[ISN] DeBeers' security hole reveals customer information

From: William Knowles (wk@C4I.ORG)
Date: Tue Apr 04 2000 - 16:52:46 CDT


http://news.cnet.com/news/0-1007-200-1639327.html?tag=st.ne.1002.thed.1007-200-16393271007-200-1639327

By Stefanie Olsen
Staff Writer, CNET News.com
April 4, 2000, 4:45 p.m. PT

On the Web, diamonds can be a spammer's best friend.

About 35,000 customer email and home addresses were exposed on
adiamondisforever.com, an informational site about diamonds sponsored
by De Beer's, CNET News.com has learned.

Chad Yoshikawa, a Bay Area consultant, stumbled across the security
hole today while searching for his home address through a search
engine. The results turned up a little more than he bargained for.

A Web page he found, pulled from the De Beer-sponsored site, lists the
names, phone numbers, home and email addresses of people registered
with the site, along with his own. Yoshikawa, who said his wife
entered a diamond contest through the site, contacted a site
administrator immediately because "it didn't look like they were too
on top of things because it was hard to find the privacy policy."

Jim Greene, system administrator for hosting company Luminant, replied
in the email to Yoshikawa: "We have investigated and fixed the problem
with the site. This area is not active on the site any longer."

The security breach resembles several related "data spills" from Web
sites. Last year, Butterball published the names and addresses of
people who signed up to receive recipes via an online newsletter.
Nissan also exposed a list of more than 24,000 email addresses of its
potential buyers last year.

"This kind of occurrence is all too frequent. (But) the De Beer's
seems especially troublesome because it suggests access to high-net
individuals," said Jason Catlett, president of Junkbusters, an online
advocacy group.

"Who knows how many people have noticed or downloaded the list before
it came to the attention of the media," Catlett said.

Greene said Yoshikawa and CNET News.com were the only ones to spot the
file.

"We have looked into the server logs and see no indications that
anyone besides yourself and someone coming from C-Net accessed the
files," he wrote.

Adiamondisforever.com, which launched in November 1996, is part of The
Diamond Information Center (DIC), a marketing service for De Beer's,
one of the largest diamond producers and marketers in the world.

The site's privacy policy stipulates that the company does not "make
available the email addresses of those who access our site to other
organizations or companies."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com