PetCo.com Vulnerable to SQL Injection

  • It even happens to the big boys. The prize? A package of 500,000 credit card numbers with customer names and addresses.

    http://www.theregister.co.uk/content/55/31478.html

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


  • I guess this brings up the issue of why was PetCo even storing the credit card numbers in the first place...I've heard of some situations where the vendor would need to apply multiple debits on the card for large purchases, but I can't imagine many things on the PetCo site that would fall under this category...I think it may be a best practice NOT to store card details in a database, particularly a web storefront database, or at least a WORST practice to store the information for onesy-twosy transactions, like the ones probably found on PetCo's site...

  • I agree wholeheartedly with you. In the case where the company is small and can't afford two servers, you might can understand why. But not when you're big enough to have this many customers. What's ironic is that the security researcher checked PetCo.com based on the FTC complaint against Guess.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


  • What I love is the statement "Security Researcher" that is being thrown around these days. What is the difference between him and the kid down the street who reports the same flaw but they call a hacker even though he did nothing more than find and report.

  • Hacker is actually misused by the media for what it originally meant: someone who dug into a system to figure out how it works. It used to be a revered term.

    It's actually a question of motive:

    Security Researcher - looks for vulnerabilities, is generally responsible about reporting them to the appropriate party. The fact that some practice open disclosure blurs this. Generally, therefore, someone who investigates, finds, and reports.

    Cracker - A more appropriate term than hacker. Someone who investigates for malicious reasons. For instance, a person who would find he/she had access to the credit card numbers and then would have turned around and used them for personal gain (identity theft, for instance).

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


  • >> (hacker) ..It used to be a revered term.

    Still is where I'm standing 🙂

    >> It's actually a question of motive:
    >> Security Researcher - looks for vulnerabilities, is generally responsible
    >> about reporting them to the appropriate
    >> ..... the fact that some practice open disclosure blurs this. Generally,
    >> therefore, someone who investigates, finds, and reports.

    You are eloquent and on the money as always. I've a lot of respect for not only the skills, but also the morality of a lot of the players here (an example being e-eye).

    Even open disclosure, with all its perils -- particularly when the disclosure comes in the form of a ready-rolled exploit + readme for dummies -- is better than allowing companies to "get away" with security through obscurity.

    What I wonder about is the business model for some of these "researchers", and the obvious potentials for conflict of interest (The AV crowd being probably the most obvious, but let's leave them for a moment). How do you make cash from your research, assuming that you follow decent disclosure process? Microsoft have started giving "props" in the documentation of their patch documentation, but this is surely only valuable as a marketing tool.

    Do you work as consultants to corporate clients -- tipping off your clients ahead of time? Does that model really work if everybody knows that you will not make your work public until there is a fix? Are you tempted to "demonstrate" the power of an exploit -- particularly if you get frustrated with the response of an ISV?

    Is the advertising value cost effective simply to generate premium-priced security-audit/consultancy work?

    Any views? Anyone worked in this field, and made it pay (or otherwise?)

    Edited by - planet115 on 07/01/2003 12:34:12 PM

  • quote:

    Even open disclosure, with all its perils -- particularly when the disclosure comes in the form of a ready-rolled exploit + readme for dummies -- is better than allowing companies to "get away" with security through obscurity.

    Agreed. GreyMagic Software practiced open disclosure of 9 javascript vulnerabilities in IE. Their reasoning was Microsoft didn't play nicely with them the previous few times. Without being privy to the details, no one can say if they were justified in their relationship with Microsoft. However, they didn't use the info to blackmail Microsoft, hence the company being placed into the security researcher category.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


  • Yeah, people with a clue. By the way speaking of MS and AV, did you see where they are finally going to start offering an AV product themselves. Personal opinion, the darn thing should be free to keep 90% of the problems they create from bugging (yes PUN time) us.

  • quote:

    Are you tempted to "demonstrate" the power of an exploit -- particularly if you get frustrated with the response of an ISV?

    To this I would say no. Reporting on an exploit and demonstrating it are two different things. Here's an example where things can go very bad for the one doing the demonstration.

    http://www.eff.org/Legal/Cases/Intel_v_Schwartz/

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    Edited by - bkelley on 07/01/2003 2:43:52 PM


  • Hi all

    Funny enough we had a panic session with our apps re SQL injection attacks along with cross-site scripting problems. Generally speaking here, it's the tardiness of developers that's the issue. I come from an old school developer background where our C development lecturer (ex-military) would knock off assignment marks quicker than a rabbit on fire without correct parameter validation. People get sloppy (copying and pasting existing code is a classic) and, worse still, a small startup.com app (probably like petco.com) that turned from a small app with 2 users into 500k users and big $ turnover, never to review that old code that had inline SQL in their ASPs!

    The comments from petco were funny re not finding any other evidence; of course, most of the db ops that can be done won't be tracked via the webserver logs (esp. if they were hex encoded).

    Another thing with credit cards, why aren't they being encrypted? Strange.

    Cheers

    Ck

    Chris Kempster

    http://www.chriskempster.com

    Author of "SQL Server 2k for the Oracle DBA"


  • Please don't demonstrate a vulnerability. I like full disclosure, but contact the company first and explain you "stumbled" upon this. Maybe even use an anonymous hotmail account. Or better yet, contact BugTraq or CERT and let them know. If nothing gets done in a reasonable time frame, which I would put at a month, I'd probably suggest contacting a press organization and let them handle it.

    Demonstrating it makes you look bad and opens you up to potential legal actions.

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net

  • A fair comment Steve.

    Thinking about ways to protect your apps, the new .NET module and handler managed via the HTTP API is a fantastic way of quickly implementing an application firewall to prefilter any incoming/outgoing request from your app. Previously this was a pain, restricted to C++ programming with ISAPI. The app firewall is probably the single best way to go, and be 100% sure you covered all client facing pages.

    Cheers

    Ck

    Chris Kempster

    http://www.chriskempster.com

    Author of "SQL Server 2k for the Oracle DBA"

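Two points in the posts above go together: hex (URL) encoded requests slip past a naive read of the webserver logs, and a module-style prefilter in front of every page is the quickest blanket defence. The snippet below is an added example, not code from the thread or from any poster: it fully URL-decodes each parameter (so %27 and double-encoded %2527 are inspected as the quote they become) and then flags common injection indicators, usable as a request prefilter or over W3C-style IIS log lines. The log entries and the pattern list are constructed for the example.

```python
"""Added example: decode-then-inspect SQL-injection prefilter / log reviewer."""
import re
from urllib.parse import unquote_plus

# Indicator patterns (constructed list); all are evaluated on DECODED text.
INDICATORS = [
    ("quote+comment", re.compile(r"'.*(--|/\*)", re.S)),
    ("tautology", re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("union select", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("stacked query", re.compile(r";\s*(select|insert|update|delete|exec|drop)\b", re.I)),
]

def full_decode(value: str, max_passes: int = 3) -> str:
    """URL-decode until the text stops changing (bounded), so that
    double-encoded input such as %2527 is seen as the quote it really is."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_query(query: str) -> list[str]:
    """Names of the indicators matched by any parameter value in a query string."""
    hits: list[str] = []
    for part in query.split("&"):          # split BEFORE decoding: encoded '&' stays in its value
        _, _, raw = part.partition("=")
        decoded = full_decode(raw)
        for name, pattern in INDICATORS:
            if pattern.search(decoded) and name not in hits:
                hits.append(name)
    return hits

# Constructed W3C/IIS-style entries: date time method uri-stem uri-query status
SAMPLE_LOG = """\
2003-07-01 12:34:12 GET /shop/product.asp ProductID=NI-SQL1 200
2003-07-01 12:35:40 GET /shop/product.asp ProductID=1%27%20OR%201%3D1-- 200
2003-07-01 12:36:02 GET /shop/product.asp ProductID=1%2527%2520OR%25201%253D1-- 200
"""

def review_log(text: str) -> list[tuple[str, list[str]]]:
    """(uri-query, indicators) for every log line that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 6:                # skip headers / malformed lines
            continue
        hits = inspect_query(fields[4])    # uri-query field
        if hits:
            findings.append((fields[4], hits))
    return findings
```

A single `unquote_plus` pass would leave the third entry looking like `1%27%20OR...`, which is exactly the "hex encoded" blind spot the post describes; the bounded loop closes it without letting a pathological input spin forever.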

  • I've been looking at e-commerce and one of the options open to me as a developer is to route the payment method through a known credit card provider. In the case of my client they have chosen Barclays bank so this means that all credit card details are handled by the bank systems and not mine.

    I think the cost of proper secure transaction handling should be part of the business plan. Given the costs of hardware/software/hosting these days this doesn't have to be prohibitively expensive.

    I don't have a problem with people who want to find out how things work, but I do have a problem with people who break into systems with the intent to screw up other people's work.

    I would prefer to spend my time coding apps to aid my business rather than devoting a lot of time and effort fighting toe-rags. I've had to spend a lot of time designing an elaborate security scheme to protect, frankly, boring data and yet I've had to do it because in the past, some moron thought it would be funny to vandalise it.

  • Steve, I agree with you *in principle*, especially if you have come across a security bug by chance -- although I don't think I can match your humility 🙂

    However, I found Brian's example of the Schwartz case very interesting, and in only a few links I came across: http://www.lightlink.com/spacenka/fors/jeffrey/ovs/cs14.html

    Obviously I can't vouch for the accuracy of these particular accusations of horrendous corporate practice, but the concept of organisations and individuals lying, cheating and abusing any process that they can get away with is something I think most people have experienced first hand. When it happens in a technical field (where, say, one discovers beyond any doubt that a product or service does not do something claimed of it, but this discovery -- and the finder with it -- are covered up / rubbished / flat out denied by 'professionals'), it seems even less just. Whistleblowers are pretty much universally reviled and while this is understandable (nobody wants to be betrayed by someone on their 'side') I don't think it's always helpful. Expecting a standard of behaviour by third parties (in Steve's example anonymous early disclosure to the vendor) only makes sense if you can expect -- and enforce -- a similar standard of behaviour from the vendor.

    I'm not sure we can expect all software companies to adhere voluntarily to such high standards -- especially when doing so will cost them (in the short term at least). There needs to be a foil. I suppose that CERT/Bugtraq may fulfil this role (I'm not familiar with them beyond knowing of their existence and having read a bulletin or two). Steve suggests letting the press handle disclosure -- fair enough, and pragmatic -- but why should someone be scared into handing over their discovery to a third party? If it's a technical issue, why does it have to be treated as a public relations issue, and will this really get the best fix? And, showing my hubris again, why *shouldn't* the finder get proper acknowledgment for their work?

    </rant> 🙂

    So my question is, is there a role for professional security researchers? How should they be regulated and, again, how do they earn revenue?

    There are recent cases of corporations using the DMCA to stiff even academic research -- http://www.theregister.co.uk/content/55/30692.html -- that are simply chilling. If the law ultimately supports this kind of censorship (and I surely hope it will not), then that leaves the only direct revenue stream as blackmail, with a potential secondary market in theft/fraud/espionage. This is clearly not desirable, and that's why I see the need for a legitimate revenue stream from such work. I'm sure such a balance has already been found by many companies, I'm just interested in the mechanics.

  • quote:

    In the case of my client they have chosen Barclays bank so this means that all credit card details are handled by the bank systems and not mine.

    I looked at the Barclay's offering -- the main motivation being to try and put some distance between myself and CNP credit card fraud. It looked OK, but worked out very expensive with a small (<£10,000 per month) turnover. How did you get on with them?
