Caveat Emptor: Egghead.com Credit Records Nabbed 164
Voorshwa and at least a dozen others wrote with this news: "Found this one over on ZDNet.com news. Turns out the security over at Egghead wasn't very good. Losing 3.1 million credit card numbers has got to put a damper on a lot of Christmas cheer!! Wish these big companies would learn a little ..." No yoke. It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions. Reader insmod points to coverage at MSNBC as well which mentions that Egghead was not the only site hit this holiday season.
strict legal data protections are needed (Score:2)
I worked for egghead until a month ago (Score:2)
Re:This cries out for one-time use credit card num (Score:1)
Who cares (Score:2)
Re:Blame (Score:1)
as much as i dislike ms, they cannot be held responsible for mismanagement of their software. if the software was faulty (ie there was a bug and they didnt notify their customers), then hopefully they will be held responsable (although their eula probably obsolves them of that). when the eula bails them out the IT person who made the decision to go with ms should be smacked around with a stick....
but it's really too early to lay any blame on anyone but the crackers...
use LaTeX? want an online reference manager that
Re:Any idea what part was cr/hacked? (Score:1)
Part of the reason I believe it's a hole in the firewall is that I control the one in our office. I run it in paranoid mode. Some people in the office don't like it. If there are legitimate business reasons I will open things up, it's just not going to be a free for all.
Merchant Accountability (Score:2)
Re:IIS is known to have had many security flaws. (Score:2)
It's a fact that most reported Web Site compromises for Microsoft sites happen via IIS. It's also a fact that most of those are RDS. It's another fact that the last significantly visible break-in was reported as the Unicode
The quote is definitely based on currently available information. It's also got a greater than 75% lieklyhood of being the true vector of attack. FWIW, we also called the Microsoft vector of attack correctly about two days before MS figured it out.
I challenge you to take the top 6 IIS exploits and run scans against your ~60 NT sites and report the results. If they're not all virtual servers, I'd bet you'll find at least 30% of them vulnerable to one form of attack or other.
Given the initial information circulating in the press and in the community, I blamed the attack on incompetent administration. While IIS has more holes per pound than Apache, it's trivial to make any Web server vulnerable, and I was careful to state that it didn't matter *what* server you were running (and Rob quoted that at the very end of the article- so it was obviously clear to him that my intent was to ensure that he understood that the likelyhood of the attack being due to poor administration was fairly high.)
If you design sites where the DB is on the same server as IIS, you'd better get down off that high horse, you bear some culpability for poor design practices.
Paul
Re: (Score:1)
AMEX? I'd rather be in the pan than in the fire! (Score:2)
These transfers were not authorized by me, were from accounts that didn't belong to me, and went through before I had received the card in the mail, or indeed even knew the account number.
AMEX, when I finally rattled enough cages to get them to look into the matter, removed the charges as 'Fraud'. They refused to explain to me how this fraud occurred, without being subpoenaed. But you figure it out. It was either an inside job, or there was some hacking involved somewhere.
They pissed me off so badly, I did up an entire website about their piss-poor customer service, and I got threatened by their lawyers over the domain name. The site has been down since the problem was finally fixed, but I just threw it back up into my webspace [home.net] for anyone who's interested in reading it (there are a few things that need to be changed before I make it a permanent part of my forthcoming personal site).
~Philly
Re:IIS is known to have had many security flaws. (Score:3)
Why can't they secure the fscking box, then?
Personally, I believe that this is not a question based on the techical merits, rather, the social or cultural merits. These kinds of problems are, in the oh-so-eloquent words of my father, "dumb-boy shit".
I don't think IIS is inherently insecure; I think the computing model promoted by Microsoft - that an accountant, secretary, or poorly-trained nobody can set up a fully functional e-boz site - is the inherent insecurity. That MS's "bring computing power to the masses" crusade is what's biting them on the ass.
Any idea what part was cr/hacked? (Score:2)
The backend of the system is MACS or what's now called ecometry from Smith-Gardner. The main part of the system runs on an HP3000. Since until recently there wasn't a secure web server on the 3k they used NT/IIS to front end the system on the web.
So was it actual access to the 3k?A problem with NT/IIS?
A weakness in the S-G software?
Bad home grown code on eggheads side?
Poor security practices?
The later is my guess... it would be rather hard to get to the 3k if it was firewalled properly.
By the way the Smith-Gardner software is fairly widely used... if you don't believe me take a look at http://www.ecometry.com/clients/cl_list.htm
Shouldn't EggHead be responsible? (Score:3)
Re: (Score:1)
IIS is inherently insecure (Score:1)
As a person who has developed literally hundreds of smaller- to mid-size e-commerece sites, it always astounds me to find the number of people who assume that IIS is inherently insecure.
=
As a person who administers scores of NT boxes that currently services over 500 domains in both a dedicated server and shared-hosting environment, I can assure you that IIS is "inherently" insecure. By this I mean that extraordinary steps are required to provide an acceptable level of security, security is not inherent in the software by any means.
If you foolishly believe that IIS is secure, take a look at
http://www.securityportal.com/list-archive/bugt
and start from there, it's really just the tip of the iceberg. IIS has no suexec-type mechanism, so there is very little security flexibility and compartmentalization, as you can see from the content at the URL above it is even possible to execute ASP code in the SYSTEM context. Unless of course you have made manual registry changes to obscure keys. How exactly does that meet the "inherently secure" definition? It's not like it's just one issue, either. The software is plagued with poor design.
While I am on a roll here, should I touch on the issues with the FTP service, since it is part of IIS? How about the fact that users can walk all over the directory tree because the software doesn't support the equivalent of chroot jailing? How about the fact that when frontpage extensions are installed on the web site and anonymous FTP is enabled, the _vti_pvt directories become warez repositories because the "everyone" user has read and write access to that directory? Some of the largest hosting facilities in the US, such as Interland, have been waiting for an answer from MS on that one.
I had better stop now.
badtz-maru
What, Me Worry? (Score:2)
- I never shopped online there
- When I shopped at their old brick and mortar stores, the credit card I used then has long since expired, and I cancelled that credit card account.
-
Any kiddie can find a script to generate fake numbers that pass the crc tests that they use.
That being said, since I do shop online from time to time, you would expert that they could do better. That is a rather large amount of plastic.Maybe that is how Saddam Hussein is paying for all of those Sony PS2s
Re:Blame (Score:1)
Using IIS, no less. Hello, security? (Score:2)
Is it any suprise that they are using MSIIS for there server? Or that the crackers almost certainly used a well-known exploit? Or that their server software probably did not have the most up to date patches installed?
This doesn't even begin to address the issue that I (and apparently others that have commented above) feel that storing CC#'s after the transaction has finished is highly negligent. When you go to a restaurant, do they maintain a database with your CC# to speed up your next purchase? NO! If they did, there would be serious hell to pay. So why to e-tailers (god I hate e-words) feel that it is an acceptable practice? And then they have the nerve wonder why people have little confidence in purchasing online. It's because we are not morons!!!
Security is always less strong than it's weakest link. It's about time that people start taking that fact seriously.
MS rulz (Score:1)
My personal rule of internet purchasing: Go to Netcraft, figure out what software they are running, and if it is MS, it is not worth the risk to buy there.
Analysis of www.egghead.com
The site www.egghead.com runs Microsoft-IIS/4.0 on NT4/Windows 98
Re:What type of databases were broken into? (Score:2)
Re:yeah my cc is one of them (Score:3)
You can store the transaction number which does not contain the CC number at all or a way to generally access the account AND just MAYBE the last 4 numbers of the card.
I have written several e-com sites and dealt with cybercash and authorize.net... customers HAVE gotten their money back on purchases but we dont store credit cards plain and simple.
And if you REALLY must store them oh please oh please encrypt the damn things and store the private key EXTERNALLY, the simple version is you have to type the thing eery time, typically we make the customer enter it in twice just for verification because I personally have only worked with one site where we stored (encrypted using a public key with priavte keys far from the net) which was only for bad cases or customer service, the process to retrieve a CC from the DB was pretty easy but still took human intervention.
Overall if your storing them as plain text you DESERVE to be hacked big time.
That is just how it is
Excuse the formatting of my post I just wanted to mention this, thanks.
Jeremy
This cries out for one-time use credit card number (Score:5)
Simple solution to the credit card theft. (Score:2)
The other method is calling someone on the phone, or using the internet, reciting the credit card number and expiration date, giving some personal information and the charge goes through, no signiture required, no problem until someone (hopefully YOU) gets the bill.
Well, credit card companies, at the option of the cardholder, should be able to implement some type of confirmation scheme to prevent anyone with your credit card number from actually using it. For instance, if I provide my credit card to a company, I would then have to validate the transaction (by phone or web page) using information not provided to the merchant before the money would actually trade hands. For convienence, this could also be done in advance, or allow a certain merchant to always be authorized, so although that merchant could always charge the card, nobody else would be able to.
Since the service would be an optional one for cardholders, it would not infringe on anyone's convience if they're not willing to go through the extra effort to avoid having their card maxed out by someone ten thousand miles away. We have to assume that credit card numbers will get stolen and distributed. You can't rely on the security of some website or server to keep that information safe, as you have no control over that security.
Perhaps I'm missing something obvious here, but this seems like a good idea to me.
-Restil
what do you do about your CC? (Score:1)
This is awful, 3.1 million! Wow. Please let me know what we should do, if its safe to use the same one (and monitor it well), or if that's a bad idea...
Mike Roberto
- GAIM: MicroBerto
Re: (Score:1)
one-way encryption? (Score:2)
if these companies insist on storing credit cards on their servers, why not encrypt them? since just about every site that would store your credit card makes you login with a username and password, why not encrypt them with that account's password? this way if the security is comprimised, they'd have to brute force every single account to get each one's credit card number. if you use a strong password on the system, you won't be subject to the site's lame security should their database get illegally accessed.
Re:IIS is inherently insecure (Score:1)
I agree that IIS is insecure, but I dont agree that it is fundamentally a bad model. IIS could be workable, but MS needs to get moving on it.
=
I agree with you.
badtz-maru
Re: (Score:2)
Re:Simple solution to the credit card theft. (Score:1)
Re:search bugtraq (Score:1)
Sunday August 08, @05:29AM EDT
% lynx www.windows2000test.com
Looking up www.windows2000test.com first.
Looking up www.windows2000test.com.
Making HTTP connection to www.windows2000test.com.
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://www.windows2000test.com/
47 %
The windows2000test site is still not reachable.
bash$ telnet www.windows2000test.com 80 Trying 207.46.171.196... telnet: Unable to connect to remote host: Connection refused
C:\WINDOWS>ping www.windows2000test.com
Pinging www.windows2000test.com [207.46.171.196]
with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.46.171.196:
Packets: Sent = 4, Received = 0, Lost = 4
(100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
yeah my cc is one of them (Score:4)
They keep your CC# on file indefinately, even if you have your account suspended. I honestly don't know why they keep your CC# in the databases?
This is always the problem with all these sites that a broken into.
Plus, for pete's sake.... deny (YES DENY) all select requests on the tables that contain cc#s... if your database can't deny SELECTs then you need a new DB server!
Re:IIS is known to have had many security flaws. (Score:2)
There's been ongoing debate in the INFOSEC community and computing community at-large about the culpability of a vendor who knowingly fields bad software (the 32,000 known Win2k bugs fly immediately to mind)- in the automotive industry a manufacturer who knowingly fielded an unsafe product on such a scale would be sued into the poorhouse. Bridgestone/Firestone probably unkowningly fielded unsafe tires, and if they'd not done the recall, Congress and/or the court system would have stepped in because of the fact that they knew after the fact that the adhesive wasn't good and didn't rush to pull out the products until they had to. It's only the computer field that really hasn't felt the pain of product liability- licenses notwithstanding it's bound to get a legal precedent sooner or later.
Like many others, I feel that eventually we'll see some manufacturer culpability, and I don't like the idea of it at all. I'm even more worried about its impact on free software. Though with freee software the potential is probably less because you can pick what you use and fix it if it doesn't meet expectations, with commercial closed-source, the vendor picks when it hits the market and how it functions.
The thing I have little tollerance at all for is the lack of responsibility being placed on the attacker. We should be vilifying the hell out of people who have the ultimate responsibility for producing badness and creating victims out of consumers irregardless of the culpability of either manufacturers, retailers, adminsitrators or anyone else in the chain. In a lot of states, if a motorist has a chance to avoid an accident and doesn't- regardless of their fault in creating the accident conditions, then they bear responsibility. We need to focus more on that responsibility on the behalf of attackers.
On the DB thing:
Typically, running the DB off the same box give you the problem that the entire database is on the same likely to be compromised machine. So are the keys to the database, and that means that it's significantly easier for an attacker to grab all the cookies and go home to eat them. Also, SQL Server is its own nightmare of twisty waiting-to-be-exploited passages (as is Oracle for anyone out bias-hunting.)
Happy Holidays,
Paul
Christmas Cheer (ot) (Score:1)
I'm lucky enough not to be hit. I like to buy computer junk locally. I have had trouble with stuff, and it's easier to get service from a reputable local dealer who you can visit during lunch or after work. Better prices than the large chains, too. And the University Bookstore has all the good books and software that you are hard to find otherwise.
Re:respect? (Score:1)
Maybe not a typical troll. Maybe more of a social hack, or a very sad sort of troll. Of course, I can't say 100% it isn't real, and this is somewhat a matter of gut feeling, but here's what seemed wrong to me:
Yes, I've already posted this, but someone moderated it down and I just want to have people hear my message. Please don't moderate this down so others can hear me.
If I had a week, I wouldn't waste any of it trying to get modded up. Express and move on. There's a lot to wrap up before I go.
Hello, I'm a Linux kernel hacker.
Hello, I'm the thing most respected in this forum.
I just wanted to talk to the community one last time.
Slashdot is mostly a user community.
I'm uploading the latest versions of my code so they'll be out there before I'm gone.
For a regular contributor, it think this would be too obvious to say, and "uploading the latest verions of my code" has too much of an aura around it, and uses only terms known to a user. Wrong jargon level.
The reason I'm posting anonymously is I don't want people to find out about my illness over Slashdot. I want to spend my last remaining days with my family, not a bunch of people calling me and wishing me luck.
Too much of a tease. Also, sounds like more of a sad fantasy.
I get angry when people in the Linux community do stuff for themselves. A person may suggest a feature and people will say, "You got the source, go ahead and make it." Why not take the time to help that person if they have trouble? Maybe they'll learn and help you later, or maybe they don't have time to do it themselves (too much work, new baby, cancer).
Some of this might be real. "Take the time too..." would have been believable. "I get angry when..." smells seriously fishy. No one with a high level of skill has time to answer everything in the net that they have the knowledge to answer. Also, teaching is it's own reward. "Maybe they'll help you later" is bargaining form the POV of the side asking for help.
Ugly guess: "I'm pissed someone else won't build what I want, so I'll die of cancer."
Also, "do stuff for themselves" sounds totally wrong. Good programmers program "for themselves", ie. because it's fun.
You'll probably see a small release about my death when it happens, maybe it'll be on Slashdot, maybe it won't.
Didn't quite peg the bogometer, but this one got close. If he knows this is going to happen, there's absolutely no reason to say it here. Also, I don't think people say when-I'm-gone's" when they're really dying. And who cares if it's on Slashdot?
But a good message otherwise. Heck, I hope even trolls have a nice Christmas.
It Was Santa (Score:1)
Re:Christmas Cheer (extremely ot) (Score:1)
Can you really blame them? (Score:1)
Actually, this somewhat concerns me too as my credit card was probably on file there.. Hopefully it's just an old expired one.
-mikey
Re:one-way encryption? (Score:1)
Online transactions... (Score:4)
It's even WORSE when databases are cracked! I can easily call my credit card company when I have a dispute to a charge or suspect my credit card is screwed, but if millions of card numbers are stolen, then millions of people have to deal with it. Credit card companies probably don't like having to notify or handle millions of irate customers with disputed charges, and probably don't like having to re-print new cards for all of these cardholders. This is really sad, that this was even able to happen, and that Egghead left the credit card numbers on their server. If they'd be backed up to another computer that only has a hard connection while the backup is in place then this would much more difficult.
"Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
Re:I worked for egghead until a month ago (Score:1)
Alot of things like this can come from former employees who were let go and might have grievences, and might know a thing or two about computer security or how things were running in the office.
This just adds to the stack of things im mad at Egghead about, Including my $35 ram that never got shipped....
Why the bad security? (Score:2)
It's a long way from being a perfect system, but unlike other processes I could think of in the 30 seconds it took me to read the slashdot blurb, it wouldn't involve putting any additional software on the consumers machine, and it wouldn't involve any change in the habits of the consumer. And it wouldn't be painfully difficult to implement it for new e-commerce sites, and it wouldn't be particularly difficult to retrofit onto old e-commerce sites, either.
Oh well -- it wouldn't be much harder to implement a much more secure system than I described (i.e., the merchant wouldn't know the CC number either), but it seems credit card numbers are generally considered "disposable" by now, anyhow. There is certainly no effort made by anyone to actually keep the silly things secret.
Why store Credit Card info at all? (Score:1)
I once went so far last year as emailing a site to tell them that their site was COMPLETELY insecure. Sure they used a cert and my transaction was encrypted but after looking at the action assoicated to the credit card form I realized all they were doing was sending my credit card and all my info to a mail account using formmail.cgi. So I didn't buy anything from them. That simple. The company was a small DVD company in Canada that are not even in business any more.
So I ask people, why the heck do these companies insist on saving our credit card info at all? Shouldn't we have to give them permission to save this info? I don't care if they save my address, phone number but when it comes time to purchase ask me what my credit card number is, I'd really prefer it.
Later.
Syn Ack
paulm@nospam.spider.org | PM1819
Re:IIS is known to have had many security flaws. (Score:3)
Preach On, Brother! Preach On! (Score:1)
"It really doesn't matter what Web server you are running ... if you are not keeping up with patches, you're insecure."
I couldn't have said it better myself.
This is the Egghead letter sent to customers (Score:2)
Subject: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO
Date: Sat, 23 Dec 2000 09:43:41 -0800
From: "Egghead.com Special Update"
To: mcdan@CSI.COM
Dear Customer,
Egghead.com has discovered that a hacker has accessed our computer
systems, potentially including our customer databases. While there
is no indication that any customer information has been compromised,
as a precautionary measure, we have taken immediate steps to protect
you by contacting the credit card companies with whom we work. They
are in the process of alerting card issuers and banks so that they
can take the necessary steps to ensure the security of cardholders
who may be affected.
We wish to underscore that we have taken these steps as precautions.
We have no information at this time to suggest that any credit card
information has been compromised. We are investigating this possibility,
and we are doing everything we can to proactively protect you. If you
would like further information, you may wish to contact the issuer of
your credit card to determine what steps they are taking. We regret any
inconvenience this may cause you.
We issued a press release on this matter earlier today. It is appended
below this message. If you have additional questions, please call our
customer service team at 1-800-EGGHEAD (344-4323).
Respectfully,
Jeff Sheahan
President & CEO
Egghead.com, Inc.
[There was a press release below this but I cut it out. It was standard business stuff.]
--
Egghead should have been more humble.. (Score:1)
Re:yeah my cc is one of them (Score:1)
Incomprehensible rantings.... (Score:1)
But when sites are stupid about the way they handle customer accounts (though i generally only trust credit card numbers to fairly reputable companies, like disney) I'm the one who ends up looking irresponsible.
As if my parents don't already think i'm a slack off, good-for-nothing college student with poor judgement half the time anyway, they then hear about all these sites that have been "hacked" or "craked" or WHATEVER (as if my parents have ANY idea what that is, anyway- even less than myself) They just can't believe that i would be dumb enough to do any online shopping and how could they have raised such a dumb daughter who'd just throw money away like that over the untrustworthy newfangled internet shit. geez....
Wow, that was random, thanks for listening....
Re:yeah my cc is one of them (Score:1)
Personally, the wait is never that long and I prefer the knowledge that my card was processed while placing the order rather than having to wait for an email to come whenever it does (like the next day).
I like ecommerce sites that require me to re-enter my card (or give me the option to not store CC#) because I am confident that when (not if) their security measures are compromised, my CC# will not be given away. Additionally, it protects me from a different kind of fraud, the kind where someone I work with accesses my computer while I dash out for a cup of coffee or discovers my password to an ecommerce site and buys stuff they want.
You're idea of a secondary ID code with the CC processor and processor keeps credit card number is a good balance between convenience and security, but still doesn't protect against someone masquerading as the buyer and simply redirecting shipments.
I like the idea (haven't tried it) of AMEX's disposable credit card numbers.
Re:Shouldn't EggHead be responsible? (Score:1)
Egghead's Response... (Score:1)
Return-Path: <owner-CUSTOMERSERVICE*jry**INAME*-COM@MORPHEUS
Received: from chmls12.mediaone.net ([24.147.1.148]) by
chmls14.mediaone.net (Netscape Messaging Server 4.15) with ESMTP
id G61HU900.US2 for <jaredcat@ne.mediaone.net>; Sat, 23 Dec 2000
16:18:09 -0500
Received: from smv664-leg.mail.com (lmtp09.iname.net [165.251.8.91])
by chmls12.mediaone.net (8.11.1/8.11.1) with SMTP id eBNLI7e22988
for <jaredcat@mediaone.net>; Sat, 23 Dec 2000 16:18:07 -0500 (EST)
Received: from promo2.eggheadlist.com (promo2.eggheadlist.com [204.106.181.12])
by smv664-leg.mail.com (8.9.3/8.9.1SMV2) with ESMTP id QAA05037
for <jry@INAME.COM> sent by <owner-CUSTOMERSERVICE*jry**INAME*-COM@MORPHEUS
Message-Id: <200012232118.QAA05037@smv664-leg.mail.com>
Received: from morpheus (morpheus.eggheadlist.com) by promo2.eggheadlist.com (LSMTP for Windows NT v1.1b) with SMTP id <4.0002D8CC@promo2.eggheadlist.com>; Sat, 23 Dec 2000 11:14:13 -0800
Date: Sat, 23 Dec 2000 09:43:41 -0800
From: "Egghead.com Special Update" <specialdeals@PROMO1.EGGHEADLIST.COM>
Subject: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
To: jry@INAME.COM
X-MIME-Autoconverted: from quoted-printable to 8bit by smv664-leg.mail.com id QAA05037
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by chmls12.mediaone.net id eBNLI7e22988
Dear Customer,
Egghead.com has discovered that a hacker has accessed our computer
systems, potentially including our customer databases. While there
is no indication that any customer information has been compromised,
as a precautionary measure, we have taken immediate steps to protect
you by contacting the credit card companies with whom we work. They
are in the process of alerting card issuers and banks so that they
can take the necessary steps to ensure the security of cardholders
who may be affected.
We wish to underscore that we have taken these steps as precautions.
We have no information at this time to suggest that any credit card
information has been compromised. We are investigating this possibility,
and we are doing everything we can to proactively protect you. If you
would like further information, you may wish to contact the issuer of
your credit card to determine what steps they are taking. We regret any
inconvenience this may cause you.
We issued a press release on this matter earlier today. It is appended
below this message. If you have additional questions, please call our
customer service team at 1-800-EGGHEAD (344-4323).
Respectfully,
Jeff Sheahan
President & CEO
Egghead.com, Inc.
Press Release:
Contact:
Joanne Hartzell
Egghead.com, Inc (650) 470-2713
John Stodder, Shoreen Maghame
Edelman Worldwide, (323) 857-9100
Egghead.com Investigates Breach of Company Computer Systems
Company Undertakes Immediate Precautionary Measures
MENLO PARK, Calif., December 22, 2000 - Egghead.com ®, Inc. (Nasdaq:
EGGS), released the following statement today:
"Egghead.com has discovered that a hacker has accessed our computer
systems, potentially including customer databases. As a precautionary
measure, we have taken immediate steps to protect our customers by
contacting the credit card companies we work with. They are in the
process of alerting card issuers and banks so that they can take the
necessary steps to ensure the security of cardholders who may be affected.
"Simultaneously, we have retained the world's leading computer security
experts to conduct a thorough investigation of our security procedures
and an analysis of this breach. We are also working with law enforcement
authorities, who are in the process of conducting a criminal investigation.
"For many months, we have been in the process of strengthening our security
systems in an effort to combat the increasing, industry-wide problem of
malicious hacking. We are committed to providing the highest security
standards in the industry, a process that has been ongoing and has
involved a considerable investment on the part of our company. Those
principles will continue to guide us going forward."
About Egghead.com: Egghead.com is a leading Internet direct marketer of
technology and related products. With an emphasis on Small- to Medium-sized
Business (SMB) customers, Egghead.com offers a wide range of products from
computer hardware and software, consumer electronics and office products,
to sporting goods and vacation packages. Its Clearance, After Work and
Auction formats offer bargains on excess and closeout goods and services.
Egghead.com combines broad selection, low prices, and excellent service
to provide an outstanding online shopping experience for businesses and
consumers. Egghead.com is located on the Internet at http://www.egghead.com
This press release contains forward-looking statements that involve
risks and uncertainties, including but not limited to statements relating
to steps taken to protect our customers. These forward-looking statements
are based on information available to the company at the time of this
release and we assume no obligation to update any such forward-looking
statements. The statements in this release are not guarantees of future
performance. Actual results could differ materially from current expectations
as a result of numerous factors. For example, our ability to protect our
customers from potential misuse of private information is limited, and the
impact of compromised computed security on our business is unpredictable.
Other risks and uncertainties associated with the business are detailed in
our most recent Forms 10-K and 10-Q which are on file with the SEC and
available through www.sec.gov
Shoreen Maghame
Edelman Worldwide
(323) 857-9100 ext. 231
e-mail: shoreen.maghame@edelman.com
Due to our desire to ensure every person who may be affected has been notified,
you may be receiving this message even if previously expressing a desire not to
receive email from Egghead.com. If this is the case, please be assured you will
not be receiving promotional emails from Egghead.com in the future.
To be removed from our mailing list please go to:
http://promo2.eggheadlist.com/blist.asp?e=JRY@I
it's a sign of the times (Score:1)
You basically get a new credit card number valid for x number of months and with a credit line of y dollars (you specify the details). You use the new number for one purchase and you're done with it.
Now, skip ahead a few months to the day the online retailer's database is cracked. The one-month valid card with the $90 credit line you used is long since expired, so you have no reason to worry.
MBNA (my issuer) isn't alone in providing services like these. I suspect that as cracking continues, you'll see a lot more people paying attention to the extra services their credit card company is trying to tell them about.
ck
Not quite on-topic, but... (Score:1)
Most people may miss this security feature. Since it is common to write your account number on the check when making a payment, the credit card companies came up with the guideline of asking for the expiration date, because (unless you're a dork or using ecommerce software written by dorks) the expiration date is printed only on the credit card itself. Not a foolproof defense against fraud, but a reasonable stop-gap measure that is now being compromised by some of the "larger" ecommerce sites.
Re:search bugtraq (Score:1)
I agree with you on the IIS/clueless admins thing, but if I recall correctly windows2000test.com was too busy being continually rebooted and "down due to weather" to be hacked.
-Legion
Re:Unfortunate... (Score:1)
"as I really could care less if you make rich businesses pay"
does irk me some, as "businesses" that get hit with fraud
1. either pass those costs on to consumers (or other businesses which deal with consumers - our whole society is based on CONSUMING), which ultimately affects you and me.
or 2. pay employees less because they have to 'eat' the cost associated with the fraud. If you worked at one of those 'rich businesses' you'd probably care very much if you were going to get paid less (or NOT get the pay increase you deserve - same thing in the long run) due to fraud.
Re:search bugtraq (Score:1)
windows2000test.com was not "hacked" because
1) No services were running
2) Whenever a breach was imminent, they took it off the network
I bet you think NT is C2 Secure too!
Re:What type of databases were broken into? (Score:1)
Re: (Score:1)
Re:Suggestion box @ egghead.com (Score:1)
I prefer to think of them as drunken, dyslexic chimpanzees.
Re:What difference does it make? (Score:1)
First, you're not quite right with regard to who loses with credit card fraud. The bank that issues the credit card occasionally, but rarely, eats the loss. Generally, it's the merchant who accepted the stolen card number who loses. Exactly which rules apply in a particular situation is far from simple. If by saying "CC company" you're referring to Visa or Mastercard then the CC company has nothing to do with it. They are just associations of banks that provide a brand and a set of standards; they're not real companies that you actually do business with.
Second, while you're right that in the near term there's no impact to the card holder, don't kid yourself that it will never hurt. You'll notice that both of those entities who stand to pay for the fraudulent charges make 100% of their income from you and people like you. What do you think they do with those additional costs? Further, this costs you and me even if the thief never uses the stolen numbers. How much do you think it's going to cost all of the banks involved to reissue the 3.1 million cards? I'll give you a hint: The industry figures that on average it costs approximately $8 to replace a card. You do the multiplication.
Fraud costs all of society, ultimately. In this case, I hope they find some way to make Egghead liable for at least a part of the damages for any abuse of the stolen card numbers. I wish they could be held liable for the banks' costs in reissuing all of those cards as well. Oh, and I hope the bozo that stole the numbers gets a very large, very hairy and very friendly cellmate.
Re:This cries out for one-time use credit card num (Score:1)
M$ make crackers go Ka-Chingg (Score:1)
Any of you guys remember that a few weeks ago (or was it last week?) creditcards.com that uses Microsoft Windows NT was hacked and about 3 million credit cards was stolen? Again and again and again. Even Microsoft itself has been hacked twice this year, plus another www.microsoft.si hacked.
and apache doesn't? (Score:1)
You act as though linux or anything OSS has never had a buffer overflow or security issues.
hrm (Score:1)
ok so here's what I wanna know...
If someone gets my CC number, what can someone do with it. I really don't know so that's why I'm asking. I mean, it's just a number... Don't you need more than that to make evil/good use of the whole credit card?
Yeah this is kind of a stupid question, but I've just never used one or even asked about it. So I'm just curious now
----------
Re:I worked for egghead until a month ago (Score:1)
search bugtraq (Score:1)
Don't blame IIS because of clueless admins. I don't recall windows2000test.com ever being hacked.
Consumer confidence (Score:1)
1) The consumer prefers to see the gift before purchase
2) The consumer prefers not to give out his or her credit card on line
3) The consumer finds many Web sites difficult to navigate
All of these are problems of consumer confidence and arise from the need of the customer for accountability. Individual protections against unauthorized purchases are inapplicable in the case of a DB crack due to reasons of scale mentioned in above posts.
So what is the solution?
Buy locally.
If an individual merchant decides to cheat you, YOU can go down there with YOUR baseball bat or YOUR neighborhood constable and confront the jerk.
If the merchant defrauds many people, a MOB of folks with baseball bats,or preferably their team of lawyers, can do the same thing.
The average e biz, for reasons of security, will be wanting to move to data havens pretty soon. For the same sovereignty based reasons a data haven is appealing to such firms, they will have no way of tracking and enforcing national laws against crackers.
We need international standards systems w/r/t privacy, personal information, fraud, security and intellectual property. For once, let's create safe and sensible structures BEFORE the net's growth beats us to the curve.
Re:This cries out for one-time use credit card num (Score:1)
Re:Dumbass (Score:1)
Re:one-way encryption? (Score:1)
Once again... (Score:1)
Although these disclosures and media attention are useful for letting card holders know about it (thus reminding them to check their statements), I have to compliment CNBC on something: They took the time to explain the difference between a CC# stolen during a transaction and one stolen later on from a database. Kudos to them.
REGARDLESS, I am forced to point out once again that we do "risky" things every day. Having your card # stolen from a database is no different than handing it to the guy making $5 an hour at Olive Garden and having him jot down the card info when he leaves with your check.
Granted, one might point out that getting a card stolen online might mean more people will abuse it and make illegal purchases. I counter that arguement with the fact that being one of 300,000 known stolen cards means media attention which would result in you getting advance knowledge to go over your statement with a fine-toothed comb, which you might not do (but always should regardless) if some random waiter stole your card to buy a few DVDs.
Re:SUE EGGHEAD FOR DISCRIMINATION (Score:1)
one-time credit card nums add significant security (Score:2)
In practice, I wouldn't be surprised to find that Amex's database does include the customer's permanent credit card number, but that's an implementation detail. There's no question that any way you look at it, one-time numbers really do add significant security.
Re:SUE EGGHEAD FOR DISCRIMINATION (Score:1)
Re:Incomprehensible rantings.... (Sc0re:0,Boring) (Score:1)
Re:What type of databases were broken into? (Score:1)
It doesn't matter why, it's still less safe. (Score:2)
Be it a hole in SSL or a lazy/stupid box admin that opens up the door for crackers and script kiddies to get access to your info, the fact remains that you have an annoyance on your hands. Canceling card, getting new card, notifying ISPs and other of the change in information.
I'd rather spend the time to drive to the mall, I can look at women in tight pants at the mall. Hell, maybe even score a phone number.
LK
Re:AMEX? I'd rather be in the pan than in the fire (Score:1)
Re:and apache doesn't? (Score:1)
Share the Wealth (Score:3)
At least the cracker could use one of those numbers to send the sysadmins a recovery care package:
pizza
Mountain Dew
1/2 ton of candy in Christmas colors
151 proof "eggnog"
Re:IIS is known to have had many security flaws. (Score:2)
I'm curious as to why you'd poll the database looking for unencrypted data versus arbitrating all DB access through a data broker that ensured it? In either case, the Web server has to be able to request and obtain the clear data, and while stored procedures are obviously the way to go, I've been hard-pressed to come up with a way to rate-limit the server's access to critical data if the server needs it (obviously CC#'s aren't the type of data a Web server needs access to, and stored procedures and second servers for customer service reps. fill that need quite well.) Especially in the "hundreds of thousands to millions of customers" category where queries per second are sometimes hardware limited instead of DB limited.
I've also asked folks to implement middleware changes in the past that would disallow any wildcard query and alert like hell on them. That helps reduces worst-case exposure pretty significantly even though it's not a 100% ideal solution.
My point on the number of bugs was twofold- first of all, I think that it's indicitive of the legal climate that such realities could be aggressively tilted toward contributary negligence. Secondly, one of the things that we rely on in the security community is history. Historical exposure provides significant help in determining relative security. For instance, BIND, which I now refer to as the "Sendmail of the 90/00's" has historically been insecure. Choosing DNSCache is more than likely going to produce a more secure system. It obviously shouldn't be the sole criteria, but I think it's important to add historical context to any architecture design decision.
OS Zealotry has such a limited place in any technical discussion or plan that it's minor, no matter what side the zealot fall on, but number of bugs does indeed indicate quite a bit once you normalize the results somewhat.
I've found history and current bug severity and number to be accurate in chosing firewall vendors, and in choosing at what point a firewall vendor has changed development/QA processes enough to significantly impact functionality (it's a shame there's not a money-back critical bug metric in software contracts.) 32k bugs says one good and one bad thing. It says a lot for the QA process and a bad thing about the development/release process. But then I originally worked on mainframes where you got a couple hours of scheduled downtime a year if you were lucky and vendors who produced significant recurring bugs got thrown out on their asses quite quickly.
I'm pretty happy working to secure alomst anything, but there are a lot of choices that I wouldn't make to host data *I* personally was responsible for the security of (Irix springs immediately to mind in its non-trusted varient.)
You should pause and ask yourself what the catchy number of bugs says about the design and implementaton of Win2k. The reason for its slow adoption curve is because that spoke volumes to a lot of people. Granted only a portion of those bugs have a significant security context, but security is but one piece of the whole. Win2k is where NT should have started in regards to features and stability, and I've little personal patience for any vendor who wants me to pay for QA (MS certainly isn't the only vendor on my list, just the extreme case.)
In an ideal world, we'd have easy to use and administer compartmented systems. Compartmented systems fly in the face of Microsoft's productivity in producing OS', and I see that as a potential problem moving forward- we're only starting to see the tip of that iceberg now in process-based protection mechanisms failing with very recent MS products. As usual though, security is always about compromise and securing what you have instead of what you might want. In an ideal world, OS' are commoditized to a point where it doesn't really matter which one you use and you can pick secure ones for secure purposes. That however flys in direct competition with every commercial OS vendor. It'll be really interesting to see what IBM does with AIX. SGI actually gamed it out early, but it doesn't seem to be overly important that IRIX is basicly EOL'd as far as their sales go.
Ah well, if the world was the way I'd like it to be, I'd be looking for interesting work...
Happy Holidays,
Paul
Re:Customer Service Response (Score:2)
What difference does it make? (Score:2)
Re:have fun doing some christmas shopping (Score:2)
Re:IIS is known to have had many security flaws. (Score:2)
NT4 Stability:
It's a combination of hardware, load and additional softare. These days it's *extremely* difficult to depend on a single motherboard being manufactured for more than 2 quarters, so I'm leary of anything that's hardware-finicky or driver related (having just had to try to track down some video and Ethernet chipset stuff, I'm particularly sensative to this at the moment.)
I've seen certified hardware with unescapable problems and random issues, though not as often as grab-bag stuff.
Bugs:
In the best environment, 2/3ds of bugs are known- while most won't have a direct security context, 1% of them would be pretty significant. I don't like at all the fact that Microsoft will release a product that they've no intention whatsoever of ever fixing/finishing. Instability has been a next release selling point for them, and that bothers me a lot, but mostly morally.
Some people like the idea of microkernels, I'm not convinced they have any real-world advantages, and side with Linus on that front. Given the APIs, I'm not sure that Win2k qualifies as "micro" anything
You should try Apache under NT, it's been threaded for what about 2 years now? The server is modular enough that if you spend some time with it, you can pare it down pretty significantly, and it handles named virtuals as well as anything.
ACLs are only a beginning. If you want to see how a secure OS is built (secure to the level of potentially being able to give out writable CGI directories and open shell accounts and not worry about compromise) check out http://www.rsbac.de. That's the major advantage of an Open Source OS, for a relatively miniscule sized chunk of code (not to belittle the effort, the effort was and is tremendous) RSBAC gives us role based stuff (No more superuser compromise), full ACLs, Mandatory Access Control, compartments, malware control, and the European Privacy Model. Better yet, it's not just an implementation, it's a framework for creating new security paradynes. It's securelevel taken to the next level. That's where small *secure* dedicated machines should spring from. Best of all, it's still able to run normal programs. The only thing it could really use is more socket-oriented stuff, but there's already enough to use and gain from significantly as a base for secure systems.
Don't even get me started about Exchange- you *can't* pare it down, SQL Server is monsterous- very secure doesn't come in packages that large without a lot of dedicated work that MS will never do because it's not profitable. Lovebug's spread had help from Exchange's architecture issues.
They've already got massive version control issues with the current Service Pack/Hotfix stuff adding more products would be a death knell for QA. Regression testing is probably their longest lag time to fix on critical issues and why SPs take so long to get out and can't have last-minute fixes incorporated.
Given the inroads Linux has made into the high side, it's inevitable that MS will have problems down the road getting the successor to Win2k adopted since Win2k is at least mostly-stable.
Personally, I don't think Embedded NT stands a chance against Linux/*BSD. But I've been wrong before. Twice
Back to real-world stuff- It's certainly possible to run real-world sites on NT, and we have no problem certifying our customers that do so once they've gotten through the essentials, but the level of dillagence for IIS is higher than that for Apache (mod_rewrite's last bug is the only significant security sensative Apache bug for a while now if you've configured conservatively.) Obviously because on-going reporting and testing are a part of our business, IIS is good for our model. Just like Word and the Macro Virus problem though, I personally think there are a lot of better choices that make more secure platforms. Beta was better than VHS though- and now the only Beta is the broadcast stuff, not consumer stuff (that wasn't one of the times I was wrong though, I went VHS all the way
BTW: I was serious in the first post about trying the top few exploits against your IIS servers- the last time I saw someone do it on what seemed to be well-managed sites, the results were astounding.
Best wishes,
Paul
Re:Christmas Cheer (ot) (Score:2)
Re:hrm (Score:2)
--
Re:This cries out for one-time use credit card num (Score:2)
Re:hrm (Score:2)
Site registration is bad (Score:2)
I typically avoid e-commerce site that require me to "register" before I can buy, however I do happen to a "registered" egghead customer
First off you have to give them a user name/password which after a while you start using the same username/password unless you have a very good memory. Typically passwords are stored unencrypted on a database somewhere so that you (or some devious social engineer) can retrieve your password if you forget it. Once your username/password is compromised then a simple script can test for other accounts at major e-commerce and/or stock trading sites.
Also, I prefer to have the store where I buy from wipe out my cc number after processing the order instead of leaving it around for some disgruntal employee to access.
Education (Score:2)
Education can be painful. But in the end, it's better to learn a lesson than not.
Re:Will they let individuals know? (Score:2)
This is not to say that I think keeping silent is right (taking responsibility for your mistakes is the Right Thing To Do), but it is certainly understandable.
IIS is known to have had many security flaws. (Score:4)
>Hacked servers by Microsoft
>Robertson said that Egghead.com is using Microsoft's Internet >Information Server, a common e-business server, as the platform for >its online service.
>IIS is known to have had many security flaws.
Show that to your boss.
--
Re:yeah my cc is one of them (Score:2)
- You check out for a new game on Tuesday.
- The merchant authorizes your card to make sure that it can charge the $43.64 that the game costs. Note that there is no charge yet, but the merchant has reserved $43.64 for it to take later when it ships the game to you.
- On Wednesday, the company ships the game to you.
- On Thursday, the warehouse updates the accounting system so that it knows the game has shipped.
- Thursday evening, the company charges the $43.64 that it reserved early during the card authorization.
- Monday comes, and you receive Virtual Barbie instead of Tom Braider. What's the difference? You tell me, but you wanted Tom Braider, so you call the company.
- Their customer service representatives apologize and promise to credit your account for the $43.64.
- Ten minutes later, the credit to your account is performed, and you don't have to give your card number again. Plus, the customer service rep never has to know your card number because it is already in the merchant's database, and access to the actual number is, hopefully, tightly controlled.
The point is that the company needs your card to be able to process monies later. There is a point at which the liability of keeping card numbers exceeds the usefulness gained, and apparently many companies have chosen that time poorly. I imagine that those who do purge records from their main systems keep the card numbers for at least as long as they would typically provide a money-back return to the customer. Also note that online merchants are not the only ones who keep these records. All companies follow a similar process, but online companies always have their systems connected to the Internet in some way, which makes them more obvious targets.How were the CCs stolen? (Score:2)
Merry fscking Christmas (Score:2)
Their god is Linus Torvalds and they'd live and die for him.
They believe in source code, and not in the corporate way.
So I'll go to "slashdot dot org" and post a comment and saaaaayyy....
HEY THERE MISTER SLASHDOTTER! Merry fscking Christmas!
Put down that disk of core dumps, and hear my holiday wishes...
In case you haven't noticed, it's Jesus's birthday
So get off your penguin-loving butt and fscking celebrate!
Re: (Score:2)
Re:Preach On, Brother! Preach On! (Score:2)
Seriously, getting 10-20 minutes worth of interview into a few lines of quoted text, you always hope that the reporter will understand and report the gist of what you said.
The sad part is that over two years after it's been fixed, RDS is still the #1 attack vector for IIS. It's _really_ getting difficult to point to Microsoft as partially responsible for releasing crappy code when fixes that are eons old are never applied. If we could get wu-ftpd, sunrpc, RDS and the unicode
Paul
Comment removed (Score:5)
caveat egghead (Score:2)