FW: [WEB SECURITY] CardSystems was a Web Application Hack

Mann, Sarah X (UK - London) sxmann at deloitte.co.uk
Tue Apr 18 13:43:06 EDT 2006


the FTC report describes it as a SQL injection attack:
http://www.ftc.gov/os/caselist/0523148/0523148complaint.pdf
 
In September 2004, a hacker exploited the failures set forth in Paragraph 6 by using an SQL injection attack on respondent's web application and website to install common hacking programs on computers on respondent's computer network. The programs were set up to collect and transmit magnetic stripe data stored on the network to computers located outside the network every four days, beginning in November 2004. As a result, the hacker obtained unauthorized access to magnetic stripe data for tens of millions of credit and debit cards.


________________________________

From: Argeniss [mailto:lists at argeniss.com]
Sent: Tue 18/04/2006 18:25
To: Jeremiah Grossman
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] CardSystems was a Web Application Hack



What I have heard (from a trusted source) is that a SQL Injection
vulnerability was exploited; the attacker created a Job in the database
server that pulled out new records every 4 (?) days. This is a very easy
attack since most database servers allow scheduling of actions as Jobs.
We have developed similar and new attacks that allow stealing complete
databases from the Internet; I hope we will be presenting this at the next Black
Hat :)


Cesar.

Jeremiah Grossman wrote:
> Most are already familiar with the infamous CardSystems incident where
> hackers stole 263,000 credit card numbers and exposed 40 million more.
> What remained a mystery is how exactly the hack occurred, since what we
> knew was mostly scattered rumors and theories.
>
> Bill Pennington pointed me to a new article in Information Security
> magazine (April 2006) describing some new details.
>
> Security Survivor All-Stars
> http://informationsecurity.techtarget.com/magLogin/1,291245,sid42_gci1175858,00.html
>
>
> *Unfortunately I've not been able to find an online version that doesn't
> require a subscription.
>
> "In September 2004, hackers dropped a malicious script on the
> CardSystems application platform, injecting it via the Web application
> that customers use to access account information. The script, programmed
> to run every four days, extracted records, zipped them and exported them
> to an FTP site."
>
> This reads to me like it was a web application hack, but it's difficult
> to derive what class of attack. If I had to guess, it was probably
> an OS Commanding issue in order to write executable code onto the
> file-system.
>
>
>
> Regards,
>
> Jeremiah-
>
>
>
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
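Cesar's account above (a SQL injection used to create a database Job that pulls new records every four days) and the FTC complaint quoted at the top (programs that collected and transmitted stripe data every four days) describe the same persistence mechanism: one injected request, then the database's own scheduler does the rest. The block below is an added illustration of that mechanism on Microsoft SQL Server, together with the audit and least-privilege checks a DBA would run for it. It is not code from this thread, from CardSystems, or from Argeniss, and the page does not say which database product CardSystems ran; the database name `cardsdb`, the tables, the job name `Maintenance_Cleanup`, the schedule time and the application login `webapp_user` are all assumed.

```sql
-- Added illustration, not code from the thread or from CardSystems.
-- Assumes Microsoft SQL Server with SQL Server Agent, and that the
-- injected statements run under a login that can reach msdb's job
-- procedures (typically because the web application connects as sa or
-- as a member of a SQLAgent role). All object names are made up.

-- (1) The shape of the stacked statements an attacker appends to an
--     injected parameter. The step here only copies "new" rows into a
--     staging table inside the database; the transmit step described in
--     the thread is deliberately not reproduced.
EXEC msdb.dbo.sp_add_job
     @job_name = N'Maintenance_Cleanup';          -- innocuous-looking name
EXEC msdb.dbo.sp_add_jobstep
     @job_name      = N'Maintenance_Cleanup',
     @step_name     = N'step1',
     @subsystem     = N'TSQL',
     @database_name = N'cardsdb',                 -- assumed database
     @command       = N'INSERT INTO dbo.staging (track_data)
                        SELECT track_data FROM dbo.transactions
                        WHERE created_at > DATEADD(day, -4, GETDATE());';
EXEC msdb.dbo.sp_add_jobschedule
     @job_name          = N'Maintenance_Cleanup',
     @name              = N'every4days',
     @freq_type         = 4,        -- daily ...
     @freq_interval     = 4,        -- ... but only every 4th day
     @active_start_time = 030000;   -- 03:00, assumed
EXEC msdb.dbo.sp_add_jobserver
     @job_name = N'Maintenance_Cleanup';          -- run on the local server

-- (2) Audit: every Agent job with owner, creation date, steps and
--     schedule. Steps that shell out, or whose T-SQL reaches outside the
--     database, are flagged for review.
SELECT j.name                     AS job_name,
       SUSER_SNAME(j.owner_sid)   AS owner_login,
       j.date_created,
       s.step_id, s.subsystem, s.command,
       sch.freq_type, sch.freq_interval, sch.active_start_time,
       CASE WHEN s.subsystem IN (N'CmdExec', N'PowerShell', N'ActiveScripting')
              OR s.command LIKE N'%xp_cmdshell%'
              OR s.command LIKE N'%OPENROWSET%'
              OR s.command LIKE N'%bcp %'
            THEN 'REVIEW' ELSE '' END AS flag
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s            ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysjobschedules AS js  ON js.job_id = j.job_id
LEFT JOIN msdb.dbo.sysschedules AS sch    ON sch.schedule_id = js.schedule_id
ORDER BY j.date_created DESC;

-- (3) Least privilege: the web application's login should have no
--     msdb role at all, so an injection cannot call the job procedures.
--     Any row returned here is a finding.
SELECT r.name AS msdb_role
FROM msdb.sys.database_role_members AS rm
JOIN msdb.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'webapp_user';                    -- assumed application login
```

Two things follow from this. Parameterising the web application's queries closes the injection, but it does not undo a job that is already scheduled, so the audit in (2) belongs in incident response and in routine review, and a job owned by the application's login, or created at an odd hour, is what to look for. And because the scheduler runs inside the database server, the exfiltration in (1) never passes through the web tier, which is why a web-application hack of this kind can run for months without the application's own logs showing anything.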

 