Slashdot Mirror

← Back to Stories (view on slashdot.org)

NIPC Warns Of E-Commerce Vulnerabilities

Posted by ryuzaki0 on from the hack-and-slash-attack dept.

SueZVudu writes: "In an announcement yesterday, the National Infrastructure Protection Center said that there has been an increase in hacker activity aimed at US e-commerce sites. They're mainly exploiting three known vulnerabilities in Windows NT systems, but Unix systems have been targeted as well. Basically, they point out the holes in MicroSoft's SQL system and warn that such attacks are on the rise. You can see the story here." There've been a number of stories like this lately -- not just Microsoft, but the number of attacks is continuing to rise, and some people have been talking about more CERT [?] s regarding "super" DDOS [?] attacks.

13 of 78 comments (clear)

  1. standard cc verification is a built-in exploit by gempabumi · · Score: 3

    Basically, to buy anything on the net, all you need is:

    a) a name
    b) a credit card number
    c) a zip code

    And that's all - your transaction will be authorized. Whoever thought up this system should be awarded with the "I killed e-commerce" trophy.

    I run a free email service in Southeast Asia. Anyway, every once in a while we get complaints from some disgruntled person in the states about how one of our accounts is using their cc number. Generally, when this happens, we check the account, and usually we find a trail of purchases, along with the names and addresses to which the products were sent. We immediately lock the account.

    Then we try to figure out what to do next. Our choices:

    1. Alert the FBI? Un/fortunately the FBI has no jursidiction here. They can't do anything.

    2. Alert the local auithorities? Well, there is _no_ law in this country. None whatsoever, sadly. And in a case like this, which would require some technical intelligence on their part, the local police would get so confused that they would probably throw us in jail. I'm not exaggerating.

    3. Archive the files and wait. Yep.

    An estimated 80% of the cc transactions originating in this country are with stolen cc numbers. So, if you have online cc processing on your site, MAKE SURE you block any requests originating with 202.* Of course, experienced kiddiez can use proxy servers, but you'll cut down the percentage.

    A friend of mine has an online gift shop, and fake orders where sent through his system for weeks. Every request which is _verified_ by the cc authority and later cancelled cost him $5. He tried to notify the bank where the stolen numbers where coming from and got no response - they didn't care. Why should they, they were making $5 on every fraudulent transaction.

    e-commerce sites are going to get killed by this when more unscrupulous people figure out how easy it is to order goods over the internet. as i said, all it takes is a name, a cc number, and a zip code.

  2. Re:I see a different trend... by pheonix · · Score: 3

    Actually, I hate to admin the truth to this one, and I wish I had some moderator points to up this one some.

    What makes this worse though isn't just the MCSE process. It's the age discrimination that does occur to a great degree on 30-35 year old IT workers. You take your most experienced group and disregard them as "too old" or "too expensive" in favor of the more hours-flexible, inexpensive (generally), and inexperienced. Of course we're going to have these problems. This just doesn't happen in most other job arenas.

    Oh well, enough ranting for me, these problems should resolve themselves somewhat when the job market corrects itself to some extent.

  3. WORD! by Otis_INF · · Score: 3
    So true... The exploits mentioned in the article are so old and well known, there are patches available for all of them since april this year (some even earlier), if the admins still haven't applied these patches, they don't know what they're doing. I know a few of these admins, in fact they work for big corporations here in Holland, and they say "Well, we have the corporate wide policy to be on patchlevel X (or service pack Y) and all our servers have to be on that level otherwise we get confusion"...

    No that's no joke, but reality. They simply don't understand that if a server is behind a firewall but still connected to the internet, it still can be very vurnerable. So they don't see the need to apply all these patches and configuration settings.

    I did the MCSE course myself a couple of years back, just to get that raise ;) and it's true: if you get the title you think you're AdminGod who knows everything. When you're then sent to a real life situation with servers running all kinds of weird software that affects your work but you don't know that software, you understand how that 16 year old kid must feel, you described perfectly.

    I went back to programming right away... :) Much more fun. ;)
    --

    --
    Never underestimate the relief of true separation of Religion and State.
  4. "super" DDOS attacks by FattMattP · · Score: 3
    some people have been talking about more CERTs regarding "super" DDOS attacks.
    Yes, these "super" DDOS attacks can bring a site to its knees. The XMAS attack is one of the most devastating, hitting the servers of e-commerce companies from many infected computers around the globe. It seems to only happen only around December 1st through December 25th, then mysteriously stop. These attacks also leave eXtra Masstive Attack Signatures (XMAS) in the form of many hits on a site -- particuarly to resource intensive pages such as online catalog pages -- and sometimes many orders, keeping both credit card verification and product delivery channels clogged for days.

    Something MUST be done about this!

    --
    Prevent email address forgery. Publish SPF records for y
  5. We all knew this would happen. by treat · · Score: 3

    Everyone knew that the commercialization of the internet, and bringing millions of people onto it, would cause this to happen.

    Consider the original IRC network, EFnet. It's essentially dead - completely unreliable and virtually impossible to connect to. Because of people DOSing the servers.

    I liked the net a whole lot more when it was just us geeks.

  6. Okay, but will this problem ever go away? by Green+Monkey · · Score: 3
    We're always hearing about how there's still a problem with security on the Internet, but is this really something to be surprised about? Eliminating illegal cracking completely is just never going to happen. Material goods have been around for thousands of years and we still theft. Why should we expect online transactions to be any different?

    I don't mean to be a pessimist, but it's inevitable that e-commerce will occasionally be subverted. It goes with the territory; we don't live in a perfect world and trying to make sure things always are secure is a waste of programming and marketing time.

    Internet security paranoia has gone on for far too long, mostly because the mass media thrives off creating terrifying hoaxes to show on the 6-o'-clock news. (This in spite of a recent PC Data survey that showed e-commerce transactions are more likely to be legit than mail order ones.) At one time, e-commerce was somewhat insecure and unreliable. But those days are over; there's no reason someone should be biting their nails after ordering from Amazon.com or CDNow. It's time to stop perpetuating the cracker myth and put our efforts into actually building the next-generation e-commerce infrastructure.

    --

    Green Monkey

  7. How appropriate... by Johnath · · Score: 3

    ... that securityfocus has just recently started up a new mailing list to handle the Secure Programming questions whose lack of answers lead to a lot of these problems. Of course, site admins should keep up on Bugtraq postings for whatever software they use, but it's the secprog list that is discussing the development of safe programming techniques and identification of dangerous constructs.

    To get more information and potentially sign up, click here.

  8. Old issue by Calle+Ballz · · Score: 5

    The NIPC is way behind the times. These exploits have been out for a while now, they are nothing new. Just because a certain ammount of sites are getting hit just recently doesn't mean that extra precaution should be made now. The precautions should have been taken a long time ago. Microsoft can put out some pretty secure stuff if the gaping holes like the MDAC vulnerability are closed. They forgot an even bigger IIS vulnerability as well. The new UNICODE vulnerability affects IIS 4.0 and IIS 5.0. It's the easiest vulnerability that I have seen yet. http://target/scripts/..%c0%af../winnt/system32/cm d.exe?/c+dir. Sorry to come off strong, but if people would just pay attention to the resources out there like www.securityfocus.com then articles like these wouldn't be so common.......dick

  9. Hello Mr Sysadmin by Cmdr.+Marille · · Score: 4

    Is patching really that hard?
    Now unfortunately they don't mention which sites where affected and what the crackers actually did.
    What I find really disturbing is the fact that for all of the 3 exploits(which are rather old) patches or configuration changes were avaiable. So you can bash Microsoft to death here for letting such security holes happen but at least they patched it. The question is wether or not the patches were avaiable before( I mean one of the holes was found in 99!)

    Is it really that hard to patch your system regulary as an Sysadmin? You are responsible for a e-commerce system and you don't fiond the time to patch your system? I guess most people don't even bother to read securityfocus or a similar ressource or at least the MS security bulletins.

    I guess a lot of corporations still think a security audit is some kinf of luxury and even more don't seem to remembers that it's not done with one check, security is soemthing you have to take care of constantely.
    And what are we going to see?
    People talking about master "hackers". In those cases the measures to close those holes seem pretty trivial(if the patches were avaiable on time, which you can't judge now).

    --

    "Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
  10. What MS needs is... by Trevor+Goodchild · · Score: 4


    ...a way to patch these holes automatically. Maybe they could develop a scripting language that could be run through an email client and then just mail the patch to everyone for auto-execution.

  11. Why are they complaining?? by James+Foster · · Score: 3

    If theres increased hacker activity... shouldn't e-commerce sites be happy?? I mean, it's not everyday you get people coming along and improving your site for free. If they had malicious intent (in which case they'd be crackers) then I could understand.

  12. The real cost of all this... by Phaid · · Score: 3

    A lot of posts on this thread are of the "when will it all end, what can we do about it" nature. And others on the theme of "it was better when it was just us geeks".

    The reason the Internet is such a great tool for communication, and also the reason that it is so easily abused, is that every node on the network is empowered. Everyone is able to send and receive at will, limited by the amount of bandwidth that they have. This is also its weakness, in that the model "trusts" its users not to abuse the system. Originally, when the network was all military and education, this was a reasonably safe assumption.

    But we've seen what happens when everyone trusts everyone else. Someone comes along and abuses that trust - like the Morris worm in 1988. So we try and secure our individual sites, which means that administrators have to be smart and knowledgeable because the nature of the traffic coming to their sites is not predictable. And, as ever, if we can't protect ourselves, someone's going to want to jump in and do it for us.

    My fear is that eventually the business side of the Net - its use as a money making tool - will overtake its other uses. That the "solution" to the problem of hacking and DDOSing will be to limit the traffic that flows through the network. That, essentially, the internet will turn into a giant content-delivery engine with just enough interactivity to allow you to Add Item to your Shopping Cart.

    Of course, the fact that commercial sites use crummy, easily hacked software tends to push in favor of these sorts of limits. Almost makes you wonder if they're doing it on purpose...

  13. I see a different trend... by SupahVee · · Score: 5
    I dont think that the problem lies with bigger and badder vulnerabilities, it lies with the fact that the people who are admin'ing these servers have not paid their dues properly.

    Hear me out on this one.

    The industry has been so cheapened by the fact that any yahoo that can read a book can pass an MCSE exam and get a 70k/yr job doing admin work on so-called "high-end" NT servers. When in reality this is like sending a kid who just got his driver's license at 16 to run the Indy 500. No driver's license or MCSE certificate can substitute for real world experience at the helm.

    And that comes out over time when you have inexperienced people out there. Common, fairly simple bugs and holes which come about through the normal life of software, become more serious when you don't have people with experience to handle them properly and do simple things like, say, remove the default configuration on software that is wide open like wu-ftpd and IIS. (Not to pick on any OS in particular, there)

    I think the NIPC warning just signifies from them what most of us (/.'ers and the like) have known for quite some time, that vulnerabilities are more serious when you don't have qualified people to take care of them

    --
    "See, we plan ahead! That way, we never have to do anything now."