[ISN] Holes expose retail data

From: InfoSec News (isnat_private)
Date: Fri May 10 2002 - 01:31:39 PDT

  • Next message: InfoSec News: "[ISN] Microsoft says penalty will let hackers run wild"

    http://www.computerworld.com/securitytopics/security/story/0,10801,70840,00.html
    
    Date: May 06, 2002
    Author: Bob Brewin and Dan Verton
    
    White-hat hackers last week discovered vulnerabilities in the wireless
    networks of two major retailers' holes that they claimed exposed data
    that appeared to include customer information.
    
    On May 1, an anonymous hacker posted a message on an online security
    mailing list stating that he had discovered holes in the wireless LANs
    operated by Best Buy Co. Later that day, Jonas Luster, co-founder of
    security consultancy D-fensive Networks Inc. in Campbell, Calif., told
    Computerworld that he had conducted a test of networks operated by a
    San Jose outlet of The Home Depot Inc. and found similar
    vulnerabilities.
    
    Best Buy said it shut down its wireless LANs shortly after the initial
    report surfaced. The San Jose Home Depot network, which Luster said
    exposed what appeared to be SQL database queries, shut down May 2, he
    said.
    
    Don Harris, a Home Depot spokesman, declined to say whether the
    company had turned off its wireless LAN in the San Jose store.
    
    Spokeswoman Jennifer Bohuslavsky said Eden Prairie, Minn.-based Best
    Buy on May 1 deactivated its "wireless temporary cash registers,"  
    which transmit information via a wireless LAN connection. "These
    registers are not Best Buy's main register terminals and represent a
    small percentage of our transactions," she said.
    
    Bohuslavsky declined to provide any security or deployment details on
    the wireless network used by Best Buy throughout its 480 stores.
    
    Dave Ellis, vice president for information systems at Atlanta-based
    Home Depot, sharply denied a published report that hackers had
    captured data from wireless point-of-sale terminals or cash registers
    in any of the company's 1,200-plus stores. "That dog does not hunt,"  
    Ellis said. "All our registers are hard-wired."
    
    Ellis declined to discuss Home Depot's wireless LAN security or
    whether white-hat hackers could have penetrated its wireless network.
    
    John Pescatore, an analyst at Gartner Inc., said the fact that someone
    was able to sniff data from a Best Buy wireless LAN indicated to him
    that the company hadn't turned on the simplest form of security
    available on any 802.11b wireless LAN: encryption based on the Wired
    Equivalent Privacy (WEP) protocol. Not turning on WEP is "just
    stupid," Pescatore said.
    
    Dennis Eaton, chairman of the Wireless Ethernet Compatibility
    Alliance, a wireless LAN industry group in Mountain View, Calif., said
    that, in fact, most users fail to turn on WEP, despite widespread
    publicity about the inherent lack of security in wireless LANs.
    
    Rick Doten, a program manager at security consultant NetSec Inc. in
    Herndon, Va., said that only 30% to 40% of enterprises turn on WEP,
    though some companies run more powerful forms of encryption.
    
    Pescatore said enterprises also routinely fail to change the
    factory-default Service Set Identifier (SSID) on their wireless LAN
    access points. Access points broadcast the SSID in packet headers so
    access cards in PCs or handheld computers can find the LAN.
    
    Doten said the failure to properly secure wireless LANs is being
    exploited by what he called wireless LAN "war drivers" who use
    freeware tools such as NetStumbler to locate access points.
    
    Wayne Slavin, the San Diego-based founder and webmaster of
    Netstumbler.com, said there have been more than 200,000 downloads of
    the company's software. He said that to date he has identified over
    25,000 access points in the U.S. and Canada, with more than 80%
    broadcasting in the clear. "[That's] a pretty scary statistic," Slavin
    said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri May 10 2002 - 04:43:54 PDT