Date: Thu, 9 Oct 2008 17:00:16 -0700
From: James Malberry <jamesny10028@...mail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Diamond Prize Center internal documents not secure ...


Here's an actual telemarketing script to get you to go to a timeshare presentation. I do not work for Diamond Prize, nor am I a former employee. I am a tax accountant with a background in Information Technology. Their company site, www.diamondprizecenter.com, is a single web page that is password protected. I did not hack this website; Google crawled their site (as it does all sites) and cached one of their training pages, which I have reproduced below. If this email does make it back to DPC, I suggest the following:
 
1) Rewrite your script(s), without brainer.
2) I highly suggest that you remove sarcastic comments.
3) At the beginning of the script, you should state the *purpose* of the call.
4) It is also suggested that you ask the prospect if they entered for a car in the last 90 days.
 
Buried in the script is an admission that 1 in 4 people actually stay for the whole 90-minute presentation. Whoever is left gets a scratch-off to see who gets what prize. I would post plainly and clearly on your website how your contest has been "State registered for the last 22 years". Such a claim could border on fraud, and this email is already in the hands of state attorneys general and the Department of Consumer Affairs.
The site also features 'recruitment pages' so that current agents can earn referral bonuses. These pages are under the main DPC domain name. The typical format is: www.diamondprizecenter.com/(recruiter's nickname).
 
If you *are* Damien Tackett, founder of Tackett, LLC, you have not done the due diligence required to maintain your company's security. You may decide to keep your single password box in front of the internal documents; however, you should not have your documents in clear text behind it. I would zip them, encrypt them, and rotate the passwords based on the training cycle.
 
Or do what larger corporations do: install a DMZ on your network and put the password box there, so an agent can authenticate through the DMZ and onto the internal network, where your internal training documents SHOULD be. Considering how everything is on one server, online, I presume that all your DPC listings are there as well, and if your DPC list is complete without regard to any security, those W9s that you require agents to fill in can be stolen.
 
It would take an actual hacker with disregard for the law to steal corporate data. I am a white hat systems analyst. I publicly point out problems concerning companies' IT procedures.
 
On your homepage on your public domain, there is an admission by DPC that someone is posing as DPC and is engaged in a fake check scam. Whether you're victim or perpetrator, the general public must be aware that they could get a fake check from DPC urging the consumer to cash it. Granted, on your page, you are talking to federal authorities on the matter and have warned consumers about the fake check scam; again, your due diligence is not completely fulfilled. Have you actually contacted all the consumers that your company sent to those QAs [qualified appointments] in the first place? I'm not talking email here, I'm talking about actual hard-copy letters stating that DPC was targeted in a fake check scam.
 
When I experienced a data loss of income tax records, I immediately sent all clients a hard-copy letter describing the data loss, information about identity theft, and contact information for the three credit bureaus with their 800 lines, advising clients to put themselves on a fraud watch list for six months. That, sir, is due diligence.
 
If and when things at DPC get back to normal, you also need to perform due diligence on fully disclosing the 1099 status for agents. Sure, you mention that it's work at home and 1099, meaning self-employed, but it's buried on the site. You must use everyday language as to what the tax implications of becoming a 1099 contractor actually are. Your spamming of Christian message boards illustrates this point.
 
A word about taxes and your script. DPC agents frequently say that there are no single men because they didn't pay their taxes on the car they won. As a company, your diligence is giving the contest winner a W9 to fill in that discloses his or her social security number. Your responsibility is limited to reporting the income earnings to the IRS. The IRS is responsible for tax collection, not you, not DPC, nor any of your agents. If the taxpayer does not report their income properly, the IRS will add penalties and interest in hopes of collecting the taxes due. That is out of your hands.
 
I hope you take this letter seriously, and constructively. My intent was not to harm DPC, nor you personally, Mr. Tackett. I don't mind telemarketing companies doing legitimate business. Where the problem lies is that agents are leaving messages telling the consumer that they won a prize and to call back. That antic is illegal. Inform your agents of that fact, and continue to use your word, "finalist".
 == BEGIN telemarketing script ==
< ... snip ... >