FW: [WEB SECURITY] CardSystems was a Web Application Hack
- From: "Mann, Sarah X (UK - London)" <sxmann@xxxxxxxxxxxxxx>
- Subject: FW: [WEB SECURITY] CardSystems was a Web Application Hack
- Date: Tue, 18 Apr 2006 18:43:06 +0100
The FTC report describes it as a SQL injection attack:
http://www.ftc.gov/os/caselist/0523148/0523148complaint.pdf

In September 2004, a hacker exploited the failures set forth in Paragraph 6 by using an SQL injection attack on respondent's web application and website to install common hacking programs on computers on respondent's computer network. The programs were set up to collect and transmit magnetic stripe data stored on the network to computers located outside the network every four days, beginning in November 2004. As a result, the hacker obtained unauthorized access to magnetic stripe data for tens of millions of credit and debit cards.
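The FTC complaint quoted above names SQL injection through the customer-facing web application as the entry point. The following is an added illustration (not code from the FTC report, from CardSystems, or from anyone in this thread) of the defect class and its fix: a lookup built by string concatenation beside the same lookup using bound parameters. The `accounts` table, the merchant names and the `lookup_*` function names are all constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original page): a tiny "accounts" table
# standing in for the account-information application the complaint describes.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, merchant TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alpha", 10.0), (2, "beta", 20.0), (3, "gamma", 30.0)])
    return conn

def lookup_vulnerable(conn, merchant):
    # The query text is assembled from user input, so the database parses the
    # input as SQL. A value that closes the quote and appends "OR '1'='1" turns
    # a one-row lookup into a dump of the whole table.
    sql = "SELECT id, merchant, balance FROM accounts WHERE merchant = '" + merchant + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, merchant):
    # Bound parameters: the SQL text is fixed and the value travels separately,
    # so the same input is compared literally and matches no merchant.
    sql = "SELECT id, merchant, balance FROM accounts WHERE merchant = ?"
    return conn.execute(sql, (merchant,)).fetchall()

# A constructed input of the kind that defeats the concatenated query.
CRAFTED = "x' OR '1'='1"

def demo():
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, CRAFTED)),      # every row
        "parameterized_rows": len(lookup_parameterized(conn, CRAFTED)),  # no rows
        "normal_rows": len(lookup_parameterized(conn, "beta")),          # one row
    }

if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count}")
```

The same contrast holds for any driver that supports placeholders; the point is that the SQL text must never be built from request data, regardless of how that data is filtered upstream.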
________________________________
From: Argeniss [mailto:lists@argeniss.com]
Sent: Tue 18/04/2006 18:25
To: Jeremiah Grossman
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] CardSystems was a Web Application Hack
What I have heard (from a trusted source) is that a SQL Injection vulnerability was exploited; the attacker created a Job in the database server that pulled out new records every 4 (?) days. This is a very easy attack since most database servers allow scheduling of actions as Jobs. We have developed similar and new attacks that allow stealing complete databases from the Internet; I hope we will be presenting this at the next Black Hat :)

Cesar.

Jeremiah Grossman wrote:
> Most are already familiar with the infamous CardSystem incident where
> hackers stole 263,000 credit card numbers and exposed 40 million more.
> What remained a mystery is how exactly the hack occurred since what we
> knew was mostly scattered rumors and theories.
>
> Bill Pennington pointed me to a new article in Information Security
> magazine (April 2006) describing some new details.
>
> Security Survivor All-Stars
> http://informationsecurity.techtarget.com/magLogin/1,291245,sid42_gci1175858,00.html
>
> *Unfortunately I've not been able to find an online version that doesn't
> require a subscription.
>
> "In September 2004, hackers dropped a malicious script on the
> CardSystems application platform, injecting it via the Web application
> that customers use to access account information. The script, programmed
> to run every four days, extracted records, zipped them and exported them
> to an FTP site."
>
> This reads to me like it was a web application hack, but it's difficult
> to derive what class of attack. If I had to guess, it was probably
> an OS Commanding issue in order to write executable code onto the
> file-system.
>
> Regards,
>
> Jeremiah-
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
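Cesar's account above is that persistence lived in the database itself: a scheduled Job that pulled fresh records every few days. For a defender, the corresponding control is a periodic audit of the job scheduler against a change-controlled baseline. The following is an added example (not code from Argeniss, CardSystems or the FTC) that runs such an audit over constructed job records shaped like a flattened export of SQL Server Agent's `msdb.dbo.sysjobs`, `sysjobsteps` and `sysschedules` rows. The job names, commands, dates, the `BASELINE_JOB_NAMES` set and the scoring threshold are all assumptions made for the example; the generalisation beyond the four-day cadence in the thread (flagging any multi-day schedule, any non-T-SQL subsystem and any step that can run OS commands or move data off the host) is mine.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AgentJob:
    """One flattened job record: name/owner/date_created as in sysjobs,
    subsystem/command as in sysjobsteps, freq_* as in sysschedules."""
    name: str
    owner: str
    date_created: datetime
    subsystem: str          # "TSQL", "CmdExec", "PowerShell", ...
    command: str            # the step's command text
    freq_type: int = 0      # 4 = daily-type schedule, i.e. every freq_interval days
    freq_interval: int = 1

# Constructed inventory snapshot (not real CardSystems data). "now" is pinned so
# the age checks are reproducible.
NOW = datetime(2004, 11, 20)
BASELINE_JOB_NAMES = {"nightly_index_maint", "weekly_report_export"}

SAMPLE_JOBS = [
    AgentJob("nightly_index_maint", "sa", datetime(2003, 2, 1), "TSQL",
             "EXEC dbo.rebuild_indexes", freq_type=4, freq_interval=1),
    AgentJob("weekly_report_export", "sa", datetime(2003, 6, 15), "TSQL",
             "EXEC dbo.build_weekly_report", freq_type=4, freq_interval=7),
    # A constructed job with the shape the thread describes: new, not in the
    # baseline, shell-capable, exports data and runs every four days.
    AgentJob("sys_maint_2", "sa", NOW - timedelta(days=3), "CmdExec",
             'bcp "SELECT * FROM cards" queryout out.dat -c && ftp -s:push.txt',
             freq_type=4, freq_interval=4),
]

# Tokens that let a job step run OS commands or move data off the host.
# Tune the list for the platform in use; these are the common SQL Server ones.
EXFIL_CAPABLE = re.compile(r"xp_cmdshell|sp_oacreate|\bbcp\b|\bftp\b|powershell|openrowset",
                           re.IGNORECASE)

def audit_jobs(jobs, baseline, now, new_window_days=30):
    """Return (job_name, [reasons]) for every job that trips at least one rule."""
    findings = []
    for job in jobs:
        reasons = []
        if job.name not in baseline:
            reasons.append("not in the change-controlled baseline")
        if now - job.date_created <= timedelta(days=new_window_days):
            reasons.append(f"created within the last {new_window_days} days")
        if job.subsystem.upper() != "TSQL":
            reasons.append(f"uses the {job.subsystem} subsystem (can run OS commands)")
        hit = EXFIL_CAPABLE.search(job.command)
        if hit:
            reasons.append(f"step command references '{hit.group(0)}'")
        if job.freq_type == 4 and job.freq_interval > 1:
            reasons.append(f"runs every {job.freq_interval} days")
        if reasons:
            findings.append((job.name, reasons))
    return findings

def high_risk(findings, min_reasons=3):
    """Cadence alone is a weak signal (legitimate weekly jobs exist), so only
    jobs that trip several rules are escalated."""
    return [(name, reasons) for name, reasons in findings if len(reasons) >= min_reasons]

if __name__ == "__main__":
    for name, reasons in audit_jobs(SAMPLE_JOBS, BASELINE_JOB_NAMES, NOW):
        print(name)
        for r in reasons:
            print("  -", r)
    print("escalate:", [n for n, _ in high_risk(audit_jobs(SAMPLE_JOBS, BASELINE_JOB_NAMES, NOW))])
```

In practice the records would come from a read-only query against the scheduler's catalog, run from outside the database host, and the baseline would be the set of jobs that passed change control; a job appearing with no ticket behind it is itself the finding, whatever its command text says.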