RealTime IT News

Another Cracker Posts Stolen Cards Online

Another e-commerce site has been turned inside out by a cracker. Someone calling himself "Curador" claims to have stolen the entire sales database of an unidentified online site, including more than 5,000 credit card numbers.

Around 1,000 of the stolen card numbers were posted by Curador late Monday night at a personal Website hosted by Xoom.com, the online homesteading site owned by NBC Interactive (NBCI). After being notified about the Curador site, Xoom took it offline late Tuesday morning. The site, minus the credit card data, is mirrored here.

Later Tuesday, Curador resurfaced at Geocities, where he posted what he claimed was the credit card number of Microsoft chairman Bill Gates.

While the incident echoes the break-in and extortion attempt at CDuniverse.com earlier this month, Curador implied his motives were purely educational.

"Maybe one day people will set up their sites properly before they start trading because otherwise this won't be the last page I post to the NET," wrote the cracker in a message at his site.

No common shopping patterns were immediately apparent among the handful of shoppers contacted by InternetNews whose credit cards were stolen and posted at the Curador site.

Leslie Lowdermilk, a research analyst in Texas, said she began shopping online this past holiday season, drawn by the convenience. Noting that card holders are generally responsible for only the first $50 of fraudulent charges, Lowdermilk said the incident hasn't scared her off from making future online purchases.

"When faced with either going to the mall at Christmas time or sitting in the comfort of my own home and shopping, I would much rather shop over the Internet than face the crowds. I think most places are reputable, and I've known lots of people who've done lots of shopping and never had a problem," she said.

In the message at the Curador site, the cracker suggests that he exploited a weakness in Microsoft's (MSFT) SQL Server relational database.

"Greetz to my friend Bill Gates, I think that any guy who sells Products Like SQL Server, with default world readable permissions can't be all BAD," wrote the cracker.

According to Russ Cooper, operator of the NTbugtraq mailing list, SQL Server by default installs some files with world-readable permissions. But Cooper denied that Microsoft's product was inherently insecure.

"Most commercial software packages install with loose or nonexistent permissions so that you can get them working easier and then lock it down. And most people don't," Cooper said.

Notice of the break-in was sent to HackerNews.com early Tuesday morning. The message headers suggest it was sent using a dial-up account at Global Internet in the United Kingdom.

According to Space Rogue, one of the operators of the HackerNews site and a security expert with consulting firm AtStake, the victimized site was apparently storing credit card numbers on its Web server, despite repeated warnings by security experts that the data should instead be transferred to a secure server not connected to the Internet.

"You'd think it was common sense, but every other week we have another ecommerce site that's vulnerable and attacked, and I don't know how long it's going to take for people to learn," said Space Rogue.