Sunday, 13 March 2005

Why spend money on schools, police or hospitals when you can spend it on insecure web services?

I recently got a letter from the council, saying they've set up a web site to access your council tax details - presumably to cut the cost of their staff answering simple enquiries. Sounds like a good idea in theory, until you remember who you're dealing with.

They gave me a password by post. They told me my account number was on my bills. The password was a f***ing 6-digit numeric code! It looks like everyone in town must have got one of these letters and I'm guessing each one of them has their own easily crackable 6-digit password. When I got around to reading the damn thing, I logged on in a panic and changed it, but I wonder how many other people would actually be bothered?

What's to stop me (if I were so inclined) using a brute force attack to access somebody's account details? Of course, I'd hide this attack using proxies and maybe space it out over a period of time to hide the traffic boost - but what's the likelihood of the council being competent enough to be checking their logs for attacks anyway? Alright, I'd need the account number - the easiest way to get that is probably just to ring the council, pretend to be the target and ask for it! There are other ways of course - read Kevin Mitnick's 'The Art of Deception' if you're interested.
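The brute-force risk above, looked at from the defender's side, as an added example that is not from the original post: it shows how little of a 6-digit numeric keyspace a per-account lockout leaves testable, and a log check that keys on the target account rather than the source IP, so attempts spread over proxies and time still stand out. The log format, the sample lines and the thresholds are assumptions.

```python
# Added example, not from the original post: (1) how little of a 6-digit numeric
# keyspace an attacker can cover per account under lockout, and (2) detection over
# constructed auth log lines keyed on the account, not the source IP.
from collections import defaultdict
from datetime import datetime

NUMERIC_6_KEYSPACE = 10 ** 6  # 000000..999999

def lockout_coverage(keyspace: int, attempts_before_lockout: int) -> float:
    """Fraction of the keyspace testable on one account before a
    per-account lockout triggers (ignoring lockout resets)."""
    return attempts_before_lockout / keyspace

# Constructed sample log: "<ISO timestamp> <client ip> login <account> <ok|fail>"
SAMPLE_LOG = """\
2005-03-13T10:00:01 203.0.113.5 login 5687458743 fail
2005-03-13T10:20:14 198.51.100.7 login 5687458743 fail
2005-03-13T10:41:52 203.0.113.9 login 5687458743 fail
2005-03-13T11:02:30 192.0.2.44 login 5687458743 fail
2005-03-13T11:25:07 198.51.100.8 login 5687458743 fail
2005-03-13T11:49:41 192.0.2.10 login 5687458743 fail
2005-03-13T12:00:00 192.0.2.77 login 1122334455 fail
2005-03-13T12:00:30 192.0.2.77 login 1122334455 ok
"""

def parse_log(text: str):
    """Yield (timestamp, ip, account, result) per line of the sample format."""
    for line in text.splitlines():
        ts, ip, _, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result

def suspicious_accounts(text: str, window_s: int, max_failures: int, min_ips: int):
    """Return {account: (failures, distinct_ips)} for accounts that see more
    than max_failures failed logins inside any window_s-second window from
    at least min_ips distinct source IPs. Keying on the account rather than
    the source IP is what catches a guess spread across proxies."""
    failures = defaultdict(list)
    for ts, ip, account, result in parse_log(text):
        if result == "fail":
            failures[account].append((ts, ip))
    flagged = {}
    for account, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            ips = {ip for _, ip in in_window}
            if len(in_window) > max_failures and len(ips) >= min_ips:
                flagged[account] = (len(in_window), len(ips))
                break
    return flagged
```

With a two-hour window the sample flags the targeted account from six different addresses, while a per-IP rule would see only one failure each.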

From this attack, I've gained the following information:

Their name, address, council tax account number, the complete details of their council tax payments and perhaps whether or not they live alone (if they claim the single occupant's discount).

Then, unless their telephone number is ex-directory (not listed) - maybe even if it is - I could find out their telephone number and social engineer my way to their bank account details, like so...

Social Engineer: 'Hello Mr/Mrs X, I'm Bob from the local council, your account no. is 5687458743, right?'
Victim: 'Erm... yeah. right.' (would you even check?)
SE: 'Great, we're having some computer problems right now and the engineers are repairing some damaged tax records, mind if I just double check that we've got our records straight for your account?'
Victim: 'Yeah, ok, if it's quick.'
SE: 'Great, thanks, shouldn't take long. First, can you just confirm your address.. is it [reads out full address]'
V: 'Yeah'
SE: 'right, that's a band B property?'
V: 'Yes'
SE: 'Ok, so you made the following payments on this date right....[lists recent payments]'
V: 'Sounds about right'
SE: 'great, thanks, oh... and can you just confirm your bank account and sort-code payment details please?'
...

Now I have your personal details, your marital status, your phone number and your bank account details. Scared yet? Wait until I phone you back three months later, when you've forgotten the sound of my voice, claiming to be 'Fred' from your bank who's having difficulty with our 'on-line banking service' and needs your current bank password so they can log in and 'reset it' (empty it into my Swiss bank account).

Banks lose millions of pounds a year to social engineering and identity theft, and that's thanks in part to incompetent idiots like the local council. Nice work, idiots. It's good to see that my annual council-mugging of £683 a year is well spent! I mean, why spend that money on the schools, police or hospitals when you can spend it on insecure web services?


Friday, 11 March 2005

Star Wars Episode 3

The Star Wars Episode 3 Trailer is now available for download at Torrent Reactor.

It's going to be a PG-13! This one looks like it's going to be a lot darker, like 'The Empire Strikes Back', rather than the sad puppet show that was Episode 1 - let's hope this doesn't suck as much a** as that did. From the looks of it though, this is going to be pretty good.


found at Slashdot.

Thursday, 3 March 2005

So you're on TV - nobody cares!

There's been an alarming increase in 'reality' shows on TV over the past couple of years (although I'm not quite sure how being locked in a room full of ugly lesbians and loud-mouthed scouse-t***s can be classed as reality: unless you are exceptionally unlucky). I can't understand why.

Also, there are all these magazines like 'Heat' advertised on TV, over and over again, telling us who's sleeping with whom, what they're wearing, their latest hair style and which designer made their handbag, etc. - riveting stuff like that. Just once I'd like the 'Heat' advert to tell it like it really is:

Idiot Girl: [teases co-workers about having a magazine that they don't]
Co-worker: I'm sorry, I think you're confusing me with someone who gives a f***.
Idiot Girl: Oh... [puts mag in the bin and gets back to over-paid data-entry job].

If you ever flip through these mags (as I'll admit I've done occasionally while in the dentist's waiting room) you'll notice they're mostly just full of pictures of celebrities attending events.

Seriously, who gives a f***? Why the hell should I care what someone's wearing/doing/f***ing just because their ugly face has been on TV? What's with all the ex-soap/reality TV types releasing records and/or fitness videos? Here's some free advice to annoying attention-whore celebrities (like Jade from Big Brother): if you look like a pig and you're more annoying than the crazy frog ring-tone, stay at home.