[ISN] CardCops Accused Of Sloppy Police Work

From: InfoSec News (isnat_private)
Date: Wed Aug 15 2001 - 22:59:55 PDT

  • Next message: InfoSec News: "[ISN] Dutch Cryptographer Cries Foul"

    By Brian McWilliams, Newsbytes
    14 Aug 2001, 5:11 PM CST
    A company that aims to protect online merchants against credit card
    thieves is doing more harm than good, according to three firms
    recently pilloried by CardCops.com.
    "For them to blaspheme us and put our customers at risk like that,
    well, this old boy and I can go out behind the barn real easy," said
    David Robertson, president of Stic.net, a San Antonio, Texas-based
    Internet service provider.
    Stic is one of three online firms alleged by CardCops to be exposing
    customer credit card data within their sites.
    The details were recently laid out in a message-board posting linked
    from the front page of CardCops.com, titled, "Three newly hacked
    merchants." The link was removed today, although the messages remain.
    CardCops provides security analysis and hacker tracking services to
    online merchants. Under what it calls its amnesty program, the company
    encourages ethical hackers and employees to disclose security flaws
    they discover at e-commerce sites.
    An anonymous person originally posted a report on the message board at
    the CardCops site July 24, disclosing that a large Internet service
    provider was vulnerable to "various attacks" and was leaving customer
    data wide open to hackers.
    Robertson, along with officials from the other merchants, Multiwave
    Direct and StrawberryNet, all claim they were never contacted by
    CardCops, and only learned of the alleged security issues as a result
    of an article published Friday in The Register, a online tabloid for
    computer news.
    What's more, representatives of the three companies contend that the
    article, and CardCops' report, are factually incorrect.
    The article, entitled "Hacking IIS -- how sweet it is," identified the
    three firms as examples of how hackers are targeting sites running
    Microsoft's Internet Information Server (IIS) software.
    As evidence of the vulnerability at Stic, CardCops Monday provided
    Robertson with a spreadsheet containing customer data, including
    credit card numbers. But according to Robertson, the spreadsheet was
    not taken from Stic's site but instead was lifted from a server
    running a version of the Unix operating system and operated by a
    customer, SATEXAS Communications Network.
    "We provide just an ISDN connection to a company that's running Linux
    and they got hacked. So how does that make us responsible or a
    text-book example of the security weaknesses in IIS?" said Robertson.
    Harry Romero, general manager of Multiwave, acknowledged that the
    e-tailer's site was defaced by the Code Red Worm last month. Although
    the IIS vulnerability exploited by the worm could also have enabled
    hackers to take control of the mwave.com server, Romero insisted that
    customers were unaffected, and the hole has since been patched.
    "Not one single credit card has been compromised, and the security of
    our customers remains intact," said Romero.
    Rodney Miles, managing director of StrawberryNet, said the Hong
    Kong-based e-tailer has found no vulnerabilities in its IIS 5.0-based
    site and has received no complaints from customers or inquiries from
    law enforcement.
    "We are extremely upset these allegations have been made with no
    contact and no proof that we are aware of," said Miles.
    A scan performed by Newsbytes today revealed that none of the three
    firms are currently vulnerable to the exploit which enabled variants
    of the Code Red Worm to infect thousands of Web sites.
    But Dan Clements, co-founder of CardCops, said hackers sent him a file
    containing at least 1,000 credit cards obtained from the StrawberryNet
    site. And CardCops was informed about the vulnerability at Multiwave
    months ago, he said.
    According to Clements, he attempted to contact Stic by e-mail on July
    30. After receiving no response to his inquiries, on August 5 Clements
    forwarded information about all three sites to a reporter at The
    Clements today defended his handling of the incidents, saying the
    reaction of the firms is typical of companies that have suffered an
    embarrassing security compromise.
    "They deny they were hacked, and then they get suspicious and angry.
    It's a very awkward process when you call up a company and tell them
    they were hacked," he said.
    According to Clements, CardCops doesn't always publicize information
    about sites that are compromised, but the recent attention given to
    the Code Red Worm and vulnerabilities in IIS prompted him to go public
    with the intrusions at the three firms.
    "We're trying to get all of this stuff out of the closet so companies
    handle it the right way and download the patches and then move on,"
    said Clements.
    But Robertson, who is vice president of the Texas Internet Service
    Providers Association, said CardCops is no friend to e-commerce sites.
    "If they're wrong, they've damaged your reputation. But it's even
    worse if they're right and they publish the information before
    reaching you. That puts the hackers a step ahead of you," said
    The CardCops message board is at
    http://www.adcops.com/CC/messages/5/98.html?997201901_ .
    Stic.Net is at http://www.stic.net .
    Multiwave Direct is at http://www.mwave.com .
    StrawberryNet is at http://www.strawberrynet.com .
    The Register is at http://www.theregister.co.uk .
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 01:02:06 PDT