Slashdot Mirror


A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com)

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.

37 comments

  1. rsync? by Anonymous Coward · · Score: 3, Insightful

    Most of us use rsync over SSH with key auth, which means something like RSA-2048 or 4096, or ED25519 (elliptic curve crypto, about the same security as AES-128). It is not even password-based.

    So, no, it was not rsync use that left things open. It was just incompetence.

    1. Re:rsync? by DaHat · · Score: 4, Interesting

      I see your problem...

      Most of us use rsync over SSH with key auth

Far too often, it is easy to turn off/on other features of a product which make it less secure, all in the effort to just make it work. Once that's all done, there isn't always a careful examination of what the other implications of their other fiddling are.

I'd be very curious as to which other companies/contractors were involved in this setup, as they and their other customers should probably be thinking about a PCI security audit.

    2. Re:rsync? by mfh · · Score: 1

      Incompetence or intentional.

      --
      The dangers of knowledge trigger emotional distress in human beings.
    3. Re:rsync? by Anonymous Coward · · Score: 0

      You sound like someone telling someone else they should use a hammer with a red handle instead of one with a blue handle.

      Rsync tunneled through ssh is encrypted and offers a lot of options for setting up secure data movement processes. Sure, it's easy for someone to "not use it right", but that's why you set up the process. It's never the tool that you trust - it's the process.

      It's just as easy for someone to uncheck the "don't ever uncheck this" switch in SuperSecureSoftwareYouPaid$$For v3.6.8.2 while they're using it. Again, it's not the tool, it's the process.

This was most likely a complete boneheaded thing like "it's too hard for me to move this around to the computer I really want to work on it with - I know, I'll just copy it to the website, download it from there and delete it when I'm done." Somebody thinking that their current needs are more important than following the established processes, and blowing things up. Like usual.

    4. Re:rsync? by Elentar · · Score: 1

There's one advantage to using the rsync protocol like this; you can provide file access without creating a user account on the system. Even if you secure that user account (e.g. by using an ssh key and limiting commands in it, by setting the shell to /sbin/nologin, using chroots, etc) it's still an account with access on the system. Using rsync in this way is analogous to putting some files on a web server behind Basic Auth. And like using a web server, it should never be used for files that contain sensitive information!

      --
      The wheel it turns, around and around, with an ancient rumbling sound.
    5. Re:rsync? by Anonymous Coward · · Score: 0

      I'd be very curious to which [sic] which other companies/contractors were involved in this setup

      The lowest bidder that's who. It was probably an Indian body shop run by the likes of Cognizant, Wipro or Tata, either that or the lowest bidder on rent-a-coder which is even a step down from that, sort of like hiring some random Indian who learned to "build websites" by memorizing bad example code and doing the needful. Incidentally, this is why you never give your credit card to third parties online.

    6. Re:rsync? by arglebargle_xiv · · Score: 1

      Again, it's not the tool, it's the process.

      Well, I'd say it's the tool who's using the tool.

    7. Re: rsync? by Anonymous Coward · · Score: 0

      You can add a forced command on the ssh key entry in the authorized keys file. So long as the user isn't given access to edit their own authorized keys file, you're set.

  2. What DB software is involved? Is it MongoDB? by Anonymous Coward · · Score: 0

    The article is shitty and doesn't even mention the database product(s) involved.

    Does anybody know if it's MongoDB?

    I ask because I remember Slashdot submissions like these:

    and this latest incident sounds similar in many ways. But can anybody confirm if this is indeed the case? Is or is not MongoDB involved?

    1. Re:What DB software is involved? Is it MongoDB? by Anonymous Coward · · Score: 0

      Wow. Just wow. Never miss an opportunity to spread the FUD, eh?

      Captcha: bungle, which is what we are looking at, not a systematic failure of MongoDB to reject unauthorized connections.

  3. By "synchronize", you mean "backup" by Anonymous Coward · · Score: 0

rsync is frequently and incorrectly used for backup. It's a miracle that the data didn't get mangled in transit. I've seen rsync corrupt data repeatedly in production "backup" systems. It's also an incredibly insecure protocol unless you use an SSH tunnel. Most people don't seem to bother with tunneling rsync via SSH either. There should be a big red warning sign when installing rsync for the first time on a system that you sign in blood that you won't ever use it for backups nor use it on the public Internet.

    1. Re:By "synchronize", you mean "backup" by avandesande · · Score: 1

      Why don't you think the backups aren't corrupt? With this level of incompetence they probably never tested a recovery....

      --
      love is just extroverted narcissism
    2. Re:By "synchronize", you mean "backup" by MtHuurne · · Score: 3, Informative

      I've never heard of rsync mangling data in transit. Are you sure it's not a case of corruption when trying to back up a file while it is being written to? That could happen if you don't create a snapshot of live data, but it's not a problem specific to rsync.

    3. Re:By "synchronize", you mean "backup" by omnichad · · Score: 1

      I guess they've never heard of one-way syncing and assume it would change the source data.

    4. Re:By "synchronize", you mean "backup" by ls671 · · Score: 2

It's also an incredibly insecure protocol unless you use an SSH tunnel. Most people don't seem to bother with tunneling rsync via SSH either.

No need for an ssh tunnel (e.g. ssh -L:port:target:port)

      Just tell rsync to use ssh like this:
      RSYNC_RSH='ssh -x -l root '
      export RSYNC_RSH

      then

      rsync -a host:/targetdir .

      about mangling the data: you obviously must be doing something wrong. I never had such problems...

      --
      Everything I write is lies, read between the lines.
    5. Re:By "synchronize", you mean "backup" by Anonymous Coward · · Score: 0

      Yeah, I'm gonna go ahead and call straight-up bullshit on your "rsync corrupts data repeatedly" claim. As others have mentioned, it's very easy to create reliable, not-at-all-corrupted backups with it. Years of use with it, never saw an issue (mostly zfs snapshots sent around now, but rsync was good while it lasted).

    6. Re:By "synchronize", you mean "backup" by Anonymous Coward · · Score: 1

You're probably getting corruption because you're copying files that are simultaneously being modified by other programs.

      This isn't a problem with rsync. If that's your criteria, then it follows that cp is notorious for corrupting files. rsync, scp, attic, borg, they'll all give you garbage if you tell them to do this.

      If you want to backup a live filesystem, you need to create a snapshot and then backup the snapshot. That's the only way to make sure your backup is crash consistent.

    7. Re: By "synchronize", you mean "backup" by cloudmaster · · Score: 1

      You allow remote root login? Doh.

Set up a nopasswd sudo rule for rsync and add this to your rsync command: `--rsync-path="sudo rsync"`. Then connect as a regular user.

  4. unhashed passwords, unencrypted card numbers by Anonymous Coward · · Score: 1

    sounds very PCI-compliant. Who was their auditor? Mr Magoo?

    1. Re:unhashed passwords, unencrypted card numbers by Anonymous Coward · · Score: 0, Insightful

      How do "plain-text passwords" even exist? No computer anywhere should have a record of users' passwords. They should be impossible for anyone to look up.

    2. Re:unhashed passwords, unencrypted card numbers by ls671 · · Score: 4, Funny

      I can see all the passwords on my linux system in /etc/shadow:

      joe:$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1:17275:0:99999:7:::

      see? The password for joe is:
      $6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1

      --
      Everything I write is lies, read between the lines.
  5. ssh-copy-id wide open to the outside or was the us by Joe_Dragon · · Score: 1

    ssh-copy-id wide open to the outside???

I can see some inside account using something like that to sync to another system, but that account should not be open unless they hacked in and got some passwords from a config file. Lots of software needs DB login info in plain text there.

  6. Old story is Old by sizzlinkitty · · Score: 5, Informative

    MacKeeper broke this story late November 2016 - https://mackeeper.com/blog/pos...

  7. Whew!Thank goodness I don't have a credit card! by Anonymous Coward · · Score: 0

    I think the DB was hacked and the thieves just left the door open when they split.

  8. PCI Failure at all levels by omnichad · · Score: 5, Insightful

    Even storing credit card data at all (instead of processor authorization tokens) is a huge red flag unless they want a mountain worth of additional compliance work.

And then they store it unencrypted....

    1. Re:PCI Failure at all levels by Anonymous Coward · · Score: 0

Even storing credit card data at all (instead of processor authorization tokens) is a huge red flag unless they want a mountain worth of additional compliance work...And then they store it unencrypted.

      Who's responsible for frauds resulting from this release? The negligence factor alone here would dictate that it's the merchant's fault. Can the credit card company sue this merchant for losses? It would be interesting to know what the remedy is in this case.

  9. Laws that protect customer data by Anonymous Coward · · Score: 2, Insightful

    Aren't there laws that require companies to protect customer data? There certainly should be.

    1. Re:Laws that protect customer data by Anonymous Coward · · Score: 0

      But, but, that would harm business! It would cost money! Money that companies could be using to surreptitiously take out life insurance policies on their employees, or funneling into their Irish subsidiary that pays no tax, or creating a super PAC, or any of a million other shady activities!

      Why do you hate America?!?

      Sincerely,
      Your local GOP representative

    2. Re:Laws that protect customer data by Anonymous Coward · · Score: 0

      They need to put laws in place so that if your website doesn't have experienced sysadmins constantly monitoring/operating it, then use a credit card processor like stripe.com so that credit card numbers are not stored at the website, but rather at Stripe.

  10. SSH is the *right* way to do rsync. Rsync protocol by raymorris · · Score: 1

    Using ssh transport instead of the native rsync protocol, which is unencrypted, is the *right* way to do remote rsync with sensitive data. Much like tunneling http over tls is the right way to do http for sensitive data.

You can also do the rsync network protocol bare, using an rsync:// url. That's the wrong way for sensitive data, and the way this developer chose to do it.
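The two transports argued over in this thread (the bare rsync daemon behind an rsync:// URL versus rsync over ssh with a locked-down key, as in the forced-command, RSYNC_RSH and --rsync-path replies above) in a runnable form. This is an added example, not code from the thread or from the rsync project. The two rsyncd.conf files are constructed samples; the account name "backup", the host 10.0.0.5, the directory /srv/export/customers and the assumption that the rrsync helper (shipped in rsync's support directory) is on PATH are all illustrative.

```shell
#!/bin/sh
# Added example, not from the thread or the rsync project.
#  1. audit_rsyncd_conf: flag rsync daemon modules that can be reached with
#     no credentials at all (the bare rsync:// setup discussed above);
#  2. restricted_key_entry / pull_over_ssh_cmd: the ssh transport with a
#     forced command so the key can only run rsync, read-only, in one tree.

# Constructed, deliberately weak rsyncd.conf: the module has no "auth users",
# no "secrets file" and no "hosts allow", so anyone who can reach TCP/873 can
# list the module and pull everything in it.
write_weak_conf() {
  cat > "$1" <<'EOF'
uid = nobody
gid = nobody
use chroot = yes

[customers]
    path = /srv/export/customers
    comment = customer database dumps
    read only = yes
EOF
}

# Constructed hardened version of the same module. Caveat: daemon auth is a
# challenge/response, but file data still crosses the wire in the clear, so
# for sensitive data the ssh transport further down is the better choice.
write_hardened_conf() {
  cat > "$1" <<'EOF'
uid = nobody
gid = nobody
use chroot = yes

[customers]
    path = /srv/export/customers
    comment = customer database dumps
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.5
    hosts deny = *
EOF
}

# audit_rsyncd_conf FILE
# Prints one line per module missing any of "auth users", "secrets file" or
# "hosts allow"; exit status 1 if such a module exists, 0 otherwise. Settings
# placed in the global section are not credited to modules: the check is
# deliberately conservative and wants each module restricted explicitly.
audit_rsyncd_conf() {
  awk '
    function report() {
      if (mod == "") return
      miss = ""
      if (!has_auth)    miss = miss " auth-users"
      if (!has_secrets) miss = miss " secrets-file"
      if (!has_hosts)   miss = miss " hosts-allow"
      if (miss != "") { printf "%s: missing%s\n", mod, miss; bad = 1 }
    }
    /^[ \t]*#/ { next }                        # comment line
    /^[ \t]*\[.*\][ \t]*$/ {                   # [module] header
      report()
      mod = $0
      gsub(/^[ \t]*\[|\][ \t]*$/, "", mod)
      has_auth = 0; has_secrets = 0; has_hosts = 0
      next
    }
    mod != "" && /^[ \t]*auth users[ \t]*=/   { has_auth = 1 }
    mod != "" && /^[ \t]*secrets file[ \t]*=/ { has_secrets = 1 }
    mod != "" && /^[ \t]*hosts allow[ \t]*=/  { has_hosts = 1 }
    END { report(); exit bad }
  ' "$1"
}

# restricted_key_entry PUBKEY DIR
# authorized_keys line for the backup account: "restrict" turns off pty,
# port/agent/X11 forwarding, and command= forces rrsync (assumed on PATH) in
# read-only mode rooted at DIR, so the key cannot open a shell or read
# anything outside that tree even if it leaks.
restricted_key_entry() {
  printf 'restrict,command="rrsync -ro %s" %s\n' "$2" "$1"
}

# pull_over_ssh_cmd KEYFILE HOST DEST
# Client side that replaces rsync://HOST/customers: ssh transport with the
# dedicated key; rrsync maps "/" to DIR, and no root login is needed.
pull_over_ssh_cmd() {
  printf 'rsync -a -e "ssh -i %s -l backup" %s:/ %s\n' "$1" "$2" "$3"
}

# Demonstration on the constructed files.
main() {
  d=$(mktemp -d)
  write_weak_conf "$d/weak.conf"
  write_hardened_conf "$d/good.conf"
  echo "weak.conf:";  audit_rsyncd_conf "$d/weak.conf" || echo "  -> FAIL"
  echo "good.conf:";  audit_rsyncd_conf "$d/good.conf" && echo "  -> OK"
  restricted_key_entry "ssh-ed25519 AAAAC3...EXAMPLE backup@client" /srv/export/customers
  pull_over_ssh_cmd "$HOME/.ssh/backup_key" 10.0.0.5 /var/backups/customers
  rm -rf "$d"
}
main
```

Running it prints `customers: missing auth-users secrets-file hosts-allow` for the weak config and nothing but OK for the hardened one. The audit is a pre-deployment check, not a fix: even a module that passes still moves data unencrypted, which is why the second half emits the ssh-side pieces instead. On the server, the secrets file must also be readable only by the daemon user (rsync refuses a world-readable secrets file under the default strict modes).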

  11. Number please.. by Neuronwelder · · Score: 1

    It's happened so many times, lost count. How many times have credit cards been exposed to this kind of peril?

  12. Using it wrong (there are many options) by raymorris · · Score: 1

    Unlike most protocols, rsync has a built-in checksum, actually many, many checksums, so it's much more reliable than just about any other protocol. It checksums every few kilobytes.

We backup many terabytes every day and we periodically verify the backups with SHA-2 hashes. I've never found corruption due to rsync. On the other hand, rsync *is* very flexible and there are many options. It's certainly possible to use a set of options that doesn't give you what you want.

Also, if you're backing up live systems, especially databases, using any method, you have to take care that the data doesn't change while you're backing it up. That applies to any method of backup. For mysql, see man mysqldump, then back up the dumped files.

  13. The Open Internet by PPH · · Score: 1

    Well, thank goodness that's gone.

    --
    Have gnu, will travel.
  14. Linux by Anonymous Coward · · Score: 0, Funny

    Why these people continue to use Linux is beyond me. I mean year after year of hacked Linux servers doesn't tell you anything?

    Go get a decent UNIX server you clods.

  15. Yes, and laws setting max speed on roads by raymorris · · Score: 1

    > Aren't there laws that require companies to protect customer data?

    Yes, and there are laws requiring everyone to drive under 65 MPH. It seems that making a law doesn't actually mean people will do anything differently.

  16. From Their Website - FuturePets.com by Anonymous Coward · · Score: 0

    Order On-Line [sic] 24 / 7 Totally Secure!

Who hyphenates online? Hillbilly small business people, that's who. As for their "Totally Secure" online ordering, well let's just say that they're partying like it's 1994 with that awful website. It's hideous actually. Who would even think about giving their credit card to these people? Morons, that's who.

  17. Prosecute by Anonymous Coward · · Score: 0

Prosecute every online company heavily for ANY type of data breach, only then will they do a decent job of security.

The other day the company who "had the most secure email" was shown to be a sham and they claim it was secure because "none of the customers had been hacked". The guy should be jailed for a statement like that.

Also, if you use 3rd party software then that software should only be used if the dev team are currently working on the project and it is open for and accredited via a security organisation; this is to stop people using 3rd party php code etc from forums and code repositories.