Information Security News mailing list archives

Hacker taps into 24,000 credit cards


From: InfoSec News <isn () C4I ORG>
Date: Sat, 24 Jun 2000 18:03:20 -0500

http://www.the-times.co.uk/news/pages/sti/2000/06/25/stinwenws01002.html

June 25, 2000

A COMPUTER hacker has breached the security of a pioneering internet
service provider to obtain the names, addresses, passwords and credit
card details of more than 24,000 people.

The victims include scientists at the top-secret Defence Evaluation
and Research Agency, senior officials in the government, BBC bosses
and executives at companies such as Shell, Barclaycard and Halifax.

The hacker, an information technology consultant, says that he
targeted Redhotant to expose security lapses.

The Kent-based company is at the forefront of a new style of internet
provision: subscribers pay as little as £30 a year for unlimited access
to the web with no additional phone charges. It aims to attract half a
million users in Britain, but its critics say it is failing to cope
with demand.

Trading standards officers are investigating complaints that people
have had difficulty getting online, although the company claims to
have a line for every nine customers.

The company, which has taken up to £1.5m in subscriptions, says it
plans to double capacity. Last week it was offline for several days
and blamed a technical hitch after a thunderstorm.

The consultant who obtained the details of Redhotant's subscribers
broke the data protection law but says he did it only out of public
interest to highlight lack of security.

He used a proxy, a device normally used for disguising the identity of
a user, as an intermediary to search the site for files.

Among them he found the customer database. Only those connected to the
company's internal network are supposed to access it. The hacker got
around this by sending requests whose referrer field claimed to come
from the intranet site ("referrer: the intranet site").
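The access check described above, modelled as an added example rather than the article's or Redhotant's own code: a Referer-based gate admits any request that merely claims an intranet origin, while a check built on the connection's source address plus a server-side session does not, and the mismatch between the two is itself a detection signal. The intranet host name and the internal address range are constructed for the example.

```python
# Added example (not from the article): why a client-supplied Referer header
# is not access control for an internal resource such as a customer database.
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

INTRANET_ORIGIN = "http://intranet.example.internal"  # hypothetical host name
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal range


@dataclass
class Request:
    client_ip: str                      # TCP source address seen by the server
    headers: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # set only after real authentication


def weak_is_allowed(req: Request) -> bool:
    """The flaw the article describes: trust whatever Referer the client sends."""
    return req.headers.get("Referer", "").startswith(INTRANET_ORIGIN)


def on_internal_net(req: Request) -> bool:
    ip = ipaddress.ip_address(req.client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def hardened_is_allowed(req: Request) -> bool:
    """Authorise on facts the client cannot choose: where the connection came
    from and whether a server-side session exists for it."""
    return on_internal_net(req) and req.session_user is not None


def is_suspicious(req: Request) -> bool:
    """Detection rule: an intranet Referer arriving from outside the internal
    network is a forgery attempt worth alerting on."""
    return weak_is_allowed(req) and not on_internal_net(req)


# Constructed sample requests: an outsider with a forged Referer, and a staff
# member on the internal network with an authenticated session.
forged = Request("203.0.113.7", {"Referer": INTRANET_ORIGIN + "/customers"})
staff = Request("10.1.2.3", {"Referer": INTRANET_ORIGIN + "/customers"}, "ops")

if __name__ == "__main__":
    for name, req in (("forged", forged), ("staff", staff)):
        print(name, weak_is_allowed(req), hardened_is_allowed(req), is_suspicious(req))
```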

He said: "It was child's play. I didn't actually need to hack in the
normal sense because I didn't need any passwords. It was like rooting
around in bins for a key and then finding there was a wide-open side
entrance.

"Redhotant's biggest mistake was keeping its own records on the same
disk and machine as all its services."

He added: "I sent them a couple of e-mails alerting them to the
problem but they ignored it. The lesson is simple. Don't put anything
on a website that you wouldn't put on a billboard."

Redhotant is part of the Jak internet group, which operates from
offices near the Channel Tunnel in Kent.

Kevin Packwood, a director, said he was unaware of the security
breach. He said: "I would be very surprised if somebody could get that
far. Our security measures should have been able to see it happening
and alarms would have sounded."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".