A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.

rsync?

Most of us use rsync over SSH with key auth, which means something like RSA-2048 or 4096, or ED25519 (elliptic curve crypto, about the same security as AES-128). It is not even password-based.

So, no, it was not rsync use that left things open. It was just incompetence.

Re:rsync?

[DaHat]

I see your problem...

Most of us use rsync over SSH with key auth

Far too often, it is easy to turn off/on other features of a product which make it less secure, all in the effort to just make it work. Once that's all done, there isn't always a careful examination of what the other implications of their other fiddling is.

I'd be very curious to which which other companies/contractors were involved in this setup, as they and their other customers should probably be thinking about a PCI security audit.

Re:rsync?

[mfh]

Incompetence or intentional.

Re:rsync?

[Elentar]

There's one advantage to using the rsync protocol like this; you can provide file access without creating a user account on the system. Even if you secure that user account (e.g. by using an ssh key and limiting commands init, by setting the shell to /sbin/nologin, using chroots, etc) it's still an account with access on the system. Using rsync in this way is analogous to putting some files on a web server behind Basic Auth. And like using a web server, it should never be used for files that contain sensitive information!

Re:rsync?

[arglebargle_xiv]

Again, it's not the tool, it's the process.

Well, I'd say it's the tool who's using the tool.

unhashed passwords, unencrypted card numbers

sounds very PCI-compliant. Who was their auditor? Mr Magoo?

Re:unhashed passwords, unencrypted card numbers

[ls671]

I can see all the passwords on my linux system in /etc/shadow:

joe:$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1:17275:0:99999:7:::

see? The password for joe is:
$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1

Re:By "synchronize", you mean "backup"

[avandesande]

Why don't you think the backups aren't corrupt? With this level of incompetence they probably never tested a recovery....

ssh-copy-id wide open to the outside or was the us

[Joe_Dragon]

ssh-copy-id wide open to the outside???

I can see some inside account using something like that to sync to an other system but that account should not be open unless they hacked in and got some passwords from an config file. Lot's of software needs DB login info in plain text there.

Old story is Old

[sizzlinkitty]

MacKeeper broke this story late November 2016 - https://mackeeper.com/blog/pos...

Re:By "synchronize", you mean "backup"

[MtHuurne]

I've never heard of rsync mangling data in transit. Are you sure it's not a case of corruption when trying to back up a file while it is being written to? That could happen if you don't create a snapshot of live data, but it's not a problem specific to rsync.

PCI Failure at all levels

[omnichad]

Even storing credit card data at all (instead of processor authorization tokens) is a huge red flag unless they want a mountain worth of additional compliance work.

And then they store it unencrytped....

Laws that protect customer data

Aren't there laws that require companies to protect customer data? There certainly should be.

Re:By "synchronize", you mean "backup"

[omnichad]

I guess they've never heard of one-way syncing and assume it would change the source data.

SSH is the *right* way to do rsync. Rsync protocol

[raymorris]

Using ssh transport instead of the native rsync protocol, which is unencrypted, is the *right* way to do remote rsync with sensitive data. Much like tunneling http over tls is the right way to do http for sensitive data.

You can also do the rsync network protocol bare, using a rsync:// url. That's the wrong way for sensitive data, and the way this developer chose to do it.

Number please..

[Neuronwelder]

It's happened so many times, lost count. How many times have credit cards been exposed to this kind of peril?

Using it wrong (there are many options)

[raymorris]

Unlike most protocols, rsync has a built-in checksum, actually many, many checksums, so it's much more reliable than just about any other protocol. It checksums every few kilobytes.

We backup many terabytes every day and we periodically verify the backups with Sha-2 hashes. I've never found corruption due to rsync. On the other hand, rsync *is* very flexible and there are many options. It's certainly possible to use a set of options that doesn't give you what you want.

Also, if you're backing up live systems, especially databases, using any method, you have to take care that the data doesn't change while your backing it up. That applies to any method of backup. For mysql, see man mysqldump, then back up the dumped files.

The Open Internet

[PPH]

Well, thank goodness that's gone.

Re:By "synchronize", you mean "backup"

[ls671]

It's also an incredibly insecure protocol unless you use a SSH tunnel. Most people don't seem to bother with tunneling rsync via SSH either.

No need for an shh tunnel (e.g. ssh -L:port:target:port)

Just tell rsync to use ssh like this:
RSYNC_RSH='ssh -x -l root '
export RSYNC_RSH

then

rsync -a host:/targetdir .

about mangling the data: you obviously must be doing something wrong. I never had such problems...

Yes, and laws setting max speed on roads

[raymorris]

> Aren't there laws that require companies to protect customer data?

Yes, and there are laws requiring everyone to drive under 65 MPH. It seems that making a law doesn't actually mean people will do anything differently.

Re:By "synchronize", you mean "backup"

You're probably getting corruption because your copying files that are simultaneously being modified by other programs.

This isn't a problem with rsync. If that's your criteria, then it follows that cp is notorious for corrupting files. rsync, scp, attic, borg, they'll all give you garbage if you tell them to do this.

If you want to backup a live filesystem, you need to create a snapshot and then backup the snapshot. That's the only way to make sure your backup is crash consistent.

Re: By "synchronize", you mean "backup"

[cloudmaster]

You allow remote root login? Doh.

Set up a nopasswd sudo rule for rsync and add this to your rsync command: `--rsync-path="sudo rsync".` Then connect as a regular user.