"L.D. Best" wrote:

> Mel,
>
> Well said.
>
> On Mon, 10 Jan 2000 19:51:00 +0000, Mel Evans, Registered Arachne User wrote:
> > Caveat Emptor! Let the buyer beware!
>
> However, according to network news this date, even legit businesses can
> be dangerous.
>
> It seems this young man in Russia decided to hack into a music sales
> site -- and he did it well enough to collect about 300,000 credit card
> numbers.  He then informed the store and asked for $300,000 American ...
> or he'd both sell the cc#s *and* let the press know.  When the store
> didn't pay, CC#s started appearing on a website ... many [how many they
> won't say] were posted for the world to see until the site was shut
> down.
>
> They don't know who did it.  They don't know how.  [You can bet some
> poor bottom-of-the-ladder programmer will be blamed.]  They don't even
> know who would have jurisdiction over the culprit should s/he be found.
>
> l.d.

Cracking websites is not such hard work. Actually it is VERY
EASY. (I do not mean YAHOO or something very big, like AV or
Microsoft, I mean small commercial servers.)
I have two sites (after 4 months one door is still open) in
my practice. I never tried to crack anything after that.
Both of them were running under MS IIS 4.0.

One was a shopping cart which sells Zepter saucepans.
The credit card files were strongly encrypted, SSL, but there
was a log file with card numbers (~2000 numbers),
addresses, names, phones, PINs in pure unencrypted text.
I do not need them, but anyway.... (yeah, I'm a rude person,
but I do not want to steal money, I prefer that people give
me money and don't wish to take it back). I still have
those numbers...
Anyone purchase Zepter online about 6 months ago?

The second was the site of some department of the EC. It was in French,
so I do not know what it is about. I wrote mail to the admin,
got no answer, and after 4 months I still have root
permissions there. Crazy idiot this admin, I can say...

All this I did after reading one article at a security-
dedicated site (L0pht if someone needs to know).
It took almost 20 minutes for both. The security
hole was found with a one-word request via AltaVista.

Moral: do not believe in SSL; the shop can hold numbers on the
server unencrypted.

Sergei
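The failure Sergei describes is SSL protecting the transaction in transit while the application writes full card numbers and PINs into a plaintext log. The added example below (not from the post or either site) is a defender-side check: it scans constructed sample log lines for Luhn-valid card numbers, reports where they occur, and produces a redacted copy that keeps only the last four digits. The log format and field names are assumptions.

```python
import re

# Constructed sample log (not from the original post): an e-commerce
# application log that has leaked full card numbers and PINs in plaintext.
SAMPLE_LOG = """\
2000-01-10 19:51:00 order=1001 name=J. Doe card=4111111111111111 pin=1234
2000-01-10 19:52:13 order=1002 name=A. Smith card=5500 0000 0000 0004 pin=5678
2000-01-10 19:53:40 order=1003 session=1234567890123456 status=ok
"""

# 13-19 digits, optionally separated by spaces or dashes, ending on a digit.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SEPARATORS = re.compile(r"[ -]")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out session ids, timestamps and other
    long digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line: str) -> list[str]:
    """Return the Luhn-valid primary account numbers found in one log line."""
    return [
        SEPARATORS.sub("", m.group())
        for m in CANDIDATE.finditer(line)
        if luhn_ok(SEPARATORS.sub("", m.group()))
    ]

def redact_line(line: str) -> str:
    """Mask valid PANs to their last four digits and drop PIN values."""
    def mask(m: re.Match) -> str:
        digits = SEPARATORS.sub("", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    line = CANDIDATE.sub(mask, line)
    return re.sub(r"\bpin=\d+", "pin=[REDACTED]", line)

def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """(line number, PANs) for every line that leaks a card number."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, pans))
    return findings
```

Run it over real application logs before they are shipped anywhere; any hit means the logging code, not the transport, is the problem.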
