US man 'stole 130m card numbers'

Started by Noreen, Aug 18, 2009, 12:16:49


Noreen

Quote: US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards.

Officials say it is the biggest case of identity theft in American history.

They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain................

http://news.bbc.co.uk/1/hi/business/8206305.stm

Rik

It's really quite frightening, isn't it? :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

somanyholes

Mr Edward Wilding doesn't have a clue what he's talking about. :) A badly written article on a bad subject.


somanyholes

where to start....

ok

Quote: It "exploits any vulnerability in a firewall and inserts a code to gather information," he explained.

This isn't a vulnerability in the firewall itself; the vuln exists in the web service. The firewall merely passes what it is configured to pass and blocks whatever it is configured to block. The vulnerability is the person or persons who configure/maintain the firewall AND WEB SERVICE!

Quote: However, he added that this case probably "involved extremely well researched, especially configured codes, not standard attack codes downloaded from the internet"

By this he means they weren't script kiddies and actually knew how to use SQL statements. Wow, so one of a few million people could have done it, so I think the "extremely well researched" bit goes out of the window here.

For reference, here is a link to some SQL injection info: http://michaeldaw.org/sql-injection-cheat-sheet

And here is a link to SQL injection including statements on how to attempt to bypass filters (firewalls, IPS, web application firewalls): http://ha.ckers.org/sqlinjection/ So the filter evasion link here didn't exactly require extreme research!

Quote: "The real vulnerability [for cardholders], I suspect, is internet and telephone transactions. But this is a failure in the configuration of [corporate] firewalls," he said.

Again blaming the firewall, not the poorly configured web service that allowed this attack in the first place. The firewall tries to block the attack; it's not necessarily its fault the attack got through. I also wonder how the firewall is going to stop information being leaked by a telephone call...

Bit of a round up

Unfortunately many companies seem to create badly designed services and then stick some sort of firewall in front of them and expect it to perform miracles. A lot of the time these devices are just dumped in and expected to secure whatever lies behind them with little effort by the administrators. More effort should be made to secure the web service itself. You know the saying: put sh** in, get sh** out.

Technology doesn't secure systems, people do, and they use their minds.

Mr Wilding knows as much about security as I do about tossing the caber.

gizmo71

Quote from: somanyholes on Aug 18, 2009, 20:58:06
Unfortunately many companies seem to create badly designed services and then stick some sort of firewall in front of it and expect it to perform miracles.
:good:

I've lost track of the number of times I've had arguments with developers and managers here about "special characters". It usually goes something like this:

"Giz, we've got a problem with special characters!"
"There are no special characters."
"What do you mean? There are all these things the user can type in that make our system fail! They're bad characters!"
"They're just characters. Why don't you fix the system to accept any characters?"
"We'd have to change all the code! It's too hard! Can't we just stop them entering single quotes?"
"What about people whose names include single quotes? Won't they be a bit upset?"
"Um... hadn't thought of that... er..."
"Leave the thinking to me in future. And fire all those useless developers while you're at it."

I think I'm going to have "There are no special characters" made into a T-shirt. Unfortunately I'm now the "special character guru", which even more unfortunately means that people come to see me after they've irretrievably cocked it up instead of before they've written it, when it can still be made to cope with any characters.

Amusing side story: F*rd had all IT people do an online course on script and SQL injection attacks. All really noddy stuff. Of course I passed with flying colours, and when I got to the end of the course there was an option to print out a certificate saying I'd passed. In front of this was a pop-up box asking me to confirm or edit my name, presumably so that if my name in the corporate directory isn't quite what I want on the certificate I can adjust it.

Naturally I wondered what would happen if I attempted to mount a script injection attack using that input box.

I succeeded. :laugh:

Got an excellence award for that one. ;D
SimRacing.org.uk Director General | Team Shark Online Racing - on the podium since 1993
Up the Mariners!
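As an added illustration of the two arguments above, somanyholes' point that the hole is in the web service and a pattern filter in front of it is easy to evade, and gizmo71's point that "there are no special characters", here is a small Python/SQLite example written for this page. It is not code from any of the posters, from the BBC article, or from any of the systems discussed. The customer table, the names, the filter pattern and the injection payloads are all constructed for the demo; the filter (`naive_filter`) and the "just ban single quotes" version (`reject_quotes`) are hypothetical stand-ins for the kind of blocklist a firewall or WAF might apply.

```python
import sqlite3

# Constructed sample data for this demonstration; not from any real system.
CUSTOMERS = [("Smith", "1234"), ("O'Brien", "5678"), ("Jones", "9012")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


DB = make_db()


def lookup_vulnerable(conn, name):
    """The web-service bug: user input is pasted straight into the SQL text."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Hypothetical pattern filter of the kind a firewall/WAF might apply in front
# of the service. It only knows one spelling of the attack.
BLOCKED_PATTERNS = ["' or "]


def naive_filter(name):
    """Reject input containing a blocked pattern (case-insensitive)."""
    lowered = name.lower()
    for pattern in BLOCKED_PATTERNS:
        if pattern in lowered:
            raise ValueError("blocked by filter: " + pattern)
    return name


def lookup_filtered(conn, name):
    """Same vulnerable query, but behind the pattern filter."""
    return lookup_vulnerable(conn, naive_filter(name))


def reject_quotes(name):
    """The 'just stop them entering single quotes' proposal from the thread."""
    if "'" in name:
        raise ValueError("quotes not allowed")
    return name


def lookup_quoteless(conn, name):
    """Same vulnerable query, but with all single quotes refused up front."""
    return lookup_vulnerable(conn, reject_quotes(name))


def lookup_parameterised(conn, name):
    """The fix belongs in the service: the value travels separately from the
    statement, so every character, including the quote in O'Brien, is data."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


def outcome(fn, conn, name):
    """Run a lookup and return its rows, or the name of the error it raised."""
    try:
        return fn(conn, name)
    except (sqlite3.OperationalError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Payloads constructed for the demo. The second hides the blocked "' or "
    # spacing inside /**/ comments, which SQLite's tokenizer treats as whitespace.
    plain_injection = "x' OR '1'='1"
    comment_injection = "x'/**/OR/**/'1'='1"
    for label, fn in [("vulnerable", lookup_vulnerable),
                      ("filtered", lookup_filtered),
                      ("quoteless", lookup_quoteless),
                      ("parameterised", lookup_parameterised)]:
        for name in ["Smith", "O'Brien", plain_injection, comment_injection]:
            print(f"{label:13s} {name!r:24s} -> {outcome(fn, DB, name)}")
```

Running it prints one row per (lookup, input) pair. The concatenated query dumps the whole table for either payload and throws a syntax error on O'Brien; the pattern filter stops the obvious payload but waves the comment-spaced one through, and still breaks on O'Brien; banning quotes stops both payloads at the cost of refusing a perfectly ordinary surname; the parameterised query returns O'Brien's row and returns nothing for either payload, because the driver never lets the value become part of the statement.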

somanyholes

Quote: In front of this was a pop-up box asking me to confirm or edit my name, presumably so that if my name in the corporate directory isn't quite what I want on the certificate I can adjust it.

Naturally I wondered what would happen if I attempted to mount a script injection attack using that input box.

I succeeded.

:rofl2: Ohh, the irony. Love it :)


Rik

Thanks, guys, enlightening and amusing.  :thumb: :karma:
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Technical Ben

Quote from: gizmo71 on Aug 19, 2009, 07:34:59
:good:

I've lost track of the number of times I've had arguments with developers and managers here about "special characters". It usually goes something like this:

Oh my... I had the worst one a while back. A customer had bought an insurance policy off us, on the internet. The internet service somehow accepted a number (3) to be entered in the name. So it was "3mith" instead of "Smith" (quite literally the name Smith. It's that common! :D). Then the customer had been debited. Meanwhile (through some unknown system I know nothing of) it is transferred to our in-house software, which does not accept numbers in the name.
Customer is now debited quite a sum of money, receives no documents, and we have no way to access the corrupt file.
Not being in IT/programming myself, I had to just send a report to our IT department and hope someone sorted it.

I could give hundreds more examples of bad programming decisions in my business.  :bawl:
I used to have a signature, then it all changed to chip and PIN.