Junilu Lacar wrote:The first thing your friend should probably do is to make her board private as well, so there will be less likelihood of someone viewing the page source and trawling for information that can be used to exploit the system. You'd be surprised at how much sensitive information lies just below the surface of a web page and it only takes a little patience and motivation to spend the time and effort needed to find it. A number of attacks could have been perpetrated, including SQL injection. I wouldn't worry too much about looking stupid -- if she has a legitimate complaint, I would think the police would at least refer her to the appropriate department, if they have it, that handles cyber crimes. Also consider consulting a lawyer to get advice on the proper legal actions she can take, if any. Good luck.
Stefan Evans wrote:Of course it is possible that the guy has found a "feature" of this online exchange to exploit trades.
I wouldn't get hung up on sql injection, there are any number of ways it could be done.
If he is senior enough, he (or someone) might have the permissions to 'force' a trade. Or perhaps he has just found a way to give himself the credentials of another user.
90% of the time things like this don't require hacking, just admin access to the system.
Without knowing the details of the system, it would be impossible to tell.
Going to the police sounds extreme though.
Vague ideas running through my head
- is there any difference between a 'legit' trade and a 'dodgy' one in the records?
- is it possible to keep a log of 'lost' shifts
- is there a pattern to them if you compare notes with friends?
- if you make your own board private it might prevent 'theft' of shifts in the future...
- on the Mac vs Linux thing, MacOS is unix based, so might potentially show up as linux in some cases (don't know details, but the possibility is there)
Tom Nielson wrote:What is really crazy is the alleged hack makes it look like the owner of the shift legitimately traded it to Carl, and that is why the IT executive over the system keeps dismissing the complaints. But I think he is being jaded and lazy, because I see lots of red flags. One really shocking email had one worker showing a screenshot of her board history, and the shift she lost was traded by her on LINUX!!! She said she had a Mac and never used Linux in her life.
No more Blub for me, thank you, Vicar.
chris webster wrote:
Tom Nielson wrote:What is really crazy is the alleged hack makes it look like the owner of the shift legitimately traded it to Carl, and that is why the IT executive over the system keeps dismissing the complaints. But I think he is being jaded and lazy, because I see lots of red flags. One really shocking email had one worker showing a screenshot of her board history, and the shift she lost was traded by her on LINUX!!! She said she had a Mac and never used Linux in her life.
If you're going the legal route, your friend and her lawyer should request full copies of the relevant system logs for the bad trade, including the IP addresses and timestamps. These transactions have a financial impact and - hopefully - should be logged properly, just like banking transactions. This may help to prove your friend didn't make the trade and, possibly, that "Carl" did. If the trades are not being logged properly, then there would probably be unpleasant implications for the company in terms of financial accounting and tax reporting, for example.
But I suspect it's probably going to cost your friend a lot more than $1200 to pursue this, and many companies prefer to fire the person who reports a problem, rather than deal with the problem.
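Stefan's questions above (is there any difference between a legitimate trade and a dodgy one in the records, is there a pattern across colleagues) and chris webster's point about requesting the system logs with IP addresses and timestamps can be turned into a concrete triage pass over an audit log. The script below is an added example for this thread, not code from the original posts or from any real scheduling product: the log format, the field names, the baseline rules and the sample records are all constructed assumptions, and the user-agent classification is a coarse one written for this illustration.

```python
"""
Triage of a constructed shift-trade audit log.

Added example. The log format below is an assumption: one record per
trade with a timestamp, the shift owner, the account that actually
performed the action, the recipient, the source IP and the user agent.
Sample records are constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample data: "alice" normally trades from a Mac at one
# address; her third trade (to carl) comes from a Linux browser at a new
# address. "erin" never performed her trade to carl at all: an admin did.
SAMPLE_LOG = """\
2023-03-01T08:12:03Z owner=alice actor=alice to=bob ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2023-03-03T19:40:11Z owner=alice actor=alice to=dana ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2023-03-05T02:17:45Z owner=alice actor=alice to=carl ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64)"
2023-03-06T09:05:00Z owner=erin actor=admin_k to=carl ip=192.0.2.5 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-03-07T14:22:30Z owner=erin actor=erin to=frank ip=192.0.2.44 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) owner=(?P<owner>\S+) actor=(?P<actor>\S+) to=(?P<to>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Records an owner needs before their OS/IP baseline is trusted (assumed).
MIN_HISTORY = 3


def os_family(ua):
    """Coarse OS family from a browser user agent string.

    Assumed heuristic for this example: a Mac browser advertises
    'Macintosh; Intel Mac OS X ...', a desktop Linux browser 'X11; Linux'.
    Whatever the product logged, the raw string is what to ask for.
    """
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "macOS"
    if "Windows" in ua:
        return "Windows"
    if "Android" in ua:
        return "Android"
    if "Linux" in ua or "X11" in ua:
        return "Linux"
    return "unknown"


def parse_log(text):
    """Parse the constructed audit format into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable audit line: " + line)
        rec = m.groupdict()
        rec["os"] = os_family(rec["ua"])
        records.append(rec)
    return records


def owner_baselines(records):
    """Per shift owner: number of trades, usual OS (mode) and IP frequencies."""
    per_owner = defaultdict(list)
    for r in records:
        per_owner[r["owner"]].append(r)
    baselines = {}
    for owner, recs in per_owner.items():
        baselines[owner] = {
            "count": len(recs),
            "usual_os": Counter(r["os"] for r in recs).most_common(1)[0][0],
            "ip_counts": Counter(r["ip"] for r in recs),
        }
    return baselines


def flag_trades(records):
    """Return [(record, [reasons])] for trades that deviate from the owner's norm."""
    baselines = owner_baselines(records)
    flagged = []
    for r in records:
        b = baselines[r["owner"]]
        reasons = []
        # An admin override or an impersonated session shows up as actor != owner.
        if r["actor"] != r["owner"]:
            reasons.append("performed by %s, not the shift owner" % r["actor"])
        if b["count"] >= MIN_HISTORY:
            if r["os"] != b["usual_os"]:
                reasons.append("device OS %s differs from owner's usual %s"
                               % (r["os"], b["usual_os"]))
            if b["ip_counts"][r["ip"]] == 1:
                reasons.append("source IP %s appears in no other trade by this owner"
                               % r["ip"])
        if reasons:
            flagged.append((r, reasons))
    return flagged


def recipient_pattern(flagged):
    """Who ends up holding the suspicious shifts: the 'compare notes' check."""
    return Counter(r["to"] for r, _ in flagged)


if __name__ == "__main__":
    flagged = flag_trades(parse_log(SAMPLE_LOG))
    for rec, reasons in flagged:
        print(rec["ts"], rec["owner"], "->", rec["to"], "|", "; ".join(reasons))
    print("recipients of flagged trades:", dict(recipient_pattern(flagged)))
```

On the constructed sample this flags exactly the two trades to carl: alice's because the device OS and source address break her pattern, erin's because another account performed it. With real exports the first thing to check is whether the log even carries the acting account and the raw user agent; if it only records the owner, the system cannot distinguish a forced trade from a legitimate one, which is the gap chris webster's request is meant to expose.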
Guillermo Ishi wrote:What industry is this? I've never heard of this kind of business.
Tom Nielson wrote:
Guillermo Ishi wrote:What industry is this? I've never heard of this kind of business.
I was deliberately vague for a reason. This is a discussion board on security after all.
Guillermo Ishi wrote:
Tom Nielson wrote:
Guillermo Ishi wrote:What industry is this? I've never heard of this kind of business.
I was deliberately vague for a reason. This is a discussion board on security after all.
LOL well, you have a union so it's not a criminal enterprise, maybe.
Tell me the name of a similar business, then. I'm just interested because it's something I've never heard of.
Tom Nielson wrote: Compare this to any job that requires you to be gone 4-9 days at a time, such as working on an oil rig.
Guillermo Ishi wrote:
Tom Nielson wrote: Compare this to any job that requires you to be gone 4-9 days at a time, such as working on an oil rig.
I worked on a rig up in N. Dakota. Nowhere near as captivating as this...
Don't get me started about those stupid light bulbs.