Forwarded From: phreakmoi <hackerelite@deathsdoor.com>
http://www.wired.com/news/news/technology/story/15665.html
Crackers Snag Credit-Card Info
by James Glave
3:50 p.m. 16.Oct.98.PDT
Three teenagers claim to have stolen approximately 8,000 electronic
invoices for online credit-card orders placed over the past two years
through a Web electronics retailer.
"This shows a disgusting lack of security on the Internet," said one of
the crackers, who provided a sample of the data to Wired News this week to
support the claim.
"Thank God we aren't poor people, or con artists.... [We did this] purely
for fun."
The 16-year-old cracker, who spoke on condition of anonymity, said that
the teens broke into the Web servers of Dalco Electronics, an Ohio-based
computer accessories retailer, over the weekend of 3-4 October. He said
the group installed software that allowed them to pilfer 4.3MB worth of
archived credit-card orders and a 15MB Microsoft Office inventory
database.
The cracker supplied Wired News with a file that contained copies of 583
credit-card orders for computer equipment purchased online between January
1996 and March 1998. Though many of the credit cards in the file have
passed their expiration dates, others have not.
A Dalco spokesman declined to comment, saying that the person qualified to
explain the matter was unavailable.
The teenagers, all Americans, said they launched their attack by uploading
a File Transfer Protocol server program known as Serv-U to the Dalco
server. With the program's default directory set to the target machine's
hard drive, and the program running in the background, the crackers said
they were able to browse the directories and steal the data.
"It was rather clever," boasted the cracker in an interview conducted over
Internet Relay Chat, a global and largely anonymous text-based chat
network.
He said that what he called Dalco's poorly configured Windows NT 3.5
server allowed his team to gain high-level administrator access to the
unencrypted databases. He said on Thursday that he had since erased all of
the data from his own machine without passing it on to anyone, but could
not speak for the other two crackers involved.
One security expert said that leaving so many invoices in plaintext on a
machine connected to the Internet was almost an invitation to disaster.
"At that point they were asking for it," said Scott Ellentuch, a
computer-security consultant with The Telecom Security Group. He said that
a better procedure would be to process online orders and then immediately
erase them.
"Most consumers are worried that once they enter their credit card that it
gets to the Web site securely via encryption," Ellentuch said. "But then
what most companies do is they turn around and email it plaintext to
themselves or store it in databases that, if someone can get access to,
are very vulnerable.
"A lot of mom and pop [operations] can't keep up every time Microsoft ...
comes out with a security advisory. Big companies can do that but the
little guy can get overwhelmed."
Another network administrator agreed that smaller e-commerce Web sites
were more vulnerable to attack.
"All these e-commerce sites are coming up but [those who run them] are not
fully understanding of all the security risks," said Max Schau, a network
administrator. "While they are encrypting credit cards sent over the Net,
they are not necessarily encrypting it on the server.
"They store it, someone gets in, and away they go."
Received on Mon Oct 19 09:19:50 1998