Free Stuff a Security Risk; New Firefox Flaws Surface
Overwhelming Security Risk: Free Stuff
What’s the price of personally identifying information?
When it comes to sensitive information, people may give it away for almost nothing. According to a recent study, 92 percent of people valued the information needed to open a bank account in their name at the price of a London theater ticket, or about $37.
Here’s what happened: Infosecurity Europe researchers took to the streets of London, stopping people with the offer to win free theater tickets in exchange for answering some theater-related questions. Two hundred people began the three-minute survey.
Mixed in with theater-related questions, however, were leading questions. One posed that actors’ stage names were usually a combination of the name of their pet and their mother’s maiden name. Researchers then asked survey takers what their stage name would be, and 94 percent responded with apparently accurate information. To another leading question, 96 percent shared the name of their first school—a piece of information British banks use to verify identity—and, in case they should win, 98 percent of survey takers shared their full address.
Finally, interviewers said they needed date-of-birth information to prove they’d actually conducted the survey with a real person. All told, 92 percent of respondents provided a date of birth, and an equal number shared their home telephone number.
Of course, identity thieves could have a field day with such information. “One lady I surveyed said, ‘I work for a bank and this information could be used to open a bank account.’ I replied ‘yes’; she then proceeded to give me all her details,” says Claire Sellick, Infosecurity Europe’s event director. “Another man provided all his information without question, but returned five minutes later asking for it back, as he thought that we could use it to gain access to his online bank account. We gave him back his survey form, but did not provide any evidence of who we were. If we had been fraudsters, he would have been too late.”
The survey results “highlight the need to raise public awareness of identity theft,” notes Chris Simpson, the head of Scotland Yard’s computer crime unit. He recommends that people restrict whom they share sensitive information with and properly dispose of printed materials containing such information, in particular by shredding them.
For its part, Infosecurity Europe says it conducted the survey to alert people to the danger of social engineering attacks aimed at stealing people’s personal information. In Britain, 100,000 people are victims of identity theft every year. The U.S. Federal Trade Commission says it received about 250,000 identity theft complaints last year. A study from 2003, however, estimates over three million people had been victims of identity theft.
Infosecurity also says it destroyed all collected information, and randomly rewarded the three promised free theater tickets.
- - -
Firefox: Three Vulnerabilities Revealed
Mozilla’s Firefox has three highly critical vulnerabilities, reports security information provider Secunia. The vulnerabilities could let an attacker bypass PC security and access the PC directly.
The first vulnerability involves “an error in the restriction of privileged XUL files,” says Secunia. XUL stands for XML-based user-interface language; it’s used to describe how Mozilla’s browser window should look. “By tricking a user into dragging a faked scrollbar,” it says, a local and otherwise privileged XUL file could be opened. That said, “the vulnerability itself does not pose any direct security risk as no XUL files in the product use external parameters in an insecure way nor do any destructive actions when being opened.”
The final error involves how Firefox processes GIF images. “A heap-based buffer overflow” could be caused, notes Secunia, “via a specially crafted image.”
Mozilla released version 1.0.2 of Firefox to fix the problem. All previous versions of Firefox are reportedly vulnerable.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.