Geekzone: technology news, blogs, forums
scottjpalmer (5912 posts, Uber Geek, Moderator, ID Verified, Trusted, Lifetime subscriber)
#248406 18-Aug-2009 22:56

I didn't get it this time round

kingjj (1728 posts, Uber Geek, ID Verified, Trusted)
#248423 19-Aug-2009 00:29

savag3: I wonder if the third party email marketing system they have used (mailprimer.com) has been compromised. That might explain why emails used at other companies have been spammed as well.

That's a good suggestion! I also received this email a few weeks ago and again three times over the last two days. It came to an account I use for Hell Pizza and ten dozen other sites, so I can't place blame there. My email address however is a combo of three words, one of which is spelled incorrectly, so if it is a dictionary attack it's a clever one.

freitasm (BDFL - Memuneh, 76854 posts, Uber Geek, Administrator, ID Verified, Trusted, Geekzone, Lifetime subscriber)
#355259 23-Jul-2010 10:33

ukoda:
Bee: Interesting...
I got it 3 times last night too... How did it get our email addresses? What have we all signed up for that has sold/leaked our email address???

I received it using the email address I signed up to with Hell Pizza. The email address was hell@mydomain so it is possible that they just created the email address, but I think it more likely that Hell Pizza, or their site operator, either sold it or were compromised.

I have had this kind of problem with the House of Travel too and they, of course, denied any fault and tried to blame me by suggesting I had used the email address somewhere public. The catch with that theory is it was a unique email address just for them. One suggestion I had heard was that cross site scripting could be the cause of such email address leakage. I'm not sure how likely that is?

Sorry folks for bringing this back to life... But things have happened that made me remember this thread.

It appears that Hell Pizza's database was compromised, thanks to a SQL Injection attack, about the same time you started receiving that spam.

According to http://risky.biz/hell:


When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge); the hashes in this version are very weak, and cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as "about 50 steps of fail".


I have sent an email to Hell Pizza asking for confirmation on this story but it sounds very familiar...

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze
freitasm on Keybase | My technology disclosure

bazzer (3438 posts, Uber Geek, Trusted)
#355288 23-Jul-2010 11:45

"I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.

I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."

Yeah, right.

wazzageek (1090 posts, Uber Geek, ID Verified, Trusted, Lifetime subscriber)
#355425 23-Jul-2010 16:03

"I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.

I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."

Given that Mauricio has posted something pointing to a remote connection available directly to the database, the claim that the web servers are behind dedicated, monitored firewalls is moot - any attempt to talk to the database will result in the rules in the firewall claiming "Legitimate traffic".

.... unless someone is also monitoring logs from the firewalls very closely ....

I'm thanking my lucky stars that all the information that I've given Hell Pizza is unique to Hell Pizza (with the obvious exception of my name and address ...)

Perhaps someone would like to produce something that is less ... "flashy" for ordering pizzas? :-)

freitasm (BDFL - Memuneh, 76854 posts, Uber Geek, Administrator, ID Verified, Trusted, Geekzone, Lifetime subscriber)
#355426 23-Jul-2010 16:05

I was just pointed to a Privacy Breach Guidelines document (http://privacy.org.nz/privacy-breach-guidelines-2/?highlight=data%20breach) which obviously wasn't followed by Hell.

Note this document pre-dates the alleged breach by eighteen months.
sleemanj (1480 posts, Uber Geek)
#355441 23-Jul-2010 16:22

From skimming that Risky.Biz document, it sounds like the developers broke a cardinal rule of web application development: NEVER TRUST ANYTHING FROM THE CLIENT.

And not in just a "oh, we should have escaped that string" way, but in an "oh, really you mean we shouldn't accept entire SQL queries from the browser and execute them then?" way!

If this is accurate, well, words fail me. And they fail security!

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

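As an added illustration of the two posts above (the Risky.Biz description of a Flash client that ships hard-coded SQL in the query string, and the "never trust anything from the client" rule), here is the anti-pattern next to a hardened handler, plus a small log check for the point that firewall or web logs only help if someone reads them. This is example code written for this page, not code from Geekzone, Risky.Biz, Hell Pizza or Interspire; it uses an in-memory sqlite3 database with constructed rows, and the table names, parameter names and access-log layout are assumptions for illustration, not the real site's schema.

```python
"""
Added example: "the query string carries the SQL" anti-pattern beside a
hardened handler, and a detection heuristic over constructed access-log
lines.  Schema, parameter names and log format are assumptions.
"""
import re
import sqlite3
from urllib.parse import parse_qs


def make_db() -> sqlite3.Connection:
    """Throwaway store database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
        INSERT INTO products  VALUES (1, 'Margherita', 1990), (2, 'Pepperoni', 2190);
        INSERT INTO customers VALUES
            (1, 'hell@example.invalid', 'placeholder-hash-1'),
            (2, 'bob@example.invalid',  'placeholder-hash-2');
        """
    )
    return conn


def vulnerable_handler(conn: sqlite3.Connection, query_string: str):
    """
    Anti-pattern from the thread: the client sends a whole SQL statement and
    the server simply runs it.  Every table the database account can read is
    therefore reachable from the browser, not just the products catalogue.
    """
    sql = parse_qs(query_string).get("sql", [""])[0]
    return conn.execute(sql).fetchall()


ID_RE = re.compile(r"[0-9]{1,9}")
PRODUCT_SQL = "SELECT id, name, price_cents FROM products WHERE id = ?"


def hardened_handler(conn: sqlite3.Connection, query_string: str):
    """
    Hardened form: the client sends only an identifier, the server owns the
    statement, and the value is bound as a parameter so it is never parsed
    as SQL.  Anything that is not a short integer is rejected before the
    database is touched.
    """
    raw = parse_qs(query_string).get("id", [""])[0]
    if not ID_RE.fullmatch(raw):
        raise ValueError("product id must be a short integer")
    return conn.execute(PRODUCT_SQL, (int(raw),)).fetchall()


SQL_HINT = re.compile(r"\b(select|union|insert|update|delete|drop|from|where)\b", re.I)


def flag_sql_in_request(log_line: str) -> bool:
    """
    Detection heuristic: flag an access-log line whose decoded query-string
    values contain at least two SQL keywords.  Assumes a combined-log style
    line with the request in double quotes; two keywords rather than one
    keeps ordinary parameter values like from=auckland from alerting.
    """
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return False
    qs = m.group(1).partition("?")[2]
    decoded = " ".join(v for vals in parse_qs(qs).values() for v in vals)
    return len(set(k.lower() for k in SQL_HINT.findall(decoded))) >= 2


SAMPLE_LOG = [  # constructed lines, not from any real server
    '203.0.113.5 - - [23/Jul/2010:10:33:00 +1200] "GET /order.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jul/2010:10:34:10 +1200] "GET /order.php?sql=SELECT+email+FROM+customers HTTP/1.1" 200 2048',
]


def demo():
    """Run both handlers and the log check; returns the results for inspection."""
    conn = make_db()
    leak = vulnerable_handler(conn, "sql=SELECT+email+FROM+customers")  # customers table exposed
    good = hardened_handler(conn, "id=2")                                # only the fixed query runs
    try:
        hardened_handler(conn, "id=2+OR+1%3D1")
        blocked = False
    except ValueError:
        blocked = True
    flagged = [flag_sql_in_request(line) for line in SAMPLE_LOG]
    return leak, good, blocked, flagged


if __name__ == "__main__":
    print(demo())
```

The hardened handler fixes only the injection point; the other two problems the Risky.Biz source lists (the database listening on a remote port, and the weak password hashes of that MySQL version) are separate controls that parameterised queries do nothing about.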
freitasm (BDFL - Memuneh, 76854 posts, Uber Geek, Administrator, ID Verified, Trusted, Geekzone, Lifetime subscriber)
#355471 23-Jul-2010 17:23

Interesting to see Hell Pizza did not reply to an email I sent them requesting more information on this.

It shows complete disregard to their customers' privacy, and lack of transparency in dealing with this breach.
MackinNZ (450 posts, Ultimate Geek, Lifetime subscriber)
#355474 23-Jul-2010 17:30

All this AND the quality of their pizzas and service have gone majorly downhill in the last year or so. Not good for Hell Pizza Co.

dontpanic42 (1574 posts, Uber Geek)
#355499 23-Jul-2010 18:27

The issue has just made the news in a few more places.

http://tvnz.co.nz/national-news/hacker-claims-have-hell-pizza-passwords-3670977
http://www.techday.co.nz/netguide/news/hell-pizza-customer-database-compromised/17171/1/

Looks like Hell pizza have now taken the matter to the police.

freitasm (BDFL - Memuneh, 76854 posts, Uber Geek, Administrator, ID Verified, Trusted, Geekzone, Lifetime subscriber)
#355509 23-Jul-2010 18:40

dontpanic42: Looks like Hell pizza have now taken the matter to the police.

After someone raised the possibility here, 18 months ago? Surely they should've known for some time?
dontpanic42 (1574 posts, Uber Geek)
#355516 23-Jul-2010 18:53

freitasm:
dontpanic42: Looks like Hell pizza have now taken the matter to the police.

After someone raised the possibility here, 18 months ago? Surely they should've known for some time?



A bit of a worry isn't it?!? Surprised

oldmaknz (536 posts, Ultimate Geek)
#355520 23-Jul-2010 19:09
Terrible. Might try and delete my account.

Edit: Hell have just issued a statement: http://www.facebook.com/photo.php?pid=4362601&id=43522837224

robbyp (1199 posts, Uber Geek)
#355561 23-Jul-2010 21:28
bazzer: "I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.

I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."

Yeah, right.

Using interspire software doesn't make you immune. I use interspire software myself for client websites, and ALL software can suffer from compromises, especially if you don't keep it up to date with the latest versions.

kingjj (1728 posts, Uber Geek, ID Verified, Trusted)
#355587 23-Jul-2010 22:53

Does anyone know when Hell launched the latest iteration of their website? Ordering today, I noticed a brand new website which required us to re-join and re-enter our details. Could this be linked to the re-emergence of this email issue?

OT //

Completely off topic now but remotely relevant: I was in a Hell Pizza store this evening waiting for my order when a woman slipped over on the wet floor and hurt her back. The staff there had no idea what to do. One wandered over and asked her if she was alright; when all he got back was tears he wandered back to the counter and got a wet floor sign. Another staff member eventually asked her and her boyfriend if she would like an ambulance; it was up to a customer to get a blanket from her car to cover the woman and keep her calm... complete fail.

// OT
