[iwar] [risks] Risks Digest 21.76 (fwd)

From: Fred Cohen (fc@all.net)
Date: 2001-11-20 12:23:05


Date: Fri, 16 Nov 2001 12:03:56 -0700
From: Brett Glass <brett@lariat.org>
Subject: IP: 800 directory "assistance" redirecting calls

  [From David Farber's IP
    http://www.interesting-people.org/archives/interesting-people/]

IPers might be interested in something that happened to me today. I am
planning a trip to Denver, and wanted to stay at the Adam's Mark hotel.  Not
knowing the toll-free number for the chain, I called 800-555-1212 (toll-free
information) to ask for the number.

"Toll-free directory assistance, powered by TellMe!" said a recorded
message. I told the recording that I wanted the number of the Adam's Mark.

However, instead of receiving the correct number for the chain (listed on 
their Web site as 800-444-ADAM), I received a different number: 
800-866-5038. This number was not actually the number of the hotel chain,
but rather that of a third party room wholesaler in Orlando, Florida.

Calling the correct number, I confirmed that the hotel chain had no idea
that calls were being diverted to a third party.

As the economy continues into recession, we are likely to see more and more
instances of "customer hijacking," in which companies -- perceiving their
markets as a zero sum game -- work to grab customers from one another in any
way possible, regardless of ethics. "Slamming," and the hijacking of ISPs'
DSL customers by ILECs, are only two of the many other hijacking techniques
which are now becoming prevalent in slowly growing, or shrinking, markets.

Brett Glass

------------------------------

Date: Fri, 16 Nov 2001 09:53:48 +0000 (GMT)
From: Ian Chard <ichard@cadence.com>
Subject: Paperless billing and opening a bank account

I recently opted for paperless (i.e., e-mailed) billing from both British
Telecom and my electricity provider, and am now finding that it's much
harder for me to convince some financial institutions of my identity.

Many banks insist on a "recent utility bill" [1] as partial proof of ID, and
the application processing staff seem to be trained to reject anything that
looks remotely unusual.  Unsurprisingly, they rejected a printout of my
"e-bill" as well as my (paper) gas bill, as I'm not on mains gas and they
hadn't heard of the supplier.  The only way I could satisfy them was to ask
the electricity company to provide a printed copy of my bill (something they
tried to charge me for).

Ironically, this was an application for a paperless account!

[1]  Of course, this means that the bank have an implied trust in the utility
     companies to do some checking of their own.

Ian Chard, Unix Systems Administrator, European IT, Cadence Design Systems Ltd
The Alba Campus, Livingston, Scotland  EH54 7HH  +44 (0)1506 595019  

------------------------------

Date: Fri, 16 Nov 2001 10:49:44 -0000
From: "Chris Leeson" <CHRIS.LEESON@london.sema.slb.com>
Subject: Metro Headline: "Windows hacked in hours"

The 01 Nov 2001 edition of Metro (a free newspaper in London) had this
article on the front page, which began as follows.

    "Hackers cracked and copied Microsoft's much-lauded new Windows
     software within hours of its launch, it emerged last night.

     Black market copies of the supposedly uncrackable Windows XP,
     which took 16 years to develop, are already on sale for 5 pounds."

After making a reference to Microsoft's advertising, the article goes on
to mention that:

    - Hackers were exploiting two "simple security loopholes"
    - One of these was a security key "now widely available on
      the Internet"
    - Microsoft had admitted that illegal copies were already
      on sale in China.

Not being an expert on such things, I cannot comment on the "security
loopholes", but I thought that the "16 years to develop" was a classic!

------------------------------

Date: Thu, 15 Nov 2001 16:00:44 -0500
From: Jonathan Epstein <Jonathan_Epstein@nih.gov>
Subject: Windows XP accounts by default are administrator with no password

The Register has an entertaining article:
  http://www.theregister.co.uk/content/4/22863.html
which, among other things, points out Microsoft Knowledge Base article Q293834:
  http://support.microsoft.com/support/kb/articles/Q293/8/34.ASP
whose summary reads:

"After you install Windows XP, you have the option to create user accounts.
If you create user accounts, by default, they will have an account type of
Administrator with no password."

------------------
http://all.net/ 
