Transport website leaking private information of 168,000 passengers

May 19, 2010 by admin  
Filed under Security News

A hacker called “ins3ct3d” has demonstrated that he can access the personal information of 168,000 users of public transport in The Netherlands via an insecure website.

 

A campaign to encourage residents living in the provinces of Gelderland, Overijssel and Flevoland to use public transport has been promoting a website called “Experience the OV” at www.ervaarhetov.nl, which allows people to request a card allowing them to try out public transport travel for free.

 

However, as the magazine Webwereld reports, a simple SQL injection attack allowed “ins3ct3d” to access the personal information of subscribers – including names, addresses, birth dates, email addresses and phone numbers.
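To make concrete what a “simple SQL injection” against a request form like this looks like, here is an added illustration. It is not code from ervaarhetov.nl (whose implementation was never published) and the table, column names and rows are all hypothetical: a subscriber lookup built by string concatenation sits beside the same lookup with a bound parameter, both run against a constructed in-memory SQLite table with fictional rows.

```python
import sqlite3

# Constructed sample data: fictional subscribers standing in for the kind of
# rows a trial-card request form would store. Not data from the real site.
SAMPLE_SUBSCRIBERS = [
    ("Anna Jansen", "Hoofdstraat 1, Arnhem", "1985-03-12", "anna@example.org", "0612345678"),
    ("Pieter de Vries", "Kerkweg 9, Zwolle", "1979-11-30", "pieter@example.org", "0687654321"),
    ("Lies Bakker", "Dorpsplein 4, Lelystad", "1992-07-04", "lies@example.org", "0611112222"),
]


def build_db():
    """Create an in-memory database with a hypothetical 'subscribers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers ("
        "name TEXT, address TEXT, birth_date TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO subscribers VALUES (?, ?, ?, ?, ?)", SAMPLE_SUBSCRIBERS)
    return conn


def lookup_vulnerable(conn, email):
    """Lookup built by string concatenation: user input becomes part of the SQL."""
    sql = "SELECT name, email, phone FROM subscribers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same lookup with a bound parameter: the input is treated as data, never as SQL."""
    sql = "SELECT name, email, phone FROM subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A tautology payload: the WHERE clause becomes  email = 'x' OR '1'='1'  and matches every row.
TAUTOLOGY = "x' OR '1'='1"

# A UNION payload with the same column count as the original SELECT (3), which pulls
# columns the form never meant to expose (address, birth date) into the result set.
UNION_DUMP = "x' UNION SELECT name, address, birth_date FROM subscribers WHERE '1'='1"


def demo():
    """Run both lookups against normal input and the two payloads; return row counts."""
    conn = build_db()
    normal = "anna@example.org"
    union_rows = lookup_vulnerable(conn, UNION_DUMP)
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_union": len(union_rows),
        # True when an address has leaked into what the form thinks is the email column.
        "union_leaks_address": any("Arnhem" in row[1] for row in union_rows),
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_tautology": len(lookup_parameterized(conn, TAUTOLOGY)),
        "safe_union": len(lookup_parameterized(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version is not a sanitiser bolted on afterwards; the driver sends the query text and the value separately, so the quote in the payload can never close the string literal. That is the check to apply to every query a form like this builds.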

 

The hacker, who has chosen to remain anonymous, demonstrated the attack to the magazine by accessing the personal data of one of Webwereld’s reporters.

 

Explaining his reason for exposing the security vulnerability, “ins3ct3d” explained that he felt compelled to warn his fellow citizens as long as the government continues to use unsafe systems. “This time it’s sensitive personal data, next time your fingerprints or EPD,” he said.

 

(EPD is the Elektronisch Patiëntendossier, the Dutch electronic patient record. I guess I don’t need to give a translation of that for you to realise why that’s not data you want falling into the wrong hands.)

 

There’s no confirmation that banking data was exposed, but there were fields in the databases for ID card numbers, payment agreements and so forth. At the request of Webwereld, the hacker did not retrieve more data, so there’s no telling if any of these fields had been filled.

 

Webwereld contacted the authorities, and the website is currently “temporarily unavailable”.


I guess we should all breathe a sigh of relief that, in this instance, the hack appears to have been orchestrated with the aim of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some small part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.

 

By Graham Cluley, Sophos

 

95% don’t support Facebook privacy changes, poll reveals

April 7, 2010 by admin  
Filed under Security News

Controversial proposals by Facebook to change its privacy policy have been slammed by users, according to poll results released today.

 

At the end of March, Facebook proposed a change to its privacy policy which, amongst other things, would make it possible for it to share your information automatically with “pre-approved” websites.

 

As I explained at the time, this would mean that you might visit a website and discover that it already knows who you are, your date of birth, where you live and who your friends are. All without you ever having given the site explicit permission to access that data.

 

Even though Facebook says that only a small number of pre-approved sites will be offered this feature and that users would be able to “opt-out”, an overwhelming 95% of the 680 people polled on this blog declared that they thought Facebook’s privacy changes were “a bad thing”.


Only 2%, 16 of those polled, said that they supported the change. As an aside, it tickled me that some of those votes approving Facebook’s privacy policy came from an IP address at Facebook.com. (Which was fine, after all there was nothing saying that Facebook employees couldn’t vote).

 

Yesterday, following a backlash of criticism about the new policy, Facebook published a response, attempting to justify its position, and underlining that it would only offer the data to “carefully selected partners”, and that such partners would be “required to provide an easy and prominent method” for users to opt out directly from their websites and delete their personal data.

 

Personally, I still think it stinks.

 

Most users still don’t know how to set their Facebook privacy options safely, finding the whole system confusing. The onus should not be on Facebook users having to “opt-out” of this new feature, but instead on users having to “opt-in”.

 

Once again, it feels like online privacy is being eroded by stealth. Too many websites are chipping away at their members’ privacy and security, potentially exposing their personal data to third parties that were never in the equation when they first signed-up for the service.

 

If you are on Facebook and want to keep yourself informed about the latest news from the world of internet security and privacy you could do a lot worse than become a Fan of Sophos on Facebook.

 

* Image source: Max-B’s Flickr photostream (Creative Commons)

 

By Graham Cluley, Sophos

 

 


Related Blogs

    Facebook privacy settings: What you need to know

    December 11, 2009 by admin  
    Filed under Security News

    Facebook is making big changes to its privacy settings that may mean millions of people begin to expose information that they previously considered to be restricted to only their Facebook friends to the entire internet.



     

    Facebook is recommending that users adopt a series of new privacy settings that would reveal their personal data to anyone on the internet. Chances are that when you login to Facebook today you’ll be advised to make various pieces of your personal information available for “Everyone” to see.

    To get a clear picture of what Facebook means by everyone (and its implications) you should check out the revised Facebook privacy policy:

     

    "Information set to 'everyone' is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations."

    "The default privacy setting for certain types of information you post on Facebook is set to 'everyone.' You can review and change the default settings in your privacy settings. If you delete 'everyone' content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."


     

    So, let’s make this clear. If you make your information available to “everyone”, it actually means “everyone, forever”. Because even if you change your mind, it’s too late – and although Facebook say they will remove it from your profile they will have no control about how it is used outside of Facebook.

     

    There’s a real danger that people will go along with Facebook’s recommendations without considering carefully the possible consequences.

     

    By Graham Cluley, Sophos