by: NMAWorldEdition


Julian Assange through his Wikileaks website promises greater government transparency. But his document dumps have angered officials around the world.

US Senator Joseph Lieberman has pressured internet companies to withdraw their services from Wikileaks. Rather than protect internet freedom, Amazon and PayPal have willingly complied with US demands.

Assange is the subject of death threats. Some government officials say he should be assassinated. Sarah Palin said he should be hunted down like a terrorist.

Efforts to take down Wikileaks have proven futile, thanks to mirror sites.

Meanwhile, Assange has been arrested in the UK on rape charges. He has vowed to release more documents in a ‘nuclear’ option if arrested or killed.

Yet more cross scripting flaws discovered on PayPal site(s)…

From Softpedia, via xssed.com

Two security researchers have independently identified cross-site scripting vulnerabilities in PayPal’s mobile and sandbox websites over the weekend, which could have been exploited in phishing attacks.

The XSS weakness on the registration.sandbox.paypal.com website was discovered by a member of the Romanian Security Team (RST) outfit, who goes by the online nickname of Nemessis.

article continues…

One vulnerability is confirmed fixed.

Please take note who is researching and reporting, Romanian bashers…

This reminds me of another incident which happened a while back. Also, if you haven’t been paying attention, it’s been reported that several smartphones are vulnerable to MITM attacks.

Romanian Detained Over eBay Cyber Fraud

Romanian detained over a $3 million cyber fraud against eBay Inc.

Very interesting article from abc news:

Romanian authorities have detained a man suspected of committing cyber fraud worth $3 million against the company eBay Inc.

Organized crime prosecutors say Liviu Mihail Concioiu is being investigated for “phishing” attacks against 3,000 of eBay Inc. employees.

They said Thursday that Concioiu allegedly stole the employees’ IDs and passwords in 2009 and accessed company files, including an application with the data base of eBay clients and their transactions. Concioiu then used “phishing” sites to access the accounts of about 1,200 eBay users.

It would appear the ebay database has been hacked, cracked, and zombied AGAIN.

(or is that still?)

Also notice how the term ‘phishing’ is constantly used. ebaY doesn’t like the “H” word it seems. But “phishing” alone does not get you access to the files and data described. We call that “HACKING”

rotflmao! Who could imagine?

It also tells us that ebay employees must not be too savvy if they are falling for whatever tricks are being used to gain the logins etc.

No mention of any response from ebay.

With its long and repeated history of such events, you should ask yourself whether you trust this unsafe outfit with your personal and financial data?

Who could imagine?

The long uncorrected xss flaw rears its ugly head again!

Auctionbytes reporting that falle-internet.de has again discovered listings with the malicious coding, this time with a virus twist.

The most important and telling quote of the article:

“They used javascript and java to address a known vulnerability; user’s computers were affected by just viewing the respective listings,”

See that part about “…just viewing the respective listings…” ?

That is one of the main reasons I advocate avoiding ebaY at all costs. Another is that they BLAME the USER for their own failures! Furthermore, they refuse to correct the flaw! Make no mistake, ebaY is a dangerous, untrustworthy, and dishonest website. Of that there is proof beyond the slightest shadow of a doubt!

ebaY is HACKED! Yes! ebaY is still HACKED!!!

Here is the report, with screencapture images, in English at falle-internet

My research indicates this issue has been ongoing at ebaY for about 10 full years now. Perhaps not under the same name, but indeed cross-scripting has been exploited on ebaY since before it even had that name. Ebay has been aware of the issue for that long also. Since looooong before the US-CERT warning was posted. Bear in mind there are many variants of this exploit possible to use. It’s been used also for the redirects, and for cookie-stealing etc. The possibilities are only limited by the hacker’s imagination and ebay’s steadfast refusal to secure its festered site.

I’ll be posting another video demonstrating the +/- 10 year longevity of the xss flaw on ebaY before long at the Cappnonymous channel.

ebaY Crafty Hackers and iPhone Scams

by Cappnonymous

Very interesting article by Bruce Schneier in yesterday’s Wall Street Journal.

Reminds me of a so-called “Glitch” which occurred with PayPal not long ago and was rumoured to have been the result of malicious coding by a disgruntled employee facing layoff.

Thwarting an Internal Hacker

Rajendrasinh Makwana was a UNIX contractor for Fannie Mae. On Oct. 24, he was fired. Before he left, he slipped a logic bomb into the organization’s network. The bomb would have “detonated” on Jan. 31. It was programmed to disable access to the server on which it was running, block any network monitoring software, systematically and irretrievably erase everything – and then replicate itself on all 4,000 Fannie Mae servers. Court papers claim the damage would have been in the millions of dollars, a number that seems low. Fannie Mae would have been shut down for at least a week.

Luckily – and it does seem it was pure luck – another programmer discovered the script a week later, and disabled it.

Insiders are a perennial problem. They have access, and they’re known by the system. They know how the system and its security works, and its weak points. They have opportunity. Bank heists, casino thefts, large-scale corporate fraud, train robberies: many of the most impressive criminal attacks involve insiders. And, like Makwana’s attempt at revenge, these insiders can have pretty intense motives – motives that can only intensify as the economy continues to suffer and layoffs increase.

Insiders are especially pernicious attackers because they’re trusted. They have access because they’re supposed to have access. They have opportunity, and an understanding of the system, because they use it – or they designed, built, or installed it. They’re already inside the security system, making them much harder to defend against.

read more

This post is with regards to the Video, mentioned in this post title.

As we all know by now, the video was removed for alleged “Terms of Use” violations. What that violation may have been is completely unclear, since I have not received any communication from youtube whatsoever regarding the removal.

EDIT / UPDATE 09-29-2007 +/- 06:10 PDT.

The words “Rejected (content inappropriate)” have now appeared on the “My Account / Videos” page at youtube, for that video.

I have also added a link to a screen capture of the incorrect info I find still this morning, & I seek to have corrected / amended.

End edit


The video was posted purely and solely in the interest and the furtherance of what I feel are very important consumer awareness safety issues.

The video and the comments are still both available (upon request) for those wishing to view them. Leave comment below.

Just a note also, you will see where I purposefully zoomed OUT on text which would have revealed any sensitive portions of the shown parts of the postings. You will also notice I neglected to scroll down in the postings, where the bulk of the info was. I took pains to be sure. I did see where an email address was visible briefly in its entirety. To that person I apologize. It was early in the morning, and a vile red liquid coursed through my caffeine stream, causing perhaps slowed reactions.

A visit to my video channel at youtube should be enough to convince most folks that that is quite the case.

However, I have been finding more than one place where it is being, or has been mentioned that the hacker posted that video. That is wholly incorrect.

The first encounter was at the very popular AuctionBytes Blog article dealing with the incident, and a very respected member of the ebay community first mentions it there. I did attempt rebuttal immediately upon seeing that comment.

I feel my point was taken, as I have not seen that person make further such comments. Doubtful he/she is reading this, but I would like to point out these video titles to that person, and all the readers here.

Consumer Alert! Paypal Data Leaks! Compromised Accounts

Safety Alert! ~ ebaY Hacked ~ The List ~ Part 2

How do u report large numbers of compromised eBay accounts?

(this video was originally titled: Safety Alert! ~ ebaY Hacked ~ The List ~ Part 2 Soundie Version, or very similar)

Furthermore, to state that I hold no grudge for the mis-identification, and when the person responded in that discussion they did so civilly and respectfully, without insults or derision. Thank you.

Now, granted, an abundance of the Cappnonymous consumer awareness videos do include in the title “Ebay Hacked”, a fact that has received hateful sneering comments in some quarters, most notably in discussions on the company sponsored boards at ebay. No surprise. My point: What should they be titled as?

Is there really still anyone left who STILL denies that ebaY is HACKED!?

Please go take a brief trip back through time, start at The AuctionGuild.com site around last October to November, and work your way forward.

But I digress. Now, following links on digg.com, I located at least 2 articles which appeared to be assuming the legendary hacker, Vladuz, had posted the video. One site, I now see, has corrected the error. Thank You.

However, there is still a site upon which the blatant, incorrect, false information is still posted.

That site is: arstechnica.com

The article is: Mystery eBay ‘hack’ exposes 1,200 accounts, possibly more

Where it is written:

‘ That done, the hacker posted a video of his exploits on YouTube to celebrate his “achievement” ‘

This information has been “on the air” now for 2 days. I finally responded last night in a discussion at digg.com.

Allow me to re-iterate one more time…

“Everyone just stroll over to my blog and my youtube channel and decide for yourselves.
Cappnonymous, and that name is synonymous with consumer awareness issues!”

Let me go further a bit to state the only achievement I sought was rapid and effective consumer awareness of massive, uncorrected problems, on a website fraught with troubles.

And furthermore the odds are, hacker Vladuz was busy hacking. He had no time for making videos and posting them. I was busy making videos. I had no time to do any HACKING. To the best of my knowledge, Vladuz has better things to be doing than posting videos to youtube, nor have I seen or heard of any purported to be created by him.

I am asking the author of that article to conduct some research and at least add the word “alleged” (unless he/she has some solid evidence, in which case they should post such).

That being said, if there were a shred of proof that Cappnonymous ever hacked anything, I feel fairly certain I would not be here, on a Friday night having to defend my fine reputation against an unfounded and baseless, non-factual assumption, or bit of repeated misinformation or speculation.

I feel confident that anyone investigating the issue of the ebay USA Trust & Safety board massive hack attack & CC info / CI data breach dump on the morning of 09-25-2007 would have looked into who made those videos by now, and whether there were any connection, other than to preserve the event and present it to the public as a Web 2.0 based, factual, documentary audio-visual safety alert, upon a venue where it was most beneficial and accessible to the potential victims.

September 25th, 2007 was a very sad day for ebay users. That has compounded exponentialized since by a wave tsunami of denial, falsehoods, and censorship on the part of ebay, IMO.

I contend that far more harm was done by the responses and actions of ebay than being forthright and honest.

Nuff said!

Now here is a video which does not include the words “Ebay HACKED”.

Of course, I did not create the video, but I feel folks reading here may want to view it. I encourage readers / viewers to visit the youtube page, where you can comment, rate, and/or subscribe.

The Ruination of ebay

by crazeenydriver AKA Joe



Note: this post has been edited to dis-include deprecated links. All the original materials (including the hack attack video, and screencaptures of the comments) are still available upon request.

