
Re: Hacker cracks ESPN

At 09:30 PM 7/10/97 -0400, John Young wrote:
>
>Lynn Harrison wrote:
>
>>Starwave is warning customers about an "intruder" who took credit card
>>numbers from the ESPN and NBA Web sites and then sent messages to the card
>>owners about the alleged security flaws. Will the security breach on the
>>popular sports sites affect emerging e-commerce efforts?
>
>Is this the same story as the one in The Wall Street Journal today
>about Phiber Optic's "accidentally" sending worldwide a security
>test that automatically returns passwords stored on supposedly
>secure systems?

Nope.

http://www.computerworld.com/news/news_articles/970710onlineccard.html

Online credit-card scare an inside job, Starwave says

          Two separate but chilling messages were sent to people who
          purchased items online from ESPNet or the NBA Store this
          week. The first anonymous E-mail told shoppers they had
          been the victims of careless security and that their
          credit-card numbers and addresses were easily available.

          The second message, sent by E-mail and regular mail by the
          World Wide Web sites' host, Starwave Corp., alerted 2,397
          online shoppers that their credit-card information might have
          been misappropriated.

          Starwave said the credit-card information was in a secure,
          encrypted area that was accessed by an intruder who had
          the proper password information. "This was not done by a
          hacker," said Jennifer Yazzolino, a Starwave spokeswoman.
          "They knew how to get into the system and unlawfully used
          classified information." The area that the intruder broke into
          was an order-processing system that sends shoppers'
          orders from each site to 1-800-PRO-TEAM, a Florida
          fulfillment company.

          Following the break-in, Starwave called in the FBI and the U.S.
          Secret Service to investigate. It has also implemented a new
          encryption process and changed all system passwords. "We
          think this is a matter of a password either being used
          directly by someone involved with the system or passed along
          directly by someone involved in the system," Yazzolino said. 

          "We relied too much on human integrity."

>Phiber claims he did not know the test would generate a flood of
>passwords to his e-mail address: from corps, mils, and govs. 
>Says he's so sorry, especially because he's still doing
>community service.

One of the articles on the "hack" revealed that it was the INN hole
reported a while back.  The only people who got "caught" by the hack were
people who did not update their software.

>Phiber's employer refused to name the computer corp that installed the
>secure system Phiber was testing. However, experts interviewed said 
>the password snarf feature is, ahem, well-known to experts, and that 
>the only security worth trusting is the one you build and run yourself 
>and test frequently and still makes you lay awake at night shivering in 
>doubt fear and uncertainty -- like guilty-parental senators, TLA directors, 
>and all the world's bearers of the public trust and such fundy druggies.

It also shows what happens when you do not follow even the basic CERT
warnings...

---
|              "That'll make it hot for them!" - Guy Grand               |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer:         |
| mankind free in one-key-steganography-privacy!"  | Ignore the man      |
|`finger -l [email protected]` for PGP 2.6.2 key  | behind the keyboard.|
|         http://www.ctrl-alt-del.com/~alan/       |[email protected]|