Credit Card Number Theft is Easy: MSNBC

Check this MSNBC story, in which a Russian security firm provided MSNBC with information on easily accessible credit card numbers. Now this is no shocker. I have personally used a similar technique just to check security on web servers (I never looked for or found credit card numbers, but did check access to web database systems and got in.)

The exploit in this incident revolves entirely around the use of Microsoft products. However, this is a case of contributory negligence. The main "exploit" was simply using the default "sa" user account for Microsoft SQL Server. WHAT?!?!? Yes, these complete idiots, who by the way run actual web commerce companies, left the defaults for everything. Now we are not talking about cheeze whiz basement sites, we are talking about real companies. This is not surprising to me but it is alarming.

This is a common exploit and there are many more for both IIS and SQL Server if they are "default" configured. This is also a small sampling. Try it yourself: do a few port scans (nmap) of sites using ASP (virtually guaranteed to be Microsoft-run sites, unless it's that Chilisoft ASP crap) or sites that show up as IIS on surveys (such as Netcraft). Select the sites running SQL Server from the results of your scans. Then set up SQL Enterprise Manager and log in as administrator. This works more often than you would even imagine.

First mistake: these sites use Microsoft products such as IIS and SQL Server. Full of holes. Now, don't misconstrue, these products can be secured through a vigilant security policy and knowledge (including a full-time security PhD person to keep up with daily patches and registry edits). However, these products are prone to security problems because of design and usability flaws. Second mistake: these companies are run by morons. That is a seriously dangerous combination, Microsoft software and morons.
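As an added example (not from the original post or the MSNBC story), here is the T-SQL an administrator would run to audit and lock down the built-in "sa" login that the story's merchants left at its defaults. It assumes a SQL Server version with sys.sql_logins, PWDCOMPARE and ALTER LOGIN (2005 or later, not the SQL Server 7/2000 instances of the story's era); the new password and the replacement login name are placeholders.

```sql
-- Added example: audit and lock down the built-in "sa" login.
-- Assumes SQL Server 2005 or later (sys.sql_logins, ALTER LOGIN, PWDCOMPARE).
-- Run as a member of sysadmin; review the SELECT output before applying the ALTERs.

-- 1. Which SQL logins still have an empty password?  The default "sa" of the
--    story's era shipped this way; PWDCOMPARE tests a candidate against the stored hash.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. Which SQL logins use their own name as the password?
--    (another "left the defaults" pattern worth flagging)
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1;

-- 3. Current state of the built-in administrator login.  SID 0x01 is always
--    the original "sa", whatever it has since been renamed to.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 4. Hardening: give sa a real password that is checked against the Windows
--    password policy, then disable it and rename it.  Day-to-day administration
--    should go through named logins in the sysadmin role, and the web
--    application's connection string should use a low-privilege login, never sa.
ALTER LOGIN sa WITH PASSWORD = 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_renamed_placeholder];   -- placeholder name

-- 5. Verify: the SID 0x01 login is now disabled and no longer has an empty password.
SELECT name, is_disabled,
       PWDCOMPARE('', password_hash) AS still_blank   -- expect 0
FROM sys.sql_logins
WHERE sid = 0x01;
```

The catalog views and ALTER LOGIN do not exist on SQL Server 7/2000, but the fix there is the same in spirit: set a password on sa, stop using it in the application's connection string, and watch the SQL Server error log for failed logins against it.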
The problem is that this time it could affect you! Be careful about your online credit card usage (and other information on the web), but don't freak out and become Captain Paranoia because of this. Your common sense will help you, and if all else fails your legal liability is still only 50 bucks, which most banks (good ones) will not charge you anyway. The onus is on the credit card companies and the merchants, not you. What needs repair, along with these sites, is the authorization of credit cards: it needs to be more than just a number (at least require a PIN as well, or other information along with the number, information that is known to and used by the consumer only and never stored). The current system is stupid, and as long as credit card companies do business that way, fraud will be rampant on the Internet and elsewhere.

MSNBC Credit Card Theft Story