Note: This column represents the opinions of the writer and as such, is not purported as fact.
IMPORTANT NOTE: The report you're about to read will soon be illegal thanks to the proposed Crimes Amendment Bill. In researching this story and to check the veracity of "information received", I accessed other people's accounts on the T&E webserver. Right now there's no specific law against such activities, but doing this after the CAB is passed could land me in jail on hacking charges.
I like the service provided by Trade & Exchange. For many years I've been a regular purchaser of their now twice-weekly free-advertising publications. Within its pages are often great bargains, and it's also a good way to get rid of unwanted items.

What's more, I've always had a much better response from an ad placed in the T&E than I've ever gotten from similar ads in the NZ Herald. So why actually pay for less effective newspaper classified advertising when T&E lets you place up to three ads per week for free?
Things got even better when, a few years ago, T&E put themselves on the Web. Instead of having to telephone or fax in your advertisement, you could just go online and enter it through a relatively friendly website that, while not an ergonomic masterpiece, was basically quite functional.

Then they went and ruined it all by upgrading to a new site -- oh dear!
I was going to write a column on the new T&E site shortly after it was released, but the thing was so very bad that I thought it only fair to give them a little time to sort out the worst of the bugs.

Well, it's been a few months now and things haven't improved at all. In fact the site is so buggy that each time I place an ad, T&E staff have to ring and ask if I'm buying or selling, because on the web-based advertisement entry form both buttons remain checked despite my best efforts to select just one. Things got a whole lot worse yesterday, however, when a reader alerted me to the fact that the site is also wildly insecure.
Using just my web browser and no "hacking tools" of any kind, I was able to verify that anyone with half a brain (i.e. anyone who really wanted to) can access the accounts of other users and thus obtain their passwords, rack up charges against their accounts, etc.
All this is possible despite the fact that on this page, under the heading "Security", it is boldly stated that:

"te.co.nz has an extensive firewalling procedure to ensure our customer database is protected and cannot be accessed by unauthorised persons."
I'm sorry guys, but I think you're placing just a little too much reliance on your firewall. A firewall only controls which traffic is allowed to reach the web server; it can do nothing about flaws in the web application that the server is deliberately exposing to the public, and this complacency has meant that you've left the front door to your customer database wide open.
Let me ask yet again (albeit with a little self-interest): what happened to the simple precaution of paying an expert to perform a basic survey and security audit on this new website before going live? Is nobody listening when I say that absolutely no website that collects personal information or email addresses, or operates any kind of billing system, should go live without a mandatory security audit?
Time for a blatant commercial plug here. Before ANYONE launches a new or revamped website they really must get it independently surveyed; today's column should provide all the proof you need to support this assertion.
Fortunately the T&E site doesn't keep a record of customers' credit card numbers, but it does provide a pre-pay account facility for advertisers. So, by exploiting the security hole(s), a cracker could easily rack up charges against someone else's Pre-Pay balance. Given that you can also examine an account's ad-placement history, smart fraudsters could choose to defraud an account with a pre-pay balance that hadn't been used for a while. That way it's likely that some time could pass before the fraud was discovered.
What's more, the customer database contains an email address for each registered user, along with information that would allow some very nice targeted spam lists to be created by an entrepreneurial cracker with time to burn.
So there you have it -- what was once a great online adjunct to a wonderful service has become a real shambles and a threat to the privacy and wallets of its users (although I'm sure T&E would refund amounts fraudulently billed to one of their Pre-Pay accounts).
Now this is a big enough story on its own -- but the fact that pretty soon I won't be able to report this kind of thing with any authority raises an even more important issue. Being unable to legally verify a tip-off that a site is insecure creates a very real dilemma.
What can I (or a real IT journo) do in such a case?

Publish "rumours" that a site is insecure, without verification?

Contact the site operators and rely on them to admit honestly that their site has a gaping security hole?

Or just publish nothing at all -- effectively allowing the information to spread through the cracker underworld but leaving those who might be most affected (the site's customers or users) completely unaware of the risks?

Should journalists be granted special dispensation to check reports of security holes "in the public interest", perhaps?
Finally, let me add that I have a lot of respect for the guys and gals at T&E and I'm sure that they'll move quickly to plug this hole. Regular Aardvark readers will know that when I blow the lid on a security hole I never publish details of how to exploit the vulnerabilities, and I am always happy to work with the site owners to sort out the mess. This case is no different.

I can only assume that T&E are unaware of the vulnerability exhibited by their new website, or they would not have continued to claim that the site was safe and secure. I look forward to receiving their request for details.
Yes, You Can Donate
Although the very kind folks at iHug continue to generously sponsor the
publication of Aardvark, the bills still exceed the income by a fairly
significant amount. It is with this in mind therefore that I'm once
again soliciting donations from anyone who feels they're getting some
value from this daily column and news index. I've gone the PayPal
way of accepting donations because the time involved in processing a bunch
of little credit-card billings sometimes exceeds the monetary value they
represent. Just click on the button to donate whatever you can afford.
NOTE: PayPal bills in US dollars so don't accidentally donate twice
what you were intending :-)