Geekzone: technology news, blogs, forums
Minimalist (5528 posts, Uber Geek, +1 received by user: 439, Moderator, Trusted, Lifetime subscriber)
# 248406 18-Aug-2009 22:56

I didn't get it this time round

Baby Get Shaky! (1609 posts, Uber Geek, +1 received by user: 412, Trusted, Subscriber)
# 248423 19-Aug-2009 00:29

savag3: I wonder if the third party email marketing system they have used (mailprimer.com) has been compromised. That might explain why emails used at other companies have been spammed as well.



That's a good suggestion! I also received this email a few weeks ago and again three times over the last two days. It came to an account I use for Hell Pizza and ten dozen other sites, so I can't place blame there. My email address, however, is a combo of three words, one of which is spelled incorrectly, so if it is a dictionary attack it's a clever one.

BDFL - Memuneh (63363 posts, Uber Geek, +1 received by user: 13861, Administrator, Trusted, Geekzone, Lifetime subscriber)
# 355259 23-Jul-2010 10:33

ukoda:
Bee: Interesting...
I got it 3 times last night too... how did it get our email addresses? what have we all signed up for that has sold/leaked our email address???

I received it using the email address I signed up with at Hell Pizza. The email address was hell@mydomain, so it is possible that they just created the email address, but I think it more likely that Hell Pizza, or their site operator, either sold it or were compromised.

I have had this kind of problem with the House of Travel too and they, of course, denied any fault and tried to blame me by suggesting I had used the email address somewhere public. The catch with that theory is it was a unique email address just for them. One suggestion I had heard was that cross site scripting could be the cause of such email address leakage. I'm not sure how likely that is?


Sorry folks for bringing this back to life... But things have happened that made me remember this thread.

It appears that Hell Pizza's database was compromised, thanks to a SQL Injection attack, about the same time you started receiving that spam.

According to http://risky.biz/hell:


When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as "about 50 steps of fail".


I have sent an email to Hell Pizza asking for confirmation on this story, but it sounds very familiar...

(3295 posts, Uber Geek, +1 received by user: 211, Trusted)
# 355288 23-Jul-2010 11:45

"I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.

I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."

Yeah, right.

Go Hawks! (918 posts, Ultimate Geek, +1 received by user: 61, Trusted, Subscriber)
# 355425 23-Jul-2010 16:03

"I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.

I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."


Given that Mauricio has posted something pointing to a remote connection available directly to the database, the claim that the web servers are behind dedicated, monitored firewalls is moot - any attempt to talk to the database will result in the rules in the firewall claiming "Legitimate traffic".

.... unless someone is also monitoring logs from the firewalls very closely ....

I'm thanking my lucky stars that all the information that I've given hell pizza is unique to hell pizza (with the obvious exception of my name and address ...)

Perhaps someone would like to produce something that is less ... "flashy" for ordering pizzas? :-)
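The post above makes the point that a firewall will wave the database traffic through as legitimate unless somebody is actually reading the logs. What that reading could look like, as an added example (Python, not code from this thread, from Hell Pizza or from Interspire) over a few constructed access-log lines: each request is parsed, its query string URL-decoded, and any parameter whose value is an SQL statement is flagged. A statement that only touches the tables the front-end is expected to read is reported as a "design" finding (the queries the SWF itself sends would trigger it, which is the point), and one that names any other table as "critical". The log format, IPs, paths and the table allowlist are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. They are made up for this
# example and are not Hell Pizza traffic; the hosts, paths and table names are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2010:16:03:01 +1200] "GET /order/menu.php?store=12&cat=pizza HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Jul/2010:16:03:07 +1200] "GET /order/data.php?q=SELECT+name%2Cprice+FROM+menu+WHERE+store%3D12 HTTP/1.1" 200 8810 "-" "Shockwave Flash"
10.0.0.9 - - [23/Jul/2010:16:03:15 +1200] "GET /order/data.php?q=SELECT+*+FROM+customers HTTP/1.1" 200 90210 "-" "curl/7.19"
10.0.0.7 - - [23/Jul/2010:16:04:02 +1200] "POST /order/submit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Tables the ordering front-end is supposed to read (hypothetical allowlist for the example).
EXPECTED_TABLES = {"menu", "stores"}

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# A parameter value that *starts* with an SQL statement keyword is SQL text, not data.
SQL_STATEMENT = re.compile(r"^\s*(select|insert|update|delete|union|drop|alter)\b", re.I)
# Table names referenced after FROM / JOIN / INTO / UPDATE.
TABLE_REF = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][\w.]*)", re.I)


def scan_log(text, expected_tables=EXPECTED_TABLES):
    """Return one finding per request parameter whose value is an SQL statement.

    severity "design":   the statement only touches tables the front-end is expected to
                         use (the hard-coded queries the client sends; the design itself
                         is the finding).
    severity "critical": it references any other table, i.e. the query was altered.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, stamp, method, target, status = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not SQL_STATEMENT.match(value):
                continue
            tables = [t.lower() for t in TABLE_REF.findall(value)]
            severity = "design" if set(tables) <= set(expected_tables) else "critical"
            findings.append({
                "ip": ip, "time": stamp, "method": method, "path": parts.path,
                "param": name, "sql": value, "tables": tables,
                "status": int(status), "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:10} {f['path']} "
              f"{f['param']}={f['sql']!r} tables={f['tables']}")
```

The allowlist is what turns a noisy rule into a useful one: on a site built this way every legitimate order also carries SQL, so the first finding is expected and documents the design flaw, while the second is the one an operator watching the logs would need to act on.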

BDFL - Memuneh (63363 posts, Uber Geek, +1 received by user: 13861, Administrator, Trusted, Geekzone, Lifetime subscriber)
# 355426 23-Jul-2010 16:05

(1267 posts, Uber Geek, +1 received by user: 166)
# 355441 23-Jul-2010 16:22

From skimming that Risky.Biz document, it sounds like the developers broke a cardinal rule of web application development: NEVER TRUST ANYTHING FROM THE CLIENT.

And not just in an "oh, we should have escaped that string" way, but in an "oh, really, you mean we shouldn't accept entire SQL queries from the browser and execute them then?" way!

If this is accurate, well, words fail me. And they fail security!

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...
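The Risky.Biz description quoted earlier in the thread (SQL hard-coded in the SWF, shipped in the query string and executed as received) and the "never trust anything from the client" rule in the post above are the same point from two sides. As an added example, not code from this thread, from Hell Pizza or from Interspire, here is that pattern beside its fix in Python, using an in-memory SQLite database as a stand-in for the store's MySQL (the schema and rows are constructed for the example): `vulnerable_handler` reproduces the described design and executes whatever statement the client supplies, while `hardened_handler` keeps every statement on the server, lets the client pick only a named action, and binds its values as parameters.

```python
import sqlite3


def make_store_db():
    """Constructed in-memory stand-in for the store database (sample schema, not Hell Pizza's)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE menu (id INTEGER PRIMARY KEY, store INTEGER, name TEXT, price REAL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO menu VALUES (1, 12, 'Lust', 18.50), (2, 12, 'Wrath', 19.00), (3, 7, 'Envy', 17.00);
        INSERT INTO customers VALUES (1, 'hell@example.invalid', 'fakehash1'),
                                     (2, 'bob@example.invalid', 'fakehash2');
    """)
    return db


# BEFORE: the pattern the Risky.Biz source describes. The client (a Flash SWF) carries the
# SQL text itself in the request and the server runs it unchanged, so every statement the
# database account can execute is reachable by editing the query string.
def vulnerable_handler(db, params):
    return db.execute(params["q"]).fetchall()


# AFTER: the server owns every statement. The client may only name an action from this
# table and supply values, which are bound as parameters rather than pasted into SQL.
QUERIES = {
    "menu": "SELECT name, price FROM menu WHERE store = ? ORDER BY name",
}


def hardened_handler(db, params):
    action = params.get("action")
    if action not in QUERIES:
        # Anything that is not a known action (including a raw "q" parameter) is refused.
        raise PermissionError(f"unknown action {action!r}")
    try:
        store = int(params.get("store", ""))
    except ValueError:
        # Type-check values before they go near the database; "12 OR 1=1" stops here.
        raise ValueError("store must be an integer") from None
    return db.execute(QUERIES[action], (store,)).fetchall()


if __name__ == "__main__":
    db = make_store_db()
    # The SWF's own hard-coded request works through either handler...
    print(vulnerable_handler(db, {"q": "SELECT name, price FROM menu WHERE store = 12"}))
    print(hardened_handler(db, {"action": "menu", "store": "12"}))
    # ...but only the vulnerable one will run a statement the client was never meant to send.
    print(vulnerable_handler(db, {"q": "SELECT email FROM customers"}))
    try:
        hardened_handler(db, {"q": "SELECT email FROM customers"})
    except PermissionError as exc:
        print("refused:", exc)
```

With this shape, a request carrying raw SQL never reaches the database, and a tampered value is rejected by the integer check before it is bound. The rest of the defence the article's description calls for sits outside the application code: the account the web tier connects with should hold rights only on the tables it needs, and MySQL should not be reachable from the network at all (`bind-address = 127.0.0.1` or `skip-networking` in my.cnf, with a matching firewall rule), so that the "remote port" the source mentions does not exist.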


BDFL - Memuneh (63363 posts, Uber Geek, +1 received by user: 13861, Administrator, Trusted, Geekzone, Lifetime subscriber)
# 355471 23-Jul-2010 17:23

Interesting to see Hell Pizza did not reply to an email I sent them requesting more information on this.

It shows complete disregard for their customers' privacy, and a lack of transparency in dealing with this breach.

(422 posts, Ultimate Geek, +1 received by user: 92, Subscriber)
# 355474 23-Jul-2010 17:30

All this AND the quality of their pizzas and service has gone majorly downhill in the last year or so. Not good for Hell Pizza Co.

(1574 posts, Uber Geek, +1 received by user: 11)
# 355499 23-Jul-2010 18:27

The issue has just made the news in a few more places.

http://tvnz.co.nz/national-news/hacker-claims-have-hell-pizza-passwords-3670977
http://www.techday.co.nz/netguide/news/hell-pizza-customer-database-compromised/17171/1/

Looks like Hell pizza have now taken the matter to the police.

BDFL - Memuneh (63363 posts, Uber Geek, +1 received by user: 13861, Administrator, Trusted, Geekzone, Lifetime subscriber)
# 355509 23-Jul-2010 18:40

dontpanic42: Looks like Hell pizza have now taken the matter to the police.


After someone raised the possibility here 18 months ago? Surely they should've known for some time?

(1574 posts, Uber Geek, +1 received by user: 11)
# 355516 23-Jul-2010 18:53

freitasm:
dontpanic42: Looks like Hell pizza have now taken the matter to the police.


After someone raised the possibility here 18 months ago? Surely they should've known for some time?

A bit of a worry, isn't it?!?

(536 posts, Ultimate Geek)
# 355520 23-Jul-2010 19:09

Terrible. Might try and delete my account.

Edit: Hell have just issued a statement: http://www.facebook.com/photo.php?pid=4362601&id=43522837224

(1163 posts, Uber Geek)
# 355561 23-Jul-2010 21:28

bazzer: "I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.

I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."

Yeah, right.


Using interspire software doesn't make you immune. I use interspire software myself for client websites, and ALL software can suffer from compromises, especially if you don't keep it up to date with the latest versions.

Baby Get Shaky! (1609 posts, Uber Geek, +1 received by user: 412, Trusted, Subscriber)
# 355587 23-Jul-2010 22:53

Does anyone know when Hell launched the latest iteration of their website? Ordering today, I noticed a brand new website which required us to re-join and re-enter our details. Could this be linked to the re-emergence of this email issue?

OT //

Completely off topic now, but remotely relevant: I was in a Hell Pizza store this evening waiting for my order when a woman slipped over on the wet floor and hurt her back. The staff there had no idea what to do. One wandered over and asked her if she was alright; when all he got back was tears he wandered back to the counter and got a wet floor sign. Another staff member eventually asked her and her boyfriend if she would like an ambulance; it was up to a customer to get a blanket from her car to cover the woman and keep her calm... complete fail.

// OT
