http://www.newsbytes.com/news/01/169018.html

By Brian McWilliams, Newsbytes
MALIBU, CALIFORNIA, U.S.A.,
14 Aug 2001, 5:11 PM CST

A company that aims to protect online merchants against credit card thieves is doing more harm than good, according to three firms recently pilloried by CardCops.com.

"For them to blaspheme us and put our customers at risk like that, well, this old boy and I can go out behind the barn real easy," said David Robertson, president of Stic.net, a San Antonio, Texas-based Internet service provider.

Stic is one of three online firms alleged by CardCops to be exposing customer credit card data within their sites. The details were recently laid out in a message-board posting linked from the front page of CardCops.com, titled, "Three newly hacked merchants." The link was removed today, although the messages remain.

CardCops provides security analysis and hacker tracking services to online merchants. Under what it calls its amnesty program, the company encourages ethical hackers and employees to disclose security flaws they discover at e-commerce sites.

An anonymous person originally posted a report on the message board at the CardCops site July 24, disclosing that a large Internet service provider was vulnerable to "various attacks" and was leaving customer data wide open to hackers.

Robertson, along with officials from the other merchants, Multiwave Direct and StrawberryNet, all claim they were never contacted by CardCops, and only learned of the alleged security issues as a result of an article published Friday in The Register, an online tabloid for computer news.

What's more, representatives of the three companies contend that the article, and CardCops' report, are factually incorrect.

The article, entitled "Hacking IIS -- how sweet it is," identified the three firms as examples of how hackers are targeting sites running Microsoft's Internet Information Server (IIS) software.

As evidence of the vulnerability at Stic, CardCops Monday provided Robertson with a spreadsheet containing customer data, including credit card numbers. But according to Robertson, the spreadsheet was not taken from Stic's site but instead was lifted from a server running a version of the Unix operating system and operated by a customer, SATEXAS Communications Network.

"We provide just an ISDN connection to a company that's running Linux and they got hacked. So how does that make us responsible or a text-book example of the security weaknesses in IIS?" said Robertson.

Harry Romero, general manager of Multiwave, acknowledged that the e-tailer's site was defaced by the Code Red Worm last month. Although the IIS vulnerability exploited by the worm could also have enabled hackers to take control of the mwave.com server, Romero insisted that customers were unaffected, and the hole has since been patched.

"Not one single credit card has been compromised, and the security of our customers remains intact," said Romero.

Rodney Miles, managing director of StrawberryNet, said the Hong Kong-based e-tailer has found no vulnerabilities in its IIS 5.0-based site and has received no complaints from customers or inquiries from law enforcement.

"We are extremely upset these allegations have been made with no contact and no proof that we are aware of," said Miles.

A scan performed by Newsbytes today revealed that none of the three firms are currently vulnerable to the exploit which enabled variants of the Code Red Worm to infect thousands of Web sites.

But Dan Clements, co-founder of CardCops, said hackers sent him a file containing at least 1,000 credit cards obtained from the StrawberryNet site. And CardCops was informed about the vulnerability at Multiwave months ago, he said.

According to Clements, he attempted to contact Stic by e-mail on July 30. After receiving no response to his inquiries, on August 5 Clements forwarded information about all three sites to a reporter at The Register.

Clements today defended his handling of the incidents, saying the reaction of the firms is typical of companies that have suffered an embarrassing security compromise.

"They deny they were hacked, and then they get suspicious and angry. It's a very awkward process when you call up a company and tell them they were hacked," he said.

According to Clements, CardCops doesn't always publicize information about sites that are compromised, but the recent attention given to the Code Red Worm and vulnerabilities in IIS prompted him to go public with the intrusions at the three firms.

"We're trying to get all of this stuff out of the closet so companies handle it the right way and download the patches and then move on," said Clements.

But Robertson, who is vice president of the Texas Internet Service Providers Association, said CardCops is no friend to e-commerce sites.

"If they're wrong, they've damaged your reputation. But it's even worse if they're right and they publish the information before reaching you. That puts the hackers a step ahead of you," said Robertson.

The CardCops message board is at http://www.adcops.com/CC/messages/5/98.html?997201901_ .

Stic.Net is at http://www.stic.net .

Multiwave Direct is at http://www.mwave.com .

StrawberryNet is at http://www.strawberrynet.com .

The Register is at http://www.theregister.co.uk .