[ISN] Crackers Snag Credit-Card info

From: mea culpa (jerichot_private)
Date: Sat Oct 17 1998 - 20:16:29 PDT

    Forwarded From: phreakmoi <hackerelitet_private>
    Crackers Snag Credit-Card Info
    by James Glave 
    3:50 p.m.  16.Oct.98.PDT
    Three teenagers claim to have stolen approximately 8,000 electronic
    invoices for online credit-card orders placed over the past two years
    through a Web electronics retailer.
    "This shows a disgusting lack of security on the Internet," said one of
    the crackers, who provided a sample of the data to Wired News this week to
    support the claim.
    "Thank God we aren't poor people, or con artists.... [We did this] purely
    for fun."
    The 16-year-old cracker, who spoke on condition of anonymity, said that
    the teens broke into the Web servers of Dalco Electronics, an Ohio-based
    computer accessories retailer, over the weekend of 3-4 October. He said
    the group installed software that allowed them to pilfer 4.3MB worth of
    archived credit-card orders and a 15MB Microsoft Office inventory
    The cracker supplied Wired News with a file that contained copies of 583
    credit-card orders for computer equipment purchased online between January
    1996 and March 1998. Though many of the credit cards in the file have
    passed their expiration dates, others have not.
    A Dalco spokesman declined to comment, saying that the person qualified to
    explain the matter was unavailable.
    The teenagers, all Americans, said they launched their attack by uploading
    a File Transfer Protocol server program known as Serv-U to the Dalco
    server.  With the program's default directory set to the target machine's
    hard drive, and the program running in the background, the crackers said
    they were able to browse the directories and steal the data.
    "It was rather clever," boasted the cracker in an interview conducted over
    Internet Relay Chat, a global and largely anonymous text-based chat
    He said that what he called Dalco's poorly configured Windows NT 3.5
    server allowed his team to gain high-level administrator access to the
    unencrypted databases. He said on Thursday that he had since erased all of
    the data from his own machine without passing it on to anyone, but could
    not speak for the other two crackers involved.
    One security expert said that leaving so many invoices in plaintext on a
    machine connected to the Internet was almost an invitation to disaster.
    "At that point they were asking for it," said Scott Ellentuch, a
    computer-security consultant with The Telecom Security Group. He said that
    a better procedure would be to process online orders and then immediately
    erase them.
    "Most consumers are worried that once they enter their credit card that it
    gets to the Web site securely via encryption," Ellentuch said. "But then
    what most companies do is they turn around and email it plaintext to
    themselves or store it in databases that, if someone can get access to,
    are very vulnerable.
    "A lot of mom and pop [operations] can't keep up every time Microsoft ... 
    comes out with a security advisory. Big companies can do that but the
    little guy can get overwhelmed."
    Another network administrator agreed that smaller e-commerce Web sites
    were more vulnerable to attack.
    "All these e-commerce sites are coming up but [those who run them] are not
    fully understanding of all the security risks," said Max Schau, a network
    administrator. "While they are encrypting credit cards sent over the Net,
    they are not necessarily encrypting it on the server.
    "They store it, someone gets in, and away they go." 

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:08:16 PDT