WiFi monetization by a patent pending system that allows us to inject
any kind of content including ads, during the browsing session rather
than just on the landing page like our competitors. Our deployment will
allow advertisers to advertise by geo-location and segment in order to
pinpoint the right audience.
Cloud Services
Simplicity in creating and editing landing and connection pages (and
much more) with Yadwire’s back office and studio. Instead of paying an
outrageous amount on a WiFi system with a landing page, with us it can
be done in a minute, online! We have a series of products to offer as a
WiFi service and they are all cloud based.
Management system
With our cloud management system, every WiFi owner or other IP
related technology owner can manage messages, ads and any kind of
content from the cloud. Owners can also communicate with their
guest/employees on a real time basis."
If until today you were used to seeing ads on Egged buses, soon you will be able to watch ads while surfing during the ride as well, and maybe a bit more.
It is not yet clear how much the users will be tracked, but there is a revolution here in the ability of businesses and organizations to serve targeted, segmented advertising to end users of the wireless network.
As part of the range of services Yadwire offers, it enables targeted advertising that takes over parts of the computer or personal phone screen of the user, for example on an Egged bus.
Personally, I have a dual position on this topic.
I am in favor of channeling the wireless internet system, but against collecting personal details.
I think that Egged, which was the first to implement wireless internet on buses in Israel, is adopting technological innovations here that will advance it, and it should be congratulated on the matter.
On the other hand, attention must be paid to information security and the privacy of the customers.
Looking for a job can take you into very interesting places.
That's how I found this security flaw in TMP Worldwide.
If you are looking only for the technical report, I'll make it simple for you.
Instead of typing a password, the attacker was able to insert the email of his victim.
The attacker can check the current location/wanted location of a potential worker.
The attacker can send emails with an offer to work under your company's name.
Workers can be fired from their jobs if the current employer finds out that they want to change jobs. (BI)
TMP Worldwide didn't handle it so well; they even told me to contact their client instead of taking the problem into their own hands.
eBay answered me, but didn't give me a new update for more than 45 days.
Since the major problem has been fixed, I'm publishing my findings.
A security flaw I found in the smart job agent of TMP Worldwide affected, among others, these companies:
HP
Walmart
Officedepot
eBay inc
Scotiabank
All candidates for jobs at these companies who used the smart job agent system (Job Alert) were exposed to harm.
Severity: low to medium
Scope: wide
Many of you are trying to get a job. In my recent journey to get one, I found this security flaw in TMP Worldwide (Telephone Marketing Programs).
I really wanted a job, nothing more, nothing less.
TMP got the warning first; I tried phone calls (I was ugly) as well as an email exchange, which started fine, but then they disappeared.
Since I was told by a TMP representative to speak with the company where the problem appears, I emailed eBay about the issue.
eBay's answer was
To the point: you can read more about TMP Worldwide on their website or Wikipedia.
In general, they are an independent recruitment advertising agency. The product which had a problem was their Job Alerts system, which is part of TalentBrew:
"Stay connected with your candidates through e-mail sign-up and RSS feeds. Job Alerts give job seekers the ability to receive customized updates on job listings they are interested in."
After understanding who TMP are, let's try to understand more about the impact of the problem.
In the Talent service they provide, potential recruits are offered to add their email, as well as their favourite countries/jobs. From then on, the job alert system starts to work, and the potential recruit gets an update for any new job listed on the website.
As a SaaS (Software as a Service) product, with strong integration into a variety of clients, TMP Worldwide won awards and later made cooperation deals with major players around the world, such as Oracle, which acquired Taleo Corporation (NASDAQ:TLEO) back in 2012.
The impact is really clear: on many recruiting websites Taleo and TalentBrew come hand in hand, Taleo for the job offer and TalentBrew to do many things behind the scenes, like Job Alerts.
Since TMP Worldwide has a variety of clients, in many cases they handle the whole recruiting website, not only the TalentBrew integration.
To make things clear, the problem appears in TMP; Oracle is just another way to sell the SaaS services of TMP.
Now to the problems:
Architecture (not fixed):
Basic system problems:
1. The password contains only six digits, numbers only, which can be cracked very easily by brute force.
2. The channel is not secured with SSL.
3. The emails come from tmp.com, which is not eBay/PayPal or any domain of your group.
Attack scenario:
An attacker can brute force the password.
Those problems were never fixed.
The problem which has been fixed is the ability to get into the recruit's alert system when you know the target's email.
Attack scenario:
Using the target's email, and having the database of eBay's workers, the HR office can check whether someone added himself to HP's recruiting website; this gave the attacker the ability to know the plans or wanted jobs of his workers.
By the way, remember this? "Apple, Google, Intel, Adobe to pay $325 million to settle hiring lawsuit" ..
We can only imagine how many workers are using the Job Alert system every year.
Potential workers should get better security.
Aftershock:
An attacker can now know the current location/wanted location of a potential worker.
An attacker can send emails with an offer to work under your company's name.
Workers can be fired from their jobs if the current employer finds out who wants to change jobs. (BI)
HP
eBay inc
Walmart
OfficeDepot
Scotiabank
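Added here as an illustration (not TMP's or TalentBrew's code): the weak pattern the post describes, a subscriber profile reachable from the email alone or behind a six-digit numeric password, next to a hardened flow where a signed, expiring manage token is mailed to the subscriber. The server key, the email addresses and the subscription store are constructed.

```python
import hmac
import hashlib
from typing import Optional

PIN_KEYSPACE = 10 ** 6  # six numeric digits: 1,000,000 candidate passwords


def brute_force_seconds(attempts_per_second: float) -> float:
    """Worst-case time to exhaust a 6-digit numeric password at a given rate."""
    return PIN_KEYSPACE / attempts_per_second


# Constructed secret; a real deployment keeps this out of source and rotates it.
SERVER_KEY = b"constructed-server-key-rotate-me"

# Constructed subscription store keyed by normalised email address.
SUBSCRIPTIONS = {
    "alice@example.com": {"locations": ["Tel Aviv"], "roles": ["security engineer"]},
}


def lookup_by_email_only(email: str, store: dict) -> Optional[dict]:
    """Vulnerable pattern from the post: knowing the email is enough to read the profile."""
    return store.get(email.lower())


def issue_manage_token(email: str, now: int, ttl: int = 3600) -> str:
    """Token sent to the subscriber's mailbox; binds the email to an expiry with an HMAC."""
    exp = now + ttl
    mac = hmac.new(SERVER_KEY, f"{email.lower()}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def lookup_with_token(email: str, token: str, now: int, store: dict) -> Optional[dict]:
    """Hardened pattern: require a valid, unexpired token bound to this email."""
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return None  # malformed token
    if now > exp:
        return None  # expired token
    expected = hmac.new(SERVER_KEY, f"{email.lower()}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None  # forged token or token issued for another email
    return store.get(email.lower())
```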
Here you can see how I spotted the SQL vulnerability via Google:
To add more data, I've added this who.is proof to show the connection to TMP Worldwide.
If you really want to see the video, here is the PoC related to eBay inc.
The Israeli Movement for Freedom of Information again exposed private and sensitive data of many private and public persons; this included phone numbers and more sensitive data.
To be clear, I blame the ministers' offices, who gave them the files. I blame the NGO, the Movement for Freedom of Information, who published it as is. I blame as well any information security and legal advisor who didn't redact the private information in the files.
The exposure took place during the usual act of sharing with the public information which was hidden until now.
On the 2nd of Nov. 2014, just a couple of days ago, the NGO exposed data of up to 85 mentally ill people who were mentioned in a list given to them by the Ministry of Health.
Unlike the Ministry of Health, which took responsibility and apologized, the NGO's answer to the issue (Calcalist) blamed only the Ministry of Health. They didn't say anything about the fact that they published online information about people against their privacy.
"And there was also the strange case of the Ministry of Health, which passed us a supplier list that included, among other things, names of wards and mentally ill people to whom it transfers payments. We drew the Ministry of Health's attention to the matter and asked to receive an updated list (one that also protects individual privacy). The Ministry of Health has not yet sent an updated list."
They said: "We asked the ministers to their appointment calendar for 2013. Despite
the directive of the Attorney General determined that this information
should be published - only 14 ministers from the 23 we gave them, and
they partially. And these are the names of ministers who have not shared the public in their path: Gideon Sa'ar Yuval Steinitz and Israel Katz. Prime Minister Benjamin Netanyahu ignored our request" (Google translate from Hebrew)
Well, they did publish many diaries, which is good, but a lot of information related to private people, phone numbers and much more, was published as well.
The NGO used to blame anyone who sends it info, saying "we don't touch it", but saying that you don't take any responsibility for information given to you by others doesn't leave you with clean hands. I really like what they do, but I'm sure everyone who wants to publish information about elected officials or government ministries should check whether more people will be in the line of exposure.
This story can't be understood without knowing that nowadays there is a very cool project in Israel called "100 days of Transparency", founded by Tomer Avital.
This different project had significant success, getting crowdfunding of 159,151 ILS from 1,473 backers, as well as making people in the parliament look around to see if there is a private investigator.
Having this kind of activity can be really good, as long as you don't harm the public, as the Movement for Freedom of Information did, at least in the story related to the mentally ill people.
The story has a twist: since not only the government ministry has a responsibility when sharing other people's information with an NGO, knowing it will be published, we can realize that there is a lasting impact on privacy in Israel.
Last week we heard about the story of the Dog Centre apps, which was published here for the first time, and made the Minister of Agriculture agree with the problem of the apps, and even consider taking them down.
Now, back to our story: I can see how the project "100 days of Transparency" could be changed to "100 days of protecting privacy"...
I really hope that this project of Tomer Avital will be a great story; I really like it.
Moreover, I will do my best to help the Movement for Freedom of Information, but I can't accept the idea of publishing private information like they did, while blaming others for the missing redaction.
The government as well as the NGO both made mistakes. Unlike the NGO, the Ministry of Health took responsibility, while the NGO refuses to do so, and even insists on keeping the same process in the future.
Since it contains many pages, I'm adding them now for public review.
To remind you, the Ministry of Health, as well as the NGO, made a bigger mistake not so long ago.
In my opinion, the Movement for Freedom of Information should double-check any data they publish, as should the people who give it to them, who are mostly government officials.
Sharing data with the public should have more privacy-related rules, and guarding the privacy of the public should be integrated into the motivation of sharing all we know about elected officials.
Update 15:52 13.11.2014:
Answers from the NGO
09:23 AM
Amitai, greetings,
First, it is important to clarify that the Movement publishes information as it is delivered to it, without any change, addition or removal. The discretion over how to deliver the information lies with the provider of the information, in this case Bennett's office, so I recommend that you contact them and express your reservation about the way they chose to deliver the information.
Regards,
Racheli Edri, Adv.
The Movement for Freedom of Information
10:56 AM
Amitai,
Just as you managed to reach us, I am sure that whoever looks for us will find us too. It is not complicated; we are usually available by phone at the office and at this email, and as you can see we answer everyone who contacts us.
Regarding the Ministry of Health, the information was not published; we drew the Ministry of Health's attention to it and asked them to send a new list without the names of the wards. We have not yet received such a list, so of all the supplier lists we received, the Ministry of Health's list is missing, even though it is in our possession.
Here too, the mistake was the Ministry of Health's, and as I wrote, without our attention a very great injustice would have been done to dozens of wards.
The procedures we work by are the provisions of the Freedom of Information Law and nothing more.
As I wrote to you in the previous email, any claim about the information that was sent should be directed to whoever sent the information.
To the best of my understanding, Bennett's office is working on a new list; when it is sent we will of course update. In the meantime, we have not received any official request from Bennett's office to remove the information.
--
Racheli Edri, Adv., The Movement for Freedom of Information, The College of Management Academic Studies, P.O. Box 25073 Rishon LeZion, postal code 7502501, Tel: 03-9560146 | Fax: 03-9560359 |