Information Security News mailing list archives

CardCops Accused Of Sloppy Police Work


From: InfoSec News <isn () c4i org>
Date: Thu, 16 Aug 2001 00:59:55 -0500 (CDT)

http://www.newsbytes.com/news/01/169018.html

By Brian McWilliams, Newsbytes
MALIBU, CALIFORNIA, U.S.A.,
14 Aug 2001, 5:11 PM CST
 
A company that aims to protect online merchants against credit card
thieves is doing more harm than good, according to three firms
recently pilloried by CardCops.com.

"For them to blaspheme us and put our customers at risk like that,
well, this old boy and I can go out behind the barn real easy," said
David Robertson, president of Stic.net, a San Antonio, Texas-based
Internet service provider.

Stic is one of three online firms alleged by CardCops to be exposing
customer credit card data within their sites.

The details were recently laid out in a message-board posting linked
from the front page of CardCops.com, titled, "Three newly hacked
merchants." The link was removed today, although the messages remain.

CardCops provides security analysis and hacker tracking services to
online merchants. Under what it calls its amnesty program, the company
encourages ethical hackers and employees to disclose security flaws
they discover at e-commerce sites.

An anonymous person originally posted a report on the message board at
the CardCops site July 24, disclosing that a large Internet service
provider was vulnerable to "various attacks" and was leaving customer
data wide open to hackers.

Robertson, along with officials from the other merchants, Multiwave
Direct and StrawberryNet, all claim they were never contacted by
CardCops, and only learned of the alleged security issues as a result
of an article published Friday in The Register, an online tabloid for
computer news.

What's more, representatives of the three companies contend that the
article, and CardCops' report, are factually incorrect.

The article, entitled "Hacking IIS -- how sweet it is," identified the
three firms as examples of how hackers are targeting sites running
Microsoft's Internet Information Server (IIS) software.

As evidence of the vulnerability at Stic, CardCops Monday provided
Robertson with a spreadsheet containing customer data, including
credit card numbers. But according to Robertson, the spreadsheet was
not taken from Stic's site but instead was lifted from a server
running a version of the Unix operating system and operated by a
customer, SATEXAS Communications Network.

"We provide just an ISDN connection to a company that's running Linux
and they got hacked. So how does that make us responsible or a
text-book example of the security weaknesses in IIS?" said Robertson.

Harry Romero, general manager of Multiwave, acknowledged that the
e-tailer's site was defaced by the Code Red Worm last month. Although
the IIS vulnerability exploited by the worm could also have enabled
hackers to take control of the mwave.com server, Romero insisted that
customers were unaffected, and the hole has since been patched.

"Not one single credit card has been compromised, and the security of
our customers remains intact," said Romero.

Rodney Miles, managing director of StrawberryNet, said the Hong
Kong-based e-tailer has found no vulnerabilities in its IIS 5.0-based
site and has received no complaints from customers or inquiries from
law enforcement.

"We are extremely upset these allegations have been made with no
contact and no proof that we are aware of," said Miles.

A scan performed by Newsbytes today revealed that none of the three
firms are currently vulnerable to the exploit which enabled variants
of the Code Red Worm to infect thousands of Web sites.

But Dan Clements, co-founder of CardCops, said hackers sent him a file
containing at least 1,000 credit cards obtained from the StrawberryNet
site. And CardCops was informed about the vulnerability at Multiwave
months ago, he said.

According to Clements, he attempted to contact Stic by e-mail on July
30. After receiving no response to his inquiries, on August 5 Clements
forwarded information about all three sites to a reporter at The
Register.

Clements today defended his handling of the incidents, saying the
reaction of the firms is typical of companies that have suffered an
embarrassing security compromise.

"They deny they were hacked, and then they get suspicious and angry.
It's a very awkward process when you call up a company and tell them
they were hacked," he said.

According to Clements, CardCops doesn't always publicize information
about sites that are compromised, but the recent attention given to
the Code Red Worm and vulnerabilities in IIS prompted him to go public
with the intrusions at the three firms.

"We're trying to get all of this stuff out of the closet so companies
handle it the right way and download the patches and then move on,"
said Clements.

But Robertson, who is vice president of the Texas Internet Service
Providers Association, said CardCops is no friend to e-commerce sites.

"If they're wrong, they've damaged your reputation. But it's even
worse if they're right and they publish the information before
reaching you. That puts the hackers a step ahead of you," said
Robertson.

The CardCops message board is at
http://www.adcops.com/CC/messages/5/98.html?997201901_ .

Stic.Net is at http://www.stic.net .

Multiwave Direct is at http://www.mwave.com .

StrawberryNet is at http://www.strawberrynet.com .

The Register is at http://www.theregister.co.uk .



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

