From: Alan Olsen <alan@ctrl-alt-del.com>
To: John Young <jya@pipeline.com>
Message Hash: 7279b0db4e9a50ca82051a96ea0519da441d9db7d83700970c933a5b58690cc0
Message ID: <3.0.2.32.19970710200813.03f1f290@mail.teleport.com>
Reply To: <1.5.4.32.19970711013002.006d30e4@pop.pipeline.com>
UTC Datetime: 1997-07-11 03:20:57 UTC
Raw Date: Fri, 11 Jul 1997 11:20:57 +0800
Subject: Re: Hacker cracks ESPN
At 09:30 PM 7/10/97 -0400, John Young wrote:
>
>Lynn Harrison wrote:
>
>>Starwave is warning customers about an "intruder" who took credit card
>>numbers from the ESPN and NBA Web sites and then sent messages to the card
>>owners about the alleged security flaws. Will the security breach on the
>>popular sports sites affect emerging e-commerce efforts?
>
>Is this the same story as the one in The Wall Street Journal today
>about Phiber Optic's "accidentally" sending worldwide a security
>test that automatically returns passwords stored on supposedly
>secure systems?

Nope.

http://www.computerworld.com/news/news_articles/970710onlineccard.html

Online credit-card scare an inside job, Starwave says

Two separate but chilling messages were sent to people who
purchased items online from ESPNet or the NBA Store this
week. The first anonymous E-mail told shoppers they had
been the victims of careless security and that their
credit-card numbers and addresses were easily available.
The second message, sent by E-mail and regular mail by the
World Wide Web sites' host, Starwave Corp., alerted 2,397
online shoppers that their credit-card information might have
been misappropriated.

Starwave said the credit-card information was in a secure,
encrypted area that was accessed by an intruder who had
the proper password information. "This was not done by a
hacker," said Jennifer Yazzolino, a Starwave spokeswoman.
"They knew how to get in to the system and unlawfully used
classified information." The area that the intruder broke in to
was an order-processing system that sends shoppers'
orders from each site to 1-800-PRO-TEAM, a Florida
fulfillment company.

Following the break-in, Starwave called in the FBI and the U.S.
Secret Service to investigate. It has also implemented a new
encryption process and changed all system passwords. "We
think this is a matter of a password either being used
directly by someone involved with the system or passed along
directly by someone involved in the system," Yazzolino said.
"We relied too much on human integrity."

>Phiber claims he did not know the test would generate a flood of
>passwords to his e-mail address: from corps, mils, and govs.
>Says he's so sorry, especially because he's still doing
>community service.

One of the articles on the "hack" revealed that it was the INN hole
reported a while back. The only people who got "caught" by the hack were
people who did not update their software.

>Phiber's employer refused to name the computer corp that installed the
>secure system Phiber was testing. However, experts interviewed said
>the password snarf feature is, ahem, well-known to experts, and that
>the only security worth trusting is the one you build and run yourself
>and test frequently and still makes you lay awake at night shivering in
>doubt fear and uncertainty -- like guilty-parental senators, TLA directors,
>and all the world's bearers of the public trust and such fundy druggies.

It also shows what happens when you do not follow even the basic CERT
warnings...
---
| "That'll make it hot for them!" - Guy Grand |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: |
| mankind free in one-key-steganography-privacy!" | Ignore the man |
|`finger -l alano@teleport.com` for PGP 2.6.2 key | behind the keyboard.|
| http://www.ctrl-alt-del.com/~alan/ |alan@ctrl-alt-del.com|