Re: Hacker cracks ESPN

Lynn Harrison wrote:
Starwave is warning customers about an "intruder" who took credit card numbers from the ESPN and NBA Web sites and then sent messages to the card owners about the alleged security flaws. Will the security breach on the popular sports sites affect emerging e-commerce efforts?
Is this the same story as the one in The Wall Street Journal today about Phiber Optic's "accidentally" sending worldwide a security test that automatically returns passwords stored on supposedly secure systems? Phiber claims he did not know the test would generate a flood of passwords to his e-mail address: from corps, mils, and govs. Says he's so sorry, especially because he's still doing community service. Phiber's employer refused to name the computer corp that installed the secure system Phiber was testing. However, experts interviewed said the password snarf feature is, ahem, well-known to experts, and that the only security worth trusting is the one you build and run yourself and test frequently and still makes you lay awake at night shivering in doubt fear and uncertainty -- like guilty-parental senators, TLA directors, and all the world's bearers of the public trust and such fundy druggies.

At 09:30 PM 7/10/97 -0400, John Young wrote:
Lynn Harrison wrote:
Starwave is warning customers about an "intruder" who took credit card numbers from the ESPN and NBA Web sites and then sent messages to the card owners about the alleged security flaws. Will the security breach on the popular sports sites affect emerging e-commerce efforts?
Is this the same story as the one in The Wall Street Journal today about Phiber Optic's "accidentally" sending worldwide a security test that automatically returns passwords stored on supposedly secure systems?
Nope.

http://www.computerworld.com/news/news_articles/970710onlineccard.html

Online credit-card scare an inside job, Starwave says

Two separate but chilling messages were sent to people who purchased items online from ESPNet or the NBA Store this week. The first anonymous E-mail told shoppers they had been the victims of careless security and that their credit-card numbers and addresses were easily available.

The second message, sent by E-mail and regular mail by the World Wide Web sites' host, Starwave Corp., alerted 2,397 online shoppers that their credit-card information might have been misappropriated.

Starwave said the credit-card information was in a secure, encrypted area that was accessed by an intruder who had the proper password information. "This was not done by a hacker," said Jennifer Yazzolino, a Starwave spokeswoman. "They knew how to get in to the system and unlawfully used classified information." The area that the intruder broke in to was an order-processing system that sends shoppers' orders from each site to 1-800-PRO-TEAM, a Florida fulfillment company.

Following the break-in, Starwave called in the FBI and the U.S. Secret Service to investigate. It has also implemented a new encryption process and changed all system passwords.

"We think this is a matter of a password either being used directly by someone involved with the system or passed along directly by someone involved in the system," Yazzolino said. "We relied too much on human integrity."
Phiber claims he did not know the test would generate a flood of passwords to his e-mail address: from corps, mils, and govs. Says he's so sorry, especially because he's still doing community service.
One of the articles on the "hack" revealed that it was the INN hole reported a while back. The only people who got "caught" by the hack were people who did not update their software.
Phiber's employer refused to name the computer corp that installed the secure system Phiber was testing. However, experts interviewed said the password snarf feature is, ahem, well-known to experts, and that the only security worth trusting is the one you build and run yourself and test frequently and still makes you lay awake at night shivering in doubt fear and uncertainty -- like guilty-parental senators, TLA directors, and all the world's bearers of the public trust and such fundy druggies.
It also shows what happens when you do not follow even the basic CERT warnings...
---
| "That'll make it hot for them!" - Guy Grand                            |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer:         |
| mankind free in one-key-steganography-privacy!" | Ignore the man      |
|`finger -l alano@teleport.com` for PGP 2.6.2 key | behind the keyboard.|
| http://www.ctrl-alt-del.com/~alan/              |alan@ctrl-alt-del.com|

Alan Olsen <alan@ctrl-alt-del.com> writes:
Two separate but chilling messages were sent to people who purchased items online from ESPNet or the NBA Store this week. The first anonymous E-mail told shoppers they had been the victims of careless security and that their credit-card numbers and addresses were easily available.
The second message, sent by E-mail and regular mail by the World Wide Web sites' host, Starwave Corp., alerted 2,397 online shoppers that their credit-card information might have been misappropriated.
Were these two sites running C2Net's "Stronghold"?
---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

At 08:08 PM 7/10/97 -0700, Alan Olsen wrote:
Starwave said the credit-card information was in a secure, encrypted area that was accessed by an intruder who had the proper password information. "This was not done by a hacker," said Jennifer Yazzolino, a Starwave spokeswoman. "They knew how to get in to the system and unlawfully used classified information." The area that the intruder broke in to was an order-processing system that sends shoppers' orders from each site to 1-800-PRO-TEAM, a Florida fulfillment company.
Which, in other words, is an attempt to imply that someone "knew" the password? Note, however, that their press release does say: "who had the proper password *information*".
Following the break-in, Starwave called in the FBI and the U.S. Secret Service to investigate.
IMO, they should hire the person. At least, s/he showed how insecure their "secure encrypted area" was which was more than their own employees did.
It has also implemented a new encryption process and changed all system passwords.
Good luck, fellas....
*********************************************************
Lynne L. Harrison, Esq.      | "The key to life:
Poughkeepsie, New York       |  - Get up;
lharrison@mhv.net            |  - Survive;
http://www.dueprocess.com    |  - Go to bed."
************************************************************
DISCLAIMER: I am not your attorney; you are not my client. Accordingly, the above is *NOT* legal advice.
participants (4)
- Alan Olsen
- dlv@bwalk.dm.com
- John Young
- Lynne L. Harrison