Showing posts with label PII.

Sunday, May 03, 2009

Homebusinessinstitution.com: Probable fraud, definite XSS

While I've recently been trying to take a more positive tack in my exploration of online security issues, I must digress.
Cable viewers have again been endlessly inundated with Home Based Business advertisements claiming riches beyond your wildest dreams.
You know the one..."I made over $9000 last month working from home part-time."
Right...
Same message, different URL; they simply change the URL every so often. The current domain is 67gogreen.com, others have included crazyfox.com and 46homeworker.com.
All of this complete bulls**t is brought to you by LG Technologies of Temecula, CA, under the premise of Home Based Business - As Seen on TV.

First, the fine print:
The incomes depicted are not typical and represent a small percentage of actual participants. There are no guarantees that participants will be able to achieve the income levels depicted.

Second, your privacy at risk:
We will maintain a record of your Personally Identifiable Information (PII) that will be sold or transferred to third parties that we believe offer products, services, and/or opportunities that are consistent with your expressed interests. Note that if you voluntarily provide us with Personally Identifiable Information, you consent to our sale, transfer, and use of your information.

Third, security:
We treat your Personally Identifiable Information very carefully and use our best efforts to protect your Personally Identifiable Information against unauthorized access and disclosure.

Do you now? Let's investigate...

HomeBusinessInstitution claims to be VeriSign Secured and is indeed using a VeriSign cert. Thereafter, they display badges claiming "100% Safe Secure" and "100% Privacy Verified". Too bad they're both utter crap.
All measures of security (there aren't any) falter drastically, as homebusinessinstitution.com falls immediately to cross-site scripting (XSS).
To exemplify both my dismay and the lack of secure input validation, I offer the following screenshot of customized JavaScript executing in the context of homebusinessinstitution.com.



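The post shows only a screenshot, so as an added illustration (not code from the original post or from the site in question) here is the class of defect it describes and the usual fix: a page handler that reflects a request parameter into HTML without encoding, beside one that escapes the five structurally significant characters first. The handler and function names are hypothetical, and the sample input is constructed.

```javascript
// Added example, not from the original post: a reflected-parameter handler
// in its unsafe and hardened forms. Names are hypothetical.

// Unsafe: the request value is concatenated straight into HTML, so any
// markup in the parameter becomes markup in the page. This is the kind of
// missing input/output validation the post points at.
function renderGreetingUnsafe(name) {
  return "<p>Welcome back, " + name + "!</p>";
}

// Hardened: escape the characters that can change HTML structure before
// interpolating untrusted text into an HTML text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderGreetingSafe(name) {
  return "<p>Welcome back, " + escapeHtml(name) + "!</p>";
}

// Detection helper: true only if every tag in the rendered output belongs to
// the template itself (i.e. nothing from the input survived as markup).
function outputOnlyTemplateTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((t) => t === "<p>" || t === "</p>");
}

// Constructed sample input: a harmless tag standing in for reflected markup.
const constructedInput = "<i>visitor</i>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderGreetingUnsafe(constructedInput)); // input tags survive
  console.log(renderGreetingSafe(constructedInput));   // input tags escaped
}
```

The same check, run against each reflected parameter on a site's forms, is a quick way to confirm that an "input validated" badge actually corresponds to output encoding in the code.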
Companies such as this, who exploit the gullible and naive, infuriate me well before I endeavor to dissect their weak claims of securing your PII. To find that their victims are then at further risk leaves me blistering. It strikes me that only their vast disclaimer language serves to protect them from the likes of criminal prosecution or civil litigation.
There's an interesting study of LG Technology and their associates provided here.
I do hope someone finds a way of putting this likely fraud to an end.


Thursday, July 05, 2007

The Breach Blog: What Have We Come To?

SC Magazine recently put The Breach Blog online, a veritable wall of shame for almost daily information breaches. You'll find gems like the Bowling Green professor who kept students' personally identifiable information (PII) on his USB stick, then lost it, or the Texas A&M-Corpus Christi professor who did exactly the same thing WITH EVERY STUDENT'S PII ON THE USB STICK! The losses are consistent: lost or stolen laptops, USB sticks, and backup tapes, along with the occasional server administration meltdown or ye good olde hack.
What's it going to take to convince universities to implement better policies and practices such as USB device management, including encryption and approved devices only?
When will Ohio state government managers realize that the intern you're paying $10.50 an hour is not the ideal caretaker for an unencrypted backup tape containing the PII of all 64,467 state employees?
Say it with me, people. Encryption. Best practices. Policy. Standards. Easier said than done, I know. But here are the simple facts. We are data custodians. Management, systems administrators, security analysts...we are all data custodians, and we must take better care of the information we manage. It's not our information. It belongs to our students, our customers, our veterans.
"First, do no harm." Failure to protect the information in our care is doing harm, as much as the criminal who stole it.
Kudos to SC for The Breach Blog, but it's a shame we even need it.

