
Why web security matters

http://news.bbc.co.uk/2/hi/business/8206305.stm

This is why web security matters.

Bank of America is pretty secure.  Wells Fargo kind of lags.

I am pretty sure that citi is also pretty good.
Permalink Bot Berlin Banned Forever 
August 18th, 2009 10:32am
>"The real vulnerability [for cardholders], I suspect, is
>internet and telephone transactions. But this is a failure in
>the configuration of [corporate] firewalls," he said.

Huh? That's bullshit. The real vulnerability is somebody copying and pasting code from a "teach yourself sql in 21 days" web page.

Firewalls can help against sql injection, but they can only do so much.
Permalink Colm 
August 18th, 2009 10:36am
Hacking crappy web code is common.

Also, I hear sniffing on unsecure routers and internet hardware is also common.
Permalink Bot Berlin Banned Forever 
August 18th, 2009 10:38am
Crappy web code is trivially easy to get in.  And certain technology, like classic ASP, makes it really easy.

Although my favorite had to be a site that built SQL in Javascript.  That audit did not go well.  The funny thing is that I warned that particular developer about that problem years before I did the audit, back when I was an employee of the company.  Management let it slide though, because he produced a massive amount of code.  Code with bad holes, but there sure was a lot of it.
Permalink Clay Dowling 
August 18th, 2009 11:02am
"US man 'stole 130m card numbers'"

Funny. I thought the numbers were pretty much public knowledge. Seeing as how they're printed on the front of the fucking card. Fucking hell, I hate lazy reporting. Oh yes, and BBC? You can "insert a specially designed code" right up... there... so far up we can see it waving from just behind your tonsils.
Permalink Gerald Hoppy 
August 18th, 2009 1:16pm
Anyway, http://news.bbc.co.uk/2/hi/science/nature/8206280.stm is a much better story...
Permalink Gerald Hoppy 
August 18th, 2009 1:17pm
The beeb story is missing way way too much information to be useful at all. Assuming this is the same break-in from last year, sql injection had exactly nothing to do with the break-in. Alternatively, if this is a separate incident, then Heartland needs to be put out of business before they bankrupt every credit card holder in the US.

Prior thread on the issue:
http://www.crazyontap.com/topic.php?TopicId=44851

In particular:
>The forensic teams found that hackers "were grabbing numbers with sniffer malware as it went over our processing platform," Baldwin says. "Unfortunately, we are confident that card holder names and numbers were exposed."

>Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."
http://www.bankinfosecurity.com/articles.php?art_id=1168&rf=012209eb 

>The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

>“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

>Payment security experts pretty much agreed that hiding files in unallocated disk space is a fairly well-known tactic. But it requires such a high level of access—as well as the skill to manipulate the operating system—that it also indicates a very sophisticated attack.
http://www.storefrontbacktalk.com/securityfraud/heartland-sniffer-hid-in-unallocated-portion-of-disk/ 

http://www.pciknowledgebase.com/index.php?option=com_content&view=article&id=70:pci-and-the-hartland-payments-breach&catid=19:in-the-media&Itemid=100
http://www.theregister.co.uk/2009/01/20/heartland_payment_breach/

Heartland has no clue how many credit cards were exposed by this attack because they had no clue how long it was operating.

They only started looking for the hack when auditors were looking at temp files and started asking "what created these temp files, and why is PII in them?"
Permalink Peter 
August 18th, 2009 2:20pm
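The auditors' question in the post above ("why is PII in these temp files?") can be asked continuously rather than once a year. The sketch below is an added example, not part of the original thread and not any tool Heartland or its auditors used: it scans a directory for digit runs that pass the Luhn check and reports them masked. The file names and contents are constructed, and the card numbers are standard test numbers.

```python
import re
import tempfile
from pathlib import Path

# 13-19 digits, allowing single space/dash separators between digits.
PAN_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_bytes(data):
    """Return masked candidates (first 6, last 4) that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_dir(root):
    """Map file name -> masked hits for every file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[path.name] = hits
    return findings

def demo():
    # Constructed sample files; the numbers are test values, not real cards.
    samples = {
        "auth_0001.tmp": b"TRACK=4111111111111111^DOE/JANE^ exp=1012\n",
        "cache.tmp": b"order=1234567890123456 qty=2\n",  # fails Luhn
        "spool.tmp": b"pan 5500-0000-0000-0004 ok\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            Path(d, name).write_bytes(body)
        return scan_dir(d)

if __name__ == "__main__":
    print(demo())
```

Luhn filtering cuts most false positives from order and tracking numbers, but a hit is still only a lead: the follow-up is the auditors' own question of which process wrote the file.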
Oh yeah, and they only released news of that breach DURING the inauguration, hoping that it would get lost in the hooplah.

Indictment:
http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf

>This was also another case that was discovered by initially detecting fraud in the system that was traced back to the origin, rather than through their own internal security controls.
http://securosis.com/2009/01/20/heartland-payment-systems-attempts-to-hide-largest-data-breach-in-history-behind-inauguration/

More articles on it:
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505
http://www.wired.com/threatlevel/2009/01/card-processor/
http://www.wired.com/threatlevel/2009/05/heartland-breach-cost-company-126-million-so-far/ 

40% of the transactions that the company processes come from small to midsized restaurants.
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews
Permalink Peter 
August 18th, 2009 2:28pm
The TV news put it something like: "the hackers were able to bypass electronic firewalls using a sophisticated software application called SQL Injection Attack".

Oh noes! What hope do we have when the evil hackers can get their hands on such powerful and advanced tools? The government should ban them!

In other news; police have put out an APB on Little Bobby Tables . . .
Permalink Kthx Bai 
August 18th, 2009 4:24pm
Yes, yes, yes. But what about THE ZOMBIES?
Permalink Gerald Hoppy 
August 18th, 2009 4:50pm
I talked to one of the AV (anti-virus, not film-strips) guys at work about this.  He said that once a cracker can install a driver on your system (needed to access the non-formatted part of the disk), it's game-over anyway.
Permalink xampl 
August 18th, 2009 9:28pm
Once someone can install anything at all I would think it is game over.

What I want to know is that if they knew unallocated disk space was a vulnerability, then why the hell wasn't all their drive space allocated?

Or is this different from simply not allocating space to a given partition and something more akin to just not formally registering with the file system, but still somehow getting written to disk?
Permalink JoC 
August 19th, 2009 9:49am
In a file allocation table, you can mark the sectors/clusters as "not to be used."  Most utilities will ignore those areas of the disc.

http://en.wikipedia.org/wiki/File_Allocation_Table
Permalink Peter 
August 21st, 2009 12:25pm
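For the FAT mechanism described in the post above, a forensic check can read the allocation table directly instead of trusting utilities that skip flagged clusters. This is an added example, not part of the original thread: it assumes a FAT16 layout with 16-bit entries, runs on a small constructed in-memory image, and treats non-zero content in a cluster marked bad only as a reason to examine it further.

```python
import struct

BAD = 0xFFF7  # FAT16 entry value for a cluster flagged bad / not to be used

def parse_bpb(img):
    """Read the boot-sector fields needed to locate the FAT and data area."""
    bps, spc, rsvd, nfats, root_ents = struct.unpack_from("<HBHBH", img, 11)
    (spf,) = struct.unpack_from("<H", img, 22)
    root_secs = (root_ents * 32 + bps - 1) // bps
    data_off = (rsvd + nfats * spf + root_secs) * bps
    return bps * spc, rsvd * bps, spf * bps, data_off

def audit_bad_clusters(img):
    """Return (cluster, byte offset, has_nonzero_data) per bad-marked cluster."""
    csize, fat_off, fat_len, data_off = parse_bpb(img)
    last = (len(img) - data_off) // csize + 2  # data clusters start at 2
    findings = []
    for n in range(2, min(fat_len // 2, last)):
        (entry,) = struct.unpack_from("<H", img, fat_off + 2 * n)
        if entry == BAD:
            start = data_off + (n - 2) * csize
            findings.append((n, start, any(img[start:start + csize])))
    return findings

def build_sample_image():
    # Constructed image: 1 reserved sector, 1 FAT sector, 1 root-dir sector,
    # 8 one-sector data clusters. Undersized for a real FAT16 volume.
    bps, spc, rsvd, nfats, root_ents, spf, clusters = 512, 1, 1, 1, 16, 1, 8
    img = bytearray((rsvd + nfats * spf + 1 + clusters * spc) * bps)
    struct.pack_into("<HBHBH", img, 11, bps, spc, rsvd, nfats, root_ents)
    struct.pack_into("<H", img, 22, spf)
    fat = rsvd * bps
    struct.pack_into("<HH", img, fat, 0xFFF8, 0xFFFF)  # reserved entries 0, 1
    struct.pack_into("<H", img, fat + 2 * 4, BAD)  # cluster 4: bad, empty
    struct.pack_into("<H", img, fat + 2 * 6, BAD)  # cluster 6: bad, has data
    off6 = (rsvd + nfats * spf + 1) * bps + (6 - 2) * bps * spc
    img[off6:off6 + 16] = b"CONSTRUCTED DATA"
    return bytes(img)

if __name__ == "__main__":
    for cluster, offset, dirty in audit_bad_clusters(build_sample_image()):
        print(f"cluster {cluster} @ {offset}: {'non-zero data' if dirty else 'empty'}")
```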

This topic is archived. No further replies will be accepted.
