Teen Reported to Police After Finding Security Hole in Website

A teenager in Australia who thought he was doing a good deed by reporting a security vulnerability in a government website was reported to the police.

Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department.

It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne.

Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.

“It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Phil Kernick, of cyber security consultancy CQR, told the paper. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”

The paper doesn’t say how Rogers accessed the database, but says he used a common vulnerability that exists in many web sites. It’s likely he used a SQL injection vulnerability, one of the most common ways to breach web sites and gain access to backend databases.

The practice of punishing security researchers instead of thanking them for uncovering vulnerabilities is a tradition that has persisted for decades, despite extensive education about the important role such researchers play in securing systems.

The Age doesn’t say whether the police took any action against Rogers. But in 2011, Patrick Webster suffered a similar consequence after reporting a website vulnerability to First State Super, an Australian investment firm that managed his pension fund. The flaw allowed any account holder to access the online statements of other customers, thus exposing some 770,000 pension accounts — including those of police officers and politicians. Webster didn’t stop at simply uncovering the vulnerability, however. He wrote a script to download about 500 account statements to prove to First State that its account holders were at risk. First State responded by reporting him to police and demanding access to his computer to make sure he’d deleted all of the statements he had downloaded.

In the U.S., hacker Andrew Auernheimer, aka “weev”, is serving a three-and-a-half-year sentence for identity theft and hacking after he and a friend discovered a hole in AT&T’s website that allowed anyone to obtain the email addresses and ICC-IDs of iPad users. The ICC-ID is a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.

Auernheimer and his friend discovered that the site would leak email addresses to anyone who provided it with an ICC-ID. So the two wrote a script to mimic the behavior of numerous iPads contacting the web site in order to harvest the email addresses of about 120,000 iPad users. They were charged with hacking and identity theft after reporting the information to a journalist at Gawker. Auernheimer is currently appealing his conviction.

Rogers confirmed that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age.

(wired.com)