The hackers showed no Christmas spirit. In December, online
electronic retailer Egghead.com (www.Egghead.com) found itself
under attack from a hacker who was trying to steal customer credit
card records from its servers, writes Danny Bradbury.
Obviously spooked by the incident, in which the hacker was
caught red-handed, Egghead decided to inform the credit card
companies and hand over 3.7 million customer credit card details,
so that they could make the necessary security arrangements.
After the intrusion was detected, the company worked with a
security consultancy to find out whether any of the records had
been compromised. The online retailer now believes that it stopped
the hacker in time.
"All this has done is speed our security process up," said
company spokeswoman Shoreen Maghame, adding that the company had
already budgeted for security enhancements this quarter. However,
none of this will do anything to reassure a customer base that is
still concerned about online security and privacy.
The real issue is that online retailers are putting revenue
growth and market share above security, said Jonathan Gossels, vice
president of US-based security consultancy SystemExperts and former
director of business development for the Open Software Foundation.
"Security is a low priority," he said. "Over and over again, we
hear companies saying that they are growing too fast to make their
sites secure."
The incident occurred almost a year after online retailer
CDUniverse had 25,000 credit card numbers stolen from its site and
posted on the Internet when it refused to give in to blackmail.
Press reports of other such hacks have littered the news, and
credit card companies such as Visa have issued zero-liability
guarantees to try to lure customers on to the Internet.
"Credit card companies are applying risk analysis while looking
at the cost of transactions on the Web compared to paper
transactions," said Gossels. He believes firms will shoulder some
of the inevitable fraud on the Internet as long as it is offset by
the reduced overhead associated with online transactions.
According to Gossels, a security audit for online retailers
taking credit cards is out of the question, because there are very
few online traders that could call themselves hacker-proof. For the
time being, credit card companies are willing to take the risk -
but if online revenues do not measure up in the long term, or if
online fraud becomes too much of a problem thanks to careless
retailers, then the situation may change.
Top e-commerce slip-ups
Common mistakes that SystemExperts has seen being made by
companies doing business online:
- Web problems (trusting input data, running the server as root, using the default configuration)
- Not designing fail-over plans for a denial-of-service attack
- Assuming that one part of the security design "fixes" other problems, such as assuming that SSL makes you secure
- Making modems available with direct access to routers, gateways and hosts
- Not applying the most recent OS or application patches
- Designing the network in terms of inside/outside, instead of appropriate access, and relying too much on firewalls
- Depending on manual reviews of events and logs
- Not testing Internet readiness through penetration analysis
- Using default OS or application parameters, including passwords and default-enabled services
- Using unencrypted administrative access and making it reachable from the Internet
- No escalation policy, or even no detection (meaning that a company may not know that it has been broken into)
Internet security resources
There are organisations that can help combat inadequate security
and protect companies from infiltration. These include the System
Administration, Networking and Security (Sans) Institute
(www.sans.org), formed in 1989 as a forum to help
share information about security issues. Sans runs the Global
Incident Analysis Center, which detects new security threats and
makes information about them available online.
The Cert Coordination Center, operated by Carnegie Mellon
University (www.cert.org), is another information hub that
circulates data about Internet security threats, while the Center
for Internet Security (www.cisecurity.org) is a not-for-profit
organisation with methods and tools to help secure networks.