Archive for February, 2008

Coding Oversight: Vodacom Security Breach

February 17, 2008

A simple coding oversight has left the Vodacom4me site vulnerable, allowing access to customers' private call records. The flaw lets a user increment their own customer number and thereby view other customers' accounts at random.

Here is a quick example of the problem. Say we have a page that displays a customer's call records:
callrecords.php

The page accepts a customer id, which it then uses to query the database and present the returned data, e.g. callrecords.php?customerid=12345
The parameter is accepted via either a POST or a GET.

Now anyone with a little web knowledge can simply increment the id to, say, 12346 and thereby obtain the personal data of a random Vodacom customer. The page never checks that the customer id being requested belongs to the user who is logged in.
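To make the oversight concrete, here is an added example (not code from the original post or from Vodacom) of a call-record handler that trusts the customerid parameter as described above, beside a hardened version that derives the record owner from the authenticated session instead. The handler names, the session dictionary and the tiny in-memory "database" are all constructed for illustration.

```python
# Constructed sample data standing in for the call-record table.
CALL_RECORDS = {
    12345: ["2008-02-01 10:02 +27 82 000 0001 3m12s"],
    12346: ["2008-02-02 18:40 +27 83 000 0002 0m45s"],
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def vulnerable_callrecords(params, session):
    """Mirrors the flaw: the customer id is read straight from the request
    (GET or POST are equivalent here), so the logged-in user is irrelevant and
    any id that exists in the table is returned."""
    customer_id = int(params["customerid"])
    return CALL_RECORDS.get(customer_id, [])


def hardened_callrecords(params, session):
    """Fix: the record owner comes from the authenticated session, never from
    the client.  A customerid parameter is only honoured if it names an account
    this session is authorised for (e.g. a business user managing several lines,
    a hypothetical 'managed_accounts' list in the session)."""
    owner = session.get("customer_id")
    if owner is None:
        raise Forbidden("not authenticated")
    allowed = set(session.get("managed_accounts", ())) | {owner}
    try:
        requested = int(params.get("customerid", owner))
    except (TypeError, ValueError):
        raise Forbidden("malformed customerid")
    if requested not in allowed:
        # Worth logging: repeated mismatches from one session are the
        # signature of the id-incrementing behaviour described in the post.
        raise Forbidden(f"session {owner} requested records for {requested}")
    return CALL_RECORDS.get(requested, [])
```

The mismatch branch is also the natural place to emit an audit event, since a single session requesting many neighbouring ids is easy to alert on.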

Here is Vodacom’s response to the problem:

Vodacom spokesman Dot Field said that when the Sunday Times brought the matter to their attention, the vulnerable section of the website was “disabled with immediate effect”.

The weakness had made it possible to display random customer information from a “caching front end server” which briefly stored information. The main database of information was secure, she said.

I'm really not sure how they can claim the main database remained secure. This is another case of throwing technical terms around to try and cover up a blatant error.

Solution: simple. Ensure your developers have proper security training and improve the QA process.


Jake White Interview

February 13, 2008

In case you missed it, here are the links to the Radio 702 interview with World Cup winning Springbok coach, Jake White. The interview is in 5 parts and well worth a listen.

South African Humor at its Best

February 10, 2008

Here is an audio clip from Good Hope FM's Ryan O'Connor which can only make you smile. He pretends to be an Eskom representative calling a disgruntled customer about the power outages.

Link 

Computrainer launches Real Course Videos

February 7, 2008

Earlier this week, CompuTrainer released their latest product, interactive real course videos. They filmed 16 Ironman races as well as the Tour of California and developed new software to precisely synchronise the film speed with your speed on the CompuTrainer.

The software’s features are similar to the current 3D software and include SpinScan, performance recording and detailed performance data.

Each course comes on a separate DVD. I really would’ve liked the course videos to be made available via download.

I've personally recently opted for the Erg Video solution, placing my order a few days before the CompuTrainer release. I'm keen to try both products and compare how they perform against each other. Being a huge fan of the CompuTrainer, I know I'm going to buy at least a few of their new course videos. Perhaps only in a few months though.

The Ironman Coeur d’Alene DVD is currently available to order online. They also have a list of the upcoming releases.

Link


Update:
View the CompuTrainer and the Real Course Videos on the Today Show.
Link