Christmas Cheer

Caveat Emptor: Egghead.com Credit Records Nabbed

Voorshwa and at least a dozen others wrote with this news: "Found this one over on ZDNet.com news. Turns out the security over at Egghead wasn't very good. Losing 3.1 million credit card numbers has got to put a damper on a lot of Christmas cheer!! Wish these big companies would learn a little ..." No yoke. It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions. Reader insmod points to coverage at MSNBC as well, which mentions that Egghead was not the only site hit this holiday season.
  • It is for this and many other reasons that companies should be prohibited from keeping personal information beyond the immediate transaction between the consumer and the company. It's the law in the EU, and it should be the law here.
  • I am a former employee of Egghead. I was let go because I downloaded a remote admin tool, so I could connect to my home Windows boxen. I also had PuTTY to ssh into my Linux boxes. They found those tools to be "hacker tools" so they let me go. The entire IT security team consists of two people. Everret and Ben, they are two 20-something-year-old punk asses who lack a basic knowledge of computer security. Egghead security consists of daily virus checks of the workstations and a firewall. THAT'S ALL. Because I am young, they automatically assumed I was a hacker and a risk to security, when I got a job there doing Ecommerce Analyst work at my young age. Young does not equal hacker. I still was never given a reason as to why I was fired, except that if the media found out I had remote admin tools on my workstations it could be bad publicity for the company. Now this comes along, I'm surprised I haven't been blamed for this attempt. Unfortunate; if they would have hired me on as IT security like I wanted to be in the first place, this would never have happened. :P
  • It does answer the question--the refund, if needed, is made to the one-time number, which is linked to your account in AMEX's database. More detailed explanation is farther down in the FAQ, but I thought you'd get it from that.
  • All I wanted to know was: credit cards stolen, yep, they're using Microsoft. This is the exact same type of image mongering, fud slinging, guilt by association that Msft mktng would gleefully use to smear any competitor, so I've no qualms whatsoever whenever something like this shows up in the public prints that puts a big fat egg pie in their face. Tit for tat, bubba.

  • i would tend to agree with you. it will depend on how they got in really. if they broke in due to a poorly maintained server, then i would equate the crime to the manager of Nordstrom's leaving the keys in the front door... sure the crackers are criminals and should be blamed, but the manager should be fired.

    as much as i dislike ms, they cannot be held responsible for mismanagement of their software. if the software was faulty (ie there was a bug and they didn't notify their customers), then hopefully they will be held responsible (although their eula probably absolves them of that). when the eula bails them out the IT person who made the decision to go with ms should be smacked around with a stick....

    but it's really too early to lay any blame on anyone but the crackers...

  • No I don't work for Egghead in Vancouver. I've had a couple of people that are either employed or contract over there apply for openings we've had. I've worked on 3k's since the mid 80's, great machines. I also looked at ecometry very briefly, it just doesn't fit our business well.

    Part of the reason I believe it's a hole in the firewall is that I control the one in our office. I run it in paranoid mode. Some people in the office don't like it. If there are legitimate business reasons I will open things up, it's just not going to be a free for all.
  • If MC and Visa aren't already doing it, I would expect them to start including a clause in their merchant contracts (which allow merchants to process credit cards) that if the merchant has a large number of credit card numbers stolen, the merchant will have to pay some sort of damages.
  • Since it's my quote, I'll defend against the FUD charge...

    It's a fact that most reported Web Site compromises for Microsoft sites happen via IIS. It's also a fact that most of those are RDS. It's another fact that the last significantly visible break-in was reported as the Unicode ../ bug.

    The quote is definitely based on currently available information. It's also got a greater than 75% likelihood of being the true vector of attack. FWIW, we also called the Microsoft vector of attack correctly about two days before MS figured it out.

    I challenge you to take the top 6 IIS exploits and run scans against your ~60 NT sites and report the results. If they're not all virtual servers, I'd bet you'll find at least 30% of them vulnerable to one form of attack or other.

    Given the initial information circulating in the press and in the community, I blamed the attack on incompetent administration. While IIS has more holes per pound than Apache, it's trivial to make any Web server vulnerable, and I was careful to state that it didn't matter *what* server you were running (and Rob quoted that at the very end of the article, so it was obviously clear to him that my intent was to ensure that he understood that the likelihood of the attack being due to poor administration was fairly high.)

    If you design sites where the DB is on the same server as IIS, you'd better get down off that high horse, you bear some culpability for poor design practices.

    Paul
  • The problem with tit for tat with open source products is that OSS will always come out on the bottom, friend.

    Real people see your little childish assumptions and 'tit-for-tat' name calling and are turned off by OSS and Linux and the whole unix style of doing things.

    So if you want to continue to be childish, fine by me. But realize in the real world, for people who use real products, and have real websites, you aren't scoring any points.

  • AMEX isn't so great, either. I spent the better part of a year trying to get them to remove over US$12,000 in bogus balance transfers to my "Blue" account.

    These transfers were not authorized by me, were from accounts that didn't belong to me, and went through before I had received the card in the mail, or indeed even knew the account number.

    AMEX, when I finally rattled enough cages to get them to look into the matter, removed the charges as 'Fraud'. They refused to explain to me how this fraud occurred, without being subpoenaed. But you figure it out. It was either an inside job, or there was some hacking involved somewhere.

    They pissed me off so badly, I did up an entire website about their piss-poor customer service, and I got threatened by their lawyers over the domain name. The site has been down since the problem was finally fixed, but I just threw it back up into my webspace [home.net] for anyone who's interested in reading it (there are a few things that need to be changed before I make it a permanent part of my forthcoming personal site).

    ~Philly
  • MS is the largest software company in the world. I just went to Borders tonight for some last-minute Xmas shopping. The store is FILLED with books on MS products, and many of them have large, reasonably comprehensive sections on security. There are probably millions of MCSE's and similar MS** professionals out there. The MS KB is FULL of articles on securing the machines. Bugtraq and NTBugtraq are likewise full of articles - good, technical ones - on security flaws, the NT/IIS security model, and security in general. All of these comments apply to Oracle, as well.

    Why can't they secure the fscking box, then?

    Personally, I believe that this is not a question based on the technical merits, rather, the social or cultural merits. These kinds of problems are, in the oh-so-eloquent words of my father, "dumb-boy shit".

    I don't think IIS is inherently insecure; I think the computing model promoted by Microsoft - that an accountant, secretary, or poorly-trained nobody can set up a fully functional e-biz site - is the inherent insecurity. That MS's "bring computing power to the masses" crusade is what's biting them on the ass.

  • The backend of the system is MACS or what's now called ecometry from Smith-Gardner. The main part of the system runs on an HP3000. Since until recently there wasn't a secure web server on the 3k they used NT/IIS to front end the system on the web.

    So was it actual access to the 3k?
    A problem with NT/IIS?
    A weakness in the S-G software?
    Bad home grown code on Egghead's side?
    Poor security practices?

    The latter is my guess... it would be rather hard to get to the 3k if it was firewalled properly.

    By the way the Smith-Gardner software is fairly widely used... if you don't believe me take a look at http://www.ecometry.com/clients/cl_list.htm
  • by evanbd ( 210358 ) on Friday December 22, 2000 @06:09PM (#542541)
    Shouldn't Egghead be held responsible for the loss of those CC#'s? As in, there were plenty of industry-accepted techniques for securing CC#'s that they didn't use. Shouldn't they be legally responsible for, at the very least, all costs to the credit card company of dealing with bogus charges and replacements on those cards? I really don't think the credit card company should have to pay. Suppose it costs $10 worth of time and resources to reprint a CC. That's thirty seven MILLION dollars that I really don't want to pay for in the form of interest rate hikes. I think the CC companies should file a lawsuit demanding recompense. Yes, it was bad luck that it happened to Egghead, but they were negligent. In the same sense that if I don't put a fence around my pool and some kid drowns in it, I am responsible because I was negligent. Perhaps that very direct cost to Egghead would help wake up the industry to this very real danger.
  • To start, I wasn't calling your quotes FUD. I was referring to the post I replied to, in which the author basically claimed that you could show this to your boss as proof not to use MS products.

    But onwards.

    The sites I administer would all pass the top 6 IIS exploits tests. Most are virtual servers though, so my job is relatively easy.

    I think the main point I was trying to make was that, even if the site was cracked due to a known, published IIS bug, the data loss is entirely Egghead's fault. The data was unencrypted (or at least it seems that way based on current information) and that was a major problem.

    To me, my philosophy about security is two-fold. First, I want to try to make my boxes as secure as possible. I get all the latest patches, fixes, etc etc. I know that's not enough though. Bugs and holes are gonna be used before they can be patched by MS. The second thing I like to try to do is to make any hack pointless. Data is routinely encrypted and/or hashed (where applicable) so that if a hack is managed that data is worthless. Looking at one of my databases unencrypted is worthless - you can't even get e-mail addresses or mailing addresses out of it.

    So I guess what I am saying is that OS/Server choice is almost irrelevant in the real world, except for the typical price/preference aspect. All it takes is one crack/hack/bug/hole to have your site opened up, and all servers/OS's will sooner or later have one exposed. So the real test of security comes not on how patched your box is, or what OS, but rather, how well your site is designed.

    Finally, about the DB practices.

    I have heard all of the typical admonitions about running IIS and the database off the same box. Frankly, I don't see the problem. But because I try to practice what I preach, I run most of my databases off of one clustered database server, which doesn't have a path to the Internet.

    Have a nice Christmas, I enjoyed your post.

  • =
    As a person who has developed literally hundreds of smaller- to mid-size e-commerce sites, it always astounds me to find the number of people who assume that IIS is inherently insecure.
    =

    As a person who administers scores of NT boxes that currently serve over 500 domains in both a dedicated server and shared-hosting environment, I can assure you that IIS is "inherently" insecure. By this I mean that extraordinary steps are required to provide an acceptable level of security; security is not inherent in the software by any means.
    If you foolishly believe that IIS is secure, take a look at

    http://www.securityportal.com/list-archive/bugtraq/2000/Dec/0202.html

    and start from there, it's really just the tip of the iceberg. IIS has no suexec-type mechanism, so there is very little security flexibility and compartmentalization, as you can see from the content at the URL above it is even possible to execute ASP code in the SYSTEM context. Unless of course you have made manual registry changes to obscure keys. How exactly does that meet the "inherently secure" definition? It's not like it's just one issue, either. The software is plagued with poor design.
    While I am on a roll here, should I touch on the issues with the FTP service, since it is part of IIS? How about the fact that users can walk all over the directory tree because the software doesn't support the equivalent of chroot jailing? How about the fact that when FrontPage extensions are installed on the web site and anonymous FTP is enabled, the _vti_pvt directories become warez repositories because the "everyone" user has read and write access to that directory? Some of the largest hosting facilities in the US, such as Interland, have been waiting for an answer from MS on that one.
    I had better stop now.

    badtz-maru
  • ;-)

    1. I never shopped online there
    2. When I shopped at their old brick and mortar stores, the credit card I used then has long since expired, and I cancelled that credit card account.
    3. Any kiddie can find a script to generate fake numbers that pass the crc tests that they use.
    That being said, since I do shop online from time to time, you would expect that they could do better. That is a rather large amount of plastic.

    Maybe that is how Saddam Hussein is paying for all of those Sony PS2s

  • I think the real problem is that most of the hacking that goes on in the US does not originate from the US. It's really hard for the US government to deter or prosecute hacking in other countries. Most of the hacking I have seen lately has originated in the former Soviet Union. By some Soviets, hacking is even encouraged ( http://www.infowar.com/hacker/99/hack_122199a_j.shtml ). I recently read somewhere that the US government has actually come out and tried to recruit hackers in the US, saying that they can't pay as much as hacking can provide, but that they have some really neat equipment. Egghead bears some responsibility, but I don't think they can be held totally responsible. New exploits are found all the time and it's kind of hard to release a patch to prevent an exploit, unless you know it exists. GroundZero
  • Is it any surprise that they are using MS IIS for their server? Or that the crackers almost certainly used a well-known exploit? Or that their server software probably did not have the most up to date patches installed?

    This doesn't even begin to address the issue that I (and apparently others that have commented above) feel that storing CC#'s after the transaction has finished is highly negligent. When you go to a restaurant, do they maintain a database with your CC# to speed up your next purchase? NO! If they did, there would be serious hell to pay. So why do e-tailers (god I hate e-words) feel that it is an acceptable practice? And then they have the nerve to wonder why people have little confidence in purchasing online. It's because we are not morons!!!

    Security is always less strong than its weakest link. It's about time that people start taking that fact seriously.

  • Yet another quality site run on Microsoft software.

    My personal rule of internet purchasing: Go to Netcraft, figure out what software they are running, and if it is MS, it is not worth the risk to buy there.

    Analysis of www.egghead.com
    The site www.egghead.com runs Microsoft-IIS/4.0 on NT4/Windows 98

  • It's an Oracle database. I worked there, I know.
  • by jallen02 ( 124384 ) on Friday December 22, 2000 @03:33PM (#542549) Homepage Journal
    BZZZZT

    You can store the transaction number which does not contain the CC number at all or a way to generally access the account AND just MAYBE the last 4 numbers of the card.

    I have written several e-com sites and dealt with CyberCash and Authorize.Net... customers HAVE gotten their money back on purchases, but we don't store credit cards, plain and simple.

    And if you REALLY must store them, oh please oh please encrypt the damn things and store the private key EXTERNALLY. The simple version is you have to type the thing every time; typically we make the customer enter it in twice just for verification, because I personally have only worked with one site where we stored them (encrypted using a public key, with private keys far from the net), which was only for bad cases or customer service. The process to retrieve a CC from the DB was pretty easy but still took human intervention.

    Overall, if you're storing them as plain text you DESERVE to be hacked big time.

    That is just how it is

    Excuse the formatting of my post I just wanted to mention this, thanks.

    Jeremy

  • by alecto ( 42429 ) on Friday December 22, 2000 @03:35PM (#542550) Homepage
    This incident underscores the usefulness of one-time credit card numbers, such as those provided by American Express' Private Payments [americanexpress.com] service. This service allows the cardholder to generate an account number for each transaction. So if that number is stolen from a merchant's database later, it's useless. This also comes in handy for preventing unauthorized billings from the same merchant later on.
  • There are two ways you can spend money using your credit card. In meatspace, you hand a cashier your credit card, they run it through a machine, enter the amount to charge, it's deducted, and if they're smart, they'll ID you to confirm that it really IS your credit card, or at the very least, you have the same name as the cardholder. Then you sign the receipt.

    The other method is calling someone on the phone, or using the internet, reciting the credit card number and expiration date, giving some personal information and the charge goes through, no signature required, no problem until someone (hopefully YOU) gets the bill.

    Well, credit card companies, at the option of the cardholder, should be able to implement some type of confirmation scheme to prevent anyone with your credit card number from actually using it. For instance, if I provide my credit card to a company, I would then have to validate the transaction (by phone or web page) using information not provided to the merchant before the money would actually trade hands. For convenience, this could also be done in advance, or allow a certain merchant to always be authorized, so although that merchant could always charge the card, nobody else would be able to.

    Since the service would be an optional one for cardholders, it would not infringe on anyone's convenience if they're not willing to go through the extra effort to avoid having their card maxed out by someone ten thousand miles away. We have to assume that credit card numbers will get stolen and distributed. You can't rely on the security of some website or server to keep that information safe, as you have no control over that security.
    Perhaps I'm missing something obvious here, but this seems like a good idea to me.

    -Restil
  • the one thing i haven't seen answered is, what should I do if my card got stolen? Get rid of this one? Mommy's gonna be PISSED. :-(

    This is awful, 3.1 million! Wow. Please let me know what we should do, if it's safe to use the same one (and monitor it well), or if that's a bad idea...

    Mike Roberto
    - GAIM: MicroBerto

  • No no you missed what I was saying.

    There is a difference between not being secure, and being inherently insecure.

    I am saying that IIS is insecure. But my point was that MS could make IIS secure, i.e., it's not so fundamentally insecure that you'd have to throw it away.

    I agree that IIS is insecure, but I don't agree that it is fundamentally a bad model. IIS could be workable, but MS needs to get moving on it.

  • why do all these companies insist on storing credit cards in plain text, let alone storing them at all? is it really that hard for people to pull out their wallet and type in their card number each time they want to buy something?

    if these companies insist on storing credit cards on their servers, why not encrypt them? since just about every site that would store your credit card makes you login with a username and password, why not encrypt them with that account's password? this way if the security is compromised, they'd have to brute force every single account to get each one's credit card number. if you use a strong password on the system, you won't be subject to the site's lame security should their database get illegally accessed.
  • =
    I agree that IIS is insecure, but I don't agree that it is fundamentally a bad model. IIS could be workable, but MS needs to get moving on it.
    =

    I agree with you.

    badtz-maru
  • That's probably true. It's not so much IIS as the mentality that anyone can set up a secure box that brings them down.

    MS has tried to extend that "computer to the masses" thing to servers, and it's not just a valid point.


  • The major credit card companies (Mastercard or Visa) charge the retailer 2% on every transaction - Discover and American Express probably charge even more. Although I'm sure that schemes similar to yours would probably work, the cost of implementing them would likely be higher than just accepting the costs of credit card fraud.
  • I may be an idiot, but the fact is that Microsoft would not allow that box to be cracked, secure or not. Unplugging the network cable is the most effective security as far as they were concerned.

    Sunday August 08, @05:29AM EDT
    % lynx www.windows2000test.com
    Looking up www.windows2000test.com first.
    Looking up www.windows2000test.com.
    Making HTTP connection to www.windows2000test.com.
    Alert!: Unable to connect to remote host.
    lynx: Can't access startfile http://www.windows2000test.com/
    47 %
    The windows2000test site is still not reachable.

    bash$ telnet www.windows2000test.com 80 Trying 207.46.171.196... telnet: Unable to connect to remote host: Connection refused

    C:\WINDOWS>ping www.windows2000test.com
    Pinging www.windows2000test.com [207.46.171.196]
    with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 207.46.171.196:
    Packets: Sent = 4, Received = 0, Lost = 4
    (100% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
  • by x-empt ( 127761 ) on Friday December 22, 2000 @02:41PM (#542559) Homepage
    But why have they not contacted me? Email is an EASY way to contact customers, yet they haven't.

    They keep your CC# on file indefinitely, even if you have your account suspended. I honestly don't know why they keep your CC# in the databases?

    This is always the problem with all these sites that are broken into.

    Plus, for pete's sake.... deny (YES DENY) all select requests on the tables that contain cc#s... if your database can't deny SELECTs then you need a new DB server!
  • Encrypting data in a database that a server uses means that the server has to have the key. That lowers the value of the encryption. It also doesn't provide a good scale point- that doesn't mean it isn't a good thing, it means that it's not always a likely thing.

    There's been ongoing debate in the INFOSEC community and computing community at-large about the culpability of a vendor who knowingly fields bad software (the 32,000 known Win2k bugs fly immediately to mind)- in the automotive industry a manufacturer who knowingly fielded an unsafe product on such a scale would be sued into the poorhouse. Bridgestone/Firestone probably unknowingly fielded unsafe tires, and if they'd not done the recall, Congress and/or the court system would have stepped in because of the fact that they knew after the fact that the adhesive wasn't good and didn't rush to pull out the products until they had to. It's only the computer field that really hasn't felt the pain of product liability- licenses notwithstanding it's bound to get a legal precedent sooner or later.

    Like many others, I feel that eventually we'll see some manufacturer culpability, and I don't like the idea of it at all. I'm even more worried about its impact on free software. Though with free software the potential is probably less because you can pick what you use and fix it if it doesn't meet expectations, with commercial closed-source, the vendor picks when it hits the market and how it functions.

    The thing I have little tolerance at all for is the lack of responsibility being placed on the attacker. We should be vilifying the hell out of people who have the ultimate responsibility for producing badness and creating victims out of consumers irregardless of the culpability of either manufacturers, retailers, administrators or anyone else in the chain. In a lot of states, if a motorist has a chance to avoid an accident and doesn't- regardless of their fault in creating the accident conditions, then they bear responsibility. We need to focus more on that responsibility on the behalf of attackers.

    On the DB thing:

    Typically, running the DB off the same box gives you the problem that the entire database is on the same likely-to-be-compromised machine. So are the keys to the database, and that means that it's significantly easier for an attacker to grab all the cookies and go home to eat them. Also, SQL Server is its own nightmare of twisty waiting-to-be-exploited passages (as is Oracle for anyone out bias-hunting.)

    Happy Holidays,

    Paul
  • Err... exactly how is this Christmas cheer?

    I'm lucky enough not to be hit. I like to buy computer junk locally. I have had trouble with stuff, and it's easier to get service from a reputable local dealer who you can visit during lunch or after work. Better prices than the large chains, too. And the University Bookstore has all the good books and software that are hard to find otherwise.

  • This does not sound like a troll to me.

    Maybe not a typical troll. Maybe more of a social hack, or a very sad sort of troll. Of course, I can't say 100% it isn't real, and this is somewhat a matter of gut feeling, but here's what seemed wrong to me:

    Yes, I've already posted this, but someone moderated it down and I just want to have people hear my message. Please don't moderate this down so others can hear me.

    If I had a week, I wouldn't waste any of it trying to get modded up. Express and move on. There's a lot to wrap up before I go.

    Hello, I'm a Linux kernel hacker.

    Hello, I'm the thing most respected in this forum.

    I just wanted to talk to the community one last time.

    Slashdot is mostly a user community.

    I'm uploading the latest versions of my code so they'll be out there before I'm gone.

    For a regular contributor, I think this would be too obvious to say, and "uploading the latest versions of my code" has too much of an aura around it, and uses only terms known to a user. Wrong jargon level.

    The reason I'm posting anonymously is I don't want people to find out about my illness over Slashdot. I want to spend my last remaining days with my family, not a bunch of people calling me and wishing me luck.

    Too much of a tease. Also, sounds like more of a sad fantasy.

    I get angry when people in the Linux community do stuff for themselves. A person may suggest a feature and people will say, "You got the source, go ahead and make it." Why not take the time to help that person if they have trouble? Maybe they'll learn and help you later, or maybe they don't have time to do it themselves (too much work, new baby, cancer).

    Some of this might be real. "Take the time to..." would have been believable. "I get angry when..." smells seriously fishy. No one with a high level of skill has time to answer everything on the net that they have the knowledge to answer. Also, teaching is its own reward. "Maybe they'll help you later" is bargaining from the POV of the side asking for help.

    Ugly guess: "I'm pissed someone else won't build what I want, so I'll die of cancer."

    Also, "do stuff for themselves" sounds totally wrong. Good programmers program "for themselves", ie. because it's fun.

    You'll probably see a small release about my death when it happens, maybe it'll be on Slashdot, maybe it won't.

    Didn't quite peg the bogometer, but this one got close. If he knows this is going to happen, there's absolutely no reason to say it here. Also, I don't think people say when-I'm-gone's" when they're really dying. And who cares if it's on Slashdot?

    But a good message otherwise. Heck, I hope even trolls have a nice Christmas.

  • Reason this comes under Christmas Cheer: FBI secretly suspects that the CCs were lifted by Santa whose normal Elvin work force were all laid off, due to their jobs being shipped overseas under NPFTA (North Pole Free Trade Agreement). The only way he could fulfill his duty was to acquire 3 million CCs. 3 million x $5000 limit = $15 billion. Enough for him to buy a $5 toy from Etoys.com for every Christian child on earth.
  • I get a lot of those mailings too. I probably shouldn't be saying anything, but I got a VERY interesting piece of mail the other day. Now, I don't want to jinx it or anything, but according to the letter I received, I may already be a winner of 10 million dollars. I don't want to get my hopes up, because I don't think everything's been finalized, but the letter seemed pretty official. Imagine, out of all the people who must have entered the contest, they chose me as the finalist. I'm so excited.
  • Can you really blame them? Egghead just felt they had to give _something_ to crackers for Christmas!

    Actually, this somewhat concerns me too as my credit card was probably on file there.. Hopefully it's just an old expired one. :/

    -mikey
  • The real problem is why the fuck they are storing credit card info on publicly accessible servers? Even the most basic secure layout should have the database behind a router and a firewall that has restrictions and ACL's tighter than a nun's ass. That's what pisses me off the most.
  • by TWX_the_Linux_Zealot ( 227666 ) on Friday December 22, 2000 @02:47PM (#542567) Journal
    "It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions."

    It's even WORSE when databases are cracked! I can easily call my credit card company when I have a dispute to a charge or suspect my credit card is screwed, but if millions of card numbers are stolen, then millions of people have to deal with it. Credit card companies probably don't like having to notify or handle millions of irate customers with disputed charges, and probably don't like having to re-print new cards for all of these cardholders. This is really sad, that this was even able to happen, and that Egghead left the credit card numbers on their server. If they'd been backed up to another computer that only has a hard connection while the backup is in place, then this would be much more difficult.

    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
  • Dude, don't be so sure you won't get looked into.
    A lot of things like this can come from former employees who were let go and might have grievances, and might know a thing or two about computer security or how things were running in the office.
    This just adds to the stack of things I'm mad at Egghead about, including my $35 ram that never got shipped....
  • I don't get this. It would be technologically trivial for the merchant to forward the credit card number and account info off to the CC companies, and get back a big n-bit number, consisting of enough information for the CC company to identify the card and the merchant authorized to use the card. Then, the merchant could totally forget the CC number forever, and just use the ugly number it got back from the CC company for any future correspondence with the CC company.

    It's a long way from being a perfect system, but unlike other processes I could think of in the 30 seconds it took me to read the slashdot blurb, it wouldn't involve putting any additional software on the consumer's machine, and it wouldn't involve any change in the habits of the consumer. And it wouldn't be painfully difficult to implement it for new e-commerce sites, and it wouldn't be particularly difficult to retrofit onto old e-commerce sites, either.

    Oh well -- it wouldn't be much harder to implement a much more secure system than I described (i.e., the merchant wouldn't know the CC number either), but it seems credit card numbers are generally considered "disposable" by now, anyhow. There is certainly no effort made by anyone to actually keep the silly things secret.
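    The scheme sketched in this post is what is now usually called card tokenization. Below is an added example (not from the poster or from any card network) that simulates both sides in one process: a Processor that keeps the real card numbers and hands back random tokens bound to the requesting merchant, and a Merchant that stores nothing but the token. Class names, the "shop-a"/"shop-b" merchant ids and the 4111... card number are constructed for the example.

```python
"""Added example: card tokenization as sketched in the post above.

Two parties are simulated in one process.  The Processor stands in for the
card network/acquirer and is the only party that ever sees a real card
number (PAN).  The Merchant stores only the opaque token it gets back, so a
dump of its customer table yields nothing chargeable elsewhere.  Names and
sample values are constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check so the processor rejects mistyped card numbers early."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Processor:
    """Holds the token -> (merchant, PAN) vault; never returns a PAN."""
    _vault: dict = field(default_factory=dict)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # A random token: nothing about the PAN can be recovered from it,
        # so the merchant may store it without protecting a card number.
        token = secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        entry = self._vault.get(token)
        if entry is None:
            return False
        bound_merchant, _pan = entry
        # The token is bound to the merchant that requested it.  A token
        # lifted from one merchant's database cannot be replayed by another.
        if not hmac.compare_digest(bound_merchant, merchant_id):
            return False
        return amount_cents > 0


@dataclass
class Merchant:
    merchant_id: str
    processor: Processor
    customers: dict = field(default_factory=dict)   # customer -> token only

    def save_card(self, customer: str, pan: str) -> None:
        token = self.processor.tokenize(self.merchant_id, pan)
        self.customers[customer] = token            # the PAN is dropped here

    def charge_customer(self, customer: str, amount_cents: int) -> bool:
        return self.processor.charge(self.merchant_id,
                                     self.customers[customer], amount_cents)

    def leaked_database(self) -> dict:
        """What an attacker who dumps the merchant's customer table sees."""
        return dict(self.customers)


def demo() -> dict:
    proc = Processor()
    shop = Merchant("shop-a", proc)
    pan = "4111111111111111"            # constructed Luhn-valid test number
    shop.save_card("alice", pan)
    charge_ok = shop.charge_customer("alice", 1999)   # normal repeat purchase
    dump = shop.leaked_database()
    # A second merchant replaying the stolen token is refused by the processor.
    replay_ok = proc.charge("shop-b", dump["alice"], 1999)
    return {
        "charge_ok": charge_ok,
        "pan_in_dump": pan in dump.values(),
        "replay_ok": replay_ok,
    }


if __name__ == "__main__":
    print(demo())
```

    The remaining weakness the thread goes on to raise still applies: a stolen token is useless to outsiders, but anyone who can act as the merchant (or as the customer's account) can still place orders with it.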
  • I know that it's more convenient, but in the name of security why keep it in your customer's profile at all? I try, the best I can, to avoid sites that insist on keeping my credit card associated to my profile on their site. Sure, keep the first few digits or whatever, but I'd really love it if some of these sites gave me the OPTION to save my credit card into my profile or not. Really, if I were VISA or Mastercard or whoever, I'd virtually require that all online retailers DO NOT store credit card info for anything more than the amount of time it takes to verify and clear the purchase. This amounts to maybe 60 seconds maximum.

    I once went so far last year as emailing a site to tell them that their site was COMPLETELY insecure. Sure, they used a cert and my transaction was encrypted, but after looking at the action associated to the credit card form I realized all they were doing was sending my credit card and all my info to a mail account using formmail.cgi. So I didn't buy anything from them. That simple. The company was a small DVD company in Canada that is not even in business any more.

    So I ask people, why the heck do these companies insist on saving our credit card info at all? Shouldn't we have to give them permission to save this info? I don't care if they save my address, phone number but when it comes time to purchase ask me what my credit card number is, I'd really prefer it.

    Later.

    Syn Ack
    paulm@nospam.spider.org | PM1819
  • Apache is known to have zero security flaws.
  • However, Robertson said such holes should have been patched.

    "It really doesn't matter what Web server you are running ... if you are not keeping up with patches, you're insecure."

    I couldn't have said it better myself.

  • [This was the note I received from Egghead regarding whether or not my credit card # was stolen or not.]

    Subject: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO
    Date: Sat, 23 Dec 2000 09:43:41 -0800
    From: "Egghead.com Special Update"
    To: mcdan@CSI.COM

    Dear Customer,

    Egghead.com has discovered that a hacker has accessed our computer
    systems, potentially including our customer databases. While there
    is no indication that any customer information has been compromised,
    as a precautionary measure, we have taken immediate steps to protect
    you by contacting the credit card companies with whom we work. They
    are in the process of alerting card issuers and banks so that they
    can take the necessary steps to ensure the security of cardholders
    who may be affected.

    We wish to underscore that we have taken these steps as precautions.
    We have no information at this time to suggest that any credit card
    information has been compromised. We are investigating this possibility,
    and we are doing everything we can to proactively protect you. If you
    would like further information, you may wish to contact the issuer of
    your credit card to determine what steps they are taking. We regret any
    inconvenience this may cause you.

    We issued a press release on this matter earlier today. It is appended
    below this message. If you have additional questions, please call our
    customer service team at 1-800-EGGHEAD (344-4323).

    Respectfully,

    Jeff Sheahan
    President & CEO
    Egghead.com, Inc.

    [There was a press release below this but I cut it out. It was standard business stuff.]
    --
  • Dude. Straight up. I would have been more sympathetic if egghead admitted their full guilt. "We're sorry, due to a piss-poor Operating system ridden with bugs, and our general lackluster knowledge of Security, We've been 0wn3d.." But I think their attitude is completely wrong. They are trying to ignore guilt. They go as far as owning up to the guilt, just by sending the letter. Egghead, it's your duty to let us know from the beginning straight up the truth, and not try to save your sorry ass stock prices any longer. I strongly believe orders are going out to sell sell sell internally right now, and they're hoping they can last long enough before delisting to get their money back :) Once the guilt is in the open, they're gone.
  • OK then, why not ship the CC#'s out a serial port or USB to a computer that is not connected to any of your networks and store them there?
  • This sort of thing just ticks me off so much! I absolutely LOVE shopping online. Disneystore.com is a fav of mine as well as a number of other mall-type store sites (how could I NOT love having a shopping mall in my room? I mean, seriously.) And eBay?-hello, it's not only shopping, but it's like a fun game too!
    But when sites are stupid about the way they handle customer accounts (though I generally only trust credit card numbers to fairly reputable companies, like disney) I'm the one who ends up looking irresponsible.
    As if my parents don't already think I'm a slack off, good-for-nothing college student with poor judgement half the time anyway, they then hear about all these sites that have been "hacked" or "cracked" or WHATEVER (as if my parents have ANY idea what that is, anyway- even less than myself) They just can't believe that I would be dumb enough to do any online shopping and how could they have raised such a dumb daughter who'd just throw money away like that over the untrustworthy newfangled internet shit. geez....
    Wow, that was random, thanks for listening....
  • synchronously while the customer waits (ick!!!!!),

    Personally, the wait is never that long and I prefer the knowledge that my card was processed while placing the order rather than having to wait for an email to come whenever it does (like the next day).

    I like ecommerce sites that require me to re-enter my card (or give me the option to not store CC#) because I am confident that when (not if) their security measures are compromised, my CC# will not be given away. Additionally, it protects me from a different kind of fraud, the kind where someone I work with accesses my computer while I dash out for a cup of coffee or discovers my password to an ecommerce site and buys stuff they want.

    Your idea of a secondary ID code with the CC processor, where the processor keeps the credit card number, is a good balance between convenience and security, but still doesn't protect against someone masquerading as the buyer and simply redirecting shipments.

    I like the idea (haven't tried it) of AMEX's disposable credit card numbers.

  • The credit card companies should no longer allow Egghead to be a merchant for their cards. This would effectively put Egghead out of business. (However I'm sure Egghead would reach a settlement with the CC companies in order to keep their merchant status and stay alive. Also I'm sure there's some massive contract between Egghead and the CC companies that *might* prevent this.)
  • As an Egghead customer, I just received this spam..err target marketing bulk e-mail from the CEO:

    Return-Path: <owner-CUSTOMERSERVICE*jry**INAME*-COM@MORPHEUS.EGGHEADLIST.COM>
    Received: from chmls12.mediaone.net ([24.147.1.148]) by
    chmls14.mediaone.net (Netscape Messaging Server 4.15) with ESMTP
    id G61HU900.US2 for <jaredcat@ne.mediaone.net>; Sat, 23 Dec 2000
    16:18:09 -0500
    Received: from smv664-leg.mail.com (lmtp09.iname.net [165.251.8.91])
    by chmls12.mediaone.net (8.11.1/8.11.1) with SMTP id eBNLI7e22988
    for <jaredcat@mediaone.net>; Sat, 23 Dec 2000 16:18:07 -0500 (EST)
    Received: from promo2.eggheadlist.com (promo2.eggheadlist.com [204.106.181.12])
    by smv664-leg.mail.com (8.9.3/8.9.1SMV2) with ESMTP id QAA05037
    for <jry@INAME.COM> sent by <owner-CUSTOMERSERVICE*jry**INAME*-COM@MORPHEUS.EGGHEADLIST.COM>; Sat, 23 Dec 2000 16:18:07 -0500 (EST)
    Message-Id: <200012232118.QAA05037@smv664-leg.mail.com>
    Received: from morpheus (morpheus.eggheadlist.com) by promo2.eggheadlist.com (LSMTP for Windows NT v1.1b) with SMTP id <4.0002D8CC@promo2.eggheadlist.com>; Sat, 23 Dec 2000 11:14:13 -0800
    Date: Sat, 23 Dec 2000 09:43:41 -0800
    From: "Egghead.com Special Update" <specialdeals@PROMO1.EGGHEADLIST.COM>
    Subject: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1
    To: jry@INAME.COM
    X-MIME-Autoconverted: from quoted-printable to 8bit by smv664-leg.mail.com id QAA05037
    Content-Transfer-Encoding: quoted-printable
    X-MIME-Autoconverted: from 8bit to quoted-printable by chmls12.mediaone.net id eBNLI7e22988

    Dear Customer,

    Egghead.com has discovered that a hacker has accessed our computer
    systems, potentially including our customer databases. While there
    is no indication that any customer information has been compromised,
    as a precautionary measure, we have taken immediate steps to protect
    you by contacting the credit card companies with whom we work. They
    are in the process of alerting card issuers and banks so that they
    can take the necessary steps to ensure the security of cardholders
    who may be affected.

    We wish to underscore that we have taken these steps as precautions.
    We have no information at this time to suggest that any credit card
    information has been compromised. We are investigating this possibility,
    and we are doing everything we can to proactively protect you. If you
    would like further information, you may wish to contact the issuer of
    your credit card to determine what steps they are taking. We regret any
    inconvenience this may cause you.

    We issued a press release on this matter earlier today. It is appended
    below this message. If you have additional questions, please call our
    customer service team at 1-800-EGGHEAD (344-4323).

    Respectfully,

    Jeff Sheahan
    President & CEO
    Egghead.com, Inc.

    Press Release:

    Contact:
    Joanne Hartzell
    Egghead.com, Inc (650) 470-2713
    John Stodder, Shoreen Maghame
    Edelman Worldwide, (323) 857-9100

    Egghead.com Investigates Breach of Company Computer Systems
    Company Undertakes Immediate Precautionary Measures
    MENLO PARK, Calif., December 22, 2000 - Egghead.com ®, Inc. (Nasdaq:
    EGGS), released the following statement today:
    "Egghead.com has discovered that a hacker has accessed our computer
    systems, potentially including customer databases. As a precautionary
    measure, we have taken immediate steps to protect our customers by
    contacting the credit card companies we work with. They are in the
    process of alerting card issuers and banks so that they can take the
    necessary steps to ensure the security of cardholders who may be affected.

    "Simultaneously, we have retained the world's leading computer security
    experts to conduct a thorough investigation of our security procedures
    and an analysis of this breach. We are also working with law enforcement
    authorities, who are in the process of conducting a criminal investigation.

    "For many months, we have been in the process of strengthening our security
    systems in an effort to combat the increasing, industry-wide problem of
    malicious hacking. We are committed to providing the highest security
    standards in the industry, a process that has been ongoing and has
    involved a considerable investment on the part of our company. Those
    principles will continue to guide us going forward."

    About Egghead.com: Egghead.com is a leading Internet direct marketer of
    technology and related products. With an emphasis on Small- to Medium-sized
    Business (SMB) customers, Egghead.com offers a wide range of products from
    computer hardware and software, consumer electronics and office products,
    to sporting goods and vacation packages. Its Clearance, After Work and
    Auction formats offer bargains on excess and closeout goods and services.
    Egghead.com combines broad selection, low prices, and excellent service
    to provide an outstanding online shopping experience for businesses and
    consumers. Egghead.com is located on the Internet at http://www.egghead.com

    This press release contains forward-looking statements that involve
    risks and uncertainties, including but not limited to statements relating
    to steps taken to protect our customers. These forward-looking statements
    are based on information available to the company at the time of this
    release and we assume no obligation to update any such forward-looking
    statements. The statements in this release are not guarantees of future
    performance. Actual results could differ materially from current expectations
    as a result of numerous factors. For example, our ability to protect our
    customers from potential misuse of private information is limited, and the
    impact of compromised computer security on our business is unpredictable.
    Other risks and uncertainties associated with the business are detailed in
    our most recent Forms 10-K and 10-Q which are on file with the SEC and
    available through www.sec.gov

    Shoreen Maghame
    Edelman Worldwide
    (323) 857-9100 ext. 231
    e-mail: shoreen.maghame@edelman.com

    Due to our desire to ensure every person who may be affected has been notified,
    you may be receiving this message even if previously expressing a desire not to
    receive email from Egghead.com. If this is the case, please be assured you will
    not be receiving promotional emails from Egghead.com in the future.

    To be removed from our mailing list please go to:
    http://promo2.eggheadlist.com/blist.asp?e=JRY@INAME.COM
  • The company who issued me my MasterCard has a pretty neat program aimed at preventing problems with situations just like this.

    You basically get a new credit card number valid for x number of months and with a credit line of y dollars (you specify the details). You use the new number for one purchase and you're done with it.

    Now, skip ahead a few months to the day the online retailer's database is cracked. The one-month valid card with the $90 credit line you used is long since expired, so you have no reason to worry.

    MBNA (my issuer) isn't alone in providing services like these. I suspect that as cracking continues, you'll see a lot more people paying attention to the extra services their credit card company is trying to tell them about.

    ck
  • Another credit card security issue I have observed is where the ecommerce site puts the CC expiration date on the "receipt" page that a lot of people print out as a record because it usually contains the order number.

    Most people may miss this security feature. Since it is common to write your account number on the check when making a payment, the credit card companies came up with the guideline of asking for the expiration date, because (unless you're a dork or using ecommerce software written by dorks) the expiration date is printed only on the credit card itself. Not a foolproof defense against fraud, but a reasonable stop-gap measure that is now being compromised by some of the "larger" ecommerce sites.

  • Don't blame IIS because of clueless admins. I don't recall windows2000test.com ever being hacked.

    I agree with you on the IIS/clueless admins thing, but if I recall correctly windows2000test.com was too busy being continually rebooted and "down due to weather" to be hacked.

    -Legion

  • Almost not worth replying to, but

    "as I really could care less if you make rich businesses pay"

    does irk me some, as "businesses" that get hit with fraud

    1. either pass those costs on to consumers (or other businesses which deal with consumers - our whole society is based on CONSUMING), which ultimately affects you and me.

    or 2. pay employees less because they have to 'eat' the cost associated with the fraud. If you worked at one of those 'rich businesses' you'd probably care very much if you were going to get paid less (or NOT get the pay increase you deserve - same thing in the long run) due to fraud.

  • Linux is not Redhat.

    windows2000test.com was not "hacked" because
    1) No services were running
    2) Whenever a breach was imminent, they took it off the network

    I bet you think NT is C2 Secure too!
  • Probably doesn't mean much, but Oracle running on what OS? Sun? NT? W2k? Linux? Thanks for any more insider light you can shed on this.
  • Thanks for the response.

    FYI, on the encryption I use, typically what happens is this:

    The data from the server is stored in plain-text format in the database. A third (and final) machine I have constantly polls the database looking for data that is not encrypted. This box is not connected to the net, and it holds all the keys. It contacts the db server (which also is not connected to the internet, FYI) and does the encryption. Typically, an unencrypted row is in the DB for less than 30 seconds.

    Anyways, you have some excellent points about responsibility.

    My point has been, was, and is that security is more about the design and implementation than a catchy number of bugs (32,000 for Win2k) or OS zealotry. You and I probably know of machines on both sides of the aisle that have been hacked to pieces. We also both probably know of machines that we thought were rock solid secure, and turned out to be insecure.

    Thanks for the dialog.

    Dan

  • Monkeys is a compliment!

    I prefer to think of them as drunken, dyslexic chimpanzees.
  • First, you're not quite right with regard to who loses with credit card fraud. The bank that issues the credit card occasionally, but rarely, eats the loss. Generally, it's the merchant who accepted the stolen card number who loses. Exactly which rules apply in a particular situation is far from simple. If by saying "CC company" you're referring to Visa or Mastercard then the CC company has nothing to do with it. They are just associations of banks that provide a brand and a set of standards; they're not real companies that you actually do business with.

    Second, while you're right that in the near term there's no impact to the card holder, don't kid yourself that it will never hurt. You'll notice that both of those entities who stand to pay for the fraudulent charges make 100% of their income from you and people like you. What do you think they do with those additional costs? Further, this costs you and me even if the thief never uses the stolen numbers. How much do you think it's going to cost all of the banks involved to reissue the 3.1 million cards? I'll give you a hint: The industry figures that on average it costs approximately $8 to replace a card. You do the multiplication.

    Fraud costs all of society, ultimately. In this case, I hope they find some way to make Egghead liable for at least a part of the damages for any abuse of the stolen card numbers. I wish they could be held liable for the banks' costs in reissuing all of those cards as well. Oh, and I hope the bozo that stole the numbers gets a very large, very hairy and very friendly cellmate.

  • Sounds good... now instead of securing ecommerce databases, we need to secure the American Express 'one time cc' database.
  • Woohoo, yet another Micro$hit IIS hacked!!! Microsoft surely makes crackers go Ka-Chingg!! ;)

    Any of you guys remember that a few weeks ago (or was it last week?) creditcards.com, which uses Microsoft Windows NT, was hacked and about 3 million credit cards were stolen? Again and again and again. Even Microsoft itself has been hacked twice this year, plus another www.microsoft.si hacked.

  • Imagine how fast this would be modded down if they used apache and got 0wned. Oh the horror! they fought the good fight and lost.

    You act as though linux or anything OSS has never had a buffer overflow or security issues.
  • Ok, I don't know much about credit cards since I've never used or owned one. I basically know how they work though: you have a limit as to how much you can spend, then you pay the people who gave you the card or whoever the amount you spent on stuff, and if you're a good spender you can get the limit increased. I think that's right..

    ok so here's what I wanna know...

    If someone gets my CC number, what can someone do with it. I really don't know so that's why I'm asking. I mean, it's just a number... Don't you need more than that to make evil/good use of the whole credit card?

    Yeah this is kind of a stupid question, but I've just never used one or even asked about it. So I'm just curious now :)

    ----------
  • Oh, and another thing: if the system really was compromised, and the FBI gets involved, the first thing they are gonna ask for is a list of employees who have come/gone in the last 6mo/1yr.
  • Search bugtraq for apache and ssh some time. Anything can be hacked if you don't know what's going on. How many versions of redhat were 0wnable out of the box?

    Don't blame IIS because of clueless admins. I don't recall windows2000test.com ever being hacked.
  • You know what, Headline News said earlier this week that most people are still unwilling to shop on line. There were three reasons given, below in order.

    1) The consumer prefers to see the gift before purchase

    2) The consumer prefers not to give out his or her credit card on line

    3) The consumer finds many Web sites difficult to navigate

    All of these are problems of consumer confidence and arise from the need of the customer for accountability. Individual protections against unauthorized purchases are inapplicable in the case of a DB crack due to reasons of scale mentioned in above posts.

    So what is the solution?

    Buy locally.

    If an individual merchant decides to cheat you, YOU can go down there with YOUR baseball bat or YOUR neighborhood constable and confront the jerk.

    If the merchant defrauds many people, a MOB of folks with baseball bats,or preferably their team of lawyers, can do the same thing.

    The average e biz, for reasons of security, will be wanting to move to data havens pretty soon. For the same sovereignty based reasons a data haven is appealing to such firms, they will have no way of tracking and enforcing national laws against crackers.

    We need international standards systems w/r/t privacy, personal information, fraud, security and intellectual property. For once, let's create safe and sensible structures BEFORE the net's growth beats us to the curve.
  • You so funny! Too bad you so stupid! A one time CC is only one use, so if the DB is compromised there is nothing to lose - you have already used up the CC account.

  • No, I didn't sign any sort of NDA. Two, what exactly did I tell you that Egghead hasn't already told us? I didn't say anything very informative, essentially that they just have 3-4 databases, instead of 15. How is that a map to hacking egghead? To be honest, I don't even know how many databases they have relates at all to getting access to the databases. If I would have given you IPs (which I don't have) and logins and passwords (which I don't have) and exact versions of all the software on the DBs (which I also have no clue about) that would be another thing. But all I told the slashdot community was that there are 3-4 databases, and the schedule in which they update (how is that important to keep secret? A lot of companies, like banks, tell you their servers update your accounts at midnight, or whatever). Just shedding some light that no matter what DB the intruder gained access to, they still would have gotten almost the entire customer DB.
  • I doubt any of them have this information on a publicly accessible server. However, the web server has to be able to access the db server somehow, so an attack on the web server will yield access to the database server.
  • Oh great, this again. It was on CNBC tonight and my dad called me into the room to watch it with him. He then raised his eyebrows as if to point out how crazy I am for giving out my credit card online.

    Although these disclosures and media attention are useful for letting card holders know about it (thus reminding them to check their statements), I have to compliment CNBC on something: They took the time to explain the difference between a CC# stolen during a transaction and one stolen later on from a database. Kudos to them.

    REGARDLESS, I am forced to point out once again that we do "risky" things every day. Having your card # stolen from a database is no different than handing it to the guy making $5 an hour at Olive Garden and having him jot down the card info when he leaves with your check.

    Granted, one might point out that getting a card stolen online might mean more people will abuse it and make illegal purchases. I counter that argument with the fact that being one of 300,000 known stolen cards means media attention which would result in you getting advance knowledge to go over your statement with a fine-toothed comb, which you might not do (but always should regardless) if some random waiter stole your card to buy a few DVDs.

  • The company has no download policy. There is some sort of unwritten policy I guess, but no terms of usage that we were ever shown when we started working there. Never signed a computer usage agreement, never saw one, and they admitted there is not one, but it should be assumed that I should know not to download things on my work computer. To make things worse, they have a double standard. They don't mind if you download napster and winamp and play mp3s (I know some people there with a 20+gig mp3 collection on their work computer), but they do if you download other things. The director of business sales (who I worked under) told me they look the other way for music and mp3s, but what I did they can't look the other way on. Because the tools I downloaded could possibly be used in a malicious way! (Or so they claim). The thing is, I never installed anything, the security they have in place would not allow me. I downloaded and had a zip file on the HD, but could not install it. I got fired over a zip file on my HD.
  • As someone already pointed out, security at financial institutions tends to be much better than at ordinary online stores. But in addition to that, in theory, someone obtaining the Amex one-time card customer database wouldn't necessarily have any direct way to profit from that - unless the database included a permanent credit card number (which in theory, it wouldn't necessarily have to), or gave the thief a way to generate bogus one-time numbers (which also shouldn't be possible, in theory.)

    In practice, I wouldn't be surprised to find that Amex's database does include the customer's permanent credit card number, but that's an implementation detail. There's no question that any way you look at it, one-time numbers really do add significant security.

  • I'm 17.5 years old. I've been told by multiple people that I should sue for discrimination, because it is fairly obvious that they fired me because they felt threatened by my knowledge at this young age. I have neglected to for multiple reasons. One being I don't want to get a reputation for suing my employer; that doesn't help when trying to get a new job. Two, and the biggest reason, I don't have the money for a lawyer and would not know where to start.
  • You're absolutely right. But you could turn this around: get yourself an Amex or Discover card with the one-time number capability (see the other messages here about one-time card numbers), and explain to your parents how you've taken steps to ensure that your web transactions are secure. Then they'll be impressed by what a smart and savvy daughter they have!
  • Not sure to be honest, but according to another insider that posted in this forum, it was a HP 3000 server running NT and IIS.
  • It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions.

    Be it a hole in SSL or a lazy/stupid box admin that opens up the door for crackers and script kiddies to get access to your info, the fact remains that you have an annoyance on your hands. Canceling the card, getting a new card, notifying ISPs and others of the change in information.

    I'd rather spend the time to drive to the mall, I can look at women in tight pants at the mall. Hell, maybe even score a phone number.

    LK
  • You articulated your troubles with them very well. I hope they eventually own up to their mistake and give you the apology you deserve! My thought on AMEX and its "no pre-set spending limit" is that I know there's a limit, just not what it is--however, the first time they ever decline a charge would be the last--then I could use your confetti idea :).
  • Actually, if it was a Linux/Apache box, it wouldn't have gotten 0\/\/|\|3D in the first place.
  • by Col. Panic ( 90528 ) on Friday December 22, 2000 @04:19PM (#542614) Homepage Journal
    "We're in continuous crisis mode here," said a consultant

    At least the cracker could use one of those numbers to send the sysadmins a recovery care package:

    pizza

    Mountain Dew

    1/2 ton of candy in Christmas colors

    151 proof "eggnog"

  • If you don't connect a box to the Net, you can't send it data (I consider anything connected to a box connected to the Net to be connected to the Net, so that's possibly semantics in a first vs. second order connection, but I think an important distinction.)

    I'm curious as to why you'd poll the database looking for unencrypted data versus arbitrating all DB access through a data broker that ensured it? In either case, the Web server has to be able to request and obtain the clear data, and while stored procedures are obviously the way to go, I've been hard-pressed to come up with a way to rate-limit the server's access to critical data if the server needs it (obviously CC#'s aren't the type of data a Web server needs access to, and stored procedures and second servers for customer service reps. fill that need quite well.) Especially in the "hundreds of thousands to millions of customers" category where queries per second are sometimes hardware limited instead of DB limited.

    I've also asked folks to implement middleware changes in the past that would disallow any wildcard query and alert like hell on them. That helps reduce worst-case exposure pretty significantly even though it's not a 100% ideal solution.

    My point on the number of bugs was twofold- first of all, I think that it's indicative of the legal climate that such realities could be aggressively tilted toward contributory negligence. Secondly, one of the things that we rely on in the security community is history. Historical exposure provides significant help in determining relative security. For instance, BIND, which I now refer to as the "Sendmail of the 90/00's" has historically been insecure. Choosing DNSCache is more than likely going to produce a more secure system. It obviously shouldn't be the sole criterion, but I think it's important to add historical context to any architecture design decision.

    OS Zealotry has such a limited place in any technical discussion or plan that it's minor, no matter what side the zealot falls on, but number of bugs does indeed indicate quite a bit once you normalize the results somewhat.

    I've found history and current bug severity and number to be accurate in choosing firewall vendors, and in choosing at what point a firewall vendor has changed development/QA processes enough to significantly impact functionality (it's a shame there's not a money-back critical bug metric in software contracts.) 32k bugs says one good and one bad thing. It says a lot for the QA process and a bad thing about the development/release process. But then I originally worked on mainframes where you got a couple hours of scheduled downtime a year if you were lucky and vendors who produced significant recurring bugs got thrown out on their asses quite quickly.

    I'm pretty happy working to secure almost anything, but there are a lot of choices that I wouldn't make to host data *I* personally was responsible for the security of (Irix springs immediately to mind in its non-trusted variant.)

    You should pause and ask yourself what the catchy number of bugs says about the design and implementation of Win2k. The reason for its slow adoption curve is because that spoke volumes to a lot of people. Granted only a portion of those bugs have a significant security context, but security is but one piece of the whole. Win2k is where NT should have started in regards to features and stability, and I've little personal patience for any vendor who wants me to pay for QA (MS certainly isn't the only vendor on my list, just the extreme case.)

    In an ideal world, we'd have easy to use and administer compartmented systems. Compartmented systems fly in the face of Microsoft's productivity in producing OS', and I see that as a potential problem moving forward- we're only starting to see the tip of that iceberg now in process-based protection mechanisms failing with very recent MS products. As usual though, security is always about compromise and securing what you have instead of what you might want. In an ideal world, OS' are commoditized to a point where it doesn't really matter which one you use and you can pick secure ones for secure purposes. That however flies in direct competition with every commercial OS vendor. It'll be really interesting to see what IBM does with AIX. SGI actually gamed it out early, but it doesn't seem to be overly important that IRIX is basically EOL'd as far as their sales go.

    Ah well, if the world was the way I'd like it to be, I'd be looking for interesting work...

    Happy Holidays,

    Paul
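The "data broker" and "disallow any wildcard query and alert" ideas in the post above, as an added example that is not Paul's code or Egghead's: a small Python broker that sits between the web tier and the database, classifies each SELECT before it runs, refuses unbounded or wildcard reads and reads of restricted columns, and logs an alert on every refusal. The RESTRICTED_COLUMNS policy, the table layout and the test card value are assumptions constructed for the demo; the check is a string-level policy, not a SQL parser.

```python
import logging
import re
import sqlite3

# Added example: a data-broker layer that sits between the web tier and the
# database, refuses unbounded or wildcard SELECTs, and alerts on every attempt.
log = logging.getLogger("db_broker")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Columns the web tier must never read directly (assumed policy for this example).
RESTRICTED_COLUMNS = {"card_number", "card_expiry", "password"}

class QueryRejected(Exception):
    pass

def _normalize(sql):
    return " ".join(sql.strip().split()).lower()

def classify_query(sql):
    """Return the policy violations for one SELECT statement (empty list = allowed)."""
    q = _normalize(sql)
    problems = []
    if not q.startswith("select"):
        problems.append("non-select")          # only read access is brokered here
    m = re.match(r"select\s+(.*?)\s+from\s+(\w+)(.*)$", q)
    if not m:
        problems.append("unparseable")
        return problems
    columns, _table, rest = m.groups()
    if columns.strip() == "*":
        problems.append("wildcard-columns")    # SELECT * exposes every column, including new ones
    names = {c.strip().split(" as ")[0].split(".")[-1] for c in columns.split(",")}
    for col in sorted(names & RESTRICTED_COLUMNS):
        problems.append("restricted-column:" + col)
    padded = " " + rest + " "
    if " where " not in padded:
        problems.append("no-where-clause")     # whole-table read
    if " limit " not in padded:
        problems.append("no-row-limit")        # worst case is the entire table in one call
    return problems

def broker_execute(sql, params, execute):
    """Run execute(sql, params) only if the query passes policy; otherwise alert and refuse."""
    problems = classify_query(sql)
    if problems:
        log.warning("REJECTED query %r: %s", sql, ", ".join(problems))
        raise QueryRejected(problems)
    return execute(sql, params)

def demo():
    """Exercise the broker against an in-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table orders (id integer, status text, card_number text)")
    conn.execute("insert into orders values (1, 'shipped', '4111111111111111')")  # constructed test PAN
    def execute(sql, params):
        return conn.execute(sql, params).fetchall()
    allowed = broker_execute("select id, status from orders where id = ? limit 1", (1,), execute)
    try:
        broker_execute("select * from orders", (), execute)
        rejected = None
    except QueryRejected as exc:
        rejected = exc.args[0]
    return allowed, rejected

if __name__ == "__main__":
    print(demo())
```

The point of the "no-row-limit" and "no-where-clause" checks is exactly the worst-case exposure Paul mentions: a compromised web process that can only ever ask for one keyed row at a time cannot pull the whole customer table in a single query, and every attempt to do so shows up in the log.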
  • There are not 15 databases. They have Worfin, and Blue which are the main databases. Then there is Lectroid which ARC (the software the customer service and sales reps use). Worfin is the main database, which is live, and Blue is updated at midnight. Lectroid (and I think one more, I forget its name) are updated in semi real time. So, if they cracked one database, and not another, it really doesn't matter. They have identical content, except that they might be one day behind in content than another database. So best case scenario, the hacker got all the data up to the day before, I didn't get any new customer data the day he hacked it. Which is negligible when you think about how many credit cards he stole whole. And I'm quite sure they would know which one was stolen, unless the IT people are stupider than they were when I left egghead.

  • If your CC number is stolen, just call the Credit Card company and have them cancel the charges. The only people who lose any money in thefts like these is the CC companies themselves, because it is actually cheaper to let things like this slide than it is to pursue legal action or even track the people down. And, frankly, I don't think I will be crying for them any time soon.
  • Um, actually all Visa card numbers begin with the number four. Get your facts straight.
  • [We can take this to e-mail if you'd like]

    NT4 Stability:

    It's a combination of hardware, load and additional software. These days it's *extremely* difficult to depend on a single motherboard being manufactured for more than 2 quarters, so I'm leery of anything that's hardware-finicky or driver related (having just had to try to track down some video and Ethernet chipset stuff, I'm particularly sensitive to this at the moment.)

    I've seen certified hardware with inescapable problems and random issues, though not as often as grab-bag stuff.

    Bugs:

    In the best environment, 2/3rds of bugs are known- while most won't have a direct security context, 1% of them would be pretty significant. I don't like at all the fact that Microsoft will release a product that they've no intention whatsoever of ever fixing/finishing. Instability has been a next release selling point for them, and that bothers me a lot, but mostly morally.

    Some people like the idea of microkernels, I'm not convinced they have any real-world advantages, and side with Linus on that front. Given the APIs, I'm not sure that Win2k qualifies as "micro" anything ;)

    You should try Apache under NT, it's been threaded for what, about 2 years now? The server is modular enough that if you spend some time with it, you can pare it down pretty significantly, and it handles named virtuals as well as anything.

    ACLs are only a beginning. If you want to see how a secure OS is built (secure to the level of potentially being able to give out writable CGI directories and open shell accounts and not worry about compromise) check out http://www.rsbac.de. That's the major advantage of an Open Source OS, for a relatively minuscule sized chunk of code (not to belittle the effort, the effort was and is tremendous) RSBAC gives us role based stuff (No more superuser compromise), full ACLs, Mandatory Access Control, compartments, malware control, and the European Privacy Model. Better yet, it's not just an implementation, it's a framework for creating new security paradigms. It's securelevel taken to the next level. That's where small *secure* dedicated machines should spring from. Best of all, it's still able to run normal programs. The only thing it could really use is more socket-oriented stuff, but there's already enough to use and gain from significantly as a base for secure systems.

    Don't even get me started about Exchange- you *can't* pare it down, SQL Server is monstrous- very secure doesn't come in packages that large without a lot of dedicated work that MS will never do because it's not profitable. Lovebug's spread had help from Exchange's architecture issues.

    They've already got massive version control issues with the current Service Pack/Hotfix stuff; adding more products would be a death knell for QA. Regression testing is probably their longest lag time to fix on critical issues and why SPs take so long to get out and can't have last-minute fixes incorporated.

    Given the inroads Linux has made into the high side, it's inevitable that MS will have problems down the road getting the successor to Win2k adopted since Win2k is at least mostly-stable.

    Personally, I don't think Embedded NT stands a chance against Linux/*BSD. But I've been wrong before. Twice ;) I just don't think that 2k brings anything significant to the table to make it worth the embedded device premium- you've still got the same driver difficulty issues and none of the source to fix them. Hardware's getting cheaper- why spend those revenue dollars on driver development? That's why "embrace and extend" and MS-only features are necessary to them, they're not scaled to compete any other way at the low end where volume would devalue their mid-and high end stuff. That's also why they need desktop and server OS merging.

    Back to real-world stuff- It's certainly possible to run real-world sites on NT, and we have no problem certifying our customers that do so once they've gotten through the essentials, but the level of diligence for IIS is higher than that for Apache (mod_rewrite's last bug is the only significant security sensitive Apache bug for a while now if you've configured conservatively.) Obviously because on-going reporting and testing are a part of our business, IIS is good for our model. Just like Word and the Macro Virus problem though, I personally think there are a lot of better choices that make more secure platforms. Beta was better than VHS though- and now the only Beta is the broadcast stuff, not consumer stuff (that wasn't one of the times I was wrong though, I went VHS all the way ;) )

    BTW: I was serious in the first post about trying the top few exploits against your IIS servers- the last time I saw someone do it on what seemed to be well-managed sites, the results were astounding.

    Best wishes,

    Paul
  • I'm sure the guys(or girls) with 3.7 million credit cards are pretty cheerful right about now.
  • It's actually a bit harder to use than everyone on slashdot wants to believe. If you order something sent to an address other than the one listed on the credit card company, chances are they'll call you to confirm it. Even if they don't most people will catch unauthorized use pretty quickly, and under federal law you're only liable for up to $50 of unauthorized purchases. The only real problems start if you don't catch the credit card use fast enough, and let the thieves go wild for an extended period of time. And then unless you have an unrealistically high credit limit they won't be able to charge too much before they're maxed out.
  • You can also use one-time credit card numbers with Discover [novusnet.com].
  • All ye need is the registered name and address of the card holder, the card number, and the expiry date. And if one bit is in a database, likely all bits are.
  • Fucking Egghead.

    I typically avoid e-commerce sites that require me to "register" before I can buy, however I do happen to be a "registered" egghead customer :(

    First off you have to give them a user name/password which after a while you start using the same username/password unless you have a very good memory. Typically passwords are stored unencrypted on a database somewhere so that you (or some devious social engineer) can retrieve your password if you forget it. Once your username/password is compromised then a simple script can test for other accounts at major e-commerce and/or stock trading sites.

    Also, I prefer to have the store where I buy from wipe out my cc number after processing the order instead of leaving it around for some disgruntled employee to access.
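The retrievable-password store described in the post above, beside the alternative, as an added Python example (not code from the poster or from Egghead): a PlaintextUserStore whose "forgot password" feature reads the secret back, and a HashedUserStore that keeps only a salted, iterated PBKDF2 digest and replaces recovery with a random reset token. A leaked copy of the first table is immediately reusable against every other site where the same username/password was reused; a leaked copy of the second still has to be cracked one account at a time. ITERATIONS and the class names are assumptions for this example.

```python
import hashlib
import hmac
import os

# Added example: the "retrievable password" store the post describes, beside a
# store that keeps only a salted, iterated hash and replaces recovery with a reset.
ITERATIONS = 200_000   # assumed work factor; tune to your hardware budget

def hash_password(password):
    """Return 'pbkdf2_sha256$iterations$salt$digest'; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))   # constant-time compare

DUMMY_HASH = hash_password("dummy")   # used so unknown users cost the same time as wrong passwords

class PlaintextUserStore:
    """What the post describes: passwords kept as-is so support can read them back.
    A copy of this table is directly reusable on every other site the user reused on."""
    def __init__(self):
        self.rows = {}
    def register(self, user, password):
        self.rows[user] = password
    def recover_password(self, user):
        return self.rows[user]

class HashedUserStore:
    """Hardened version: the table holds no password, only a salted PBKDF2 digest."""
    def __init__(self):
        self.rows = {}
        self.reset_tokens = {}
    def register(self, user, password):
        self.rows[user] = hash_password(password)
    def login(self, user, password):
        stored = self.rows.get(user, DUMMY_HASH)   # same work whether or not the user exists
        ok = verify_password(password, stored)
        return ok and user in self.rows
    def issue_reset_token(self, user):
        """'Forgot password' becomes a reset: a random token sent out of band, never the old secret."""
        if user not in self.rows:
            return None
        token = os.urandom(16).hex()
        self.reset_tokens[token] = user
        return token
    def reset_with_token(self, token, new_password):
        user = self.reset_tokens.pop(token, None)   # single use
        if user is None:
            return False
        self.rows[user] = hash_password(new_password)
        return True
```

Nothing in HashedUserStore can hand a support rep (or a social engineer calling as one) the original password, which is the whole point: the recovery path no longer exists, so it cannot be abused.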
  • Regarding my previous comments on "Security being the red-headed stepchild of computer science because consumers are too stupid to know or care about it".

    Education can be painful. But in the end, it's better to learn a lesson than not.
  • Maybe they figure that not telling users is a form of damage control. Sure, maybe some people will get upset if this sort of thing happens and you don't inform those who may have been affected. Then again, if you send out a message to all your customers telling them that some hacker has their credit card number, you know your phone is going to be ringing off the hook. I certainly wouldn't be happy to sign my name to that sort of letter. Maybe they feel that they would lose more customers by admitting fault than by keeping mum.


    This is not to say that I think keeping silent is right (taking responsibility for your mistakes is the Right Thing To Do), but it is certainly understandable.

  • by blinko ( 97812 ) on Friday December 22, 2000 @03:04PM (#542670) Homepage
    Here's a telling excerpt from the article.

    > Hacked servers by Microsoft
    > Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.

    > IIS is known to have had many security flaws.

    Show that to your boss.

  • They need to keep your card number around for at least a while. If you are dealing with an online merchant, the merchant is not allowed to charge your card until items are shipped. However, the merchant will authorize your card immediately, or at least pretty quickly. In addition, the merchant may need to credit your account in the future for whatever reason. At any rate, the merchant needs to hold onto your card number for some time. Here's what typically happens:
    1. You check out for a new game on Tuesday.
    2. The merchant authorizes your card to make sure that it can charge the $43.64 that the game costs. Note that there is no charge yet, but the merchant has reserved $43.64 for it to take later when it ships the game to you.
    3. On Wednesday, the company ships the game to you.
    4. On Thursday, the warehouse updates the accounting system so that it knows the game has shipped.
    5. Thursday evening, the company charges the $43.64 that it reserved early during the card authorization.
    6. Monday comes, and you receive Virtual Barbie instead of Tom Braider. What's the difference? You tell me, but you wanted Tom Braider, so you call the company.
    7. Their customer service representatives apologize and promise to credit your account for the $43.64.
    8. Ten minutes later, the credit to your account is performed, and you don't have to give your card number again. Plus, the customer service rep never has to know your card number because it is already in the merchant's database, and access to the actual number is, hopefully, tightly controlled.
    The point is that the company needs your card to be able to process monies later. There is a point at which the liability of keeping card numbers exceeds the usefulness gained, and apparently many companies have chosen that time poorly. I imagine that those who do purge records from their main systems keep the card numbers for at least as long as they would typically provide a money-back return to the customer. Also note that online merchants are not the only ones who keep these records. All companies follow a similar process, but online companies always have their systems connected to the Internet in some way, which makes them more obvious targets.
  • Does anyone know how the numbers were stolen? Were they obtained purely from the outside, or with inside help? Were the numbers encrypted in the database? So far, I haven't seen an account of how the theft occurred.
  • When I logged on to Slashdot, the sight was pretty grim.
    Their god is Linus Torvalds and they'd live and die for him.
    They believe in source code, and not in the corporate way.
    So I'll go to "slashdot dot org" and post a comment and saaaaayyy....

    HEY THERE MISTER SLASHDOTTER! Merry fscking Christmas!
    Put down that disk of core dumps, and hear my holiday wishes...
    In case you haven't noticed, it's Jesus's birthday
    So get off your penguin-loving butt and fscking celebrate!

  • Most likely, this has nothing to do with using IIS. This likely has to do with incompetence somewhere in the chain of command.

    I have done literally hundreds of small business size e-commerce sites. I never, ever, ever store the CC's for more than 1 day. After a day, all that gets stored is a hash number.

    In one case, a site that I did was actually hacked. Someone guessed a password that client used (you might have seen it in Hackers the movie, seriously). You know what they got? Encrypted customer lists, a product database that was 100% public anyways, and MD5-hashed CC numbers. Completely worthless. Plus the fed's tracked him down by some miracle and now he's fucked.

    So my point is that site design is everything, and the server is absolutely bordering on irrelevant.
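The eight-step authorize/capture/credit walkthrough a few comments up and this post's practice of keeping only a hash after a day, combined into one added Python model (my example, not either commenter's code or Egghead's): the merchant record holds the card number only between checkout and capture, and afterwards keeps just the last four digits, a fingerprint and the processor's authorization reference, which is all steps 6-8 (the credit) need. FakeProcessor, Merchant, the key and the test card value are assumptions. One caveat on the hash: a bare MD5 or SHA of a 16-digit card number is reversible by simply enumerating the number space, so the fingerprint here is an HMAC under a key the web tier does not hold.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example: the authorize / capture / credit flow, with the card number
# dropped from the merchant record as soon as the capture has gone through.
FINGERPRINT_KEY = b"example-key-kept-in-a-key-store"   # assumption; never in the web tier

def card_fingerprint(pan):
    """Keyed hash of the card number for de-duplication and lookup. A bare MD5/SHA of a
    16-digit number is reversible by enumerating the number space, so it is keyed."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()

class FakeProcessor:
    """Stand-in for the card processor: tracks each authorization by reference."""
    def __init__(self):
        self.auths = {}
    def authorize(self, pan, expiry, amount_cents):
        ref = "auth-" + secrets.token_hex(4)
        self.auths[ref] = {"amount": amount_cents, "captured": 0, "refunded": 0}
        return ref
    def capture(self, ref, amount_cents):
        a = self.auths[ref]
        if amount_cents > a["amount"] - a["captured"]:
            raise ValueError("capture exceeds authorization")
        a["captured"] += amount_cents
    def refund(self, ref, amount_cents):
        a = self.auths[ref]
        if amount_cents > a["captured"] - a["refunded"]:
            raise ValueError("refund exceeds captured amount")
        a["refunded"] += amount_cents

@dataclass
class Order:
    order_id: int
    amount_cents: int
    status: str
    auth_ref: str
    pan: Optional[str]        # held only between checkout and capture
    card_last4: str
    card_fp: str

class Merchant:
    def __init__(self, processor):
        self.proc = processor
        self.orders = {}
    def checkout(self, order_id, pan, expiry, amount_cents):
        # Steps 1-2: reserve the amount at checkout; keep the PAN until the capture.
        ref = self.proc.authorize(pan, expiry, amount_cents)
        self.orders[order_id] = Order(order_id, amount_cents, "authorized", ref,
                                      pan, pan[-4:], card_fingerprint(pan))
        return self.orders[order_id]
    def ship_and_capture(self, order_id):
        # Steps 3-5: take the reserved amount, then drop the PAN from the record.
        o = self.orders[order_id]
        self.proc.capture(o.auth_ref, o.amount_cents)
        o.pan = None
        o.status = "captured"
        return o
    def refund(self, order_id, amount_cents):
        # Steps 6-8: the credit is issued against the processor reference; the rep
        # sees last4 and a fingerprint, never the full number.
        o = self.orders[order_id]
        self.proc.refund(o.auth_ref, amount_cents)
        o.status = "refunded"
        return o
    def orders_holding_pan(self):
        return [o.order_id for o in self.orders.values() if o.pan is not None]

def demo():
    m = Merchant(FakeProcessor())
    # Constructed values: a standard test PAN, and the $43.64 game from the walkthrough.
    m.checkout(1, "4111111111111111", "12/02", 4364)
    assert m.orders_holding_pan() == [1]
    m.ship_and_capture(1)
    o = m.refund(1, 4364)
    return o, m.orders_holding_pan()
```

The window in which a database dump would contain full card numbers is therefore the gap between checkout and capture (a day or two in the walkthrough), not the whole money-back return period.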



  • Me either! ;)

    Seriously, getting 10-20 minutes worth of interview into a few lines of quoted text, you always hope that the reporter will understand and report the gist of what you said.

    The sad part is that over two years after it's been fixed, RDS is still the #1 attack vector for IIS. It's _really_ getting difficult to point to Microsoft as partially responsible for releasing crappy code when fixes that are eons old are never applied. If we could get wu-ftpd, sunrpc, RDS and the unicode ../ bugs out, we'd at least raise the bar a couple notches.

    Paul
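The "unicode ../" class of bug Paul lists, from the detection side, as an added Python example (not Paul's code, nor anything from the article): a log scanner that percent-decodes each request path, decodes overlong two-byte UTF-8 forms the way a too-permissive server would, and flags any path that contains a parent-directory step after decoding, plus the overlong encoding itself as a separate indicator. The sample log lines are constructed for the demo; the regexes and function names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (not from the article or the thread) in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Dec/2000:14:03:11 -0800] "GET /scripts/..%c0%af../config.ini HTTP/1.0" 200 512
10.0.0.6 - - [22/Dec/2000:14:03:12 -0800] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [22/Dec/2000:14:03:13 -0800] "GET /images/../../private/orders.csv HTTP/1.0" 404 210
10.0.0.8 - - [22/Dec/2000:14:03:14 -0800] "GET /catalog/item?id=42 HTTP/1.0" 200 1337
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A ".." segment bounded by slashes or backslashes (or the string ends).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")

def lenient_utf8(raw):
    """Decode bytes the way a too-permissive decoder would: accept overlong two-byte
    forms (lead byte C0/C1) instead of rejecting them, and report that it saw one.
    Other multi-byte sequences are not needed for this check and become U+FFFD."""
    out = []
    overlong = False
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong = True
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out), overlong

def inspect_request_path(path):
    """Return the findings for one request path after a single decoding pass."""
    findings = []
    decoded, overlong = lenient_utf8(unquote_to_bytes(path))
    if overlong:
        findings.append("overlong-utf8")     # a strict decoder rejects these; seeing one is a signal
    if TRAVERSAL.search(decoded):
        findings.append("path-traversal")
    return findings

def scan_log(text):
    """Return (client, raw path, findings) for every flagged request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = inspect_request_path(m.group("path"))
        if findings:
            hits.append((line.split()[0], m.group("path"), findings))
    return hits

if __name__ == "__main__":
    for client, path, findings in scan_log(SAMPLE_LOG):
        print(client, path, findings)
```

The scanner decodes once on purpose; a path that is percent-encoded twice is a separate case that needs a second pass, and the "overlong-utf8" finding is worth alerting on by itself because a correctly behaving client never emits those byte sequences.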
  • This is a typical load of FUD.

    The fact is, you have no idea what caused this crack. For all you know:

    It was an inside job

    The database was physically copied from the server (btw, its an ORACLE db)

    Someone guessed a password used by a moron who had access to the data

    The site was poorly designed and resulted in a major break in

    A previously known IIS bug was exploited because it wasn't patched.

    You're blaming this break-in, based on currently available information, on a MS product is completely asinine. That's like saying that since slashdot was broken into earlier this year that Linux is insecure. The fact that it was a default password-crack would be irrelevant to that type of logic.

    As a person who has developed literally hundreds of smaller- to mid-size e-commerce sites, it always astounds me to find the number of people who assume that IIS is inherently insecure. Out of probably 150 sites, 90 of which run on Apache/*nix, and the remainder using IIS/NT, I have had 4 break-ins. Three from password cracks due to my clients choosing stupid passwords (really really dumb) and one using an exploit in IIS that was 2 yrs old and unpatched because of a moron at an ISP. And what did they get even then? Let's see... an encrypted database that was useless to them, and five years in a federal-pound-me-in-the-ass prison.

    Site design and implementation is 50% of overall security, competent administration is the other 50%. OS and Server platform barely show up as a blip on the radar screen.

  • I used to work for a consulting firm who had a lot of startup online-store-making clients. One of these folks emailed us a plaintext file full of credit card numbers from their database. They just didn't know any better! Your credit card number, like your CC# and favorite member of Wham, are not safe.
