My window to the world


Hell Pizza Hell: database security was lacking?

By Mauricio Freitas, posted: 26-Jul-2010 01:56

Everyone heard about the Hell Pizza database leak, but what is only now showing up in the media is a story that seems to be developing for more than twelve months. Back in August 2009 some Geekzone users reported receiving spam on email addresses used only with Hell Pizza's online ordering system.

At the time someone posted in our forums on behalf of Hell Pizza saying "we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed."

Fast forward thirteen months to this week and blog Risky.Biz published "I know what you ate last summer" where it reveals that "multiple intruders have compromised Hell Pizza's 400mb (sic) database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries."

It continues "When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

The New Zealand media found the story, and the NBR published "Hell Pizza: customer database could have been hacked". Chris Keall contacted Hell Pizza director Warren Powell, who said "Everybody gets hacked into, even the Pentagon." He also added that the potentially stolen data was "of no value to anyone."

That's the problem. The data is valuable to spammers, and to anyone who would like to try any of those 230,000 passwords on other sites - it's a known fact that many Internet users simply reuse the same password on different sites. This can potentially lead to identity theft. This is serious business.

According to a story on Stuff "Hell's director Warren Powell told NZPA he is unaware of any breach in security, and IT staff have so far found nothing proving information has been stolen."

Now comes the interesting part... Mr Warren Powell said to Stuff "If there is breach of security it will appear, data would have been removed and therefore it would appear as a download. We'll be able to find out the day and the computer it was downloaded to and we'll be able to prosecute this person if they exist."

They won't find anything. If Risky.Biz is correct, the old Hell Pizza ordering system was developed with poor attention to security, and the application running on the user's browser was communicating directly with the database.

This means any connection to the database would be considered valid, so those "dedicated, monitored firewalls" wouldn't do any good.

It also means anyone could issue commands to the database and receive a response with that data - in which case it wouldn't appear as a download at all, but as a normal web request in the web server logs.
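As an added illustration (not code from the original post or from Hell Pizza's site), here is the pass-through design the article describes next to a fixed-shape, parameterized endpoint; the function names and the customer rows are constructed for the example.

```python
"""Added example, not code from the original post or from Hell Pizza's
site: a pass-through SQL endpoint of the kind the article describes,
beside a fixed-shape, parameterized one.  Names and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the old customer table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)"
    )
    con.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.invalid", "hunter2"),
        (2, "bob", "bob@example.invalid", "letmein"),
    ])
    return con


def passthrough_endpoint(con: sqlite3.Connection, query: str):
    """Vulnerable design: the request carries the SQL text itself, so the
    endpoint cannot tell a legitimate order lookup from any other statement
    the database accepts.  The web server only ever sees an ordinary HTTP
    request, which is why such reads never show up as a 'download'.
    Prefixing a keyword such as 'SELECT ' to the text changes nothing: the
    statement being executed is still chosen entirely by the client."""
    return con.execute(query).fetchall()


def customer_email_endpoint(con: sqlite3.Connection, customer_id: str):
    """Hardened design: the request carries only a customer id, the SQL
    lives on the server, the value is bound as a parameter, and the
    response is limited to the columns this feature actually needs."""
    if not customer_id.isdigit():
        raise ValueError("customer id must be a positive integer")
    row = con.execute(
        "SELECT name, email FROM customer WHERE id = ?", (int(customer_id),)
    ).fetchone()
    return dict(zip(("name", "email"), row)) if row else None


if __name__ == "__main__":
    db = make_db()
    print(passthrough_endpoint(db, "SELECT * FROM customer"))  # every column of every row
    print(customer_email_endpoint(db, "1"))                    # one row, two columns
```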

I tried contacting Hell Pizza via email but received no reply.

People on Geekzone noticed the Hell Pizza Ireland website could still be running the old, apparently vulnerable version of the ordering system. Currently both Hell Pizza Australia and Hell Pizza UK are returning server errors, with messages that lead us to believe they too were running the apparently vulnerable site version until recently - perhaps taken down to prevent further access to data?

I was alerted by one of the Geekzone users of further evidence that there was a vulnerability on the old Hell Pizza ordering system, and a Google search reveals the existence of a script that was there only to execute SQL commands - so vulnerable in fact that even Google found it and cached a result:

Hell Pizza SQL Query on Google

In an email sent to customers this week, Stu McMullin, Hell Pizza Director says "Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website."

Juha Saarinen reminded us, via Twitter, of the Privacy Commissioner's Privacy Breach Guidelines.

How long since Hell Pizza had knowledge of this security breach? Or did they only realise something was happening after Risky.Biz contacted them? If they did have knowledge, why wasn't it disclosed before? Will we see other New Zealand companies working to improve their IT security practices after seeing this happening?




Comment by astroboy, on 26-Jul-2010 05:57

" it's a known fact that many Internet users simply reuse the same password in different sites. This can potentially lead to identity theft. This is serious business"

Does this mean that Hell didn't encrypt user passwords?


Comment by rassnor, on 26-Jul-2010 08:19

Passing an SQL query via URL is a dumb move from the start, I'd be talking/yelling at the developers who thought that was a good idea.

As astroboy said, did they not store their passwords with one way hashing/encryption like every other sensible website on the internet? Who developed their website?


Comment by Kyanar, on 26-Jul-2010 09:38

Based on the comments from Hell, I'd say they were not in fact hashing passwords (regardless, they probably used MD5 even if they did, and as such most passwords can relatively easily be cracked anyway).

Spikefin Interactive was responsible for that atrocity. 


Comment by xurizaemon, on 26-Jul-2010 09:42

@astroboy - I'd heard (perhaps on the risky.biz podcast?) the passwords were only hashed, and thus could be extracted with time and CPU on the part of the attacker. But on re-reading the article at http://risky.biz/hell there's no indication of whether there was any form of hash or encryption on the passwords.

There are plenty of sites which still appear to store passwords plaintext (TradeMe being the biggest NZ example of a site which will email you back your password, suggesting recoverable storage of some form).

Safe password practice is to assume that any remote site is storing your password in eight foot high neon lights while emailing it directly to forums in .ru, .cn and .br ;)


Comment by BlueToothKiwi, on 26-Jul-2010 10:37

You said, "How long since Hell Pizza had knowledge of this security breach?...  If they did have knowledge, why wasn't it disclosed before?"

I got notified last week with an email (with an option to unsubscribe - which I promptly did). The point about the password is a valid one - I have a habit of not using the same password in multiple web sites - though as I get older I find it harder and harder to remember 33 or so passwords in my head!!

Anyway here is the email I got - which I think goes some way towards taking ownership - but prevention in the first place would have been better:

"Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation.  The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.

Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website.

We apologise for the incident and any inconvenience that this may have caused.

Sincerely,

Stu McMullin – Director Hell Pizza

We acknowledge that some of you have asked to be removed from the database and we have only included you for the purposes of this notification. "


Author's note by freitasm, on 26-Jul-2010 10:39

The "unsubscribe" option you see is probably for the mailing list. Was it anywhere saying it would be a complete removal from their database?


Comment by richms, on 26-Jul-2010 13:12

Businesses can't really remove people from their database as so many privacy nuts request, as the database is the business's records.

Also they are allowed to contact people that have opted out of emails for things like this, so I am puzzled why they even put that link into the email.


Comment by Datacraft, on 26-Jul-2010 16:16

Does anyone know who developed the website?


Author's note by freitasm, on 26-Jul-2010 16:29

The original site was developed by Spikefin.


Comment by raab, on 26-Jul-2010 17:31

I own several domains, all of which are hosted by Google Apps. It never occurred to me, despite how menial it is, to use a random email address for the purposes of something like Hell Pizza.

I will be doing this in future so that if there's ever a case that the site is breached then I can just delete the email account 


Comment by Sycophant, on 26-Jul-2010 21:19

"as I get older I find it harder and harder to remember 33 or so passwords in my head!!"

Consider creating unique passwords for each site based on a common primary password, so maybe your base password is "t15sta7", then add two or three characters on, based on the site it's for - so maybe "gz" for GeekZone - although that's a little obvious to a human, so perhaps make it a practice to pick the 1st and 4th characters, for example, and insert them into positions 2 and 6 in your password, so it's now tg15szta7.

Something like that anyway, so it's a simple base you can remember and a predictable (to you) pattern of customisation for each site.

You could still maintain completely unique passwords for very important sites (banking etc).


Comment by meesham, on 27-Jul-2010 00:45

I use passwordmaker, it's a plugin for Firefox (as well as other browsers) that generates a password for you based on a master password. It basically uses your master password as well as the domain name to generate a hash, so you have different passwords for each site. For super sensitive sites like internet banking and email I have separate password but for the rest I've found it much easier to keep track of all the passwords.
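The per-site derivation the comment above describes, as an added example (not code from the original post or from the passwordmaker project): one master secret and the site's domain go through PBKDF2-HMAC-SHA256 and the result is mapped onto a printable alphabet. The iteration count, alphabet and length are this example's own choices.

```python
"""Added example, not from the original post or the passwordmaker project:
a deterministic per-site password derived from a master secret and the
site's domain.  Parameters below are this example's assumptions."""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"
# A slow KDF means a password leaked from one site cannot cheaply be turned
# into a guess at the master secret (and so at every other site's password).
ITERATIONS = 200_000


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Same master + domain always gives the same password; a different
    domain gives an unrelated one, so a breach at one site does not hand
    over the credential used anywhere else."""
    domain = domain.strip().lower()  # "GeekZone.co.nz" and "geekzone.co.nz" agree
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), domain.encode("utf-8"), ITERATIONS, dklen=length
    )
    # Map each derived byte onto the alphabet.  The small modulo bias is
    # accepted here; a strict scheme would use rejection sampling.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


if __name__ == "__main__":
    for site in ("geekzone.co.nz", "example.org"):
        print(site, site_password("correct horse battery staple", site))
```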


Comment by Janice Taylor-Gaines, on 27-Jul-2010 02:40

This is a GREAT article, despite the dismay of breaches and data insecurities, in that it keeps one of my pet concerns front and center: Security. In David Scott's words, everyone needs to be a mini-Security Officer today. I think Mr. Scott, the author, is right: Most individuals and organizations enjoy Security largely as a matter of luck. For some free insight (and free is good!), check out his blog, "The Business-Technology Weave" – you can Google to it. Anyone else here reading I.T. WARS? It reflects much of what is said here. I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston's Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). "In the realm of risk, unmanaged possibilities become probabilities." Keep "security" front and center! Great stuff.


Comment by Steffen, on 27-Jul-2010 10:15

There's something else going on at Hell too, to which I have had very little response to date.

Their credit card processing system on their website asks for your CVC number from your card. This is just as well, since their delivery drivers rarely, if ever, look at your card on delivery. The thing is, I discovered a couple of weeks ago that you can use any three numbers in the CVC field, and it will still accept your payment.

I haven't tried it in the last 10 days, so it may have been fixed. No one from Hell has gotten back to me to say there's been a resolution though, so I assume it's still an issue.

With this, and the security breach, does anyone want to give them their credit card info anymore?


Comment by dman, on 28-Jul-2010 00:16

I'm disappointed Spikefin has won awards:
http://www.ictcapital.com/news/news-list/silverstripe/?page=creative-hq-


Comment by Kyanar, on 28-Jul-2010 09:24

@steffan - you might want to email the guys at Mobi2Go/Third Screen Interactive about that - they provide the CC processing for Hell Pizza now.  I got a response in two days flat from them when I let them know that they were not allowing Orcon 020 phone numbers, so I'm sure they'll get back to you quick smart.


Comment by Private, on 7-Dec-2011 18:32

I know I'm a bit late on this post, but I can remember back when that first website was launched, having a poke around and being shocked with the sql_engine.jsp, which then moved to sql_engine2.jsp.

After a few years the website was replaced (by spikefin) with a shiny new one (seemingly free of SQL injection attacks), but for some reason the old one returned yet again with sql_engine2_secure.jsp. It entertained me that anyone could ever think that prepending 'SELECT ' to the start of the query would make it more secure, especially because the server would parse and execute nested and multi queries.

The interesting thing about the whole story that nobody seemed to pick up on was the way the 'static' content of the site was loaded from an xml file, and after adding a couple of ../'s to the start of the URI, you were able to browse the contents of almost the entire server. From this I concluded two things:
1. Apache was running as root
2. Whoever coded the site had even less idea of data sanitisation than I initially thought.

Having read access to the server wasn't really enough to do any damage, but it was plenty to read the dsn, which was present in multiple files. (not so) Coincidentally, the database connection was also being established as root.

What I tried next shocked me, not only because ssh was open on port 22 of the production server with no apparent IP restrictions, but root login was enabled and the password was the same as that of the database server.

Now, I could have done some damage, but I'm a nice person so all I really did was look at some logs. Interestingly, there was actually some fairly good logging practice for such a vulnerable system. They were using an external syslog server for most things, but all the apache logs were on that machine. This was almost pure gold - about 99% of the time, the flash application was POSTing to sql_engine, while illegitimate queries were coming in on the query string, complete with IP addresses and payload sizes.

It's funny that the first thing most people (at least 50) tried was SELECT * FROM customer WHERE name = [their_name]

That's got to be almost as stupid as the people who made the site to begin with?
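The detection the comment above hints at, and the article's point that such reads show up only as ordinary web requests, as an added example (not code from the original post or any commenter): scan Apache combined-format access log lines for SQL keywords arriving on a GET query string to the sql engine endpoint and for ../ anywhere in the decoded request target. The log lines are constructed; the endpoint name follows the comment, everything else is hypothetical.

```python
"""Added example, not from the original post or its commenters: flags the
two request patterns described on the page in Apache access logs.  The
sample lines are constructed (RFC 5737 addresses, invented timestamps)."""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format:
# ip ident user [time] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
SQL_RE = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.IGNORECASE)


def classify(line: str):
    """Return a finding for a suspicious request line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m["target"])  # decode %20, %2E and friends before inspecting
    parts = urlsplit(target)
    reasons = []
    if "../" in target:  # traversal may sit in the path or in a parameter value
        reasons.append("path traversal")
    # The legitimate client POSTed to the sql endpoint; SQL keywords on a GET
    # query string are the hand-crafted requests the commenter describes.
    if "sql_engine" in parts.path and m["method"] == "GET" and SQL_RE.search(parts.query):
        reasons.append("sql in query string")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "method": m["method"],
        "path": parts.path,
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),  # large = bulk read
        "reasons": reasons,
    }


def scan(lines):
    """All findings in log order; source IP and response size come with each."""
    return [f for f in (classify(line) for line in lines) if f]


SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [20/Jul/2010:19:02:11 +1200] "POST /sql_engine2.jsp HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jul/2010:19:03:40 +1200] "GET /sql_engine2.jsp?q=SELECT%20*%20FROM%20customer HTTP/1.1" 200 412345 "-" "curl/7.19"',
    '198.51.100.9 - - [20/Jul/2010:19:05:02 +1200] "GET /content.jsp?file=../../../config.xml HTTP/1.1" 200 1520 "-" "curl/7.19"',
    '192.0.2.77 - - [20/Jul/2010:19:06:15 +1200] "GET /content.jsp?file=menu.xml HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```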

