RealNames Customer Data Stolen
Sc00ter writes "C|Net News reports 'RealNames, a company that substitutes complicated Web addresses with simple keywords, is warning its users that its customer database has been hacked, and that user credit card numbers and passwords may have been accessed.' Complete story here." Remember when NSI teamed up with Centraal, the creators of RealNames?
The way to fix this problem, quite simply, is to never store the credit card numbers on a public server, or for that matter, any machine that is connected to the net. Before anyone whines that this is too hard to do, let me tell you -- I do things this way.
There are a number of other bonehead things that many e-commerce sites do that are IMHO grossly negligent. The big ones:
Security: It's not that hard.
Mark
"The perpetrator was able to access a stolen copy of Windows 2000 server. But Gates said there was no evidence that this criminal has actually installed it on his machine and fiddled around with the menu font"
"The perpetrator stole a BMW from some old couple up in the hills. But Jones said there was no evidence the car had been used to do wheelies, or pick up chicks."
"The perpetrator was able to get his hands on a very large amount of stolen handkerchiefs. But Smith said there was no evidence the handkerchiefs weren't sold at a ridiculously low price to a bargain basement store out in the suburbs."
"The perpetrator was able to install Linux on his computer. But Linus said there was no evidence he has read slashdot."
"The perpetrator was able to access customer records, credit card numbers and passwords. But Teare said there was no evidence that any credit card numbers have been used."
--
Computers are useless: they can only give you answers. -- Pablo Picasso
Yes, they are related by the fact that:
- Lots of companies have jumped on the Internet bandwagon without understanding what they deal with
- Lots of companies who have been around for a while have grown to the point of "let's make exclusive agreements, long live marketing"
As a result of both of these there are a lot of sites whose security is at best "relaxed". Worst of all, some companies who used to deploy high quality equipment and personnel are dropping to inferior stuff due to the inability to maintain quality in the face of quantity, or even worse due to "exclusive marketing agreements". So the result is lots of dots (in guess which domain).
Baker's Law: Misery no longer loves company. Nowadays it insists on it.
http://www.sigsegv.cx/
I know why they'd have credit cards online. How do you reconcile these three requirements:
I was recently hit with this problem... and didn't find a solution that was secure enough, so we're ditching 2 and doing that separately.
Are all these attacks recently somehow related?
....well, damn good question, I'll say yes. Not necessarily because they're committed by the same group of people. But because they are DUE TO the same group of people. Yes, I am of course talking about the group of people commonly known as "system administrators", "network administrators", the "IS department" etc.
Without casting blame on anyone, my general experience from all too many years as an independent consultant is that most of the people in charge of managing security at various sites know next to nothing (if even that much) about what they are doing and what they are up against. I've seen horrifying examples from within the financial sector as well as the public health sector, which makes me anything but surprised when security is violated or sites taken down ("sites" being used in a more general sense than "www-servers").
It's probably not the network administrators who are to blame either - it's their managers and organization who are often clueless as to what is required and therefore hire the first guy who can spell "Windows NT" without making too many mistakes. Being a bit harsh - I know - but these days people are hired on "vendor certificates" (as in MCP and CNE) rather than generic skills - for example within networking or computers in general. Having completed a "vendor certification program", one surely must know the products one has been certified for. But that's (unfortunately) no guarantee that the person has the knowledge required to manage a network.
As an example, I've time and time again been surprised to see the number of "MCPs" (and those "Microsoft certified engineers" or whatever their title may be) who had superior skills when it came to managing their NT boxes - but for whom solving even the simplest networking problems was impossible. Most people who've grown up with computers are very familiar with tools such as ping, traceroute, tcpdump and friends and know some of the workings of the commonly used protocol stacks - and most of those new-born administrators are barely familiar enough with networks to know what an IP address is.
I know it is difficult to find people with good qualifications. I've been looking for some for clients for the past 2 years with little luck. Most applicants put up a blank face when presented with technical questions that go beyond "point-and-click". Yet they still get jobs in different companies....
So yeah, I am not surprised....and yeah, those attacks are somehow related...
Just my $0.02
-- "Life is a bitch - and she hates me..."
Hmm ... it seems that not a day goes by without some sort of hacking/DoS incident making the news. Given the somewhat crazy valuation of internet/e-commerce companies, one must wonder how stable the current boom is. Most of these companies don't have much in terms of sales revenue or profit (especially when compared to the traditional brick and mortar business companies), so their valuation (and to some degree their success) depends on the image they evoke. As such, their valuation is really determined by the public believing in the great future these companies hope for. How much would it take to shake this confidence? Is 1 incident a day enough to make Joe Public lose confidence? Because once that happens, the money that has been pumped into the .coms might just evaporate very quickly ...
Potentially the most worrisome (at least to the general public), but least covered in the press, of the recent cracker attacks against major websites: early Sunday, crackers managed to replace the main page of www.rsa.com with their own message.
Here is the Newsbytes story.
Work for Change & GET PAID!
It does not matter how secure the OS is if you set it up and administer it insecurely.
Moving the database to a secure machine that is not accessible from the internet (as well as the other measures this poster lists) is a minimum precaution. True, you have to actually know something about communicating with a DBMS and more than HTML and the server scripting language of your choice. But this is not amateur hour anymore -- not when you are handling live financial information.
In this case, a class action lawsuit is a surefire winner. There's no reason those bozos had to store credit card data in the database.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
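An added illustration, not code from any poster, of the architecture Mark's post and the one above argue for: the internet-facing tier checks the card number, pushes it through an append-only channel to an isolated machine, and persists only an opaque reference and the last four digits, so a dump of the web database contains no card numbers. The class names, the Luhn check and the 4111... test number are constructed for this example.

```python
import json
import secrets
from dataclasses import dataclass, field

def luhn_ok(pan: str) -> bool:
    """Validate a card number with the Luhn checksum before it is forwarded."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class WebTier:
    """Internet-facing server: its own store holds a reference and last four digits only."""
    orders: dict = field(default_factory=dict)   # persistent, reachable by an intruder
    outbox: list = field(default_factory=list)   # append-only channel, drained by the vault

    def place_order(self, order_id: str, pan: str, amount: int) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        ref = secrets.token_hex(8)               # opaque handle only the vault can resolve
        self.outbox.append({"ref": ref, "pan": pan, "amount": amount})
        self.orders[order_id] = {"ref": ref, "last4": pan[-4:], "amount": amount}
        return ref

    def exposes_pan(self, pan: str) -> bool:
        """What a dump of this tier's database would reveal."""
        return pan in json.dumps(self.orders)

@dataclass
class Vault:
    """Machine with no inbound network path; the only place full card numbers live."""
    cards: dict = field(default_factory=dict)

    def drain(self, web: WebTier) -> int:
        moved = 0
        while web.outbox:                        # vault pulls; web tier cannot read back
            rec = web.outbox.pop(0)
            self.cards[rec["ref"]] = rec
            moved += 1
        return moved
```

Charging a card later means the isolated machine resolving the reference, never the web tier re-reading the number.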
Hmm - I'm just wondering why this 'further' security wasn't in place to start with.
http://harridanic.com
I suppose, in one sense, that the recent database hacks are all related - people so keen to get their wonderful site onto the net that they forget (aka are too lazy) to worry about basic database security.
You can secure (effectively, not absolutely) a database: there are plenty of architectures, secure SQL gateways available. Even a firewall will help, if you can be bothered to set it up properly.
Is this incident linked to the recent DDoS attacks? I doubt it. Cracking a database requires more skill than launching a readily available attack tool.
Is e-commerce secure? Probably not, but then neither is ordering over the telephone or letting somebody take your credit card out of your sight. Remember the Dilbert with the waitress and the fur coat?