SAN MATEO (01/24/2000) - Out of the blue, your bank issues you a new credit card. Why? Not because the old one expired. Although the bank doesn't publicly admit anything, the explanation during a phone conversation says it all: "The bank decided to issue new cards to all our subscribers for the year 2000."
Yeah, and I like to throw money out the window for no good reason. Chances are that the bank's credit card numbers have been compromised.
For the unlucky ones, similar security breaches have made numerous headlines in the last couple of weeks and show no sign of letting up. Pacific Bell Internet Services recently requested that all of their 330,000 users change their passwords due to a hacker breach and the compromising of the user account database. And then there was CD Universe, whose customer database was reportedly broken into and whose credit cards were held for ransom. It's a brave new world.
Pacific Bell Corp. Internet Services sent the extraordinary request to all their Internet subscribers. The reason? In early December 1999, a 16-year-old member of the group Global Hell used his personal Linux system to reportedly compromise 26 companies, including a number of ISPs (of which Pacific Bell was one). When authorities tracked him down and confiscated his system, they found more than 200,000 Pacific Bell Internet user accounts; the lad had cracked 63,000 of them. As reported by Damian Frisbee, the detective in charge at the Sacramento Valley High Tech Crimes Task Force, in Calif., the full forensics on the Linux system will be completed in the coming weeks with the help of the FBI. Until then the hacker has been released to his parents. Frisbee anticipates the juvenile will be charged with several felony counts, including unlawful access and grand theft.
Although there have been no reports from Pacific Bell of abuse, the company is wisely requesting that every Internet subscriber change their password.
Sometime after sending a second notice, Pacific Bell will shut down the accounts that have not complied. The other 25 companies and ISPs that were affected by this hack have not reacted as proactively as Pacific Bell Internet has. Those silent companies most likely fear the bad publicity from such an admission of compromise. We give Pacific Bell kudos for speaking out honestly and strongly, but unless they fix the holes the hacker found and remove any backdoors he installed, changing passwords will provide little security.
Another hack attack reared its ugly head in early January at CD Universe, an online company in Wallingford, Conn. CD Universe was reportedly compromised, and some 300,000 credit card numbers were pilfered. The hacker, named Maxus, then reportedly published some 25,000 of those numbers on his own Web site.
(There's some brains for you.) This attack is a perfect example of why we remind everyone that Secure Sockets Layer (SSL) is only the beginning for online commerce. If the systems that house the credit cards are not secure, all the SSL encryption in the world won't prevent attackers from obtaining sensitive customer information.
Some media agencies reported that Maxus obtained initial access through a hole discovered in CyberCash's ICVerify product. However, since that initial report, CyberCash officials have denounced the accusations stating, "[ICVerify] is not being used by CD Universe on its Web site. Therefore, the credit card information cited in recent coverage could not have come from ICVerify."
However, we checked with Brett Brewer, vice president of eCommerce at CD Universe, and he stated that his company in fact had been using ICVerify up until the day we called. Take that for what it's worth, but from our perspective CyberCash has a lot of explaining to do.
I wish I could say that these attacks are the work of rocket scientists with mystical powers that only few are graced with, but the truth is that most attacks take advantage of human error (about 50 percent) or misconfiguration by system administrators (20 percent). For example, simple-to-guess or default user names and passwords on both systems and network devices are the most prevalent means of access for attackers.
Sure, some hackers take complicated exploits posted to Bugtraq and exploit them on systems (20 percent). But only a few individuals can actually discover and exploit a new vulnerability such as a buffer overflow, an input validation attack, or an unsanitized CGI script (all of these add up to less than 10 percent of the reasons for most attacks). Then these few folks can give out the exploit to the underground, where they and others can run it against vulnerable servers. But most of the miscreant teenage hacking we hear so much about simply takes advantage of the mundane attacks. Why? Because there are so many vulnerable systems.
How do you think most of the hackers get into your systems? Write to us at firstname.lastname@example.org.
Stuart McClure is an independent security consultant at Rampart Security Group.
Joel Scambray is a consultant at Ernst & Young. They have encountered numerous technologies during their 10 years in information security. They recently wrote the security book Hacking Exposed (Osborne McGraw-Hill).