[SecurityRatty] tag: accessibility

Target Web Sites Sued for Being Inaccessible to Blind Students

Thu, 28 Aug 2008 09:33:49 +0000

I fully support people’s civil rights and freedoms, and regulations that help people with disabilities survive and succeed in society. Still, I sometimes wonder if certain things can go a bit too far. Recently, a blind student sued the retailer giant Target for having a web site that couldn’t be parsed by his special reader…and won, even though no regulations actually exist to control the accessibility of web site content…

Target has settled a class action lawsuit with the National Federation of the Blind over accessibility complaints with Target.com. Despite the law being unclear as to whether the Americans with Disabilities Act (ADA) applies to websites, the company will pay a substantial fee and update its web site to make it accessible to the blind.

In February 2006, Bruce Sexton Jr., a student at the University of California-Berkeley and president of the California Association of Blind Students, sued Target because its web site was inaccessible to the blind. Filed in conjunction with the National Federation of the Blind, the suit was used as to spotlight many corporate sites that don’t play well—if at all—with screen reading technology.

Read the full article here.

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.

Awareness in Installing Some Types of Software

Wed, 01 Aug 2007 15:14:00 +0000

Awareness in Installing Some Types of Software

Generally considered as some kind of potentially unwanted programs (PUP) by the Internet Security Company (McAFee,) adware and spyware could pause as a menace to original computer owners, web developers, and IT of certain corporations. Advertisements (adware) already included and mainstay of the program could present a threat or traffic nuisance for reason of its vulnerability to information disseminations, causing notorious cases of "identity theft," that'd been threatening risk on the loss of personal properties, finances, bank's credibility, financiers, and other financial institutions over the globe.

In the United States alone there is a rampant of identity theft to personal properties thru the process of transfer of ownership to a wrong person because of stolen Credit Card numbers, passwords, and other personal identifications robbed thru the internet in forms of spywares that camouflaged use-legalities that are merely ignored by users and computer owners.

Adware and Spyware software present a totally different usage in program inclusions, and for the user. While adware is a legal part of the computer's administrative settings, spyware is ironically a deceptive method, that'll not directly pause as illegal for it may be included in some software that fronts acceptance. By the time it reaches the user's end it reacts like semblance of some kinds of virus or worms; at times just ignored not to be serious and obvious, but with motives, to invade the accessibility and manipulations of some confidential information from the computer, to be transmitted to other end users who may just wait for any advantage taken from this kind of traffic interference.

When the adware database link discovers the effects of detailed interference on some confidential records, those that need financial consideration of return-payments in nature, and wherein, exclusive website agenda had already been diverted to the other end without having to pay from the mother source, it'd be too late to reconstruct to normal settings. It is expensive to replenish and change to untarnished software. At times immune anti-virus is also out there, but anywhere it goes about entails some extra expense on part of the developer.

Spyware is software that support adware usage by PC espionage on different activities in a computer such as e-mail or chat logging, but could easily cause to detour web traffic that's detrimental to e-commerce if abused or used without consent; therefore, by no means the deceiving technology in adverse adware usability.

A number of adware companies seem to feel bias about PC surveillance (spyware) for reason that, although, they had already disclosed specific data collections and transmissions on account of privacy security from their database link, it can't totally control the chances of any outgoing data, where, and to whom it might be sent. Spyware technology has the capability to send not just the banner data from the mother PC, but could channel it to other interested parties that could even install-in to a new program.

The spyware technology is by far infused into the database without the owner's awareness or consent, however, they come in as "drive-by downloads" or the user goes to click in options in "pop-up" windows, and immediately detoured to some other programs, either pornographic, or anything else without essence.

The adverse effect of adware is the fact that when it is installed in the computer and the user consents to include tracking features, it automatically becomes a "spyware" when used by another user who interacts with the "adware" outside any database link.