Re: Wlan @ bestbuy is cleartext?

["Deus, Attonbitus" <Thor () HammerofGod com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 04:44 PM 5/1/2002, Erik Parker wrote:

> Let me know if you find any. From what I heard from a media source, when
> they approached Best Buy about it today, best buy ordered their stores to
> shut off the wireless registers.
>
> My local Best Buy checked out an hour ago, to not have wireless running.
>
> However, Petsmart, and DSW shoes do the same thing.. unencrypted customer
> data.


OK.  Let's expand on this a bit-- Let's say that it is all true and the 
source was correct in their post about everything.

The clear text CCN in the packet stream is small potatoes.  The OP said 
that he saw the table names and SQL elements in clear text- this means that 
the client-server application itself must be concatenating string variables 
into SQL commands and posting them to the server as ad-hoc queries as 
opposed to using procedures or propertly formatted data objects (or 
something like that).  Though I have not seen a POS register system do 
this, if the poster was correct, then this one does.

Along with the query information will be the server information and the 
credentials used.  So, if the information is correct, it would not take 
that much recon to gain enough info to compromise the back-end server.  Why 
worry about a few credit card numbers when you can have them all?

I'm looking forward to seeing the real deal on this...  I'd sniff it 
myself, but the closest BestBuy to me is way over in Reno, and anyone who 
has horked in Reno knows it is almost impossible to get good data with the 
casino's all blasting everyone's financial information up and down the 
spectrum ;)

AD


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNCGWIhsmyD15h5gEQLMEACgh9Y/n/MXieBKe+qYGnrzou/Twt8AoOJs
d8LvE0LC0R14vbigkdOv4Oef
=9sGX
-----END PGP SIGNATURE-----