3080 posts

Uber Geek
+1 received by user: 499

Trusted
Subscriber

  # 356182 25-Jul-2010 20:43

freitasm:

Sorry folks for bringing this back to life... But things have happened that made me remember this thread.

It appears that Hell Pizza's database was compromised, thanks to a SQL Injection attack, about the same time you started receiving that spam.

According to http://risky.biz/hell:

I have sent an email to Hell Pizza asking for confirmation on this story but it sounds very familiar...


The NZ Herald just covered this today, and they have the director Warren Powell on record stating that it was an employee responsible for leaking the database, and they haven't been able to locate the actual source of the breach.  Sounds like he just might be lying.  Especially since they have Risky.biz quoting in the same article that it is most assuredly not an employee responsible, but a giant security flaw.

I don't know about you, but with that sort of attitude toward customer security, Hell Pizza most assuredly will never be getting my business again.




I finally have fibre!  Had to leave the country to get it though.


BDFL - Memuneh
63371 posts

Uber Geek
+1 received by user: 13886

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 356189 25-Jul-2010 20:56

From reading the risky.biz site it seems Spikefin did a poor job of issuing SQL commands directly from the Flash website to the database server. Anyone "listening" could just emulate those commands and retrieve records at will...

Having firewalls (as they claim) would do nothing to block traffic that was, for all intents and purposes, "legitimate".







3080 posts

Uber Geek
+1 received by user: 499

Trusted
Subscriber

  # 356283 26-Jul-2010 00:33

Hell Ireland is using the old vulnerable version. Hell Australia and United Kingdom are currently down with a JSP Database exception, which I'd assume means they are vulnerable too.

Canada's is not vulnerable as they have migrated to Mobi2Go like New Zealand has.




I finally have fibre!  Had to leave the country to get it though.


3080 posts

Uber Geek
+1 received by user: 499

Trusted
Subscriber

  # 356287 26-Jul-2010 00:39

Holy crap, GOOGLE has actually INDEXED and CACHED some of the SQL query results (with customer data - well, a customer's name anyway)

I guess this answers how the "hackers" got the info then?




I finally have fibre!  Had to leave the country to get it though.


Mr Snotty
8620 posts

Uber Geek
+1 received by user: 4514

Moderator
Trusted
Lifetime subscriber

  # 356302 26-Jul-2010 01:32

Kyanar: Holy crap, GOOGLE has actually INDEXED and CACHED some of the SQL query results (with customer data - well, a customer's name anyway)


I nearly coughed up my pizza. That is some bad security there. Don't they know how to use SQL?! I don't think I will be hiring the web design company behind this anytime soon, heck at our Datacentre we attempt to make sure our customers are secure from this sort of thing.

It seems that their UK site is down, this site is hosted here in Christchurch too. I think there's a bit of bad management there with the way the sites are managed, since their main NZ site is hosted with Netspace in Wellington, it's a bit all over the place.




942 posts

Ultimate Geek
+1 received by user: 29


  # 357501 28-Jul-2010 00:08

dontpanic42: The issue has just made the news in few more places.

http://tvnz.co.nz/national-news/hacker-claims-have-hell-pizza-passwords-3670977
http://www.techday.co.nz/netguide/news/hell-pizza-customer-database-compromised/17171/1/

Looks like Hell pizza have now taken the matter to the police.


LOL!!! A person HELPS them out and they respond by sending them to the Police....   oh hang on, why am I laughing...  this is also really SAD and WRONG! Seriously, what the hell Hell!


maknz: Terrible. Might try and delete my account.

Edit: Hell have just issued a statement: http://www.facebook.com/photo.php?pid=4362601&id=43522837224


I fully agree with this guy (2nd comment on facebook):

Kelvin Yong Why not have this typed out as a note on Hell Pizza's profile, so it's searchable and more useful? Search engine can't "read" text in the image.

If I was conspiracy minded I would sooo be believing that too right now, but surely there is another explanation?! (but good to see later they made a note as well, conspiracy theory squashed? :P But Hell only admits it was due to Kelvin's "insistence" that this happened.... !!)

However this comment:

Steve McAteer this is pretty responsible for a company ! Most companies would simply try to keep it quiet...obviously one day coming back to bite them on the ass, so well done HELL, i wish all companies we're this open, transparent and honest...keep it up, hopefully the theory will spread !

I read that again with a mixture of laughter (because it is so far from reality...) and sadness... (for the same reason!)

Another clueless customer:

Danny Collings Kelvin get ova ur bad self , hell have it covered i have mates that work in hell ..its being taken care of.. and the customers who are affected in anyway have or are about to receive e-mails to let them know ...
if you really wnt to throw ...something around go to the hells web page and grab a little devil to toss , ps most customers of hells trust them to do the right thing they have so enough already with you making ur point ova and ova and ova ..........if this gets u pissy well it proves my point u need to chillax !

Correct me if I'm wrong, but did EVERY customer get an email? As that is how many were breached. Besides, Kelvin was spot on the money.

Another person (Amanda Easterbrook, very long comment so won't quote it all) accused RiskyBiz of being the only person doing wrong here because she said he is trying to extort money!! :o wtf






942 posts

Ultimate Geek
+1 received by user: 29


  # 357506 28-Jul-2010 00:26

Oh dear... Spikefin Interactive list their *awards* on their site (how does that happen?):

http://www.spikefin.com/company/

I can't wait until they had a "media coverage" tab :P

More funny goodness:
http://www.spikefin.com/development/
"Our core competencies lie in technologies such as Flex, Flash, Actionscript, HTML/CSS, Objective C, Java and MySQL".

Spikefin can help you build highly interactive applications that can run in Flash-enabled browsers or on the desktop using AIR. Our development team are specialists in Flex, an open-source framework that deploys consistently on all major browsers and operating systems.

Flex's rapid prototyping means you can see your ideas unfold and refine them throughout the development process. It's fast and transparent development that keeps you in control. Outsource your project with confidence.

Less waiting. More action. Watch as your ideas come to life with Flex's rapid prototyping.

Transparent development. Outsource with the confidence of a development cycle you can see.

Enterprise-grade. But sexy. Make business intelligence intuitive and sexy with Flex's advanced data visualisation components.

=========

haha, we can't fault them with their advanced data visualisation.... the whole world can see it!




BDFL - Memuneh
63371 posts

Uber Geek
+1 received by user: 13886

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 357535 28-Jul-2010 07:42


Kelvin Yong
Why not have this typed out as a note on Hell Pizza's profile, so it's searchable and more useful? Search engine can't "read" text in the image.

If I was conspiracy minded I would sooo be believing that too right now, but surely there is another explanation?! (but good to see later they made a note as well, conspiracy theory squashed? :P But Hell only admits it was due to Kelvin's "insistence" that this happened.... !!)


Kelvin is our very own ex-moderator Chiefie. That's why he's clued up.
However this comment:


Steve McAteer this is pretty responsible for a company ! Most companies would simply try to keep it quiet...obviously one day coming back to bite them on the ass, so well done HELL, i wish all companies we're this open, transparent and honest...keep it up, hopefully the theory will spread !

I read that again with a mixture of laughter (because it is so far from reality...) and sadness... (for the same reason!)

Another clueless customer:

Danny Collings Kelvin get ova ur bad self , hell have it covered i have mates that work in hell ..its being taken care of.. and the customers who are affected in anyway have or are about to receive e-mails to let them know ... if you really wnt to throw ...something around go to the hells web page and grab a little devil to toss , ps most customers of hells trust them to do the right thing they have so enough already with you making ur point ova and ova and ova ..........if this gets u pissy well it proves my point u need to chillax !

Correct me if I'm wrong, but did EVERY customer get an email? As that is how many were breached. Besides, Kelvin was spot on the money.

Another person (Amanda Easterbrook, very long comment so won't quote it all) accused RiskyBiz of being the only person doing wrong here because she said he is trying to extort money!! :o wtf



People who don't understand the risks of lack of privacy and security on the Internet. They probably didn't read the whole thing, didn't understand how and why, and have no idea of the impact of this in their lives.





8033 posts

Uber Geek
+1 received by user: 390

Trusted

  # 357700 28-Jul-2010 13:17

The original version of the site was probably developed about 10 years ago so it's understandable (but not excusable) how secure coding practices weren't adhered to.

Sql injection problems are extremely common with old sites.

1267 posts

Uber Geek
+1 received by user: 166


  # 357707 28-Jul-2010 13:29

SQL injection is one thing, but this was pretty sloppy, it wasn't just forgetting to escape a string or something, it was sending complete unchecked SQL across the wire.  Even 10 years ago (really, 10 years, in flash?) that would have been pretty obviously a bad idea.




---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


3424 posts

Uber Geek
+1 received by user: 700

Trusted

  # 357744 28-Jul-2010 14:48

seriously who thought this was a good idea?

https://www.hellpizza.com.au/sql_engine.jsp?RUN_ANY_QUERY_YOU_LIKE

but at least it was over https :P, so glad i never ordered pizza using their online site.

8033 posts

Uber Geek
+1 received by user: 390

Trusted

  # 358029 28-Jul-2010 23:40

Oh wow, that is not just bad practice, it's retarded practice.

22073 posts

Uber Geek
+1 received by user: 4685

Trusted
Subscriber

  # 358031 28-Jul-2010 23:42

It's the sort of thing you would do in a quick and dirty mockup to demo something in a controlled environment. Then someone deployed it as is. Well, that's what I expect happened.




Richard rich.ms

942 posts

Ultimate Geek
+1 received by user: 29


  # 358371 29-Jul-2010 13:52

sleemanj: SQL injection is one thing, but this was pretty sloppy, it wasn't just forgetting to escape a string or something, it was sending complete unchecked SQL across the wire.  Even 10 years ago (really, 10 years, in flash?) that would have been pretty obviously a bad idea.
It wasn't just that, they had a whole comedy of errors. Like storing passwords as plain text; no matter how many years we are talking about, you can't call that secure.
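As an added example (not code from the thread, from Spikefin or from Hell Pizza), here is the pattern freitasm and sleemanj describe beside a hardened equivalent, in Python against an in-memory SQLite database of constructed sample data: the vulnerable endpoint runs whatever SQL text the client sends, so a firewall or HTTPS cannot distinguish a hostile request from a legitimate one, while the fixed version keeps the query on the server, binds the only client input as a parameter, takes the row filter from server-side session state, and stores passwords salted and hashed rather than in plain text (rich.ms's point). Table, column and function names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    # Salted PBKDF2 instead of plain-text storage; a fresh salt per customer.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows standing in for a customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
                 "pw_salt BLOB, pw_hash BLOB)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, "
                 "customer_id INTEGER, item TEXT)")
    for cid, name, pw in [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")]:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                     (cid, name, salt, digest))
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(10, 1, "Mordor"), (11, 2, "Lust"), (12, 1, "Greed")])
    return conn


def vulnerable_sql_engine(conn: sqlite3.Connection, sql: str) -> list:
    # The design the thread describes: the client ships a complete SQL
    # statement and the server executes it verbatim. Every request looks
    # "legitimate" to the network, so firewalls and TLS change nothing.
    return conn.execute(sql).fetchall()


def my_orders(conn: sqlite3.Connection, session_customer_id: int) -> list:
    # Hardened: the SQL lives on the server, the client never sends any,
    # and the customer filter comes from the authenticated session, not
    # from a request field the caller could change.
    return conn.execute(
        "SELECT id, item FROM orders WHERE customer_id = ? ORDER BY id",
        (session_customer_id,)).fetchall()


def check_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterised lookup plus constant-time comparison of the stored hash.
    row = conn.execute("SELECT pw_salt, pw_hash FROM customers WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])
```

The contrast to draw is architectural: even a perfectly escaped `vulnerable_sql_engine` remains unsafe because the server has delegated the choice of query to the client.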



