I EXPOSE MASSIVE SECURITY HOLE IN SCOUSER EMAIL CLIENT MERSEYMAIL
UPDATE: 12 August 2009
SUCCESS!
MerseyMail has been shut down, but Connect have still not mentioned the vulnerabilities to users and have not warned that they are exposed to hacking!


UPDATE: 14 August 2009
...OR IS IT?
MerseyMail/Connect deny and lie to users and publicly call me a "hacker"!

7th Aug 2009 - Mersey Mail are tonight exposing THOUSANDS of their Liverpool-based clients to scammers by leaving their customers' email accounts open to being hacked. Any intruder who gets a click-through to their website from a MerseyMail customer can IMMEDIATELY access all the mail and information in the private or business MerseyMail account. This security hole probably applies to ALL businesses and private individuals who use Mersey Mail!

I exposed the open-door policy of Mersey Mail when I was monitoring a website customer visiting to check progress of his new car. I always monitor visitors to ensure my car supply (and customers) are not exposed to fraud. For instance, if the customer purports to be British but is logging on from a Russian server, I want to know why!

My customer "George", who is a teacher in a Merseyside college, clicked on a normal email I sent him (he logged on from his MerseyMail account), to let him know he had a new message on my secure LINGO server. But I noticed something was wrong! The customer was passing his session ID and his IP address was not being checked.

By pasting the information into a web browser, I had immediately accessed all George's private emails including a loan application from a major bank, plus details of bank statements and many other messages. I was totally horrified! This is the first time I have seen this back-door access from a private email account.

I immediately phoned the customer to tell him, and also tried to phone Mersey Mail and their parent company. No one was available to speak to me at Mersey Mail despite me telling the receptionist that all their customers are currently exposed to hackers. The problem still hasn't been fixed, so I have informed the police, the local BBC, and informed the Information Commissioner's office.

Mersey Mail are owned by Connect Internet Solutions.com in Liverpool, who claim on their website "To ensure that what we build is best of breed, a solution that is both robust and future-proof." - what a laugh!

Connect claim to be accredited to ISO 27001 in Information Security. That's complete nonsense in my opinion, a first-year student could do better than this! Mersey Mail should be shut down and every customer informed. All passwords and private account details need to be changed, as soon as possible!

My own customer has been totally compromised. It's a good job LINGsCARS.com checks the provenance of incoming customer connections. If I was a scammer, I could have taken this customer to the cleaners. George was checking on his new Nissan Qashqai, but could have ended up being hacked for thousands of pounds.



08 Aug 2009: I have been visited by the Police to help sort this foolish email hosting company out, but it turns out that Connect Internet Solutions.com also built the Intranet for the Serious Fraud Office (below), LOL! What a joke.



The Serious Fraud Office investigates and prosecutes cases of serious fraud in England, Wales and Northern Ireland. It deals with cases of suspected fraud which are complex, require specialist knowledge, are likely to give rise to national publicity and widespread public concern and those having a significant international dimension.

Now the SFO can learn that they may be using systems built by fools who allow this very fraud to happen!

The Police now have to go away and check their own systems for the same badly-coded bug!!!








THE RESULT:

UPDATE: 12 August 2009
SUCCESS!
MerseyMail has been partly shut down, but Connect have still not mentioned the vulnerabilities to users and have not warned that they are exposed to hacking!
Connect Internet have shut down the service! They say "Due to a technical issue, we will be permanently shutting down the MerseyMail service at 5.00pm BST on Tuesday 8th September 2009."

THEY HAVE DISABLED WEB-ACCESS TO MAIL

Now, the problem is, MerseyMail/Connect Internet have not disclosed to any user the potential exposure of ALL their private documents and sensitive information, or that 3rd parties could have ALREADY accessed all their mail. This means that users are ignorant about taking security measures (such as changing passwords on bank accounts, and changing login details to private areas they may have mentioned in previous mails) to avoid the use of malicious information that has already been gathered about them, by hackers.


Connect make no reference at all to any SECURITY ISSUES to users, instead they talk about "TECHNICAL ISSUES"

This hiding of problems for MerseyMail users is disgraceful!

THIS PROBLEM WILL STILL AFFECT THOUSANDS OF MERSEYSIDE EMAIL USERS, INCLUDING SOME OF MY CUSTOMERS!

Once sensitive data is lost, you cannot get it back. Plugging the hole is only half the answer. Users should be told!

Connect Internet have a DUTY OF CARE to inform all their customers, in full. I wonder if they have reported the BREACH OF DATA SECURITY to the Data Commissioner?

12/08/2009 - I have contacted Connect Internet AGAIN (never any reply) and said: I notice Connect have shut down MerseyMail service due to my campaign about my customer who was exposed by terrible security, BUT, you make no attempt to disclose to customers the extent of the potential problems. Instead you talk about "technical issues". Customers should be told all their sensitive information has been at risk and may already be in the hands of hackers, so they can take steps to change passwords etc. Can you please let me know you have done this. The notice should also be posted clearly on the MERSEYMAIL WEBSITE. You should offer free technical assistance for users who have concerns. Can you please confirm this has been done and also please confirm that you HAVE INFORMED THE DATA COMMISSIONER of the extent of the problems, the length of time of the problems and the number of users of MerseyMail exposed. You are legally obliged to do this. Please reply with clear answers for me. Ling Valentine



UPDATE: 14 August 2009
OH DEAR!
Connect Internet now lie to users and call me a HACKER! As ever, these inept companies LIE and BLAME others to cover up their own ACTIONS!
Connect Internet issued the following completely inaccurate and plain WRONG statement to their MerseyMail users:




"GENERAL MESSAGE TO ALL USERS REGARDING THE CLOSURE OF THE MERSEYMAIL SERVICE

INCIDENT SUMMARY

A vulnerability has been identified within MerseyMail, possibly affecting a small number of users in a specific set of circumstances. A hacker attacked our system using this vulnerability and then posted a guide on how to do this on their website. We therefore had to respond quickly and, as soon as we were aware of the problem, temporarily suspended the website while we investigated. As a result of this investigation, Connect has taken a business decision to close down the MerseyMail service. We will continue to provide access to any messages within the service using standard mail programs (such as Microsoft Outlook) until 5.00pm BST on Tuesday 8th September 2009, to allow users to retrieve any messages they have stored in the MerseyMail system. The vulnerability has been closed and is no longer exploitable.

Connect has provided MerseyMail as a free service to the Merseyside community for a number of years and hopes that it has been useful to many people in that time. However, we feel that the Web has moved on since the introduction of MerseyMail and there are now many other free e-mail services (such as GoogleMail and Microsoft's Hotmail) which offer many benefits to users. We therefore feel that it is appropriate to close down MerseyMail. Ideally, we would have liked to close the service in a more structured way (indeed as the first step in this process we stopped new registrations some time ago), but the actions of this hacker have made this impossible.

THE VULNERABILITY

This vulnerability could possibly have affected a small number of users in a specific set of circumstances:

1) The hacker must have somehow obtained your MerseyMail "session ID"
2) You would have had to be logged in to MerseyMail while the hacker was trying to gain access to your account
3) Even if you were still logged in, you would have had to have been active within the "session timeout period"

The hacker only has a few ways of obtaining the "session ID". They can somehow see it in your browser (e.g. if you send them a screen shot including your browser's address bar) or they need to own a web server and actively obtain it from within their system.

If a hacker were to have obtained such access to the system, they would have only been able to access information about that user. They would not have been able to access information about other users.

Connect is not aware of any active attempts to exploit this vulnerability. The only known exploit has been the original hack mentioned earlier.

SENSITIVE INFORMATION

Although there is only a small possibility that your e-mail could have been seen by someone and we have no evidence of that being the case, as a precautionary measure we would suggest changing your password on any account where your current password has been sent to your MerseyMail address. This could be for a forum, or some other type of site requiring membership.

This is only an issue if you received an e-mail including your password in plain text and you have not changed the password since then. It will not affect you if the e-mail was an "activation e-mail" which did not contain the password or if you have subsequently changed that password.

We are really sorry for the inconvenience this has caused, however we feel that this is the appropriate course of action.

mail.team@merseymail.com"


***NOTE: they send and have a reply address to a "closed" service - utterly stupid - Ling




So now I am "a hacker"!!!

Let me deal with this, and these fools and idiots at Connect.

I am not a "hacker". I am a website owner who sells cars. I have a fantastic personal reputation as anyone can see by reading the 1,350 customer testimonials on my website here: CUSTOMER LETTERS.

MerseyMail freely and knowingly passed MerseyMail user session IDs to websites (being visited by MM users) when links to websites were clicked through in emails, and did not check IPs if the session IDs were used by the website to gain reverse access to MM user email accounts.

Connect (aka MerseyMail) gave away the entry key to users' email accounts in a widespread fashion and did not (and were not planning to) inform users until I blew the whistle.

This does not make me a "hacker". Their use of the term is completely incorrect. Connect were acting as if they were like the Royal Mail posting your front door key to any business that sends you a letter to which you respond.

If I was a "hacker", the police would have arrested ME. Instead, I am the complainant! Connect's choice of language is astonishing. It is CONNECT who were the subject of police action!

This whole saga is completely and utterly a faux-pas by Connect. A shooting in the foot by them. It was an own-goal in football terms (people in Merseyside will get that).

Now, Connect are lying. I deal with their points - It is not "affecting a small number of users in a specific set of circumstances" it is affecting EVERY user in a very common circumstance. They are being blatantly disingenuous and are misleading.

What they should say is:
"Connect have been giving away your privacy every time every user clicked a website link in an email"

Damn right the actions of the "hacker" (ME) caused them to shut down the service in an "unstructured manner". The service was giving away every user's full personal information! How long would they have allowed this to continue in a "structured" manner???

One question is, how many of their users have been exposed to abuse and invasion of privacy and malice by Connect's criminal condoning of this vulnerability?

Yes, it is criminal. It is a criminal offence under the Data Protection Act.

I did not "somehow" obtain the session ID. - Connect gave it away in plain text with the click through.

It is true that you would have had to have been logged in (i.e. the session still active), but, knowing the vulnerability, this would have made it easy for criminals. It is easy to act while people are still logged in. Few people click links and then close the program immediately. You click to a website and keep your email program OPEN, to read other messages. Once I logged in, I took over the session; the user could have logged out and I would have still been inside, squirrelling away.

As any link to a website goes to the website owner's server, every website visited can grab the plain text session key (and plain text username). It is easy. Connect make it sound unlikely. It appeared in front of my eyes like a neon sign saying "rob me, come on in"!
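The three failures described above (a session ID that reaches the linked site on click-through, no IP check, and a session that outlives the user's logout) and their server-side fixes, as an added Python example that is not part of the original post and is not MerseyMail's code. It assumes the ID sat in the webmail URL and arrived at the destination in the HTTP Referer header; the parameter names, the timeout and the `webmail.example` host used in testing are made up.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names that carry a session token in a URL (hypothetical).
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid"}
IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value
# Sent on every webmail page so clicked links carry no Referer at all.
SECURITY_HEADERS = {"Referrer-Policy": "no-referrer"}


def referer_leaks_session(referer):
    """True if this Referer value would hand a session token to another site."""
    query = urlsplit(referer).query
    return any(k.lower() in SESSION_PARAMS
               for k, _ in parse_qsl(query, keep_blank_values=True))


def strip_session_params(url):
    """Drop session-bearing query parameters, e.g. before writing a URL to a log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class SessionStore:
    """Server-side sessions whose token travels in a cookie, never in a URL."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, client_ip, now=None):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ip": client_ip,
                                 "last_seen": time.time() if now is None else now}
        return token

    @staticmethod
    def cookie_header(token):
        # Secure/HttpOnly/SameSite keep the token off plain HTTP, scripts and cross-site requests.
        return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def validate(self, token, client_ip, now=None):
        """Return the user, or None (and kill the session) on timeout or a changed address."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > IDLE_TIMEOUT or session["ip"] != client_ip:
            # Strict IP binding can log out users whose address changes; that is the trade-off.
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        # Logging out destroys the server-side record, so a copied token stops working.
        self._sessions.pop(token, None)
```

A site owner on the receiving end can run `strip_session_params` over Referer values before they are stored, so visitor logs never hold somebody else's live session token.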

True, the intruder could only compromise (the whole email account) of one user at a time. Connect are saying "don't worry, the malicious intruder can only break into YOUR house".

Users will have to change (or should change) lots of passwords to different services. As many people tend to use the same password for many services, giving a thief a good guess at what password the user has for everything, Connect's statement about passwords is false. It would only be true if users used unique strings for every account password of theirs. People do not act in that way. We all know that.

Also, an intruder can read ALL user mail, see what services you are signed up for and hammer away at them all, if they know one typical password.

The intruder can also access a user's whole address book, raising the issue of the heavy use of MerseyMail by schools and kids.

In their statement Connect are utterly and irresponsibly minimising the danger to users.

I will say to Connect, you are acting diabolically. I am that "Hacker". Come and get me arrested!!!!

The problem Connect have, is that the police decided Connect were in the wrong and went and knocked on THEIR door, not mine.

I disclosed everything, immediately, to a) the MerseyMail user, b) Connect (who ignored me), c) the police, d) the BBC... all to cover myself, as well as e) on my website here www.lingscars.com/merseymail.php , and f) here on this Liverpool community forum, as well as on my blog and on Twitter. I was completely open.

Questions:

1. Have they informed the Data Commissioner of the scale and their complicity in this scandal?

2. When will they tell the truth to users, including saying that there was no "hacker" in this instance and that the police told CONNECT to close the service down, it was so bad?

3. When will they say it is widespread and happened with EVERY click through, therefore EVERY user has MASSIVE risk?

4. When will the Managing Director/CEO of Connect resign?



There is a full thread to read on Liverpool community forum Yo! Liverpool




