PayPal Tests Mobile Payments
http://www.wirelessweek.com/toc-newsat2direct/03%2F23%2F06
http://www.attrition.org/pipermail/isn/2006-March.txt
http://www.eweek.com/article2/0,1895,1931904,00.asp
By Paul F. Roberts
February 27, 2006
Have you ever hit "Send" on a text message on your mobile phone before
addressing it? Ever wondered where all those lost SMS text messages
go? If so, you might want to speak with Stan Bubrouski, whose cell
phone has been channeling wayward text messages from across the
country for years.
Bubrouski, a computer science major at Northeastern University in
Boston, is the proud owner of 'Null at vtext.com,' an account on the
popular Verizon text messaging service that allows Internet users to
send e-mail and IM messages directly to his cell phone as SMS text
messages.
Bubrouski said he was just being clever when he signed up for a
Verizon vText account with the user name 'null,' after his parents
bought him his first mobile phone during his freshman year at
Northeastern, in 2001.
"I've been paying for it ever since," Bubrouski told eWEEK.
Bubrouski's new vText account didn't just hook him up with his
friends, it also opened the door to a blizzard of unsolicited messages
from individuals and companies that, for the last five years, have
unwittingly forwarded reams of data to his phone.
That data has become more sensitive in recent months, as companies
rush to deliver everything from SAT test scores to medical information
and automobile diagnostics to cell phones and PDAs.
Bubrouski's experience, while unusual, could be a sign of growing
pains in the wireless industry, as companies rush to provide wireless
data services, overlooking steps that could secure the data in
transit, according to one security expert.
Bubrouski, who is finishing his senior year at Northeastern, noticed
something strange about his vText account almost immediately after
activating it in 2001.
"I started getting phantom text messages with no callback number and
an empty 'From:' field," Bubrouski wrote.
Initially, the content of the messages was innocuous, he said. "It was
things like 'don't forget to drop the car off at baker's' and to 'call
mom at 781-XXX-XXXX', stuff like that," Bubrouski wrote.
The problem worsened in mid-2002, when Bubrouski's phone began
channeling what he claims were dozens of messages from an e-mail
address used by General Motors' then-new "OnStar" system.
The messages quickly filled up the memory on his cell phone and
contained diagnostic response to tests on a beta version of OnStar.
"Basically, peoples' cars were sending messages to my phone,"
Bubrouski wrote.
Bubrouski contacted GM and was able to reach someone familiar with the
OnStar tests, and get them to stop the messages after about a week.
"I was happy again - for about two weeks," he wrote.
Next, Bubrouski's phone started receiving SMS sports scores and news
from ESPN, the sports cable network, which had struck up a partnership
with Verizon.
Bubrouski's phone was still getting dozens of messages from the
service, but because the service wasn't public yet, he couldn't find
anyone at Verizon or ESPN who had heard of it and could help him with
his problem.
Bubrouski said he deleted the messages from his phone. He was unable
to provide proof of the OnStar or ESPN messages to eWEEK.
In a pattern that would repeat itself in the years to come, Bubrouski
simply blocked the ESPN e-mail address using a blocking list at
vtext.com and waited for the next stream of messages to hit his phone.
Over time, Bubrouski accumulated a block list of around 15
"offenders"?individuals and companies who were sending him large
volumes of unsolicited information.
Bubrouski theorizes that his choice of user name is the culprit in the
data leaks.
In the world of software design, "Null" is commonly used to represent
"no value" or "0." Developers of mobile services use the "Null"
address during testing routines, assuming that the messages won't be
sent to anyone.
Verizon may also be substituting "Null" for an invalid or missing "To"
address in messages sent over Vtext, he said.
Misplaced "Call Mom" messages aren't likely to harm anyone, but by
late 2004, the unsolicited SMS problem exploded, and took on a darker
nature, as mobile data services started popping up all over to take
advantage of a new generation of feature-rich mobile phones, Bubrouski
said.
"I was getting people's grades, order information from unknown
retailers, personal messages with people's credit card numbers [and]
social security numbers," he wrote.
Most of the messages were sent by individuals, but many arrived in
volume from companies like eMbience Inc. of San Diego, Calif., which
unwittingly sent reams of MapQuest Traffic data to Bubrouski's phone.
An eMbience spokeswoman said that Bubrouski's vText account was the
same as an account used by engineers for internal testing.
Once eMbience was informed, in November, that MapQuest test messages
were going to Bubrouski's phone, they changed the address used in
testing for the company's services.
Another company involved was Vocel Inc., also of San Diego, which
develops mobile data services for companies including The Princeton
Review and Random House.
The company's Princeton Review service helps students study for a
variety of standardized tests using their cell phone, including the
SAT, GRE and LSAT, according to Tyler Jensen, vice president of
operations at Vocel.
A new Vocel service that is in testing called "Pill Phone" sends
medication reminders to individuals' cell phones, he said.
Messages from both the Princeton Review Service and Pill Phone were
accidentally sent to Bubrouski's phone because of a flaw in a sharing
feature in the service that allows test results completed on the phone
to automatically be forwarded in SMS or e-mail format to a third party
such as a parent or tutor, he said.
Messages without a "To" address were not delivered by the service.
However, because of a programming flaw in the client server software,
messages with an invalid address, such as a blank space, were
translated as "Null," and wound up on Bubrouski's phone, Jensen said.
"The fault was entirely ours," he said.
Vocel was informed of the problem by Bubrouski on Feb. 8 and had the
problem fixed by Feb. 10.
Verizon Wireless sues another spammer. Click here to read more.
While the Princeton Review messages that Bubrouski received were from
a service that is in production, the Pill Phone messages were merely
test data generated by Vocel engineers, not actual reminders, he said.
For example, text messages from server at vocel.com told Bubrouski that
"A student at 4105704297 has just completed Princeton Review Word Set
1 with a score of 71%."
A message from pillphone at vocel.com informed him that "A user at
7325894169 has not responded to his/her 01:45 PM dose of
Pronestyl-SR," according to examples of data provided to eWEEK.
Vocel does not channel sensitive data from third-party servers. All
the data that is circulated, such as test scores and medication
information?is entered by the cell phone user, or generated on his or
her phone, Jensen said.
Still, Vocel is taking the incident seriously.
"This was a wake-up call for us from the standpoint of ensuring that
back-end systems are doing verification and checking," he said.
Jensen was loath to criticize Verizon, which provides SMTP gateways
that route data sent from cell phone users and providers like Vocel to
its customers.
However, others said that Bubrouski's experience may be a sign of
larger problems with the way that providers like Verizon are running
their text messaging networks.
SMS users, like e-mail users, rely on the fact that carriers like
Verizon won't accidentally deliver improperly formatted messages, such
as those with no addressee, to an unrelated address, said John
Pescatore, a vice president at Gartner.
"There's no way that this should be happening. No e-mail system would
ever do that," he said.
Verizon should be rejecting messages with improperly formatted
addressee information, not forwarding it to an account, he said.
Bubrouski agrees.
"I'd have to say Verizon is at fault. Sure, service providers make
mistakes, but Verizon shouldn't be accepting messages from no one to
no one," he said.
Verizon declined to comment in detail on Bubrouski's case. However,
Verizon wireless spokesman Jeffrey Nelson thanked eWEEK for bringing
the 'Null' account issue to the company's attention, and said Verizon
is looking into the issue.
The problems that Bubrouski experienced may be particular to Verizon's
network. However, security is a larger problem in text messaging and
e-mail, where trust is assumed between senders and receivers of
message data, said Brian Berger, a vice president of marketing at Wave
Systems Inc. and marketing chair at the TCG (Trusted Computer Group).
TCG is developing specifications for hardware building blocks,
including the TPM (Trusted Platform Module) chip that can secure
transactions from mobile devices.
Companies like Nokia, Motorola, ARM, Vodaphone, Wave Systems, as well
as Intel and IBM are participating in the process, and specifications
are expected this Summer, Berger said.
As mobile devices become more powerful and are used to log into secure
networks, and conduct high value transactions, users will need to have
a way to authenticate themselves, manage passwords and prove their
identity using mobile phones, he said.
While Verizon works on the problem, Bubrouski said he's grown
accustomed to his plight as a shepherd for lost text messages.
"I've received thousands of text messages over the past five years,"
he wrote. "Probably only about 200 or so were actually meant for or
even sent to me directly."
Getting rid of his vText account would stop the stream of unwanted SMS
message problem, but Bubrouski said he enjoys reading the messages he
receives, and blocks companies and individuals when the volume of SMS
they're sending him gets too high.
"I've kind of gotten used to it," he wrote.
From isn at c4i.org Fri Mar 3 05:29:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:29:30 -0600 (CST)
Subject: [ISN] Fight Spam with Blacklists
Message-ID: <Pine.LNX.4.44.0603030428340.26639-100000@idle.curiosity.org>
====================
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
Availl
http://list.windowsitpro.com/t?ctl=22685:4FB69
St.Bernard Software
http://list.windowsitpro.com/t?ctl=22670:4FB69
====================
1. In Focus: Fight Spam with Blacklists
2. Security News and Features
- Recent Security Vulnerabilities
- Over 45,000 New Malware Threats Discovered in 2005
- Phishing Sites Increase Significantly in December 2005
- Combining LogParser and Sed
3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips
4. New and Improved
- Block Bots and Other Web Malware
====================
==== Sponsor: Availl ====
Ensure instant access to files at all remote servers and eliminate 95%
of your network traffic.
Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or
Replication technologies? Do you have remote sites with common data or
file needs?
Get a free software trial, and register for the free seminar.
http://list.windowsitpro.com/t?ctl=22685:4FB69
====================
==== 1. In Focus: Fight Spam with Blacklists ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
I'd guess that the biggest spam headache we all face is false
positives--messages that are inadvertently flagged as spam. False
positives can be a significant problem, particularly for businesses.
After all, you don't want business associates to think you're ignoring
them.
I recently wrote in the Security Matters blog about my findings with
one particular mail server's various filters (at the URL below). The
system uses a dozen filters to help eliminate unwanted email. One thing
to keep in mind about filters is that what works for one entity might
not work as well for another. You should try several filters and
monitor your systems to determine what works best to eliminate the
particular types of unwanted mail you receive.
http://list.windowsitpro.com/t?ctl=2267E:4FB69
That said, my findings for the organization in question might be
interesting to you. After observing the filters process more than
254,000 messages, I found that the most effective one for this
particular organization is a simple language filter. The filter drops
messages written in character sets that aren't used by the
organization. Language filters might not be appropriate for every
business, particularly those that have international relations, but
many businesses might find such filtering useful.
The second most effective filter is an IP blacklist filter. IP
blacklist filters query blacklist service providers about a given IP
address, including the address of the message sender and any addresses
that relayed a particular message along its delivery route. If the
result of the query shows that the IP address is on the service
provider's blacklist, then the probability is high that the message is
spam. Some blacklist service providers also track addresses that are
known to send viruses, Trojan horses, worms, back doors, and other
sorts of malware. These blacklists can be useful in helping you keep
such nuisances off your network.
News 
Market Data 
Discover 
AI
