Northwest Airlines warns customers Web information not secure


Northwest Airlines warns customers Web information not secure

Monday, January 10, 2000

THE ASSOCIATED PRESS

EAGAN, Minn. -- Northwest Airlines is alerting customers who recently made purchases on its Frequent Flier Web site that their credit card numbers and personal information were unprotected because of a programming glitch.

Link to story: http://www.postintelligencer.com/business/bizfil12.shtml

-- Carl Jenkins (Somewherepress@aol.com), January 10, 2000

Answers

I heard about this. It was caused by a Y2K problem.

-- (martinSS@relkor.org), January 10, 2000.

Story Link.

-- Mad Monk (madmonk@hawaiian.net), January 10, 2000.

ENCRYPTION KEYS VULNERABLE, RESEARCHERS WARN - Mon, 10 Jan 2000 10:37:14 GMT - Doug Brown, Inter@ctive Week

Hackers can break into servers and steal encryption keys

Researchers at an English company announced Wednesday that they found a way to pluck from Web servers "keys" that provide access to private data stored on servers, such as credit-card numbers.

The revelation that hackers can break into servers and steal encryption keys could have repercussions throughout the electronic commerce landscape. Companies have long struggled with ensuring customers' privacy in the face of increasing hacker ingenuity, but encryption keys were generally believed to dwell in a safe haven.

"It's a pretty big deal," said Tom Hopcroft, president of the Massachusetts Electronic Commerce Association. "Currently, people feel that their keys for credit-card numbers are pretty safe, because they are on a server with a lot of other data, where they might be hard to find."

In light of the discovery that encryption keys are readily open to attack, companies must find ways to prevent their discovery, Hopcroft added. "The loss of consumer confidence could cripple the phenomenal growth of electronic commerce," he said. "A lot of that [growth] is because we don't have a fear of giving out our credit-card numbers over the Internet."

Alex Van Someren, president of nCipher in Cambridge, England, said the discovery of a method for retrieving encryption keys revolves around research conducted by his brother Nicko, chief technology officer and co-founder of nCipher, and Adi Shamir of the Weizmann Institute in Israel, co-inventor of the RSA encryption system, the base for much current encryption technology.

The researchers published their initial findings at the Financial Cryptography '99 conference in February 1999. The research, Alex Van Someren said, laid a theoretical framework for an encryption key retrieval method.

Now, he said, the researchers have demonstrated a concrete method for finding and stealing encryption keys from servers.

The technology centers on this: There is a general assumption that encryption keys will be impossible to find because they are buried in servers crowded with similar strings of code. What the researchers discovered, however, is that encryption keys are more random than other data stored in servers. To find the encryption key, one need only search for abnormally random data.

Hopcroft compared the method to classic Cold War tactics.

"The United States developed quieter and quieter submarines, but they made them so quiet it was quieter than the ambient noise around them," he said. "So the Soviets could search for quiet spots."

The problem could be particularly nettlesome for smaller companies, because many of them run their Web businesses on servers shared by other companies.

All a hacker would have to do, Hopcroft said, is set up an account with an Internet service provider hosting a company's Web site, "go into that server and root around looking for the keys of other companies. With [the key] there is no way for me to be distinguished from a legitimate business owner."

Van Someren said nCipher decided to go after encryption keys because "we make products that redress these problems." The company offers a hardware solution to the problem of encryption-key security.

Van Someren noted that it's possible that others - hackers, in particular - already have discovered the path to the once-hidden encryption keys.

"We haven't seen any evidence of real attacks occurring, but if it were to occur, there would not necessarily be any trace left behind that it had occurred," he said.

Peter Neumann, a computer security researcher at SRI International in Menlo Park, California, said the discovery stands as just one more demonstration of "how flaky our infrastructure is."

"Every operating system can be broken into one way or another, and the servers aren't an exception," he added. "We need a great deal more security than we have at the moment as we enter into electronic commerce. And the bottom line is we should be a little bit more cautious about depending upon cryptography as the answer to all of our problems, because it isn't. It's very difficult to embed it properly into a system."

Bruce Schneier, a world-renowned cryptography expert and chief technology officer at Counterpane Internet Security in San Jose, echoed Neumann.

"Security vulnerabilities are inevitable, because of the complexity of the product, the rush to market, all of these things," he said. "So the vulnerabilities, we see them every week. The only solution is to build security processes that take into account the fallibility of the products."

Of the nCipher discovery, he said: "Let's say we fix this one. We're not magically better. We've fixed one little thing."

http://www.zdnet.co.uk/news/2000/1/ns-12502.html



-- Cheryl (Transplant@Oregon.com), January 10, 2000.
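
The article's point that key material is "more random than other data stored in servers" can be checked on your own files or disk images with a sliding-window entropy audit. The sketch below is an added example, not code from the article or from nCipher; the window size, threshold, and sample buffer are assumptions, and the "key" is a constructed SHA-256 blob.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_regions(data: bytes, window: int = 64, step: int = 16,
                         threshold: float = 5.2):
    """Return merged (start, end) byte ranges whose windows reach threshold.

    A 64-byte window can reach at most log2(64) = 6 bits/byte; text and
    config data usually stay below 5, random key bytes sit near 5.7.
    """
    regions = []
    for start in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[start:start + window]) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # extend overlapping region
        else:
            regions.append((start, end))
    return regions

# Constructed sample: config-like filler with a 128-byte pseudo-random blob
# (SHA-256 output standing in for key material) embedded in the middle.
FILLER = b"ServerName shop.example\nDocumentRoot /var/www/html\nLogLevel warn\n" * 20
FAKE_KEY = b"".join(hashlib.sha256(b"constructed-demo-%d" % i).digest()
                    for i in range(4))
KEY_OFFSET = len(FILLER)
SAMPLE = FILLER + FAKE_KEY + FILLER

def audit(data: bytes):
    """List (start, end, entropy) for each suspicious region."""
    return [(s, e, round(shannon_entropy(data[s:e]), 2))
            for s, e in high_entropy_regions(data)]

if __name__ == "__main__":
    for s, e, h in audit(SAMPLE):
        print(f"bytes {s}-{e}: {h} bits/byte -> possible plaintext key material")
```

Compressed and encrypted data also score high, so a flagged range is a lead for review rather than proof that a key is stored there.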


This might have an ever-so-insignificant effect on NWA's trade ......

-- (squirrel@huntr.com), January 10, 2000.

Look what this hacker did.

SAN FRANCISCO -- A mysterious computer intruder has tried to extort $100,000 from an Internet music retailer after claiming to have copied its collection of more than 300,000 customer credit-card files, which could be used by others to charge purchases online or by telephone ....

On Friday Mr. Levy's company began alerting journalists to the existence of a World Wide Web site that the blackmailer had been using for two weeks to distribute perhaps 25,000 [of 300,000] of the stolen card numbers to thousands of other people ...

Before the Maxus site was shut down, a traffic counter on the site indicated that several thousand visitors had downloaded more than 25,000 credit-card numbers from the system since Dec. 25.

In one of his e-mail messages Sunday, Maxim said that he had been involved in the illegal use of credit cards since 1997. Originally, he wrote, he had tried to create a legal online company that would take payments with a credit-card processing system.

But then, he said, he found he could subvert ICVerify, a credit-card verification software program. The program is sold by Cybercash Inc., an electronic-commerce security company based in Reston, Va., whose software is widely used by e-commerce merchants.

"In 1998," he wrote, "I hacked into a chain of shops and got ICVerify (Cybercash) program with necessary configuration files for transferring money."

He said that with the ICVerify program he had been able to make a charge on a credit card and then give a chargeback refund to a second credit card, a system that he said gave him an "almost anonymous" offshore credit-card account. He also claimed that he had been able to obtain cash from an automatic teller machine using this account, after performing "tricks" with ICVerify.

CD Universe employs ICVerify on its site, but Greenspan said that the company was not ready to conclude that the blackmailer had manipulated the software to obtain the customer information.

Cybercash said Sunday that it was investigating the claims. Its chairman, Daniel Lynch, said that about a year ago the company had found a security flaw in ICVerify, but had created a software "patch" for it and notified its clients. He said he did not know if all clients had installed the patch, though ...

http://www.mercurycenter.com/svtech/news/breaking/merc/docs/extort011000.htm

FYI - CyberCash is same company involved with double/triple credit card billing.

I think I'm gonna hold off on any Internet purchases for a while. I'd already decided to not use my credit card. My Y2K "cash stash" has come in handy.

-- Cheryl (Transplant@Oregon.com), January 10, 2000.


Wouldn't it be convenient for credit card co's and websites with "glitches" to blame hackers.

Hope they find those hackers soon and report their names.

-- (Just@n.observation), January 10, 2000.


More on on-line hacking, security breach ...

Hacker Steals Credit Card Information From Online Retailer - By Diane Scarponi Associated Press Writer - The Associated Press

http://ap.tbo.com/ap/breaking/MGI7ZLTIA3C.html

-- Cheryl (Transplant@Oregon.com), January 10, 2000.

