Updated: 24.11.2002; 11:49:19 Uhr.
disLEXia
lies, laws, legal research, crime and the internet

Friday, December 29, 2000

Re: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO (RISKS-21.16)

There is another implicit risk in these stories which I am always quick to bring to the attention of my would-be B2C e-commerce clients.

Suppose you have 500,000 VISA/MC numbers in your computer, and suppose you have strong cryptographic SSL connections and all that certificate jazz to ensure the customer and the e-store are who they say they are. Let's also say that I am an organized crime boss who knows you have those charge card numbers and have the means and desire to rack up just $20 worth of purchase from each of them for a cool fast million dollar profit ... now (and here's the kicker) what is to stop me from offering your system administrator some tidy sum (even 10%!) to just slip in a floppy disk and grab me a copy of the data?

Related to this, I asked a leading e-commerce Web site architect if the DLL that contained the personal information access username and password might be used by _any_ program that ran on the server (in Java, a class can be made accessible _only_ to a restricted set of applications). The answer was that they hadn't thought of that.

Gary Lawrence Murphy TeleDynamics Communications Inc Business Innovations Through Open Source Systems: http://www.teledyn.com

[Simson Garfinkel commented: I simply do not understand why companies insist on keeping the old VISA/MC numbers in their computers.] [Gary Lawrence Murphy via risks-digest Volume 21, Issue 18]

Re: Seattle Hospital Hacked (RISKS-21.14)

The first response to intrusion news stories by most organizations is almost formulaic: deny the attack, make (often false) allegations that this could never happen HERE, attack the credibility of the source of the news, and lastly take a stand against such heinous activity. The response by the UWMC to the intrusion into their network generally follows the formula.

They started back-pedaling the next day: "We have received the first tangible evidence from news-gathering organizations that someone did, in fact, gain criminal access to a limited number of administrative databases that contain some confidential information on at least 5,000 cardiology and rehabilitation medicine patients treated at our hospital," said Tom Martin, director and chief information officer for University of Washington Medical Centers Information Systems. From MSNBC: "Hospital Confirms Hacking Incident", 2000-12-8.

For more complete coverage, I recommend going to where the story broke: www.SecurityFocus.com and search on "University of Washington Medical Center"

The original UWMC announcement, however, is still true. Read it carefully: they worded it so that they never actually denied the attack.

Dan Theunissen, dan.theunissen.no.spam@ieee.org ["Daniel Theunissen" via risks-digest Volume 21, Issue 18]


Maximillian Dornseif, 2002.