RE: [Alpacasite] Hacking: Can Anyone Explain This?
Hi Dave,
Sorry to hear of your troubles :(
**********************
The only advance notice we had that something funny might be going on is
that the on-line store had a couple of "orders" sent to us that were either
completely blank (no data fields completed), or contained computer code.
The site is encrypted, so we didn't have too much concern about these
annoying "orders" at the time they came in.
The reason we are fairly certain that the access took place through Suzy's
website is because the offensive e-mail that was subsequently transmitted
from her e-mail address referenced unique information (e.g. phone number +
marketing tagline) available only on the website. Our webmaster told us to
change our e-mail password immediately to a "very secure" password
(consisting of a lengthy sequence of upper- and lower-case letters, numbers,
and special characters). Previously, we had used a password that was short
and consisted of only letters.
Can anyone with some computer savvy explain this to me? How did these
hackers discover our password, and why is the use of a "very secure"
password a deterrent? Also, other than changing this password regularly,
are there any recommendations on how to prevent our website from being a
portal to our e-mail? We also have two firewalls in place, so we feel that
our PC itself is protected...or is it? Doesn't Yahoo have a firewall of
some sort in place to protect its customers? Is there any reason to be
additionally concerned about the (apparent) attempts at accessing our
on-line store? As I mentioned, information containing credit card
information is encrypted for transmission; but are there other precautions
we should be taking as a double-safeguard? **********************
The orders with computer code are a clue; it sounds like they stuffed in a
query to your database engine that returned information from the database.
If so, then this would be an issue that would need to be cleared up in the way
the store is programmed.
If you send me the computer code in the offending order I can analyze it.
If your customer email addresses are stored there then that may be the only
compromise that happened.
Anybody can send out email purporting to be anybody else fairly easily; they
would not have to have your wife's Yahoo password to do that.
One way to steal passwords is a brute force method of trying every
permutation of characters, numbers etc.
The more different types of characters you have, and the more of them you have, the
longer it will take for a program to deduce it.
A little discrete math:
A password using only lowercase letters, 6 letters long, has 26*26*26*26*26*26 =
308,915,776 permutations.
A password using lower- and uppercase letters, 6 letters long, has
52*52*52*52*52*52 = 19,770,609,664 permutations.
A password using lower- and uppercase letters and 12 symbols, 6 characters
long, has 64*64*64*64*64*64 = 68,719,476,736 permutations.
So using upper and lower case and symbols, and lots of them, really protects
against this method of breaking into accounts, because it takes a heck of a lot
longer to go through the combinations.
Every time somebody accesses your website the IP address of the computer
accessing it is logged, so Yahoo should be able to figure out where the
attack came from and, depending on the store software and database engine
logging, exactly how the data was stolen.
If you had total control of the code for the store then you could implement
some custom code for encrypting all the data in the database so it could not
be compromised so easily.
Cheers,
Richard MacKinnon.
AlpacaStation.com ASC - Quality and Health By Design
AlpacaBooks.com - The Reference Site for Alpaca People
Nova Scotia, Canada
Home Of
RFA Vania - one of the finest 3 year old alpacas
AFD 16.8 SD 3.2 CV 19.3 >30 0.6 Curve 52.5
Jolimont Peruvian Ivano - sire of RFA Vania and many other fine alpacas
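The "orders containing computer code" that Richard describes are the classic sign of an SQL injection probe against a store form. The following example is added here and is not code from either poster or from Yahoo's store software; it uses Python's built-in sqlite3 with a constructed two-row customer table (all names and addresses are made up) to show the vulnerable pattern (order field pasted into the SQL text), the hardened pattern (parameterised query), and a simple check a store owner could run over incoming order fields to flag the blank or code-filled "orders" mentioned above.

```python
import re
import sqlite3

def build_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the store's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Example", "alice@example.invalid"), ("Bob Example", "bob@example.invalid")],
    )
    return conn

def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the submitted field becomes part of the SQL statement text,
    so a crafted field rewrites the query instead of being treated as data."""
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the field is bound as a parameter; the database engine never
    interprets its contents as SQL, whatever characters it contains."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Hypothetical heuristic for triaging incoming order fields: blank fields or
# fields that carry SQL metacharacters/keywords are worth a closer look.
_SQL_PROBE = re.compile(r"(--|;|/\*|\bOR\b|\bUNION\b|\bSELECT\b|'\s*=\s*')", re.IGNORECASE)

def suspicious_order_field(value: str) -> bool:
    """True for an empty field or one that looks like an SQL probe."""
    stripped = value.strip()
    return stripped == "" or bool(_SQL_PROBE.search(stripped))

def demo() -> dict:
    """Run both lookups against a normal name and a constructed probe string."""
    conn = build_store()
    probe = "' OR '1'='1"   # constructed example of a field containing "computer code"
    return {
        "normal_unsafe": lookup_email_unsafe(conn, "Alice Example"),
        "normal_safe": lookup_email_safe(conn, "Alice Example"),
        "probe_unsafe": lookup_email_unsafe(conn, probe),   # leaks every row
        "probe_safe": lookup_email_safe(conn, probe),       # matches nothing
        "probe_flagged": suspicious_order_field(probe),
        "blank_flagged": suspicious_order_field("   "),
        "normal_flagged": suspicious_order_field("Alice Example"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe lookup returns both customers' addresses for the probe string, which is exactly the kind of leak Richard suspects; the parameterised version returns nothing for the same input and the same address for a genuine name. The keyword check is only a triage aid: it will miss encoded or unusual payloads and will occasionally flag an honest customer whose address contains an apostrophe, so the fix is the parameterised query, not the filter.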
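Richard's discrete-math figures generalise to any character-set size and length, and the interesting number for a defender is not the raw count but how long exhausting it takes at a given guessing rate. The block below is an added example, not code from either poster; it reproduces the three 6-character keyspaces from the message, expresses them in bits, and extends the comparison to longer passwords. The guessing rates are assumptions chosen for illustration only: an attacker guessing against a live Yahoo login is limited to the few attempts per second the service allows, whereas an attacker who has stolen a password hash can try vastly more offline.

```python
import math

# Character-set sizes used in the message above.
LOWER = 26            # a-z
MIXED = 52            # a-z plus A-Z
MIXED_SYMBOLS = 64    # 52 letters plus the 12 symbols mentioned

# Assumed guessing rates (illustrative, not measured).
ONLINE_GUESSES_PER_SEC = 10.0       # rate-limited attempts at a login form
OFFLINE_GUESSES_PER_SEC = 1.0e9     # attempts against a stolen hash

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def keyspace_bits(charset_size: int, length: int) -> float:
    """The same quantity as an entropy-style figure in bits."""
    return length * math.log2(charset_size)

def years_to_exhaust(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst case: every password of this length tried once."""
    return keyspace(charset_size, length) / guesses_per_sec / SECONDS_PER_YEAR

def comparison_table(lengths=(6, 8, 12)) -> list:
    """Rows of (charset label, length, keyspace, bits, years online, years offline)."""
    rows = []
    for size, label in ((LOWER, "a-z"), (MIXED, "a-zA-Z"), (MIXED_SYMBOLS, "a-zA-Z+12 symbols")):
        for n in lengths:
            rows.append((
                label, n, keyspace(size, n), round(keyspace_bits(size, n), 1),
                years_to_exhaust(size, n, ONLINE_GUESSES_PER_SEC),
                years_to_exhaust(size, n, OFFLINE_GUESSES_PER_SEC),
            ))
    return rows

if __name__ == "__main__":
    print(f"{'charset':<20}{'len':>4}{'keyspace':>18}{'bits':>7}{'yrs online':>14}{'yrs offline':>14}")
    for label, n, space, bits, online, offline in comparison_table():
        print(f"{label:<20}{n:>4}{space:>18,}{bits:>7}{online:>14.3g}{offline:>14.3g}")
```

Two things fall out of the table that the message's three numbers alone do not show. First, each extra character multiplies the keyspace by the charset size, so going from 6 to 8 lowercase characters buys more than switching a 6-character password to the 64-symbol set. Second, the brute-force model only describes an attacker guessing every combination; a short password made of ordinary words falls to a dictionary attack far sooner than its keyspace suggests, which is why Richard's advice to use a long, mixed sequence holds regardless of the exact rate.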
List administrator - Rick Horn - All American Alpacas alpacas@alpacaweb.com
http://aaalpacas.com