, oh so sad. Learn a lesson from this, folks!

Just in case you don’t get it:

If you rip up your credit card offers and throw them away (or, even worse, don’t rip them up at all), a thief can fish them out of the garbage, tape them back together, fill them out with his or her own address and phone number, receive the card at that address, and go shopping. Shred them instead.


Read Rob’s adventure step by step here.

Quarter-million hospital patients’ social security numbers “lost”


A quarter-million hospital patients’ social security numbers were burned to CDs and put in an employee’s bag. The bag was exchanged at a store for a larger one, and the exchanged bag (CDs included) was bought by another customer, who brought the CDs back three days later.

Think about this story, and the lack of responsibility it shows, the next time you give somebody your social security number!

Read the full article here.

Privacy Guidelines for Developing Software Products and Services


Today, my coworker Aaron Jensen provided a link to Microsoft’s Privacy Guidelines for Developing Software Products and Services paper. I haven’t had a chance to read it yet, but I think this will be a great first step towards helping develop software with respect for user privacy. The development community needs this. The testing community could benefit highly from this document too; a guy could create a pretty sweet set of privacy test cases from this information.

Ajax Security Basics and testing


I’ve recently had a chance to write some Ajax in a side project that I’ve been working on, and through using it I started thinking about how one could easily use it to do evil things. Doing evil things reminds me of security testing. I haven’t had an opportunity to test an application that uses Ajax, but I am pretty interested in finding some good exploits when I do get the chance. Before you get all “You had the chance to test it, Brent. Didn’t you test YOUR Ajax code, Brent? You’re in Software QA and you don’t test your own code?”, let me tell you that I did think about it being exploited, and if it were, it wouldn’t really matter in my situation. 🙂

But while thinking about it, I did find the following article on Ajax Security Basics that would help a tester start thinking about how to attack the technology. After working with it and reading the article, I rank the danger this could pose to an application up there with the danger of using <frames>. Are any of you testing Ajax applications? Do you have any advice or test cases you’d be willing to share?

Top 5 Security Vulnerabilities detected from compromises


Promoting CISP (Cardholder Information Security Program), Visa has published the educational bulletin Top Five Data Security Vulnerabilities Identified to Promote Merchant Awareness. To summarize, the top five vulnerabilities are:

  1. Storage of Track Data
  2. Missing or Outdated Security Patches
  3. Vendor-Supplied Default Settings and Passwords
  4. SQL Injection
  5. Unnecessary and Vulnerable Services on Servers
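Visa’s first item is the one that bites hardest after a compromise: full track data was never supposed to be written to disk, yet it turns up in POS debug logs and database dumps. The scanner below is an added example (it is not from Visa’s bulletin or the CISP program) that looks for the ISO/IEC 7813 track 1 and track 2 layouts in text and Luhn-validates the PAN to cut down false positives; the log lines it runs over are constructed, using the public 4111 1111 1111 1111 and 5555 5555 5555 4444 test card numbers rather than real accounts.

```python
import re
from typing import Dict, List

# ISO/IEC 7813 track layouts (common fully populated form; real cards may use
# field-separator placeholders where the expiry or service code is absent):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check-digit validation; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI-style display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> List[Dict[str, object]]:
    """Return one finding per track-formatted field whose PAN passes Luhn.
    The PAN is masked in the output so the report itself does not become stored track data."""
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue  # digits that merely look like a track are not reported
            findings.append({
                "track": track,
                "pan": mask_pan(pan),
                "expiry": m.group("exp"),
                "service_code": m.group("svc"),
                "offset": m.start(),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: a POS debug log. Card numbers are the public Visa/Mastercard
# test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts.
# The last line has a bad check digit and must not be reported.
SAMPLE_LOG = """\
2007-01-05 10:22:01 POS auth ok amount=42.10 track2=;4111111111111111=0812101123456789?
2007-01-05 10:22:05 POS auth ok amount=9.99 pan=411111******1111
2007-01-05 10:23:11 POS debug raw=%B5555555555554444^DOE/JOHN^08121011234567890?
2007-01-05 10:23:40 POS debug raw=;4111111111111112=0812101?
"""

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f"track {f['track']} PAN {f['pan']} exp {f['expiry']} at offset {f['offset']}")
```

Run it over log directories, database exports and core dumps on any host that touches card data; a single hit means the application is persisting track data, and the fix is to stop writing it, not to encrypt the file. The masked PAN line in the sample is deliberately ignored: it is not track data and is the form you should see in logs.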

How to avoid the .com typo-squatters


Typo-squatters are using the .cm top-level domain (Cameroon) to catch people who mistype .com as .cm, serving up a page you didn’t really want instead of the site you meant. Here is an easy way to avoid the .cm typo in IE:

  1. Type the domain name minus the suffix in the address bar (e.g. microsoft)
  2. Press the keys: CTRL+SHIFT+Enter

A www. will be added to the front of the name and a .com will be added to the end. Avoid the .com typo-squatters with IE shortcuts!
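The .cm trick is one instance of a single-character slip in the address. The function below is an added example (not part of the original post) that generalises it: it generates every one-character omission and adjacent-swap variant of a domain, and separates out the TLD-only class that .cm belongs to, so a site owner can see which lookalikes (microsoft.cm, microsoft.co, micrsoft.com, ...) might be worth registering or watching. The domain used is only an illustration.

```python
from typing import Set


def _omissions(label: str) -> Set[str]:
    """All strings made by dropping one character from a label ('com' -> 'om', 'cm', 'co')."""
    if len(label) < 2:
        return set()  # dropping the only character would leave an empty label
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def _transpositions(label: str) -> Set[str]:
    """All strings made by swapping two adjacent characters ('com' -> 'ocm', 'cmo')."""
    return {
        label[:i] + label[i + 1] + label[i] + label[i + 2:]
        for i in range(len(label) - 1)
        if label[i] != label[i + 1]  # swapping identical neighbours changes nothing
    }


def typo_variants(domain: str) -> Set[str]:
    """Every domain that differs from `domain` by one omission or adjacent swap
    inside a single label (host label or TLD). The original is never included."""
    domain = domain.lower().strip(".")
    labels = domain.split(".")
    variants = set()
    for idx, label in enumerate(labels):
        for alt in _omissions(label) | _transpositions(label):
            variants.add(".".join(labels[:idx] + [alt] + labels[idx + 1:]))
    variants.discard(domain)
    return variants


def tld_typos(domain: str) -> Set[str]:
    """The subset of typo_variants() where only the TLD changed: the .com -> .cm class."""
    domain = domain.lower().strip(".")
    host, _, tld = domain.rpartition(".")
    if not host:
        return set()  # a bare label has no TLD to mistype
    return {
        v for v in typo_variants(domain)
        if v.rpartition(".")[0] == host and v.rpartition(".")[2] != tld
    }


if __name__ == "__main__":
    # Illustrative domain only; pick your own site's name.
    for v in sorted(tld_typos("microsoft.com")):
        print(v)
```

The TLD-only set is short (for a .com site it is .cm, .co, .om, .ocm and .cmo), which is why the .cm squatters get so much traffic from so few registrations; the full typo_variants() set is what a brand-monitoring check would resolve periodically to see who has registered what.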

Firefox trojan extension


The bad guys are using Firefox extensions as a means of piggybacking on Firefox to steal sensitive user data.

Once FormSpy is executed, it installs itself as a component of the Firefox Web browser.
The FormSpy spyware then gleans sensitive information, such as credit card and bank account numbers, from the user’s browser and forwards it to a malicious Web site. But this Trojan is capable of other tricks, as well, McAfee noted.

Read more here.
