Interesting People mailing list archives

Clues on how 8 Million Credit Accounts Exposed?


From: Dave Farber <dave () farber net>
Date: Fri, 21 Feb 2003 14:16:42 -0500


------ Forwarded Message
From: AD Marshall <AD.VICE () ParadoxCafe Net>
Date: Fri, 21 Feb 2003 23:59:24 +0700
To: dave () farber net
Subject: Clues on how 8 Million Credit Accounts Exposed?


From: Ted Bridis <tbridis () ap org> [Original message below]
To: dave () farber net
Subject: RE: [IP] a bit more on 8 Million Credit Accounts Exposed FBI to
Investigate Hacking of Database
Date: Thu, 20 Feb 2003 11:14:31 -0500
Actually, the AP yesterday tracked down the company that was hacked.
http://news.yahoo.com/news?tmpl=story2&cid=528&ncid=528&e=10&u=/ap/20030220/
ap_on_hi_te/credit_card_hack
<...> Data Processors International, based in Omaha, said Wednesday that "an
unauthorized outside party" had tapped into its computer system, prompting a
criminal investigation.

Could the following be clues as to how DPI (Data Processor
International) Corp was cracked? ::

This is a bit confusing to me, but an associate who's certified
by CompTIA (Security+) and SCNP (http://www.securitycertified.net/)
says the info below, collected from Netcraft yesterday, suggests
the most obvious way the cracker got in was via the Microsoft IIS
packages they seem to be running at http://www.dpicorp.com/,
packages which very likely were not updated, and maybe not for a
very long time.

Of course, there could have been many other possible holes in
DPI Corp before they actually talked to the press.

Oddly, as well, the same level of detail does not appear at
Netcraft now (for the last hour at least). Netcraft is now
using its "oldwhats" script (see below -- a mirror URL for
yesterday's [normal?] "whats" script info is included).

From NetCraft's "What's that site running?" service,
http://www.netcraft.com/whats/, yesterday (ICT, IndoChina
Time):

<start>
OS, Web Server and Hosting History for www.dpicorp.com

OS              Windows 2000
Server          Microsoft-IIS/5.0
Last changed    19-Feb-2003
IP address      12.36.215.4
Netblock Owner  DPI MERCHANT SERVICES

OS              unknown
Server          Microsoft-IIS/5.0
Last changed    18-Feb-2003
IP address      12.36.215.4
Netblock Owner  DPI MERCHANT SERVICES

OS              NT4/Windows 98       << Note!! Very outdated
Server          Microsoft-IIS/4.0    << Note!! Very vulnerable
Last changed    28-Jan-2002
IP address      12.36.215.4
Netblock Owner  DPI MERCHANT SERVICES

OS              NT4/Windows 98
Server          Microsoft-IIS/4.0
Last changed    21-May-2001
IP address      12.22.180.167
Netblock Owner  Dpi Merchant Services
<end>


Today, going to http://www.netcraft.com/whats/ will automatically
transfer you to a URL like this:
http://www.netcraft.com/oldwhats/?host=www.dpicorp.com&Examine=Wait..
                         ^^^^^^^^
That "oldwhats" URL will only provide this information:
   www.dpicorp.com
   www.dpicorp.com is running Microsoft-IIS/5.0 on Windows 2000

When my associate saw this, he involuntarily blurted out "Oh my god!
It's a cover-up!" But we quickly decided we could not draw that
conclusion yet. Netcraft could be undergoing an upgrade or something,
maybe?

There is no obvious notice of changes or technical problems at
Netcraft. The links to Netcraft's "What's that site running?"
service still point to http://www.netcraft.com/whats. And the
auto-transfer to http://www.netcraft.com/oldwhats is almost
invisible.

We pseudo-mirrored yesterday's Netcraft results at
http://www.viceconsulting.com/cons/servs/infosec/dpicorp/netcraft/
[No edits were made to that page.]

Maybe someone else on this list can enlighten us.

best,
AD

*--------------------------------------------------*
  AD Marshall, VietInfoComm&Edu [VICE]-8 Consulting
  Vietnam Information Communications & Education
  Post:  8A/G8 Don Dat, Q.1, TpHCM, VietNam
  eMail: mailto:AD.VICE () ParadoxCafe Net
*--------------------------------------------------*
  GPG/PGP Public Keys & Fingerprints:
  http://h0lug.sourceforge.net/gpgpgp.html
*--------------------------------------------------*



At 23:22 2003.02.20, you wrote:
-----Original Message-----
From: Ted Bridis <tbridis () ap org>
To: dave () farber net
Subject: RE: [IP] a bit more on 8 Million Credit Accounts Exposed FBI to
Investigate Hacking of Database
Date: Thu, 20 Feb 2003 11:14:31 -0500

Actually, the AP yesterday tracked down the company that was hacked.

http://news.yahoo.com/news?tmpl=story2&cid=528&ncid=528&e=10&u=/ap/20030220/
ap_on_hi_te/credit_card_hack

OMAHA, Neb. - A hacker who gained access to millions of credit card numbers
apparently did it by breaking into a computer system at a company that
handles transactions for catalog companies and other direct marketers.

Data Processors International, based in Omaha, said Wednesday that "an
unauthorized outside party" had tapped into its computer system, prompting a
criminal investigation.

[snip...]
-- Dave



------ End of Forwarded Message
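As an added illustration (not code from the original messages, from Netcraft or from DPI), the script below parses the record format quoted in the thread and applies an assumed hygiene policy to it: an entry that stayed unchanged for more than a year is flagged "stale", and an entry whose server version is below the newest one seen in the same history is flagged "downlevel". It is the kind of check an organisation can run over its own externally observed banner history; the sample records, the one-year threshold and the "downlevel" rule are assumptions.

```python
import re
from datetime import datetime
# Constructed sample: three of the Netcraft records quoted above, re-typed
# without the '<< Note!!' annotations (18-Feb entry, IP and netblock lines omitted).
HISTORY = """\
OS              Windows 2000
Server          Microsoft-IIS/5.0
Last changed    19-Feb-2003

OS              NT4/Windows 98
Server          Microsoft-IIS/4.0
Last changed    28-Jan-2002

OS              NT4/Windows 98
Server          Microsoft-IIS/4.0
Last changed    21-May-2001
"""

def parse_date(s):
    return datetime.strptime(s, "%d-%b-%Y").date()

def parse_history(text):
    # One record per blank-line-separated block of 'Field  Value' lines.
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(re.split(r"\s{2,}", line, maxsplit=1) for line in block.splitlines())
        rec["Last changed"] = parse_date(rec["Last changed"])
        records.append(rec)
    return records

def iis_version(server):
    m = re.search(r"Microsoft-IIS/(\d+)\.(\d+)", server)
    return (int(m.group(1)), int(m.group(2))) if m else None

def flag_records(records, as_of, max_age_days=365):
    # Assumed policy: unchanged for more than max_age_days (until the next
    # change, or as_of) is 'stale'; below the newest version seen is 'downlevel'.
    newest = max(v for v in map(iis_version, (r["Server"] for r in records)) if v)
    recs = sorted(records, key=lambda r: r["Last changed"])
    flagged = []
    for i, r in enumerate(recs):
        end = recs[i + 1]["Last changed"] if i + 1 < len(recs) else parse_date(as_of)
        age, v = (end - r["Last changed"]).days, iis_version(r["Server"])
        reasons = [f"stale:{age}d"] if age > max_age_days else []
        if v and v < newest:
            reasons.append("downlevel")
        if reasons:
            flagged.append((r["Last changed"].isoformat(), r["Server"], reasons))
    return flagged
```

Run against the sample with `flag_records(parse_history(HISTORY), "20-Feb-2003")`, both IIS/4.0 entries come back flagged, the 2002 one as stale for 387 days before the banner finally changed.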

Archives at: http://www.interesting-people.org/archives/interesting-people/
