MSNBC: Stealing Credit Card Numbers Online is Easy 330
tiny69 writes "This is the reason why I don't use my credit card on the internet. The people I give it to may not be as responsible as I would like them to be. It's easy to point the finger at Microsoft and the MCSE's running the systems on this one." [Irony alert!] Yes, MSNBC says all the servers they cracked were running MS SQL. [/irony alert]
But do you use a cordless phone, or a cell phone? (Score:1)
Do you shred all your personal documents? Do you review the security procedures of your bank? I'll bet not.
The only reason this is noteworthy is because this abuse happened over the 'net. It's hardly a novel threat.
I'm patiently awaiting the calls for regulation of online businesses to "protect consumers" from this kind of thing. The better to tax them with.
No firewall? (Score:1)
I would hope that a database server like that would have been set up behind a firewall which blocked all access to the database admin ports, Microsoft RPCs, etc. and only allowed HTTP and HTTPS access.
OK, a hosting service might allow an IP they know is the client's to administer the server, but not the whole internet!
If a firewall isn't blocking database admin, it might not be blocking NT file sharing either, and that opens a whole new can of worms.
And no, this isn't an NT problem. If I had a MySQL system and allowed the whole internet to access port 3306 on the server, then I'd be in trouble, too.
Re:Windows 2000 (Score:1)
In other words, if you're logged into your workstation as JoeUser, you will be automatically authenticated as that user to the telnet server on the machine you're trying to connect to.
This is done via NTLM or Kerberos, depending on how your domain is set up, so it is pretty secure. It works just like how you don't have to type in a password to connect to a file share if you've already authenticated to the machine.
I would note that this the default Win2K telnet server config is actually much more secure than a regular telnet server, since passwords are not sent over the wire in plaintext.
Turn on IPsec, and the session traffic will be encrypted as well.
Fer Cryin' Out Loud (Score:1)
This only proves a point that I've long been trying to make to those who have been of the opinion that "once Microsoft enters the server market, the Bad Old Days of needing arrogant computer gurus will be over." Frequently heard in pre-WinNT days and apparently still believed by many.
The point is this: sophisticated and powerful computing problems need sophisticated solutions, implemented by knowledgeable and talented computer engineering professionals.
Make no mistake: this kind of thing is not Microsoft's fault. It was just an amusing irony that MS server products were the ones that were discovered/investigated. And lest anybody think that non-MS platforms/software are unlikely to suffer the same kind of fate: witness the Serious Bug in MySQL password handling [securityfocus.com] recently reported on bugtraq. How many E-Commerce site admins running MySQL do you suppose don't even know about that one, much-less have it plugged?
Where Microsoft is to blame, IMO, is in promulgating the myth that their products take the complexity out of complex problems. Sorry, but it just ain't so. What they do accomplish is burying details so effectively that the solutions appear simple. (And, ironically, even if you know they're not: making it hard to "get to the root of things." [No pun intended.])
Real computing problems require real solutions implemented by real computer-savvy, intelligent and, perhaps most of all, focused and responsible engineers. Not some liberal arts or business marketing graduate that took one-or-another vendor course and got his or her "certificate." Regardless of the chosen solution. (Tho I, personally, do not recommend MS-based solutions.)
Suggestion (Score:2)
Look! Up in the sky! (Score:3)
WHOOSH!
Bill Gates, Chief Software Architect! (Dah-da-da-DAH!)
Gaping holes, clueless management : help ! (Score:4)
Posted via Anonymizer [anonymizer.com] as an AC for reasons which will become obvious ...
This is off-topic as far as this story is concerned, but I'm posting because there are (I think) lots of people in a similar position & I really would like to hear some fresh thinking about how to wake my employers up.
I'm employed as an intranet developer by AMegaCorp.,Inc., a business services firm. With the thrill of anonymity I can name a client to give you an idea of how big they are : Ford Motor Co.
Our people have daily access to insanely sensitive stuff. Stock prices moves would be the tip of the iceberg. There's a fair amount of, um, politically sensitive stuff in there, too; let's just say defense, nuclear ... that kind of thing.
I've tried raising these issues in various ways, with no effect. Should I just run away ASAP ? Or am I morally obliged to do something about this ?
Seriously, any suggestions ?? This is doing my head in !
--
healing bex
CC# security - 40-bit SSL is common in UK. (Score:2)
Many companies in the UK are only using 40-bit SSL, which is blatantly insufficient. Offenders include Dabs Direct [dabs.com], who actually told me that they're happy with 40-bit SSL and don't intend to upgrade.
I've spoken to NatWest Streamline, who perform CC clearing for many online retailers, and they don't intend to increase their minimum security guidelines to 128-bit SSL. I know know which of the two is being more negligent.
Even the Which? Web Trader Scheme [which.com] doesn't mandate 128-bit SSL, which is insane.
Re:Good tactic (Score:2)
Re:Why Not Use Credit Cards over the Net? (Score:2)
Sure, this is an isolated incident, but so is the CDUniverse crack.
Re:Typical misinformation... (Score:1)
I don't know who or what you are responding to, but I've read almost all of this discussion and I haven't seen anyone 'spewing' anti-MS FUD or claiming that these servers were 'cracked'.
The article also said that the
--
Simon
Obvious solution: (Score:3)
Let's sue MS-NBC for stealing 2,500 credit card numbers!
These sorts of lawsuits are brought against [cr|h]ackers all the time. The defense? "Um... I wasn't going to use them, I was just... just wanted to see if I could get them! Yeah, that's it!" Yeah, right. And that's what MS-NBC wants you to believe too. So either we'll have a precedent for being able to collect information on the grounds that it's cool, or we'll get to sue MS-NBC back into the dark ages. Sounds good to me.
(all you have to find is one of these companies who actually knew they got hacked... um... never mind.
---
pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
Re:This Is Probably A Good Thing... (Score:2)
1. Partitioning - Web and database server functionality should be separated as much as possible: having your database on a separate machine and fitted with proper access controls (i.e. only accepting connections from trusted hosts and using proper authentication in addition to that) is pretty much a requirement.
EXACTLY!! My first thought was why are they even allowing access from outside their own domain. It's easy to set up and can protect you from a multitude of mistakes in other areas. I wonder what those companies would do if someone issued 'delete from orders;' or some such?
All of the things you mentioned are important, but that one thing would go miles in the right direction.
I would add one more thing: NEVER allow a cgi script to pass in unchecked SQL. That's begging for trouble!
MS servers get cracked more because there are more (Score:5)
Re:MS servers get cracked more because there are m (Score:1)
Re:Windows 2000 (Score:1)
And I wholeheartedly disagree with you.
the term "bloated" refers to a lot of things, but mainly, to the fact that the bar is raised with each release with regard to minimum hardware requirements. W2K's minimum hardware requirements are fairly astronomical. When you run it on low-end hardware, it is slow as hell. And in the Microsoft-run training class I took, we couldn't get half the machines to install DNS, and therefore couldn't get ActiveDirectory to run on those machines, and therefore couldn't install most of the nifty new cool spiffy features Win2K supposedly has.
It's a big bloated piece of POO, unless you can buy shiny new very expensive Intel hardware to run it on.
I wish I had a nickel for every time someone said "Information wants to be free".
Re:You work for Microsoft, don't you? (Score:1)
other parts of the OS."
A **RESPONSIBLE** OS vendor would ship the libraries and objects SEPARATELY from the application, allowing people to install the libraries and objects, and use whatever web browser and web server applications they want.
Applications != Objects and Libraries.
I wish I had a nickel for every time someone said "Information wants to be free".
Re:Windows 2000 (Score:1)
PS. I brought in over $100k last year, and I just bought a $4500 Sun Ultra 10, so don't go talking about things you have no idea about. I'd just prefer an OS that lets you spend money on hardware for performance improvement, not spend more money for the same or worse performance, and I'd like hardware to be useful past a 2-year horizon. In an NT network, if you go W2K, if you want to take advantage of most of the new features, you need to run CaptiveDirectory, so you have to be homogeneous with respect to OS, which means the Pentium 200 you used to run NT 4 on gets shitcanned. With Linux, when you buy your shiny new dual Xeon 500, you can keep your Pentium 200 around as a DNS server or something.
There's a difference between demanding cheap, rock-bottom priced systems, and demanding value for your hardware dollar.
I wish I had a nickel for every time someone said "Information wants to be free".
I find it odd ... (Score:3)
MSNBC may be a touch more honest than Microsoft proper, but that doesn't mean they entirely have their clue on straight. Yes, tell the world that MS SQL has security holes in its defaults
Clues?
They should ask before storing the number (Score:2)
Re:It *was* fixed (Score:1)
--
Re:Typical misinformation... (Score:2)
It *was* fixed (Score:2)
These examples show that the problems don't lie in the software - it's in the wetware. Any system, OS, or combination of the two can be insecure with a stupid enough person at the wheel.
Sneakernet (Score:2)
sneakernet /snee'ker-net/ n.
Term used (generally with ironic intent) for transfer of electronic information by physically carrying tape, disks, or some other media from one machine to another. "Never underestimate the bandwidth of a station wagon filled with magtape, or a 747 filled with CD-ROMs." Also called `Tennis-Net', `Armpit-Net', `Floppy-Net' or `Shoenet'; in the 1990s, `Nike network' after a well-known sneaker brand.
(from the jargon file [tuxedo.org])
--
Bull shit (Score:2)
___
Moderate this up (Score:2)
...And then get someone to "surreptitiously" point it out to Ford's PHBs.
My suggestion: Fake up an email and run it through a bunch of anonymous remailers. Claim to be a cracker who has access to information that would be available to someone who penetrated only the outermost security layer. Mail it to yourself at Ford. Forward to supervisors with the heading, "We got a problem!" When the emergency meeting is convened, drop on the table your prepared action plan for creating reasonable security and say, "We're going to do this."
Make sure the first thing you do is install RCS/CVS/whatever version control on all security measures, and log everything. This way, they can't later claim your fake email was a ruse to install trojans, since all checkins were logged and can be reviewed.
Hey, might work...
Schwab
Is this really a new problem...? (Score:5)
----
Linux based companies have been guilty as well (Score:2)
It's true that submitting private information such as a CC number online is really no different than signing a receipt in a store, but a certain trust relationship is assumed when carrying out a secure online transaction. I think people using "the Internet" for transactions tend to rush about with their business without thinking. Maybe it's the "time dilation" that occurs on "the Internet", or maybe not.
Re:Windows 2000 (Score:2)
Re:Windows 2000: A solution to a non-existing prob (Score:2)
Select "Properties".
Select "none" for menu effect.
No more fade-in menus to bitch about.
Win2k Install Times (Score:2)
http://slashdot.org/articles/99/09/29/119245.sh
-----------------------------------------------
Was he installing from the CD? Was he installing directly from his HD under windows? Was he installing from the CD in DOS? If he was installing from DOS, he probably didn't have the foresight to load smartdrv and sat there for 4 hours while it copied all 2,000 files from the i386 dir to the HD. Anyone who has any experience installing Win2k doesn't install this way as it is like chineese water torture. DOS copies files very very slow. The better method is to either boot from the Win2k CD directly, install from Windows (if you already have it installed), or if you MUST install from DOS - make SURE you run smartdrv to speed up the file copy process.
I can't speak for beta2 since it is almost 9 months old, but Release-Canidate 2 that was released a couple of weeks ago doesn't take more than an hour to install. I am speaking on behalf of 40 or so people in #Win2000 on efnet who all install Win2k at various times. As long as they arent installing from DOS without running smartdrv, and they don't have shitty hardware, they install within an hour consistantly.
-----------------------------------------------
To add to that, Win2k RTM (final) has been quicker to install than RC2 that is mentioned in the quoted text.
Why give the CC# to the merchant ? (Score:2)
Unless I explicitly agree (hence the default being that I don't agree [that one's for all you sites which made me search for that darn check box which was inconvieniently ticked for me]) to have my e-mail Inbox or snail mail box filled with wads of trash they don't need squat.
How 'bout this. VISA (or AMEX/Diners/etc) goes into the instantaneous online transaction business.
I've filled my shopping cart with goodies and I'm heading for the checkout. At this point, I give them my name and the billing address of my VISA card (the public key). The merchant then contacts VISA and indicates that I want to make a purchase for the given amount. VISA then issues a challenge to get the credit card number correct (the private key). This can be easly done without ever transmitting the credit card number itself or anything which can be easily converted into my credit card number.
For example, VISA sends the merchant some random garbage who then passes it on to me. I enter my credit card number which is combined with the random garbage and spits out, for sake of argument, a 128 bit MD5. I send the MD5 back to the merchant who then sends it to VISA who can easily verify that the card number is correct, and then make sure I'm not over my limit etc.
VISA then indicates to the merchant if you succeeded or not and the transaction is completed. As an added bonus the transaction could require that you combine the amount of the transaction with you credit card number to prevent the merchant from being able to fiddle the books (not that a merchant would want to do this anyhow, I can't imagine that pissing VISA off is good for business).
So the net result is the merchant (whom has been identified as a weak link in the chain) never sees you credit card number.
Shooting the Messenger? (Score:5)
I've read through alot of these posts, and there seems to be two common threads to most of them:
I think both of these need to be addressed to see the underlying reasons for the problem, of which neither of the above are.
First off, I'm a professional SysAdmin, and have spent most of the last 4 years doing System Architect and Security stuff. The last two at E-commerce places.
People, the problem is threefold, none of which is easy to fix:
Virtually nothing is designed with security in mind. That includes all our favorite UNIX OSes, Windows, and virtually all applications. The few apps that seem to have some reasonable security setup often sacrifice this by using stupid defaults to aid "ease-of-use". The sad fact here is that nothing we are using these days is decently secure (no, not even OpenBSD). UNIX is stuck with the all-or-nothing model of security, while Windows actually has a good model that is horribly implimented. Apps tend to be the same. Given that the systems are poor to begin with, hardening them is more than difficult. And compromises tend to do massive damage.
Business is not taking security seriously. Right now, time-to-market is king, and everything else is sacrificed to that great Idol. This is primarily the public's fault, as people seem to reward cheap and first rather than more expensive and well-designed. The miserable state of software quality is a prime example of this mentality. And bugs are a leading cause of security problems.
Also, companies have limited resources. Right now, spending the extra money to shore up security (or maybe even - gasp - do it Right) is about as likely as giving the entire staff a free vacation to Tahiti. They simply have no reason to do it - there isn't much real PR problem, the public doesn't seem to reward companies that spend the extra on security, and there aren't really any legal liabilities yet for failing to do so. So why spend money on something that doesn't have any real returns?
Security is an ongoing battle. This is related to both the previous problems (lack of proper resources, and poor security to begin with). In order to keep a site even basically secure, it's far more complex than simply keeping an eye on BugTraq and watching for vendor security updates. A typical mid-size e-commerce site probably has at least 100 different products (remember, each script is a different product) to keep an eye on, covering at least a dozen (nowdays, with ASPs, likely several score) machines. Just keeping up to date is a daunting task, and like fighting a really war, the opponent isn't stupid, and adapts rapidly. You will suffer defeats. Security is a massively complex and difficult job. Don't let anyone kid you otherwise.
The knee-jerk reaction to fire the admin is merely a Management-covering-their-ass mentality. Blaming the product overlooks the reasons why the product is that way, and also doesn't say anything about the state of the market as a whole.
Until there is a concentrated demand from the public for security, things will continue to be as they are. If the public can stand it, well, then that's the shape of the world we live in. If they don't like it, give business the incentives to buckle down - make them legally responsible for breakins, buy only properly-designed software, etc. Until that happens, blaming the admins and the software is stupid.
Re:Typical misinformation... (Score:2)
This looks to me like a prime example of someone from the Linux community happily spreading FUD or just generally spouting ignorance. I've had a fair amount of experience with MS SQL Server recently, and, being a long-time MS-hater, I certainly didn't come to it with an open mind. But I have to say that MS SQL Server is a damn good database; I'm very, very impressed with it. It's certainly as solid and as featureful as anything else out there.
Unfortunately, it is somewhat crippled by running only under NT. This limits its reliability and security, in that the OS underneath it is not terribly reliable or secure. It also limits its scalability in that NT simply doesn't run on big machines. And, of course, I find NT system administration a complete PITA.
But there are a lot of database systems out there than can get by just fine on a 4 x 500 MHz PIII system with a gig of RAM, and under many circumstances the MS SQL Server system will be rather cheaper than the Unix options. If you've got an NT admin handy to keep the server running, it can be a worthwhile choice.
cjs
Re:Is this really a new problem...? (Score:3)
The fact of the matter is, there are lots of people who could steal your card number...and not just in the places you use it. People at the bank who issued it could get ahold of it, too...people could (and have in times past) take rubbings through the envelope in which it is delivered to you. The only way to keep your number a complete secret is not to use it at all...and what would be the point of that?
Thankfully, many of the places where one could potentially use a stolen credit card number are becoming more watchful about getting verification of details, such as billing address. It won't stop fraud completely, but will help cut it down.
::$DATA (Score:2)
Re:Typical misinformation... (Score:3)
I think the basic problem here is what you mentioned yourself, that system administrators forget to remove (unnecessary) default accounts, or forget to patch for security bugs.
What always has been part in the equation used as for why the MS solution would be best (beating Unix), was the ease of use, and the resulting lower cost of ownership because you could hire cheaper people for administering your systems, and that those cheaper people would require less time per server to administer, because the OS was to userfriendly.
That part of the equation has now, repeatedly, been proven to be faulty.
Re:Is this really a new problem...? (Score:2)
I used to work for RadioShack, and believe me there was a LARGE potential for abuse there. I would assume this potential exists anywhere in retail, but....
It was a small matter to rip off HUNDREDS of credit card numbers per week. (Not that I did this...but I'm sure some people who worked for RS did...). This may have changed since they converted to a new register system a couple of years back, but...
RadioShack would keep the yellow carbon copies of all receipts printed out. The ones for credit cards would go into a separate bin. The bin was not secured in anyway: it was sitting on a shelf, in plain sight to someone behind the counter. All one would have to do is wait till the manager went on break, and start copying credit card numbers down (yes the reciepts listed the FULL credit card number right on them, not simply the first four or last four digits as is now common place). At that time, most stores were not even videotaped, so the potential for abuse was QUITE great.
RadioShack no longer prints the full credit card number on the receipt, so this is no longer an issue with them. Most stores are now videotaped (since in the 90s many managers started setting up videocameras taken from stock to tape the store, it became common practice).
So think twice next time you use your credit card -- ANYWHERE, not just online. Make sure your CC# is not printed on the receipt in full....if it is, demand to see the "carbon copy" and black it out with a magic marker.
Re:Trust Based Method Open to Abuse (Score:2)
My primary complaint is that there is no other easy way for me to buy stuff online...
And.. as for merchants earning my trust.. I firmly feel it is the responsiblity of the CARD ISSUER to trust the merchant, and is not my problem. If someone tells me I can pay with my card, and we agree on a transaction, then that is the only transaction I am responsible for. If the merchant steals my number and uses it fraudulently, it's not my problem whatsoever, it's Visa's.
Re:Shooting the Messenger? (Score:2)
If they aren't.. that's VISA's problem.
In any rate, it is not the consumer's problem..
Re:Is this really a new problem...? (Score:2)
And I bet you are right about the merchant agreements forbidding things too.
After some thought, the consumer doesn't have a lot to worry about, really... it's the credit card companies that will bear the burden.. and they will just hand it off to the merchant.
Re:Why Not Use Credit Cards over the Net? (Score:2)
Yes.. a clerk could do it, and a kiddie could do thousands... but so what? This doesn't hurt the consumer, it hurts the card issuer, and by contract, the merchant.
Also.. they don't 'withdraw' money from your account.. they 'charge' $5 in credit.. which you can just refuse to pay.
Re:Why Not Use Credit Cards over the Net? (Score:2)
But did you call the card issuer instead? If bogus charges appear on your card (which, I believe, includes any incorrect charges) the issuer will immediately revoke them and put the onus on the merchant to sort it out. It is the merchant that should be put out by this.. not you.
Re:Is this really a new problem...? (Score:3)
On the online front, at one point, Visa said 'We will not give you a merchant account for online work unless you meet certain requirements.'
These requirements included providing information about your firewall, your security policies, who has the passwords, etc... which made perfect sense. They were protecting the consumer.
The problem is.. this gets abstracted. ONe company gets a merchant accounts, and then sells transaction 'services' to others, and at that point, security is questionable.
Re:What we really need... (Score:3)
It's not the consumer's problem. The whole reason for using a credit card is BECAUSE Of fraud protection.
The merchant is held responsible. The consumer does not have to pay unless the merchant can PROVE that it was them who initiated the transaction. If the consumer says 'I didn't do this' and the merchatn can't prove it, VISA doesnt' pay the merchant...
So.. VISA is protected.. and the consumer is protected.
And it's up to the merchants to protect themeselves.
So if someone steals the AOL customer databse.. who gives a hoot? It won't put any customers out any..
Re:Card Companies need to get wise. (Score:3)
ie: if you already have a storefront, and a merchant account, and then decide to do things online.. you don't need to tell visa.
That, or some third party farms out transactions.. making it so you don't have to deal directly with visa.
And all that aside.. VISA is not responsible... they clearly state that they do not have to honor any statement unless the MERCHANT can prove that the customer used the card legitimately (signature, basically). If a cardholder says 'I didn't do this' and visa says to the merchant' can you prove they DID?' and the merchant says 'no' then the merchant doesnt' get paid.period.
Let's get a few things straight. (Score:4)
1) You are not responsible for fraudulent use of your credit card. Technically, and I forget the exact terms, you can be held liable for up to $50 of debt.. but this is never enforced. It may only apply if you know about the theft but do not inform the card issuer immediately (kind of makes it your fault then anyway..)
2) The Credit card companies are the ones who bear the brunt of the financial burden for fraudulent use of cards. If their merchants are irresponsible, and cause them to lose money, it is up to them to deal with it. They are fairly lax about it, though, as if it was difficult to get a merchant account, then nobody would accept credit cards, and they would be out of business.
3) It is between the Credit issuer and the authorized Merchants to deal with this issue, it is not up to the consumer/cardholder. Yes, the cardholder should behave responsibly, but at the same time, who tells us this? The CARD COMPANIES tell us this.. why? Because it lessens the burden on them.
Remember.. one of the things card issuers use to get you to use their card instead of good old cash is FRAUD PROTECTION.. and that is the very beauty of credit (if there is such a thing..). You can buy online, and not get ripped off. If you buy with cash... ha.. you have no recourse.
Your own Win2K problems (Score:2)
Could well be. That really isn't saying much. There is plenty of room for improvement in Windows. (Most would say that is an understatement.)
For that matter, it's the best OS currently on the market.
Really? You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers [wonko.com]. SVCHOST.EXE starting eating up all your RAM and CPU. Very interesting, that.
You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager". So if you see something sucking up CPU time, you kill it. And if you need to find out what is wrong, you open up the source in the debugger and trace it. With Microsoft, when SVCHOST.EXE goes wonky, you do not and cannot determine what is wrong by examining the problem directly. You have to jump through hoops, like reinstalling the OS, for example.
Another thing about Linux: Linux backup software can handle file names longer then eight characters. I guess in Micros~1 land, that is too advanced to do.
I find it very interesting that you assert Win2K is the best OS on the market, when you yourself have encountered problems Linux has never had, and never will.
You work for Microsoft, don't you? (Score:2)
You: Uh, you've never used netscape have you?
You work for Microsoft, don't you? Well, in my book, the browser isn't part of the OS!
You: Uh, you could always get 3rd party backup software (or did Linux write all of GNU himself).
You miss the point. This guy goes around claiming Win2K is the best OS available, but its own backup program cannot understand its own filesystem? Yeah, I really want to trust my data to software of that quality.
The Linux kernel and monolithic programs; more (Score:2)
You: In fact, my friend, that is exactly what the Linux kernel is. Yes, the Linux kernel is a huge, monolithic program (thus the term "monolithic kernel") that contains a good deal of Linux's device support as well as a zillion other things.
Not quite the same thing.
Yes, the kernel is a monolithic kernel. That refers to the design of the memory management and scheduling of the kernel. All parts of the kernel share the same memory space and are scheduled together. This is one of the reasons Linux performs so well -- the kernel isn't preemptable, so there is no overhead of task switching in the kernel.
However, the kernel is still nicely modularized into separate components for software maintence, and compiles to a small binary that performs one task -- low-level device abstraction -- well. True, all of your low-level device abstraction is happening in the same program, but there really isn't a way around that. Device drivers have to have kernel privileges.
Comparing that to what I was referring to -- the many "monolithic" userland programs in Windows -- is an error. I was referring to the fact that there are a great many "do it all" processes in Windows which are essentially opaque, such as SVCHOST.EXE. You have no idea what they really do. You cannot get inside them to diagnose problems. They are a magic black box, which you are forced to trust. Hence the term "monolithic". Sorry if my usage confused you.
Now, there are various projects to include userland functionality -- knfsd, for NFS service, and khttpd, for web service -- in the Linux kernel, but I consider them the wrong solution to a problem. Fortunately, I don't have to include them in my kernel -- I can easily exclude them at compile-time, or not load them if I'm using pre-compiled modules.
That is another thing you cannot do with Windows -- you have to accept Microsoft's choices for what is and is not in the kernel. Such as the graphics layer. Originally, NT 3.x did not include the graphics subsystem in the NT kernel. This is one of the reasons NT 3.x was so slow, but it did mean better stability. However, MS decided to move parts of the GUI into the kernel itself with NT 4. This made things faster, but means there is a lot more that can go wrong in the critical kernel code.
Hmm. I guess you didn't read my article too well. I didn't use backup software to back up my files.
Hmmm. I guess you didn't write your article too well. I quote, "...installed Win2K, did an emergency restore of my wonko.com backup (which, luckily, was totally up to date)." Sure sounds like a Win2K backup program to me! How was I supposed to know that a totally up-to-date "backup" really meant you did a file copy after the problem happened? To me, a backup is something you do before problems occur.
(And before you start jumping up and down about your usage of "DOS" in the next sentence, realize that: MS still uses DOS today in some of its products. MS supports DOS programs under NT. MS has system recovery procedures that work with NT using DOS. Using a DOS-based program to run a system restore program is something they've done in the past. I didn't know you meant the actual MS-DOS(TM) product running instead of NT. I didn't think anybody still used stand-alone DOS.)
When I made that statement, I was referring to the final release of Windows 2000, which I am now using. My previous problems, as I've stated before, were with a beta version of the OS.
That is very true, but I believe the problems I describe are flaws in the design of MS-Windows, of which your problems are only examples. Windows still follows the same design approach, and I believe it will still cause problems.
Security Models (Score:2)
I think at the heart of this is the age-old debate: Open-Source/UNIX vs. Closed Source/NT/WinX. Before everyone starts flaming, or or yelling "MS basher!", let me explain...
I've noticed that most *nix software ships with a very tight setup by default. You have to specifically enable things. You have to open those ports that you want opened. And your admin needs to have a clue.
Now, with an MS solution, things are a bit different. Turn it on, click here, type in some info - and HEY! you've got an E-Commerce site up! And if you are not well-versed in security, and/or pretty clueless about the internet - you could be in big trouble, as the MSNBC article points out.
My point is, you don't have to know much about IT stuff to set up an E-Commerce site using this software. You don't have to know anything about security. And this leads to the sort of things we are seeing now. "Ease of use" on the desktop is just fine... but I think they have carried it a little too far on the server end.
I agree with many of the other posters though, this is not entirely Microsoft's fault. I think the blame should mostly fall on the PHB's hiring clueless admins.
Re:Don't be a moron.. (Score:2)
Any moron can set up an E-Commerce site with IIS, whereas to set up PHP/MySQL/Apache takes a little bit more understanding and working knowledge of the Internet.
You tend to pay more attention to security when you have to learn HOW it all works, rather then point-and-click your way online.
Re:Don't be a moron.. (Score:2)
I have seen a lot of "admins" passing themselves off as professionals in the IT field, when they knew next to nothing about how any of it worked. And most of them were NT admins. I am not bashing NT admins as a whole, but it is much easier to pass yourself off as a Professional with NT than with Linux, IMHO.
Compare and contrast Rob Malda to such. If he had not taken the time to learn how it all works, would we not see "Y0u are 0wn3D!" on the
MS Bashing (Score:2)
CowboyNeal calls it an irony alert that the servers were running SQL server. That's not ironic, it's stupid. Not putting the database servers on the other side of a firewall or inside a private IP network is dumb. SQL server, while perhaps difficult to configure, is not dumb. It might not be the best database server; that doesn't make it stupid. It is easier to develop for because there are a great number of high quality development tools.
This is just poor security. Stupid mistakes. RedHat, Apple, and people like you and me make them all the time, doing things that most of us would consider stupid out of context. It's not evidence of MS stupidity or inadequacy. It's just plain dumb.
If you don't trust other people to be perfect, then don't give them your credit card. Develop secure payment algorithims that don't require card number transmission. But don't bitch about MS. It sounds so fscking stupid when you do, and it makes people like us (you know, "Open Source" "Free Software" "Linuxheads" "BSDers "Technophiles" "Abused High-Schoolers" or whatever is our Label of the Day) sound like crybabies.
Just put your shoulder to the wheel, your nose to the grindstone, and build something. When you're done, start over. That's how we will make the world a better place.
Re:Flamebait? Moderators are Morons (Score:2)
valid - how so?
proven - by whom?
ontopic - where is Win2000 mentioned in the article?
Re:::$DATA (Score:2)
Windows 2000 (Score:3)
Re:Typical misinformation... (Score:2)
I always wonder that same thing myself.
Re:CC# security - 40-bit SSL is common in UK. (Score:2)
Re:Windows 2000 (Score:2)
--
Re:Rubbish (Score:2)
--
Re:Your own Win2K problems (Score:2)
That particular issue occurred while I was running Win2K RC2...a beta release. The issue was reported to Microsoft, and is fixed in the final release. As for running different OSes...despite my age, I've managed to use DOS, OS/2, OS/2 Warp, UNIX, Linux, FreeBSD, MacOS, GEOS, QNX, Win 3.0, Win 3.1, Win95, WinNT 3.51, Win98, WinNT 4.0, Win CE, and Win2K. So to answer your question, yes, I have used many different OSes.
You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager".
Funny you should mention that. In fact, my friend, that is exactly what the Linux kernel is. Yes, the Linux kernel is a huge, monolithic program (thus the term "monolithic kernel") that contains a good deal of Linux's device support as well as a zillion other things.
Another thing about Linux: Linux backup software can handle file names longer then eight characters. I guess in Micros~1 land, that is too advanced to do.
Hmm. I guess you didn't read my article too well. I didn't use backup software to back up my files. I stuck the hard drives in a DOS machine and copied them that way...thus the reason for the lost long file names, since DOS doesn't support them.
I find it very interesting that you assert Win2K is the best OS on the market, when you yourself have encountered problems Linux has never had, and never will.
When I made that statement, I was referring to the final release of Windows 2000, which I am now using. My previous problems, as I've stated before, were with a beta version of the OS. Bugs are to be expected in betas, just as bugs are to be expected in Linux's unstable development releases.
--
Re:The Linux kernel and monolithic programs; more (Score:2)
Yet again, the problem here is you not reading things correctly. I said I did an emergency restore of my wonko.com backup. NOT my hard drive backup. The wonko.com backup was a backup file made by IIS that contains all the settings for the web site. It contains NO files. Just settings. THAT is what I restored. Try to actually read the sentence before you start jumping down my throat.
--
Re:Windows 2000 (Score:2)
--
Re:Windows 2000 (Score:2)
By developing software that runs best on newer equipment, software-makers cause more demand for the new equipment, which then prompts hardware-makers to put more money into developing even newer equipment, which is the only way technology ever gets anywhere. I, for one, like this course of events. If you're too poor to be able to save up for a little while and buy a new processor, well, what are you doing playing with computers?
I bought my current machine for less than $700: a Celeron 300A OC'ed to 450mhz, running on an ABIT BH6 motherboard, with 128 megs of RAM and 37 gigs worth of 7200rpm IDE hard drive, SoundBlaster Live!, and a Riva TNT AGP video card. Yes, less than $700, and it runs all the latest software without flinching. And I'm a high school student with a low-paying part-time job. If you can't afford that, then perhaps you need to think about getting a better job.
--
Typical misinformation... (Score:5)
People, the credit card numbers that MSNBC stole were not stolen through a "cracked" database. MSNBC did no cracking of any kind, and therefore the security of MS SQL Server is not the issue. The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active. The "sa" account is included in SQL Server merely to allow the software to be set up. It is not meant to be left active on a server connected to the web.
Try cracking a Microsoft SQL Server that's been configured correctly, by someone who actually has half an idea what they're doing. It's just as impossible as cracking any other database solution...in fact, I'd venture to say MS SQL Server is even more secure than most other database servers.
Furthermore, the "::$DATA" vulnerability was only in IIS4. Microsoft patched that bug over two years ago, and anyone stupid enough to still be running an unpatched IIS4 server is just asking for trouble.
--
Re:Online checks are still worse (Score:2)
I don't know about that. We have a credit card of which the number must have been taken by someone in Florida when we where at a trade-show.
They started ordering stuff from one of these TV shows (jewelry or something) but only for small amounts. Since the card has a lot of charges on it and we travel a lot it took three months before we noticed it.
Well, the fine print reads that you have to notify them within a month or you are screwed. Fraud protection my ass. Yes, they will give you the company who charged it's information. Then you have to try to find out from that company where the goods where delivered (and why would they want to cooperate?). If you are lucky enough that you'll get that information out of them, then what? Call in the cops? We did, they laughed...
In other words, you spend hours and hours on the phone and the bottom line is: you lost your money.
I know now that you have to keep a very close eye on every statement for a credit card. This may sound obvious or stupid but when you have company cards with a hundred or more transactions per statement...
Breace.
Re:Typical misinformation... (Score:2)
VMS learned the hard way, back in the 80s that you just don't leave default passwords lying around, even if you think your users might be smart enough to change them.
You will notice that when you install most software these days that needs such facilities that it asks for a password during the install.
This is the way it should be. If a user choses a dumb password, that's different, but having a default is a good way to get bad PR, and companies that succede in getting bad PR for that will earn no sympathy from me.
Re:Typical misinformation... (Score:3)
MS deserves bad press for such a stupid blunder as would any other company or development effort.
Online checks are still worse (Score:4)
As others have pointed out in different responses, it's *worse* since credit cards have fraud limits - and that limit applies to all fradulent charges. Checks, in theory, will be fully refunded if you file the paperwork to claim fraud. In practice, most banks have quietly changed their fine print to say that if someone has your account number the presumption is that you have authorized *any* access, and it is damn hard to get them to stop honoring debits. In practice you must close the account, something that's far more disruptive with checks than with a credit card.
I can understand why the banks did this - they probably got tired of being caught in the middle between customers and health club finance companies - but the practical effect is that checks are now far less secure than credit cards.
I mention this only because I've already seen some sites advertising that they offer "online checks" as a "secure" alternative to credit cards, and stories like this will only make things worse.
Re:Typical misinformation... (Score:3)
The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active.
I usually work with Oracle databases. I am still astonished every time I find a can log in to an Oracle database as either SYS or SYSTEM. Given that the default SYS password is ChangeOnInstall, you have to wonder about the people running the systems. I guess that more than 10% of Oracle databases are misconfigured like this.
Don't even get me started about the DB2 database I found on a net-facing S/390 that still had the default admin password.
Is this Oracle's (or Microsoft's, or IBM's) fault? NO - it is the fault of the halfwit DBAs who bullshit their way into jobs that are way beyond their ability. The 'differently intelligent' managers who hire these people should also be held to account, except their mental age relieves them of criminal culpability.
PS - I actually quite like SQL Server. Every time a client specifies a really slow, memory intensive RDBMS, I specify SQL Server. It hasn't happened yet.
This problem is easy to fix.. (Score:3)
They hit the hail on the head andthis problem should be easy to fix, but there are more programmer orented problems that are not so 3easy to fix:
These script langauges which deposite form variables in the global namespace (like PHP and VBScript) there is a god chance of programmer created problems which are not so easy to track of fix. Example: programmer keeps copy of web site PHP code at home.. Programmer gets fired.. Programmer paws through code and finds a weakness since the code was in PHP and allowed form submits to mess wit the global name space.
Also, VBScript has the problem that most people using it do not know how to protect the strings that are going into an SQL query.
I know these problems seem milder because the exploits may need to be diffrent for diffrent web sites, but I would expect to see tools (maybe even AIs) which manage to automate some of the process of exploiting these holes. Government funded hackers (like in China) may have access to profesors and people who could do the research to find statisticaly probable weaknesses in custom software.
I'm not really tring to slam PHP and VBScript, but I do see a lot more potential for PHP and VBScript programmers making the same mistake over and over then with other langauges.
Jeff
Here's Some Real Irony (Score:3)
Oracle security measures are routinely ignored (Score:3)
Over the past year or so I have done DBA consultancy for some of our customers, going into sites and helping with their database administration. Very often, I find that the default passwords of privileged database users have never been changed. Try it sometime: the user system, who can read and change any data in the database, has the default password manager, and the user sys, who can start up and shut down the database, has the default password change_on_install. (Some people apparently don't notice that the latter password is a hint.)
Oracle installs a default "listener" that is open on port 1521. Many e-commerce sites have their web and DB servers on the same machine, and don't need any external TCP/IP connections to the database. Even those that do can be set up so that connections are only permitted from a limited number of IP addresses. But this, too, is almost never done. So there's your opening: get an Oracle client to connect to port 1521 on your target machine, log in as system/manager, and in many cases you'll own the whole database.
Another thing: many people routinely do their Oracle admin work by logging as the "oracle" user, the owner of the Oracle software. Few seem to understand that this user is like root: you don't log in under that name unless you absolutely have to, because any mistake you make can be disastrous. What you do is make users with DBA responsibilities members of the group "dba", so they can run the admin software but can't delete anything critical. In fact, you need to be "oracle" far less often than you need to be root -- after installation, you should never log in as "oracle" again. And yet there are admins who work as "oracle" all day long. Even worse: it seems that the most common password chosen for the "oracle" user is, you guessed it, "oracle"!
We could accuse the administrators of laziness and cluelessness. But the real blame lies with management, who want to set up a cheap e-commerce site without paying the price for DBA's who know what they're doing, or for the training that their current admins need. Many of the admins I've worked with have told me that the boss stuck the Oracle CD's in their hand one day and told them to go run a database. That's a surefire formula for an insecure site.
Re:Windows 2000 (Score:2)
Of course, that just got this comment labeled a troll because it doesn't proclaim it to suck, but hey - the truth hurts. Deal.
And then we accuse MS of FUD ? (Score:2)
In this very situation, you are combining two things.
First, the database administrators (who might not be MCSEs... Without praising the MCSE program, one thing it does put emphasis on is long, hard to guess passwords with short expiration times) made the stupid mistake of using the default username for their database and putting no password, or a stupid password. That's like leaving the root password blank, and allowing root to log in via telnet ! It's a stupid mistake made by people who probably didn't get any kind of training. Probably not the kind of people you'd normally hire to run your server... Such a person running your linux server would give you a very vulnerable server, as vulnerable as those.
Second thing is, they were using a version of IIS that had not been patched for the last two years. Okay, it shouldn't have been defective in the first place. But look at 2 year old linux distributions ! Anybody with a good root package is able to crack a linux box that's been left alone for the past 2 years ! Use one of the buffer overflows in one of the various flawed daemons, if it's 2 years old, it's probably vulnerable... If you don't patch your system, no matter what OS it runs, it will be vulnerable.
Who should be blamed here, the OS or the administrators ? I think the answer is obvious. A bad administrator will cause similar problems in any old OS.
Re:Good tactic (Score:3)
Your middle name method is pretty clever...
One of the things that one can do to limit the value of the credit card he uses, and therefore defend against most fraud, is to use a card without anymore money than you wish to spend.
Three possibilities I can think of.
First, an Incentive Card if you can find any. Those come with fixed values, they're not credit cards, but you can spend up to their fixed value anywhere that takes credit cards. www.aies.com sells them, I believe. That way, you keep changing CC# very often.
www.webcertificate.com offers a similar product, and you can add money with your real credit card (processing fee of 1.50$ by 50$ you add). You don't get a physical card, but only a mastercard number you can use to make purchases. It works great for me.
The third method is to use a Visa Debit Card and deposit the amount you wish to use before every transaction... That's a bit of trouble, but combined with online banking it can be made easy. I use www.x.com to do that. You open an account with them, and they send you a visa debit card you can use like a credit card. But the balance availaible is only what you deposit in it. You can deposit up to 500$/6 months with another credit card, and as much as you want by check.
Any of those ways, you have a "credit card" without credit. It only has as much money as you want. I'm sure you can understand the implication of that.. Even if somebody steals it from you, you don't lose anything more than the value that you put on it, which is probably only the value of the item that was there in the first place. And as they're issued by banks, they will let you contest charges as well as with a real credit card.
Hope this has been helpful.
---
P.S. If you sign up for x.com, you have the option of referring somebody. If you feel generous, refer francois@bradet.com . You don't lose anything if you don't refer me. If you feel this whole thing sounds like a commercial endorsement and you don't like such things, please let me know by moderating me down. If you really what I just wrote is bad, let me know at francois@bradet.com and I'll apologize. I'm just trying to share my knowledge.
Good tactic (Score:5)
Whenever I make an online purchase, I use the name (or first initial) of the company as my own middle name. That way, if someone steals my personal info, emails me spam, or any number of invasions, I will know instantly from the name on the billing which I company I should never use again.
Of course, this does nothing to prevent your information from actually being stolen in the first place...
-konstant
Yes! We are all individuals! I'm not!
Re:Why Not Use Credit Cards over the Net? (Score:2)
The CC number has to be cleartext when its sitting on MY computer when I type it in. It also has to be cleartext on THEIR computer when they submit it to the CC company. I trust my system is fairly well set up and secure. I don't trust the peon's on the other end to have done the same. THAT is why I dislike ordering online.
There are also the issues of extent. A waiter can only copy so many CC numbers a day; a thief can only steal so many purses a day. But, an online site can store thousands of CC numbers in an insecure database.
But you are right.. The biggest danger isn't monetary loss (because of the $50 limitation of liability), but rather hassle and annoyance.
slashdot? (Score:3)
But more seriously, what this shows us is that people don't pay attention to what they are doing before they do things. If you don't do something as simple as set a password on your database, it should come down to the same thing as leaving the key in the ingition, the car running, and noone in the car, in the third lane of a four lane highway in rush hour. Insurance won't cover it. People have to be careful when they start up a business that they are doing everythign right.
If you are thinking of starting an ecommerce site, then higher a security professional to come in and take a look at it. They are out there, they are there for a reason. Credit card numbers are a very personal thing, and having them publically available is just plain bad, even if its not on purpose.
In legal terms, if you kill someone and didn't mean to, its called 'involuntary manslaughter' and you still go to jail.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1)
Re:Instructions for being Paranoid (Score:2)
True - could be said of that. Mind you, the card is used in my company, so yeah, I do check it daily (mostly 'cos it's almost always close to limit lately
Do you check you checking account everyday?
The business ones, yes. My personal one? Shit no (mostly 'cos it's close to empty all the time
You see, it takes about 5 - 10 minutes per day to check transactions against my accounts (two checking accounts, a transfer account, a cash management account and the credit card). Maybe it's paranoid or obsessive/compulsive, but then again, maybe it's 'cos I'm running a company? (My other company has an accounts person - he does the checking for me on those accounts and I just take a peek at the current balances, etc
Do you check the stash of money under your bed everyday too?
Shit no - I ditched that ages ago. Too insecure - the cockroaches were robbing me blind. As to the uncut diamonds in the fish tank - now that's a different matter
Instructions for Using Your Credit Card (Score:3)
Here we go with some simple instructions for how to use your credit card and not get burnt:
1. Make sure you can check your credit card statement on-line as required.
2. Record all purchases in a database (Quicken, MYOB, MS-Money, text file, spreadsheet, whatever!)
3. Check your credit card statement on-line as often as you can (once per day is good
4. If you find anything you didn't write down, start screaming to your card issuer!
Even if you never travel over seas, purchase from catalogs or purchase from the 'net, you should be doing this. If you don't, you're just asking for trouble. At the least, you should check your monthly statements - doing it daily makes it quicker to get the dispute resolution process started
I frequently travel to "worrying" places, use my card at cafes/restaurants, purchase over the 'net and so on. I check things and (touch-wood
Stop whining, stop expecting the government/corporations/mommy & daddy/whatever to protect you. Get off your ass and take responsibility for your actions.
Same goes for those setting up e-commerce sites. One of my companies does it and we get third-party security reviews (we charge more, but we don't want penny-pinchers as clients - they always come back to haunt you
Roblimo Paronoia (Score:3)
It's good to be careful like Roblimo and careful whom you give it too. However it's more important to know your rights and that your not responsible for such charges.
Why Not Use Credit Cards over the Net? (Score:5)
First of all, if someone makes a purchase with your credit card, but you haven't actually lost the card, then you are liable for nothing. You have nothing to use!
Credit card theft and fraud occur without the internet. Your wallet/purse can get stolen. In that case, you are liable for up to 50 dollars. A waiter or clerk can copy down your numbers.
The risk isn't any greater at all, but fear tactics from the media like this MSNBC story don't give a sense of proportion.
Re:You work for Microsoft, don't you? (Score:2)
You work for Microsoft, don't you? Well, in my book, the browser isn't part of the OS!
A browser may not be part of an operating system in some sense, but it's part of the Windows OS. It's as much a part of Windows 2000, as Windows Explorer was part of Windows 95. In Microsoft's mind, it's as essential as bash/tsh etc would be to redhat.
So while it's not part of the kernel (what you would probably consider part of the OS) it's a major part of Windows, and is hugely important - windows would be useless without a shell for most people.
Who cares if the shell just happens to be able to render HTML (just like most shells of yesteryear can render ASCII).
IE technology & IIS etc are important to windows 2000 cause they provide objects and libraries that are used as other parts of the OS. IE for HTML Help, It's XML DOM etc. IIS comes with MTS, which is becoming essential for load balancing and stabalizing COM+.
This guy goes around claiming Win2K is the best OS available, but its own backup program cannot understand its own filesystem?
Who said Win2K's backup couldn't understand it's own filesystem. Am I missing something here? Since when was windows 2000's backup program restricted to 8.3?
NOT Microsoft's fault (for a change) (Score:2)
I won't assault Robin this time :), because this time I'm alert to the fact that these aren't his own words -- he just happens to bite on sensationalist articles...
If all other security issues having to do with administration vs. the OS itself could be considered muddy, this one isn't. I don't see how others' bad coding and administration is Microsoft's fault, does anyone else?
Even though the language ultimately corrupts itself, should Larry Wall be the person to blame for shoddy Perl scripts? Should we blame Linus Torvalds if the root password to Slashdot's SQL box is successfully guessed? I don't think so.
--
Re:Shooting the Messenger? (Score:2)
This is not just an ONLINE problem... (Score:2)
The point is, whenever you use your credit card, there is a risk involved. That does not mean, however, that we should not address this particular problem.
Another Good tactic-- preventative, even (Score:2)
In a way, checking on a site's html-headers is the same as glancing at the fry-cook's hands to see if they're dirty-- a guy with clean hands can still sneeze on your burger, but it's still a little peace-of-mind.
Re:Why does the media overlook the bigger point he (Score:3)
Of course, since Microsoft is the scapegoat of the computer industry, people will blame the company if any of their software is involved in any way. eBay is a prime example; when the people who blame eBay find out that it was Sun's and not Microsoft's fault for the problems, they do not shift the blame to Sun, but rather shrug off the problems, and pretend to play down the incident. eBay's outage in the summer, which cost well over one and a half BILLION dollars in market capitalization, is one of the biggest industrial blunders in history, and was 100% to blame on a bug in the Solaris operating system. Yet Microsoft continues to receive the blame for it.
It is really getting out of control. There are people who really think Microsoft is to blame for the Year 2000 problem the Year 2038 problem, the Internet worm, et cetera, ad nauseum. It is so incredibly trendy to blame Microsoft that any industrial problem whatsoever is blamed on them if they had any involvement whatsoever - without even GLANCING at what the real problem was or who really was to blame.
The real problem (Score:2)
Do I tag my home adress to my keys? NO!
Do I walk around with a card in my wallet, containing in plain text form all information required to purchase stuff online. YES!
If our computers were cracked because i had a postit with UID/PW I would be in serious trouble with my boss.
If a pick pocket would break in because I told him where my keys went, I would probably get nothing from my insurance.
But the plain text information on a plastic card is enough to spend my money! Hello!
Of course I might be able to prove that a transaction was not valid and eventually get my money back, but that would take lots of work.
Where I live, a CC purchase must be validated with either a PIN-code or a signature. Get my number if you want to. You still dont have access to my money without forging my signature or getting my code.
Enter the net. Thousands of opportunities to buy stuff online in my name. Once my number is out, I just have to trash my card.
Thats the problem with CC numbers on the net.
M$ releases hot new cracking tool - SQL Server (Score:2)
I used to worry about my CC info ... (Score:2)
At worst case, you are only liable for $50.00, regardless of the actual fraud.
The media made all of us think that Y2K would be a big deal, and I have the same opinion when it comes to credit card information.
Since the begining of e-commerce on the web, the media has been talking about how people could steal your credit card information. Be careful, someone could steal your credit card info. In addition, even if you deal with a reputable site, someone could use a packet sniffer and steal your credit card that way.
Please. My credit card number is not the kind of information that I worry about people getting. I'm more worried about disturbed individuals getting my home address and mistaking me for an abortion doctor. Or someone stealing my social security number, getting a job under my SS number, and not paying taxes.
Have you ever known anyone who had their life ruined because someone stole their credit card? IMHO, people have more to fear from the debt that can be caused by credit cards that the $50.00 limit on fraud purchases. People's lives have been ruined when they had their SS number stolen, not their CC info.
So who is pushing the media to push the masses to care so much about their CC info. The CC companies, as they are the ones who have to pay the fraudulent charges after $50.00. And we, as a whole, are falling for it in the same way that we fell for Y2K and Pauly Shore.
I have used a credit card on numerous web sites and have sent it in plain-text e-mails to pay for merchandice. If sending your plain text CC information was so sensitive, it wouldn't be printed on every receipt.
Wouldn't it be more effective in eliminating CC fraud to only print the last 5 digits on the receipt and omit the expiration date, making sure that someone can't just dumpster dive for my info?
As for the story, at least SQL Server can be configured to be secure. One of the companies I did work for was using FileMaker Pro 4.* as their web server. However, all you have to do is guess the username and leave the password field blank, and FileMaker (when doing the query) will assume the blank password field is a wildcard. Hence security is only as far away as the username. This "feature" is even present in the e-commerce example web site that ships with FileMaker Pro 4.*.
We laughed. And then went to Apache.
Not really about the DB server.... (Score:3)
Any time you can get a credit card number via a normal database query it is a security hole.
I will say it again -- anytime you can query your database and get a credit card number it is a security hole. If you are not saving the information to a non-internet connected system, or encrypting with strong encryption before writing it to disk, you are playing fast and loose with customer information.
The simple rule should be this -- an unencrypted credit card number should never be written to disk, not even for a moment.
Saying this once. (Score:2)
Geez what a lot of trash (Score:3)
-Wanrat
hehe it's 10pm, do you know where your credit card is?
This Is Probably A Good Thing... (Score:5)
But anyway, all the attention to this issue is probably a Good Thing. Popular Internet e-commerce servers are bound to have quite a bit of credit card numbers, along with other goodies such as the name of the owner and the expiration date, floating around, and it's time that a people became more clueful about how to handle this situation.
Face it: any setup where both your webserver and database server are available from the Internet is a major security risk. The way most e-commerce shops, especially those running at hosting companies, are set up today (webserver and database server on the same machine, or at least the same network without any access controls) is simply asking for trouble.
Here are a few reasons why: ::$DATA issue, although most clueful providers will fix it quickly.
Software bugs - and no, not running any Microsoft products won't get you off the hook. In fact, I guess the cozy little MySQL password security exploit that was discovered recently is way worse than the
Untrusted staff - how easy is it for a rogue operator at your provider, or a lowly-paid temp working for the shop itself, to run a complete copy of the credit card file?
General data security - in other words: hey, do you know who else has access to your shared database server, or where the backups go at night?
All of the above leads to a few conclusions:
1. Partitioning - Web and database server functionality should be separated as much as possible: having your database on a separate machine and fitted with proper access controls (i.e. only accepting connections from trusted hosts and using proper authentication in addition to that) is pretty much a requirement.
2. Encryption and access controls - Even with proper partitioning in place, most of your customer details need to be encrypted using a non-trivial scheme, and proper access controls need to be put in place. Make sure only the right people have access to your data, and log every access. Disable bulk commands, except during the backup window, if possible.
Now, which percentages of sites is operating as described above today? My guess would be less than 10%, leaving enough room for on- and off-line crackers to steal whatever information they want. It's not consumer problem per se (since credit card companies have pretty extensive consumer protection from fraud...), but still a lot needs to be done before the general public will truly get a warm fuzzy feeling about on-line shopping...
Trust Based Method Open to Abuse (Score:2)
Trust, unfortunately, is one of the easiest things to abuse. After all, most of the merchants have not earned our trust. We just take their word for it, i.e., the only reason we trust them is because they us to trust them.
Old though I am a sentimental old fool who believes in trust, I think it is about time that we moved out of this trust based method of transaction and entered a much more secure form of on-line funds transfers.
E-cash, and e-cheques sound promising. For example, a if someone mugs you and gets 10 quid ( sterling pounds ) off you, your damage is only that 10 quid. However if someone steals a credit card from you, the damage can be quite considerable. Of course, you, the user, may not bear the brunt of the damage - the merchant and the bank most probably will - but the muggers earning potential is only limited by your credit ceiling.
Same way, if someone steals a 100 dollars of e-cash or e-cheques, the potential loss is only that amount.
I hope some of the e-commerce companies and banks give this a serious thought.
A simple, elegant solution.. (Score:2)
Re:Is this really a new problem...? (Score:2)
1. Customer is only liable for $50 *if* its after 30 days from time a fake charge was made. If the consumer notices the charge before, then the credit card company eats the bill (and consequently puts more requirements on existing laws (see # 2) and merchants for greater secuirty)
2. Alot of these problems could be corrected with strong encryption - but since its not feasible to run a global web site with strong encryption for US users and weaker encryption for non-US...this is a mute point...But once credit card companies start losing $$$ because of this, congress will suddenly have a new outlook on the whole issue.
3. Fixed credit card numbers will be a thing of the past within the next 5 years or so.. A much better approach is to have valid session id's. That is, dynamic credit card "numbers" that are good for one transaction and one transaction only..that way if the merchant you did business with has crappy security and that information gets released to the world at large...doesn't matter because the number is no longer valid...
4. and finally, #1 was *really* put into effect by the govt (it is called Reg D) to make consumers comfortable using credit cards period. The reason for this is it makes the IRS's job much easier come audit time. Umm...you had $30k of credit card bills that all got paid last year, so now we know you made at least $30k...
-deep_magic