RealNames Customer Data Stolen
Sc00ter writes "C|Net News reports 'RealNames, a company that substitutes complicated Web addresses with simple keywords, is warning its users that its customer database has been hacked, and that user credit card numbers and passwords may have been accessed.' Complete story here." Remember when NSI teamed up with Centraal, the creators of RealNames?
Since more security can quite well increase complexity, it might make things even worse rather than better. To be wise is always easy - afterwards.
Since when was there a sales tax levied on domain names??
Besides joker.com sucks.
I'll buy American, Thank-you.
Oi fishlips!
You wouldn't be using Slipshod.org as an advertising medium would you?
You poorly monied sack of mealy rabbit raisins.
Wingnut
He would spend less time with his lovers, but water buffalo season ends soon, so he has to get it all in.
Moderate this DOWN!!!
that we should boycott anything that has the word 'Real' in it because he is the only real thing that you need to know about. When he comes down from Mt. GNU and delivers the tablets the idol worshippers will be punished. They will have to comb the crumbs out of his beard.
huh?
Jeez, calm down, it's not the end of the world. Actually I think we should moderate this up, it's quite interesting. I think I'm going to take 'em up on the offer and register a few myself. You've got to admit that's a pretty competitive price...
Maybe you should read Clients are from Mars, Servers are from Venus.
10 million dollars in Monopoly money. I can buy you all. HAHA.
I call it American Pride. There is nothing wrong with that. Besides no one is advertising here, it is simply a sig...
Or have you forgotten, a signature can be whatever that person wants it to be. The comments made on Slashdot are sincere and are not trolls, flamebait or redundant but positive contributions to the slashdot community as a whole.
I think the only person who is not welcome around here is yourself and other similarly close-minded individuals. I have been commenting and posting on Slashdot for months... I'm quite convinced that I'm as welcome as any other slashdottee. I'm sorry you feel so strongly otherwise. I hope that you can find the courage to bury the hatchet...
Need I say more?
Brother, if you carry a flask, there's something much more valuable than water to fill it...
Back in your box, you eye offending, lean witted, yeasty motley-minded, tickle-brained bladder of nauseating pimple squeezings.
Have a banana on me.
Wingnut
glass. Drop it and it breaks.
According to a telnet to port 80, here is their problem:
Microsoft IIS/4.0
realgrits were stolen and the thieves poured the hot realgrits down their opensource pants. thank you.
He knows ASCII and hex. All bow down!
The warranty on gold has run out. There's $1,000bn of Gold in Eros. It's just a matter of time before someone starts harvesting asteroids and the price of these "precious metals" drops from jewelry to industrial prices.
Rather than to shove your beliefs down someone else's throat, why not get an account and turn the sigs OFF? Hmmm?
I gotta respond to this...
I find it amusing that a *consultant* is criticizing sysadmins..
*Every* consultant I've ever met was a complete bonehead...
Example comments: "What do you mean I have to TELL you when I want to use your DNS servers to host my domain? I've already told Network Solutions! You guys are just crooks - now, make it work, or I'll take my business elsewhere!"
or
"Your mail server isn't working properly - when I dial up through my friend's account, I can't send email, it tells me 'relaying denied' - you have to fix this so I can send email!"
(I do get your point, but let's not make generalizations unless we're willing to accept the consequences..)
Give credit to them for at least admitting their error! That's better than most businesses would do.
***I guess this will have a sobering effect on the market. Only thing is, will the bubble burst now? It looks like all companies, not just Internet, are somewhat overvalued.****
Nah...not all are overvalued, in fact there are some that are pretty much on the mark. Look at AAPL (Apple computers) for example.
What you're seeing is basically the latest "Gold Rush". There are a lot of people who are afraid of missing out on getting in on the ground floor of the next Coke or Disney or GE.. or whatever.
We are still in the early stages of the whole Internet/WWW/digital data revolution and IMHO it's not going to burst in the near future. I do think that some of the "trendy" stocks can be very dangerous, some of the Linux companies included.
Be smart and enjoy the ride.
Um, in case you haven't figured it out yet, the point of Slashdot isn't to break the latest news, it's to give us a chance to comment and respond to current 'geek' news. Last week falls under the "current" category in my book.
Inflation hurts people who do not accumulate wealth, though. This is due to the time lag between CPI increases and wage increases. People on fixed incomes and minimum wage who live from paycheck to paycheck and don't have assets that are appreciating.
Study your economic history more. The gold/silver standards had some horrible effects. The US went through periods of rapid deflation and inflation throughout the 1800s. Though deflation was a bigger concern. This has a horrible stagnating effect on the economy. The 30's and 40's are not a good starting place for comparison because of the effects of the Great Depression and WWII.
When it comes down to it, the value of a currency is determined by a market - a Gold/Silver standard just adds a level of indirection. Gold & Silver have to be evaluated. There is no way around it - it adds complexity, risk, and provides no benefit. Because let's face it, what is a person going to do with gold/silver? You can't eat it, or effectively use it for shelter or clothes. After a little bit of it, it quickly loses personal value for jewelry, and it's only useful for currency (on the margin) just like paper.
Slothmonster
This is very very true. Frankly, if this gives the money men a kick in the head to realize that marketroids just talk a lot of shit and you got to listen to your techs, then I won't be sad if more of this shit happens. It's hard to convince non-technical people that they should not be, e.g., switching to NT because the techs are cheaper, and it's harder to convince the suits to give proper authority to tech persons - that being a suit doesn't mean shit - you know about how to present and analyze financial data better than your techs, and that's it. Fucking assholes *needed* a wakeup call.
From: RealNames@bayarea.realnames.com
To: [email]
Subject: REALNAMES URGENT SUBSCRIBER ISSUE: PLEASE READ IMMEDIATELY
Date: Fri, 11 Feb 00 09:49:01 GMT Standard Time
X-Mailer: WC Mail
Dear [name],
You may have heard, through recent and widespread media coverage, that several Internet companies have been plagued by the irresponsible and malicious activities of so-called "hackers". RealNames, unfortunately, has also fallen victim to this.
Within the last 24 hours we have identified a situation that may have resulted in our subscriber information database being compromised, including password information. We are writing to you, our valued Personal Keyword subscriber, to make you immediately aware of the situation and the actions we are taking to minimize any adverse impacts. We have no evidence to-date that any subscriber has been adversely impacted by this situation. However, because password records may have been taken from our database, we have initiated a change of all subscriber passwords to ensure the highest level of security. Your current password is no longer valid and a new password has been assigned to you.
Your new password information is provided below, along with the login ID we have on file for your account.
Login ID: [login]
New Password: A###-#####-A###
Please log in to your account immediately, using this new password information, to ensure that it is working properly. You can access your account directly at http://web.realnames.com/Virtual.asp?page=Eng_Corporate_Login. If you have any questions or have any difficulty in accessing your account, you may send us an email at support@realnames.com. DO NOT REPLY DIRECTLY TO THIS E-MAIL MESSAGE.
We greatly regret this situation and the inconvenience that this malicious hacker attack may have caused you. Please be assured that we are doing everything possible to resolve this matter quickly, including working with federal law enforcement authorities, and that we are working hard to prevent any similar situations from occurring in the future.
Sincerely,
Keith Teare,
CEO/Founder and Chairman of the Board
RealNames Corporation
Keithteare@realnames.com
(:::UID=#######:::)
You can safely leave credit card numbers lying around on a server or in a database accessible from the server IF you encrypt it with a public key, and keep the private key offline somewhere.
You're probably right, but who cares about webpage hacks anyway? Those are the least of our worries.
By chance, did you notice Mysql's little "feature" allowing remote access to the database simply by supplying the 1st character of the password? All versions are vulnerable except for the day old latest release. I guess you need to filter that too.
I would think the most clueful consumers would feel the same way.
What did you expect? They're running IIS/NT, how could they ever HOPE to be secure?
I want to have a cryptographic protocol, more like this: the merchant says my bill comes to (say) $73.95 and presents me with an invoice. I authorize the invoice with my private key and transmit it back to the merchant. The merchant presents the authorized invoice to my bank, which verifies the authorization and transfers the money from my account to the merchant.
No more lost CC numbers (if you lose your private key you are about as hosed as if you lose your CC now: call your bank immediately). No more overcharges (I hate it when I buy something and the merchant hits me with a shipping fee that I didn't notice). No more mass compromises a la Netcom and Realnames. No more zillion pieces of paper lying around the typical restaurant with CC numbers on them.
Check out E-Gold. You can trade in gold, electronically. You can use it, among other places, at the Anonymizer.com.
Mark
The way to fix this problem, quite simply, is to never store the credit card numbers on a public server, or for that matter, any machine that is connected to the net. Before anyone whines that this is too hard to do, let me tell you -- I do things this way.
There are a number of other bonehead things that many e-commerce sites do that are IMHO grossly negligent. The big ones:
Security: It's not that hard.
Mark
If this situation had been reversed, I bet it would have been all over /.
SPF support for most open source mail servers can be found at libspf2.
...and make sure the key to decrypt them isn't on the same server as they are stored on. (At the very least.) Best if the machine the decryption key is on is not even connected to the internet, at least not directly.
Sounds pretty obvious, but many a programmer goes half-way for security, and leaves something simple out/does something dumb, that leaves a hole.
For an interesting view of what is alleged to be the real reason why the U.S. went off of the gold standard (so that the rich could get richer moving in and out of the currency markets) see Taylor Caldwell's "Captains and Kings".
I see even classic Slashdot is now pretty much unusable on dial up anymore.
"The perpetrator was able to access a stolen copy of Windows 2000 server. But Gates said there was no evidence that this criminal has actually installed it on his machine and fiddled around with the menu font"
"The perpetrator stole a BMW from some old couple up in the hills. But Jones said there was no evidence the car had been used to do wheelies, or pick up chicks."
"The perpetrator was able to get his hands on a very large amount of stolen handkerchiefs. But Smith said there was no evidence the handkerchiefs weren't sold at a ridiculously low price to a bargain basement store out in the suburbs."
"The perpetrator was able to install Linux on his computer. But Linus said there was no evidence he has read slashdot."
"The perpetrator was able to access customer records, credit card numbers and passwords. But Teare said there was no evidence that any credit card numbers have been used."
--
Computers are useless: they can only give you answers. -- Pablo Picasso
You know, any fraud perpetrated with these credit card numbers is going to get covered either by RealNames or some other middleman company in the credit card business.
So who is going to sue whom? Is Visa going to sue RealNames? Is Bank Of America going to sue RealNames? Will RealNames just have to eat any fraudulent purchases made with these cards, and then sue their contract network administrators?
Certainly the RealName customers aren't going to get harmed (other than the minor hassle of being issued a new card), so what grounds would they have for a lawsuit?
--
Business. Numbers. Money. People. Computer World.
Yes, they are related by the fact that:
- Lots of companies have jumped on the Internet bandwagon without understanding what they deal with
- Lots of companies who have been around for a while have grown to the point of "let's make exclusive agreements, long live marketing"
As a result of both of these there are a lot of sites whose security is at best "relaxed". Worst of all, some companies who used to deploy high quality equipment and personnel are dropping to inferior stuff due to the inability to maintain the quality in sight of quantity, or even worse due to "exclusive marketing agreements". So the result is lots of dots (in guess which domain).
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Gold has no intrinsic value. Oxygen, now THAT has intrinsic value.
Currency systems are only what you make of them.
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
I didn't say water and air made good currency. I said they had intrinsic value. Anything non-essential to life has implied value. 'nuff said.
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
Yes, but what about the new "horses". If they were stolen once, then shouldn't RealNames do something to protect future customers data?
-Brent
Let's not get paranoid here, the problems with these internet DOS and break-in attacks all have one thing in common. There is Never Security Anyway on these computers to prevent this.
Trying to blame some innocent government agency that would never Never Sanction Abuse of the power they have been given is just immature.
Of course, what would easily fix this problem is to allow the proper government groups more power in regulating the internet. Let's face it, privacy is dead and anyone who wants to keep privacy must be a criminal living in the woods waiting to snipe federal agents.
So support better regulation of the internet, you'll be glad you did when you no longer have to fear DOS attacks from some evil hackers.
Finkployd
The idea is that you don't have to risk sending your CC number over and over again; unfortunately some companies don't seem to understand that if they're going to hold onto CC numbers they should:
a) store them on a machine not directly connected to the internet,
b) encrypt them,
c) give users the choice of keeping their CC number or not.
CIA Industries - Running the world for fun and profit
Yes it looks like they do run IIS/NT on their front end, but can you tell what the backend really is just from looking it up at Netcraft? This break-in may not mean that the front end webserver was cracked, it would more likely mean that a backend database machine was broken into.
$ telnet web.realnames.com 80
Trying 216.86.227.154...
Connected to web.realnames.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Mon, 14 Feb 2000 18:30:36 GMT
Connection: Keep-Alive
Content-Length: 11376
Content-Type: text/html
Expires: Mon, 14 Feb 2000 18:30:36 GMT
Set-Cookie: ASPSESSIONIDGQGGGGOP=CJKDLDFCJOOOOOOJGBBLMONM; path=/
Cache-control: private
Connection closed by foreign host.
I know why they'd have credit cards online. How do you reconcile these three requirements:
I was recently hit with this problem... and didn't find a solution that was secure enough, so we're ditching 2 and doing that separately.
messing is a yellow metal too. It's not an element, but it is metal...
----------------------------------------------
the pun is mightier than the sword
Actually, in my opinion, keeping credit card data on any system at all accessible from the net for more than a few minutes should be called criminal negligence. Sue them out of existence _and_ throw them in jail.
I'd argue that e-commerce very much _needs_ such a setback. What's the use of encrypting with ssl or anything when the real risk is the morons on the receiving end keep the credit card info accessible for every script kiddie and their dog anyway?
You're perfectly right, of course. Investing in stocks in companies doing what any guy in a basement could do is only playing a pyramid game. Very popular in countries such as Albania, but you'd imagine investors in more industrial parts of the world would have better sense.
You'd think that at some point these damned companies that collect sensitive information would start treating it like it was sensitive. I wonder if it'd be possible to put the screws to some of these guys?
Are all these attacks recently somehow related?
....well, damn good question, I'll say yes. Not necessarily because they're committed by the same group of people. But because they are DUE TO the same group of people. Yes, I am of course talking about the group of people, commonly known as "system administrators", "network administrators", the "IS-department" etc.
Without casting blame on anyone, my general experience from all too many years as an independent consultant is that most of the people in charge of managing security at various sites know next to nothing (if even that much) about what they are doing and what they are up against. I've seen horrifying examples from within the financial sector as well as the public health sector, which makes me everything but surprised when security is violated or sites taken down (sites being used in a more general term than "www-servers").
It's probably not the network administrators who are to blame either - it's their managers and organization who are often clueless as to what is required and therefore hire the first the best guy who can spell "Windows NT" without making too many mistakes. Being a bit harsh - I know - but these days people are hired on "vendor certificates" (as in MCP and CNE) rather than generic skills - for example within networking or computers in general. Having completed a "vendor certification program", one surely must know the products one has been certified for. But that's (unfortunately) no guarantee that the person has the knowledge required to manage a network.
As an example I've time and time again been surprised to see the amount of "MCP's" (and those "microsoft certified engineers" or whatever their title be), who had superior skills when it came to managing their NT-boxes - but for whom solving even the simplest networking problems was impossible. Most people who've grown up with computers are very familiar with tools such as ping, traceroute, tcpdump and friends and know some of the workings of the commonly used protocol stacks - and most of those new-born administrators are barely familiar enough with networks to know what an IP-address is.
I know it is difficult to find people with good qualifications. I've been looking for some for clients for the past 2 years with little luck. Most applicants put up a blank face when presented with technical questions that go beyond "point-and-click". Yet they still get jobs in different companies....
So yeah, I am not surprised....and yeah, those attacks are somehow related...
Just my $0.02
-- "Life is a bitch - and she hates me..."
This sounds good, but it becomes very cost/time prohibitive with database growth. Accessing a database takes time anyway, as does generating a report or searching for data ... now imagine performing (insert favorite encryption technique here) on just 1,000,000 records of 20 fields apiece. Every search, sort, merge, add ... very CPU expensive. Unless you have the resources to procure a behemoth of a machine, it's going to bog a lot of stuff down.
Now granted, I'm no security or DB expert, and I'm not claiming to be; I'm just putting it in my perspective. Certainly, for small databases/companies, this may very well be the solution. And larger companies that can afford to do so, I'm sure do. Mid-range companies, however, I'm doubtful can. If there is a better solution, by all means, tell me; I enjoy learning.
Hmm ... it seems that not a day goes by without some sort of hacking/DOS incident making the news. Given the somewhat crazy valuation of internet/e-commerce companies, one must wonder how stable the current boom is. Most of these companies don't have much in terms of sales revenue or profit (especially when compared to the traditional brick and mortar business companies), so their valuation (and to some degree their success) depends on the image they evoke. As such, their valuation is really determined by the public believing the great future these companies hope for. How much would it take to shake this confidence? Is 1 incident a day enough to make Joe Public lose confidence? Because once that happens, the money that has been pumped into the .coms might just evaporate very quickly ...
Ok you want security, it's going to cost you $1000 an hour. You don't like it, take a fsck hike cause some teenager is going to take you down. Sure my billable rate seems high but my sites don't get hacked (well the real old one does from time to time but hey it's a damn old box {10+ yrs} and it's like the pet you can't let be put to sleep).
The scary thing is there are people much better than me out there for securing boxes. Are you one? If so why they he0x6c0x6c aren't you asking for your fair share?
The marketeers that run this crud are making billions.
...that the ever-lovable ``gnulix guy'' lives under a pseudonym. :-)
...signed, the ever-lovable gnulix guy!
Encrypt those damn f* CC numbers! There's nothing as secure and cost effective as encrypting the database (and storing the private key off the server of course!). Any system is supposedly crackable, but we have yet to see a cracker brute-forcing a 2048 bit/PGP encrypted CC number...
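Several posters in this thread say the same thing: encrypt the card number with a public key on the web server and keep the private key on a machine that is off the net. The split looks like this in Go. This is an added example, not code from any poster or from RealNames; it assumes Go's standard-library RSA-OAEP, names of my own (WebTier, OfflineVault) and a constructed test card number.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel ties each ciphertext to its purpose: a blob encrypted for some
// other use will not decrypt as a card number even under the same key.
var oaepLabel = []byte("card-number-v1")

// WebTier models the internet-facing server. It holds only the public key,
// so a full compromise of this machine yields ciphertext it cannot open.
type WebTier struct {
	pub     *rsa.PublicKey
	records map[string][]byte // customer id -> encrypted card number
	last4   map[string]string // the only card data kept readable, for display
}

// OfflineVault models the disconnected machine that holds the private key and
// is fed ciphertext (one-way link, sneakernet) only when a card is charged.
type OfflineVault struct {
	priv *rsa.PrivateKey
}

// NewSplit generates a key pair and hands each half to the right machine.
func NewSplit() (*WebTier, *OfflineVault, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	web := &WebTier{
		pub:     &priv.PublicKey,
		records: make(map[string][]byte),
		last4:   make(map[string]string),
	}
	return web, &OfflineVault{priv: priv}, nil
}

// StoreCard encrypts the full card number and keeps only the last four digits
// readable. Only this one field is encrypted, which is the answer to the
// "encrypt 1,000,000 records of 20 fields" cost worry later in the thread:
// searches, sorts and reports keep running on the plaintext columns.
func (w *WebTier) StoreCard(customer, pan string) error {
	if len(pan) < 13 || len(pan) > 19 {
		return errors.New("card number has implausible length")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(pan), oaepLabel)
	if err != nil {
		return err
	}
	w.records[customer] = ct
	w.last4[customer] = pan[len(pan)-4:]
	return nil
}

// Ciphertext is all that an attacker who dumps the web-tier database gets.
func (w *WebTier) Ciphertext(customer string) ([]byte, bool) {
	ct, ok := w.records[customer]
	return ct, ok
}

// Last4 is what the web tier can legitimately show back to the customer.
func (w *WebTier) Last4(customer string) string { return w.last4[customer] }

// Reveal decrypts on the offline machine. OAEP's padding check means a
// flipped bit in the ciphertext is rejected instead of yielding a garbled
// card number that might be charged by mistake.
func (v *OfflineVault) Reveal(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, v.priv, ct, oaepLabel)
	if err != nil {
		return "", fmt.Errorf("vault: %w", err)
	}
	return string(pt), nil
}

// SameCiphertext reports whether two stored blobs are byte-identical. With
// OAEP's random padding they never are, so a thief cannot tell which
// customers share a card, nor match blobs against a precomputed table.
func SameCiphertext(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	web, vault, err := NewSplit()
	if err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test number, not a real card
	_ = web.StoreCard("cust-1", pan)
	ct, _ := web.Ciphertext("cust-1")
	fmt.Printf("web tier holds %d opaque bytes, last4=%s\n", len(ct), web.Last4("cust-1"))
	got, err := vault.Reveal(ct)
	fmt.Println("offline vault recovered the number:", err == nil && got == pan)
}
```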
I'm wondering what sort of security they managed to buy/write and integrate in 48 hours. It was either a very small problem, a basic oversight, or 48 hours work won't solve very much.
An Eye for an Eye will make the whole world blind - Gandhi
Work for Change & GET PAID!
Potentially the most worrisome (at least to the general public), but least covered in the press of the recent cracker attacks against major websites, early Sunday crackers managed to replace the main page of www.rsa.com with their own message.
Here is the Newsbytes story.
Work for Change & GET PAID!
If you go to a shop, they take your credit card, send the information through electronically and the payment process starts. They do not keep a copy of your credit card information forever!
Why are these internet companies doing this. We should get it stopped. I don't think that these databases should be allowed to keep hold of our information longer than necessary to complete the transaction.
Gold is itself not immune to inflation. The difference is that while inflation in paper money is controlled by the people who issue the paper, inflation in gold is totally dependent on external events. Find a big new source of gold and its value drops. This is not farfetched. It happened to the Spanish in the 16th century.
Also bear in mind that the price of gold is today about what it was twenty years ago, despite the fact that inflation has just about doubled prices over that time period.
A gold backed currency works on the theory that it prevents the government from mucking with things too much. The government can't create new gold like it can new paper money, and this prevents governments from causing too much inflation. But it does not prevent any control. Imagine what would happen to the price of gold if the US government decided to sell everything in Fort Knox tomorrow... And it also depends on the amount of gold in circulation being basically related to the size of the population.
The cake is a pie
Just for kicks, I threw the following numbers into my calculator with my salary: Inflation of 10% a month. Salary increase of 5% a month. In other words, a salary not keeping up with inflation. Yet over that time, my food+housing costs actually decline in real terms, because while my food costs double, my monthly mortgage is effectively halved. Since my mortgage is a lot higher than my food cost, I am actually better off even with inflation increasing faster than my salary, at least in the short term!
Then add to that the fact that the value of my house goes up 1.79 times.
(All this ignores the secondary effects, being that all those lower mortgage payments hurt the banks, which make it harder for companies to borrow, which causes layoffs, which could take my salary to $0, etc, etc.)
The cake is a pie
it does not matter how secure the OS is if you set it up and administer it insecurely
Moving the database to a secure machine that is not accessible from the internet (as well as the other measures this poster lists) is a minimum precaution. True, you have to actually know something about communicating with a DBMS and more than HTML and the server scripting language of your choice. But this is not amateur hour anymore -- not when you are handling live financial information.
Really. What is the problem with highly encrypting things like credit card information?
I've got a credit card, and I avoid using it. I actually only use it for paying hotels and at airports. I don't understand how people can use credit cards online: the vendor has all information to pay himself twice or as many times as he likes! Or someone who steals the information can do this too.
I'm actually more afraid of the vendors than the thieves.
One day I rented a car in Antwerp, Belgium. The contract said "unlimited kilometers". Well, when I brought the car back, the company charged me for excess kilometers, saying that I had gone over the limit specified in the "General Terms & Conditions" to which the contract refers, but which are not specified in the contract. He charged me without my consent: he actually paid himself from my funds. I complained about this to my bank, because it violates the general conditions for the use of the credit card. These general conditions say that I must sign the slip in order to pay. Nonetheless, the Bank Card Company refused to refund this payment. Even though I would probably win the case in court, because while I may have agreed to the contract, I have never agreed to the payment, regardless of the contract, the Bank Card Company knows very well that it's not worth going to court for 200$.
If you generalize this case, it means that companies may very well state in their terms and conditions that, for example, a subscription to a magazine will silently be renewed, and that they are allowed to charge your credit card at the end of every term. They may add all kinds of costs in small print that you've never seen and charge you for that too.
I don't want a payment method in which a vendor could potentially serve himself a second time without my consent! It's too risky because it's simply inviting abuse! That's why credit cards are simply too dangerous to use frequently.
An online payment system should open 3 secure connections at the same time:
customer ---token1---> clearinghouse
vendor ---token2, confirmation, amount---> clearinghouse
The vendor should never,ever see the information that the customer transmits to the clearinghouse (token1) to validate the payment.
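The signed-invoice scheme proposed earlier in the thread (merchant presents an invoice, customer signs it, bank verifies and pays) and the clearinghouse split above share one design: the customer signs the exact amount, the party that moves the money checks the signature, and the vendor never holds anything it could reuse. This is an added example, not code from any poster; it assumes Go's standard-library Ed25519, my own Invoice/Customer/Bank names, and an in-memory bank that remembers settled invoice ids so a vendor cannot "serve himself a second time".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Invoice is what the merchant presents. The random ID makes each invoice
// unique, so the bank can refuse to honour the same authorization twice.
type Invoice struct {
	ID       [16]byte
	Merchant string // merchant's account at the bank
	Cents    uint64
}

// encode is the canonical layout the customer signs and the bank verifies:
// id(16) | cents(8) | len(merchant)(2) | merchant.
func (inv Invoice) encode() []byte {
	var fixed [26]byte
	copy(fixed[:16], inv.ID[:])
	binary.BigEndian.PutUint64(fixed[16:24], inv.Cents)
	binary.BigEndian.PutUint16(fixed[24:26], uint16(len(inv.Merchant)))
	return append(fixed[:], inv.Merchant...)
}

// Authorization is the signed invoice the customer hands back to the merchant,
// who forwards it to the bank. It contains no secret the merchant could reuse.
type Authorization struct {
	Account string // paying account, so the bank knows which public key to check
	Invoice Invoice
	Sig     []byte
}

// Customer holds the signing key; the bank only ever stores the public half.
type Customer struct {
	Account string
	priv    ed25519.PrivateKey
}

func NewCustomer(account string) (*Customer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Customer{Account: account, priv: priv}, pub, nil
}

// Authorize signs exactly the invoice shown. A merchant that later raises the
// amount (the surprise shipping fee complained about above) breaks the signature.
func (c *Customer) Authorize(inv Invoice) Authorization {
	return Authorization{Account: c.Account, Invoice: inv, Sig: ed25519.Sign(c.priv, inv.encode())}
}

var (
	ErrUnknownAccount = errors.New("bank: unknown account")
	ErrBadSignature   = errors.New("bank: signature does not match invoice")
	ErrReplay         = errors.New("bank: invoice already settled")
	ErrInsufficient   = errors.New("bank: insufficient funds")
)

// Bank verifies the signature, rejects invoice ids it has already settled,
// and only then moves money between accounts.
type Bank struct {
	keys     map[string]ed25519.PublicKey
	balances map[string]uint64
	settled  map[[16]byte]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, balances: map[string]uint64{}, settled: map[[16]byte]bool{}}
}

func (b *Bank) Open(account string, pub ed25519.PublicKey, cents uint64) {
	b.keys[account] = pub
	b.balances[account] = cents
}

// Settle is what the merchant calls with the authorization it received.
func (b *Bank) Settle(auth Authorization) error {
	pub, ok := b.keys[auth.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, auth.Invoice.encode(), auth.Sig) {
		return ErrBadSignature
	}
	if b.settled[auth.Invoice.ID] {
		return ErrReplay
	}
	if b.balances[auth.Account] < auth.Invoice.Cents {
		return ErrInsufficient
	}
	b.settled[auth.Invoice.ID] = true
	b.balances[auth.Account] -= auth.Invoice.Cents
	b.balances[auth.Invoice.Merchant] += auth.Invoice.Cents
	return nil
}

func main() {
	cust, pub, _ := NewCustomer("alice")
	bank := NewBank()
	bank.Open("alice", pub, 10000)
	inv := Invoice{Merchant: "shop", Cents: 7395} // the $73.95 bill from the comment
	rand.Read(inv.ID[:])
	auth := cust.Authorize(inv)
	fmt.Println("first settle:", bank.Settle(auth), "| replay:", bank.Settle(auth))
}
```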
I think that one way to make it less attractive for these people to hack those sites is to try and ignore 'm a bit more. I wonder how much money they can make with the stuff in the databases they hacked and if it's really worth the effort.
The best way of course would be to stop using cards on the net altogether. And I just can't understand why nobody has come up with something else. The electronic wallet (chipcard) is already very common to use. You load it up & have some amount of money on it. Want to pay online? Hook up a cardreader to your pc and when you need to pay you just insert the card.
Sure; even this system can be tampered with but I'd rather lose 100 guilders which was stored on my chipcard than the whole amount of money I may spend on my credit card (which lies around 78.000 guilders iirc).
In this case, a class action lawsuit is a surefire winner. There's no reason those bozos had to store credit card data in the database.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Hackers do spoof to hide their origin address, but what these perps did was to change URLs to a box in China.
My thought is: due to the control the Chinese Gov't exerts on their populace's boxes, and an even stronger one would suppose on a 'government site'; how come there was a page waiting at the other end? (allegedly).
threadeds blog
Hmm - I'm just wondering why this 'further' security wasn't in place to start with.
http://harridanic.com
Just did a quick check in Netcraft. Not surprisingly, the site is hosted on an NT/98 server. I am shocked when people actually use an NT machine to run a web site on the Internet (I guess NT can host a low traffic, zero-security intranet). We have a client who wants to use NT & IIS as the Server, SQL Server 7.0 as the backend database, and Windows CE as the Terminals. I laughed my a*s off and asked how much incentive Microsoft gave to you. Of course, the project manager told me the software is almost free from Microsoft if they actually get the project done and online. None of these e-commerce sites thought about using Linux not because they are ignorant, but because Microsoft did a good job in marketing. I actually heard a salesman from Microsoft say, "If Linux is good, why is it free?" What the fsck is he talking about. Matt
The quality metric of an encryption algorithm is the ratio of times that conversion from plaintext to ciphertext and back takes with and without the key. Frankly, we aren't talking about anything really high tech as far as the encryption requirement goes. You even have the advantage of a small, uniform-length plaintext, of which much of the crack-useful data can be stripped. (For instance, you could use 2-3 bits for the type of CC header, instead of the actual 3-4 digits usually used.)
Also no expert, but with a little experience, your search algorithms will give you more efficiency issues.
IP is just rude.
Is there any torture so subl
I saw this on CNN about a dozen times last week. Emmet, I recommend you spend less time with your friends / lovers and more time watching the news.
$5 / month hosted VPS on linux = awesome!
What if the page hack actually subtly changed the web site instead of "owning" the home page. I bet there are a few of them around, unreported and unfixed. As web applications grow this kind of unauthorized entry could be a real menace. For now I'm glad the www crackers are having fun because it should make it harder for the feds to sneak in via the web door.
I worked at an ISP and people building web sites for big clients seemed quite happy to put the database INSIDE the web space. Happy that FTP would protect them and that not publishing the URL to the DB was enough to keep it safe. I did manage to help the few I spotted, but god knows how many were content to do that. FrontPage Extensions use a _private directory that is excluded from the web space, but if doodz can hack in I don't know what they can get to and extract.
Changing form pages to direct the script elsewhere or changing the scripts themselves to do something different are two exploits. If the overall result to the website is the same how long before someone notices?
Hopefully web page hacks are important because their footprints help make better bolts for the stable doors.
RSA getting done is ironically funny.
Servers are only as safe as their weakest link.
Which is the weakest: NT, Redhat, sysadmin, dept. budget, webmaster, client demands, browser?
As each tier presents itself the complexity opens holes on its own, as the application often overreaches the capabilities of one of the functional units. "Get the job done" can "Do the right thing" in the mind of the person who pays the piper.
There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
FROM: RealNames@bayarea.realnames.com
Dear Real Names User,
We've been 0wn3d.
Your new password will be IOWNYOU
Please log in and change it so we can all get access.
J R Cracker
p.s. please do not reply to this e-mail as it is fake. I just put FROM: RealNames@bayarea.realnames.com in the header but you probably don't know that and trust an email just by the from address.
If you have a PDQ machine in your shop you are instructed to keep the bottom copy of the slip for your own reference.
We stored ours in the cellar. You are not told for how long to keep them. We ended up shredding them regularly. Anyone who broke into our shop could run off with plenty of slips.
btw. We don't have this shop any more.
While they were there they could steal the computer with all of our customers' details too. We have a monthly subscription for which we keep a copy of the CC number. We keep 'em encrypted, but a client program decrypts them so someone can type them into the PDQ every month.
I know it all sounds lax on the security front, but I'm telling you because it's a real world example of how a real small business runs itself. CCs are not secure by any stretch. Thinking otherwise is dumb.
Are all these attacks recently somehow related? It makes you begin to wonder. Technically any online business is at risk, since most businesses have some form of database that is hooked to the internet and also stores sensitive information such as credit card numbers.
The question is, how do you protect yourself, and of course someone is always going to come along and figure out how to break through that barrier as well. I still think e-commerce is very insecure however the internet has forced us to adopt it so I guess we are not left with much of an alternative... Any suggestions?
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com
Nathaniel P. Wilkerson
www.haidacarver.com
They are trying to create a general mood of worry in the public to justify new "security" laws. Why so many different sites cracked in such a short time? Who has the resources and the knowledge for that? There's No Such Agency...
From the /. moderator guidelines: If you can't be deep, be funny
Gold has an intrinsic value, it's the only yellow metal, is present in nature in about the right abundance to be valuable but not too hard to find, and is one of the most resistant metals to corrosion.
Gold, as mentioned in a bank ad I once saw, has a "5000 years warranty".
Anyway, brass is not very resistant to corrosion and it's too easy to obtain. Good for very small value coins.
Why don't we just stop using credit cards over the net, and start using good old reliable paper money... "But Teare said there was no evidence that any credit card numbers have been used." There's a nice way of putting it... "Yeah, they stole your money but we have no evidence that they're spending it..."
Why do they keep credit card numbers in the same database anyway? Wouldn't it be a lot more secure to move them to a separate billing database with much more restricted access?
Any time you give your credit card out over the internet you need to make sure that you trust the company that you are dealing with. Is it any surprise that Real Networks, a closed source, litigious, profit hungry company, didn't protect their customers? After all, they already paid for their upgrades, so it was time to move on to the next round of suckers.
--Laplace
The middle mind speaks!
It seems that somebody created a fictitious company with the name _RealNames to do this. It's terrible, how long will this go on?
It is quite possible that because of this break-in someone could steal someone else's RealName. Can you imagine the potential horrors? And before you know it, there are going to be RealName impersonators out there. microsoft..com anyone?
-hemos
I'm hemos., aka Jeff. Bates.. I help run this site, along with Rob. Malda.. I handle books, and generally posting storie