Information Security News mailing list archives

Egghead scrambles to gauge damage


From: InfoSec News <isn () C4I ORG>
Date: Fri, 22 Dec 2000 20:19:51 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2668562,00.html

By Robert Lemos and Ben Charny, ZDNN
December 22, 2000 12:37 PM PT

Egghead.com scrambled on Friday to gauge how much of its
3.7-million-customer database had been stolen by intruders during an
online theft, which experts believed happened the day before.

"We're in continuous crisis mode here," said a consultant from
physical and electronic security firm Kroll Worldwide--the experts
called in when Egghead discovered the intrusion on Thursday. The
consultant asked not to be named.

On Friday, Egghead.com Inc. acknowledged that the company's servers
had been hacked by network intruders and its customers' credit-card
numbers potentially stolen.

"Egghead.com has discovered that a hacker has accessed our computer
systems, potentially including our customer databases," said the
online electronics and computer retailer in a statement early Friday.

"As a precautionary measure, we have taken immediate steps to protect
our customers by contacting the credit-card companies we work with."

Entire customer database?

Sources inside the credit-card industry told ZDNet News late Thursday
that Egghead had turned over the names of 3.7 million credit-card
holders, any number of whose data could have been compromised.

"It's unclear how much, if any, of that has been compromised, and we
have provided this information to the credit-card companies as a
precautionary measure," said Shoreen Maghame, spokeswoman for Egghead.

In its October earnings release, Egghead stated that 3.6 million
customers had registered to bid on or buy products using its service.
Thursday's precautionary measure suggests that the company considered
its entire customer database to be at risk from the break-in.

Egghead co-chairman Jerry Kaplan said Friday there was "no evidence"
to suggest that any of the credit cards had been taken. At the same
time, he could not say for certain that the database had not been
pilfered.

"Somebody broke into the Web site, that doesn't mean the customer data
was compromised," Kaplan said.

A team of auditors called in by Egghead expect to know within the week
whether any credit card data was compromised, Kaplan said. He knew of
no complaints about bogus charges surfacing from Egghead customers.

On Thursday, Egghead.com executives denied any break-in, and company
officials did not respond to requests for comment until later that
night.

Friday morning, the company acknowledged the intrusion in an
early-morning press release.

By late Friday morning, law enforcement sources confirmed that
Egghead.com had contacted them and that they were investigating the
case.

Largest heist ever?

Analysts and industry watchers say the Egghead.com break-in highlights
the general lack of security that companies have for their servers.

"Server protection is really out of control," said Avivah Liton of
researchers Gartner Group. Given the numbers, the heist is, far and
away, the largest credit-card database infiltrated by cyberthieves to
date.

A year ago, online music seller CD Universe lost more than 300,000
credit cards to a Russian thief, while earlier this month online
credit-card clearinghouse Creditcards.com lost another 55,000.

Egghead's inability to determine how many of its customers had been
compromised may mean that the company does not have a real-time
auditing system in place, said Paul Robertson, senior developer for
security service firm TruSecure Corp.

"If you don't know how many credit-card numbers you lost, you are
giving a quick, blanket, worst-case answer--and then finding out what
happened afterwards," he said.

Hacked servers by Microsoft

Robertson said that Egghead.com is using Microsoft's Internet
Information Server, a common e-business server, as the platform for
its online service.

IIS is known to have had many security flaws. The two most common
exploits are the remote data services flaw--used often by "script
kids" to deface Web servers--and a relatively new Unicode exploit that
can result in an attacker gaining complete control of the server.

However, Robertson said such holes should have been patched.

"It really doesn't matter what Web server you are running ... if you
are not keeping up with patches, you're insecure."

ISN is hosted by SecurityFocus.com