-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 04:44 PM 5/1/2002, Erik Parker wrote:

>Let me know if you find any. From what I heard from a media source, when
>they approached Best Buy about it today, best buy ordered their stores to
>shut off the wireless registers.
>
>My local Best Buy checked out an hour ago, to not have wireless running.
>
>However, Petsmart, and DSW shoes do the same thing.. unencrypted customer
>data.

OK. Let's expand on this a bit-- Let's say that it is all true and the
source was correct in their post about everything.

The clear text CCN in the packet stream is small potatoes. The OP said
that he saw the table names and SQL elements in clear text- this means that
the client-server application itself must be concatenating string variables
into SQL commands and posting them to the server as ad-hoc queries as
opposed to using procedures or propertly formatted data objects (or
something like that). Though I have not seen a POS register system do
this, if the poster was correct, then this one does.

Along with the query information will be the server information and the
credentials used. So, if the information is correct, it would not take
that much recon to gain enough info to compromise the back-end server. Why
worry about a few credit card numbers when you can have them all?

I'm looking forward to seeing the real deal on this... I'd sniff it
myself, but the closest BestBuy to me is way over in Reno, and anyone who
has horked in Reno knows it is almost impossible to get good data with the
casino's all blasting everyone's financial information up and down the
spectrum ;)

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNCGWIhsmyD15h5gEQLMEACgh9Y/n/MXieBKe+qYGnrzou/Twt8AoOJs
d8LvE0LC0R14vbigkdOv4Oef
=9sGX
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]