Another e-commerce site has been turned inside out by a cracker. Someone calling himself “Curador” claims to have stolen the entire sales database of an unidentified online site, including more than 5,000 credit card numbers.

Around 1,000 of the stolen card numbers were posted by Curador late Monday night at a personal Website hosted by Xoom.com, the online homesteading site owned by NBC Interactive (NBCI). After being notified about the Curador site, Xoom took it offline late Tuesday morning. The site, minus the credit card data, is mirrored here.

Later Tuesday, Curador resurfaced at Geocities, where he posted what he claimed was the credit card number of Microsoft chairman Bill Gates.
While the incident echoes the break-in and extortion attempt at CDuniverse.com earlier this month, Curador implied his motives were purely educational. “Maybe one day people will set up their sites properly before they start trading because otherwise this won’t be the last page I post to the NET,” wrote the cracker in a message at his site.
No common shopping patterns were immediately apparent among the handful of shoppers contacted by InternetNews whose credit cards were stolen and posted at the Curador site.
Leslie Lowdermilk, a research analyst in Texas, said she began shopping online this past holiday season, drawn by the convenience. Noting that card holders are generally responsible for only the first $50 of fraudulent charges, Lowdermilk said the incident hasn’t scared her off from making future online purchases.

“When faced with either going to the mall at Christmas time or sitting in the comfort of my own home and shopping, I would much rather shop over the Internet than face the crowds. I think most places are reputable, and I’ve known lots of people who’ve done lots of shopping and never had a problem,” she said.
In the message at the Curador site, the cracker suggests that he exploited a weakness in Microsoft’s (MSFT) SQL Server relational database. “Greetz to my friend Bill Gates, I think that any guy who sells Products Like SQL Server, with default world readable permissions can’t be all BAD,” wrote the cracker.
According to Russ Cooper, operator of the NTBugtraq mailing list, SQL Server by default installs some files with world-readable permissions. But Cooper denied that Microsoft’s product was inherently insecure. “Most commercial software packages install with loose or nonexistent permissions so that you can get them working easier and then lock it down. And most people don’t,” Cooper said.
Notice of the break-in was sent to HackerNews.com early Tuesday morning. The message headers suggest it was sent using a dial-up account at Global Internet in the United Kingdom.
According to Space Rogue, one of the operators of the HackerNews site and a security expert with consulting firm AtStake, the victimized site was apparently storing credit card numbers on its Web server, despite repeated warnings by security experts that the data should instead be transferred to a secure server not connected to the Internet.

“You’d think it was common sense, but every other week we have another e-commerce site that’s vulnerable and attacked, and I don’t know how long it’s going to take for people to learn,” said Space Rogue.