Security Bullet In
Communiques from the security front, sir
Monday 7 July 2008, 4:40 PM
Daily Mail loses hacks' personal details
The Guardian has reported that the organisation behind the Daily Mail, Associated Newspapers, has lost the details of thousands of staff.
Associated Newspapers sent a letter to staff and hacks letting them know that a laptop, stolen last week, contained their names, addresses, bank account numbers and sort codes.
The Guardian took the angle that the Daily Mail had likely been embarrassed, as the Mail had lambasted the government over its repeated data loss incidents.
"After months of criticising "criminally careless" government departments for losing confidential records, the company has been forced to send out an embarrassing letter telling journalists they may now be at risk of identity theft," said the Guardian piece.
You can see the Guardian's point. When the Daily Mail described the loss of a Ministry of Defence laptop in January, it called the situation a "huge embarrassment to the MoD" and the "latest in a string of data blunders", while its headline for the HMRC data breach screamed "Mind Blowing Incompetence."
It will be interesting to see the angle the Daily Mail takes over future government and private sector data loss incidents.
Friday 4 July 2008, 4:49 PM
Barracuda launches counter-suit against Trend Micro
Court cases are never pleasant or simple. The ongoing battle between security companies Trend Micro and Barracuda Networks took a new twist on Wednesday, when Barracuda launched a counter-suit in the companies' patent battle.
Trend Micro initially started to sue Barracuda Networks in 2006, claiming the company had infringed Trend Micro patents developed around gateway antivirus.
Now Barracuda is suing Trend, claiming infringements of patents bought from IBM "for defence".
"Barracuda Networks would prefer to focus on innovation, not litigation, so it is unfortunate that we must defend ourselves with a countersuit," said Dean Drako, president and CEO of Barracuda Networks, in a statement. "Innovation will lead to a safer Internet, litigation will not."
Thursday 3 July 2008, 2:52 PM
The GoDaddy saga continues...
I've been trying to sort out an incident with registrar GoDaddy since last week. I blogged on Tuesday and Thursday about the situation, but in a nutshell I found out that I was registered as the owner of the travel-getaways.com site. This was news to me.
The owner of a legitimate domain contacted me to let me know that travel-getaways.com was pulling content from his site, and displaying it on travel-getaways.com. He did a WHOIS lookup, discovered I was registered as the site owner, and so got into contact writh me through the ZDNet.co.uk community email.
Since I found out that somebody used my name, with my altered work details, to register a dodgy site, I've been emailing and speaking on the phone with the registrar company GoDaddy almost daily.
The good news is that the owner of the website that travel-getaways.com was nicking content from managed to convince the hosting service, Host Gator, to pull the plug on travel-getaways.com. I am pleased about that. My feeling about content is that you should always attribute where you get information from.
Meanwhile, I've been bound up in red tape trying to convince GoDaddy firstly that the details they have for me are fake, and secondly that I am who I say I am.
More on this later...
Tuesday 1 July 2008, 3:49 PM
IT guy busted over insider trading
An IT professional has been fined £85,000 for insider trading, Management Today reports.
The fine was imposed by the Financial Services Authority on John Shevlin, who used to work at the Body Shop. He was found to have used his position to log into private emails and access insider information.
The FSA said that it couldn't directly prove Shevlin was guilty, but that there was "compelling circumstantial evidence" to indicate he was.
Shevlin borrowed £29,000 to take a short position over 80,000 Body Shop shares, just before a profit warning was issued. Shevlin made just under £40,000 in a day.
In the words of Management Today:
"[Shevlin] claimed that he’d just made a savvy prediction based on the over-valued share price. But despite this expertise, he’d only ever made two trades before in his life – both in the Body Shop. And this was a huge bet: he borrowed more than his annual salary, took a position worth twice as much as his entire net assets, and accounted for a quarter of all the shares traded that day. Plus he did it all in his own name, in his own company, the day before a profit warning. Even the FSA couldn’t miss an open goal like that..."
Thursday 26 June 2008, 7:35 PM
Caught in the GoDaddy red tape
This is one of those situations that would be funny if I wasn't the one caught up in it.
I blogged on Tuesday that I'm listed on WHOIS as the administrator of a charming site called travel-getaways.com. The problem is that I have absolutely no links to travel-getaways.com at all, and the site is pulling content from a legitimate travel site, to populate travel-getaways.com with content.
Now, looking at the WHOIS entry for travel-getaways.com, it has my name, fake address, and a fake contact email address and number. The owner of the legitimate site -- a ZDNet.co.uk reader -- got in contact with me through the community email, to let me know that a site registered in my name was nicking content off his site.
The domain registrar is GoDaddy.com. I gave them a ring. Ok, I thought, I'll be straight with them -- I told them from the beginning that I am an IT security journalist. I didn't go through their PR, however, as I wanted to get a flavour of the GoDaddy complaints procedure.
So what's my complaint? Someone has used my details, subtly altered, to set up a fake GoDaddy account. While not exactly being identity theft, this is definitely somebody using my name, with my slightly altered work details, to register a dodgy site. Obviously I'm not happy about that.
There's also the small matter of the potential intellectual property infringement by travel-getaways.com against the owner of the legitimate site. I'm not happy about that, either.
I wanted to see how GoDaddy would react, given the nature of my concerns.
I contacted GoDaddy to speak to a person in the GoDaddy support department, who very politely directed me to the office of the president. I emailed my complaint to the office of the president, detailing the situation.
The email I got back contained the line:
"It is the domain registrant's responsibility to review and maintain their WHOIS data."
This made me laugh.
"Ok, fair enough, it's the domain registrant's responsibility to maintain their data, but I AM NOT THE DOMAIN REGISTRANT," I said to the computer, shaking my fists.
The email directed me to log a complaint with GoDaddy Domain services, which I duly did, outlining the situation. I gave them a link to the fraudulent WHOIS lookup, as well as contact details -- my (real) work email and telephone number.
Meanwhile I wrote another letter of complaint, also outlining the situation but in stronger terms, and asking GoDaddy to take my details off its register, and to turn over the payment details for the fake account to law enforcement in the States. I doubt very much whether law enforcement would have the time or resources to do anything, but it's worth asking.
I got an answer back from my original complaint:
DearTom Espiner,
Thank you for your email. Please provide evidence to prove your information is being used in the Whois for the domain travel-getaways.com. We can accept a copy of a utility bill showing your name and mailing address or an email from the email address listed. Once we have this documentation from you, we can move forward with your complaint.
Thank you,
GoDaddy.com, Inc.
Domain Services
I must admit, I'm not good with bureaucracy at the best of times, but this email made me both laugh and get angry. For a start, I'd already provided the link to the fake WHOIS entry. It was in the complaint that Domain Services was replying to.
The work address is fake in the fake entry, so providing proof of my real work address wouldn't help at all. Plus, who gets utility bills to their work address, unless they work from home?
The email address listed in the fake WHOIS entry is also, you guessed it, fake. So I couldn't respond from that email address, unless I fiddled around spoofing the sender details, which I doubt would have helped my case much.
Feeling like I was bashing my head against a brick wall, I rang up GoDaddy. In fairness to the company, the person I dealt with first very patiently escalated me to a polite man in the office of the president. GoDaddy is currently looking into the situation. They did keep me on hold for approximately an hour, but to be fair, they were trying to sort the situation out there and then.
So far as I can tell so far about GoDaddy's complaints procedure, it seems that the people on the other end of the phone are courteous, efficient, and professional, while GoDaddy's processes seem clunky, unhelpful, and bureaucratic to the point of being obtuse.
Previous
