2 January 2014. A2 sends:

To see a list of Omniquad's clients exposed by the Surf Wall Remote data breach:-

https://www.google.com/search?q=swrinfo+mozilla&filter=0

It is worth noting that searching just on "SWRInfo" will yield a blameless unrelated German radio station.

30 December 2013

Omniquad Exposes You Online


A sends:

Omniquad - the data protection specialists who expose you online

Back in 1997, Daniel Sobstel, then a 25-year-old "computer wizard", started
Omniquad Limited.

He now describes it as "a trail blazing internet Security Company which
helps businesses and organisations secure and manage their business
networks, email security and web security."

He continues, "Omniquad is now providing cutting edge IT Security Services
that have won both industry acclaim and media recognition."

http://www.independent.co.uk/news/business/your-office-manager-is-watching-you-1074597.html

But Omniquad is no stranger to data privacy breaches.

http://www.channelweb.co.uk/crn-uk/news/1893948/omniquad-rapped-breach

Now it can be revealed that Omniquad's latest key product, called Surf Wall
Remote, is actually exposing precise client identifying information.

http://www.omniquad.com/surfwall-remote-cloud-hosted-web-security-and-filtering.html

Rather than protecting clients, it reveals their identity to every website they visit.

Surf Wall Remote (SWR) injects an extra string into the browser user agent that personally identifies the visitor.

An example visitor log entry (here, split over two lines and redacted with
asterisks):-

109.169.6.130 - - [**/***/2013:**:**:** *****] "GET / HTTP/1.1" 200 ***
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;) (SWRInfo: ****:****:****)"

In this example, the visitor's own IP has been replaced with Omniquad's (109.169.6.130),

https://www.robtex.com/ip/109.169.6.130.html#whois

But Surf Wall Remote has injected into the user's MS Internet Explorer 8 browser user agent string an extra piece of information with the format:-

SWRInfo:nnnn:yyyy:xxxx

Here, "nnnn" is an integer related to the client organisation that has purchased the Surf Wall Remote product and installed it across their entire corporate IT infrastructure. "xxxx" and "yyyy" are the portions of the individual person's email address either side of the "@" symbol.

If a person called John Fitzgerald Doe working for Acme Industries, Inc was using Surf Wall Remote, his injected user agent string might look something like:-

SWRInfo: 1234: acme-industries.net: john.f.doe

As a real world example, I offer you this (partially redacted to protect the individual):-

SWRInfo: 2025: sytner.co.uk: ****

This is unfortunate, as Sytner ("the UK's leading retailer of prestige cars") has provided a glowing reference on the Testimonials section of Omniquad's website.

Embarrassing too for Caretower, the UK distributor of Omniquad's Surf Wall Remote, who provide a case study featuring Sytner's use of the sister product Mail Wall Remote:-

http://www.caretower.com/files/casestudies/sytner-2010-01-28.pdf

Another example:-

SWRInfo: 3051:pitguk.com:****
http://www.pitguk.com

Which currently leads to

http://www.phoenix.co.uk

"... one of the UK's leading providers of hosting, Cloud, managed IT services and business continuity."

Finally, another real world offering:-

SWRInfo: 3129: ****.mod.uk: ****

Clearly a sensitive UK government department.
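
For anyone who holds logs containing this token (a site operator, or an organisation checking its own outbound traffic), the SWRInfo format described above can be detected and scrubbed as follows. This is an added example, not part of the original submission and not Omniquad code; the function names are hypothetical, and the sample log lines are constructed from the page's own John Doe illustration using a documentation-range address.

```python
import re
from collections import Counter

# Token layout as described on the page:
#   SWRInfo:<client id>:<email domain>:<email local part>
# Whitespace after each colon is optional (the page shows both spellings).
SWRINFO = re.compile(r'SWRInfo:\s*(\d+):\s*([^:\s)]+):\s*([^\s:)"]+)')

# Constructed sample lines in combined log format (assumption: not real data).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;) '
    '(SWRInfo: 1234: acme-industries.net: john.f.doe)"',
    '192.0.2.10 - - [01/Jan/2014:10:00:05 +0000] "GET /a HTTP/1.1" 200 99 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0) (SWRInfo:1234:acme-industries.net:jane.roe)"',
    '192.0.2.77 - - [01/Jan/2014:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]

def parse_swrinfo(line):
    """Return the leaked fields from one log line, or None if no token is present."""
    m = SWRINFO.search(line)
    if not m:
        return None
    client_id, domain, local = m.groups()
    return {"client_id": int(client_id), "email": f"{local}@{domain}"}

def redact(line):
    """Replace the identifying fields so the line can be stored or shared safely."""
    return SWRINFO.sub("SWRInfo:[redacted]", line)

def audit(lines):
    """Count affected requests per email domain and return the redacted lines."""
    per_domain = Counter()
    cleaned = []
    for line in lines:
        hit = parse_swrinfo(line)
        if hit:
            per_domain[hit["email"].split("@", 1)[1]] += 1
        cleaned.append(redact(line))
    return per_domain, cleaned

if __name__ == "__main__":
    counts, cleaned = audit(SAMPLE_LOG)
    for domain, n in counts.items():
        print(f"{n} request(s) carry an SWRInfo identity for {domain}")
    print(cleaned[0])
```

Run over an egress proxy log, the per-domain count shows how many requests left the network carrying a staff identity; run over a web server log, `redact` removes the personal data before the log is retained or shared.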