- A hacker calling himself d3hydr8 posts the complete schema of CCAvenue's database on a mailing list. The post also contains the contents of the 'admn_users' table, including usernames and passwords in plain text.
- The story is covered all over the web: MediaNama coverage, Pluggd coverage.
- CEO Vishwas Patel "patently" denies that this happened.
Developers should read this
- DON'T store passwords in plain text.
- DON'T store encrypted passwords either. Store their hash value instead. There's a big difference: encryption is reversible by anyone who gets hold of the key (which usually sits next to the database), a hash is not.
- DON'T use MD5, SHA-1, SHA-256, SHA-512 or a hand-rolled hashing function for passwords. These are general-purpose hashes designed to be fast, so a leaked table of them can be run through a wordlist at millions of guesses per second. Use bcrypt instead. Read why here & here.
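The three points above, as an added example that is not code from the original post: a constructed admin table (not the leaked CCAvenue data) stored four ways, with the attacker's side shown for the first three. The "encryption" is a toy repeating-key XOR that only illustrates reversibility; it is not a real cipher. bcrypt, the post's recommendation, needs the third-party `bcrypt` package, so the slow, salted hash here uses the standard library's PBKDF2-HMAC-SHA256 instead; the stored format (algorithm, cost, salt, digest) and the constant-time verify are the same shape a bcrypt or scrypt scheme would use.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real dump): an admin table and the
# kind of small wordlist an attacker tries first.
ADMIN_USERS = {"admin": "letmein", "ops": "Password1"}
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1", "ccavenue"]

# 1. Plain text: the dump *is* the credential list. Nothing to crack.

# 2. "Encrypted" passwords are reversible by design. Toy XOR stands in for a
#    real cipher; with a real one the attacker needs the key, which normally
#    lives in the application config right next to the database credentials.
def xor_encrypt(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_encrypted_table(table: dict, key: bytes) -> dict:
    """Whoever holds the key gets every password back unchanged."""
    return {u: xor_encrypt(c, key).decode() for u, c in table.items()}

# 3. Fast, unsalted hash (MD5 here; SHA-1/SHA-256/SHA-512 behave the same):
#    one-way, but a wordlist or rainbow table maps digests straight back to
#    passwords, and identical passwords give identical digests.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def crack_fast_hash(digest: str, wordlist):
    for guess in wordlist:
        if md5_hex(guess) == digest:
            return guess
    return None

# 4. Salted, deliberately slow KDF. Per-user random salt kills rainbow tables
#    and makes equal passwords look different; the cost factor is stored with
#    the hash so it can be raised later as hardware gets faster.
PBKDF2_ITERATIONS = 200_000  # tune upward over time

def hash_password(password: str, salt=None, iterations=PBKDF2_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the verify path leaks nothing via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    key = b"app-config-key"  # hypothetical key an attacker would find alongside the DB
    enc_table = {u: xor_encrypt(p.encode(), key) for u, p in ADMIN_USERS.items()}
    print("encrypted table recovered:", recover_encrypted_table(enc_table, key))
    for user, pw in ADMIN_USERS.items():
        print(user, "md5 cracked as:", crack_fast_hash(md5_hex(pw), WORDLIST))
    stored = {u: hash_password(p) for u, p in ADMIN_USERS.items()}
    print("pbkdf2 verify (right / wrong):",
          verify_password("letmein", stored["admin"]),
          verify_password("wrong", stored["admin"]))
```

Note that two calls to `hash_password` with the same password produce different strings because each draws a fresh salt; that is the property the plain MD5 column lacks, and it is why a leaked bcrypt/PBKDF2/scrypt table forces the attacker to pay the full cost factor once per guess per user.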
Business owners should read this
Here's what business owners can learn about building a tech-enabled business and handling critical public situations:
- Hire good developers. Make sure they read the section above.
- When faced with a critical public situation such as a security breach, realize that people will look for more information, and they should hear the official response first. If I were CCAvenue, I would be bidding aggressively on "ccavenue hacked" and related search terms and linking them to the official response.
- Ensure that the official response is written like a human, not a lawyer. Second, learn to own up and let your customers know how you're (a) containing the damage and (b) preventing a repeat incident. The notice on CCAvenue's website does neither.
In my opinion, the official CCAvenue response reeks of a pathetic attempt at a cover-up. They've picked their words like lawyers when they say "no hack has happened at 15:15 hours on 4th May, 2011". The full disclosure made by the hacker does not claim a time for the actual breach; the date and time at the top of the post appear to be when the post/email was sent. Also, the Netcraft site report for CCAvenue shows that their web server was upgraded on 5th May, a day after the original full disclosure. Pretty fishy, I'd say.
What's your take on this?
Good point about MD5 and SHA.
The CCAvenue response is precisely what one would have expected. We are like our politicians: always blaming the opposition party for the "mischief". However, I don't think the interpretation of the Netcraft report is correct. Since the last two pings are a year apart, the upgrade could have happened at any time in between. Also have a look at this: http://toolbar.netcraft.com/site_report?url=http://ccavenue.com which shows that Apache was indeed upgraded on another server.
Also, isn't it suggested as part of basic hardening of a site that you turn off detailed server headers giving the version of Apache and other installed modules? :)
Hmm, you're probably right about the upgrade date, but it could be that the hacker got lazy and looked up the server ID string on Netcraft on 4th May just before publishing the hack. Possible?
And yeah, hiding server identification is security 101. Not sure whether that's part of PCI DSS or not.
Thanks for the bcrypt thing, Saurabh.
I'm glad that my advice helped. Where have you used bcrypt, Srikanth?
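The server-header point raised in the comments above, as an added example that is not part of the original post or its comments: a small check that parses a raw HTTP response and flags headers that reveal component versions. Both response texts are constructed for this example, not captured from ccavenue.com, and the version numbers in them are made up. The hardened response is what Apache sends with `ServerTokens Prod` and `ServerSignature Off` in its config and PHP's `expose_php = Off` (or `Header unset X-Powered-By` via mod_headers) removing the X-Powered-By header.

```python
import re

# Constructed responses (not captured from any real site). The first is a
# default verbose Apache/PHP setup; the second has the hardening applied:
#   ServerTokens Prod      -> "Server: Apache" with no version or module list
#   ServerSignature Off    -> no server/version footer on error pages
#   expose_php = Off       -> no X-Powered-By: PHP/x.y.z header
VERBOSE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2001 00:00:00 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Type: text/html
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2001 00:00:00 GMT
Server: Apache
Content-Type: text/html
"""

# Headers that commonly carry software fingerprints.
FINGERPRINT_HEADERS = ("server", "x-powered-by",
                       "x-aspnet-version", "x-aspnetmvc-version")
# component/version tokens such as Apache/2.2.3, OpenSSL/0.9.8e, PHP/5.2.17
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d[\w.]*")

def parse_headers(raw: str) -> dict:
    """Return a lower-cased name -> value dict; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def version_leaks(raw: str) -> list:
    """List (header, component/version) pairs that expose software versions."""
    leaks = []
    for name, value in parse_headers(raw).items():
        if name in FINGERPRINT_HEADERS:
            leaks.extend((name, m.group(0)) for m in VERSION_RE.finditer(value))
    return leaks

def is_hardened(raw: str) -> bool:
    return not version_leaks(raw)

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "leaks:", version_leaks(resp), "hardened:", is_hardened(resp))
```

Hiding the banner does not patch anything; it only denies an attacker (or Netcraft) a free version lookup, so the upgrade still has to happen. Run the check against a real host by feeding it the output of `curl -sI <url>`.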
CCAvenue is a payment gateway website that acts as a gateway between the bank and the website's
It got hacked many times.
CCAvenue has low security.
Someone should tell them to upgrade.
Now hackers are very sharp, like me, and children aged 17 are hacking it.
So they say that no hack was done, but this is to inform you that paytm.com
latest hack yesterday
Great article
The business owners failed to provide safety and security to their business. Storing passwords is indeed a very important practice to ensure security. This will also prevent unethical hacking. Hiring good developers is one of the best ways to prevent such hacking activity.
PBKDF2 (NIST-recommended) and scrypt are now the options for password storage.
Wonderful directory ideas that can help to boost our own website creation; when I create a website I will recall these points and make some really good creations.