Keeping an e-commerce site secure can be a tough job. In the past 2 weeks, I've read news reports about Egghead and CreditCards.com suffering network intrusions that might have compromised customers' private information, including credit card and billing information. Egghead CEO Jeff Sheahan sent email to the company's customers on Monday stating that the company had stopped the network intrusion in progress, and even though 7500 customer credit card accounts registered with the company show signs of fraud, he thinks no customer credit cards were actually compromised during the break-in.
The CreditCards.com story, however, is much worse. An intruder managed to break in to the company's network and download some 60,000 credit card numbers. The intruder then attempted to extort money from the company in exchange for not revealing the credit card information and the opportunity to fix the company's security woes. CreditCards.com refused to pay, and as a result, the intruder posted the credit card numbers on the Internet for the world to see. I think the company was right to refuse the extortion attempt; what bothers me is that this is not the first time this particular intruder has made such a bold attempt.
According to an MSNBC report, another company came forward on the heels of the CreditCards.com news to say it had been intruded upon in the exact same fashion, with the exact same demands after the break-in. The company also claimed that this hacker is suspected in more than a dozen similar extortion attempts. This news bothers me because I hadn't heard about these break-ins; apparently, none of the victims made the information public. Had these companies made that news public, other site operators might have read the news and become concerned enough to keep a closer eye on overall security.
It's certainly a private corporate decision whether to make security break-in information public knowledge. After all, such news can tarnish a company's reputation. On the other hand, such news fosters deeper concern in the minds of many security administrators, so sharing it is truly beneficial.
Nonetheless, I learned about some new technology this week that shows promise for eliminating this type of break-in where back-end information is exposed to intruders. An Israeli firm, Whale Communications (http://whalecommunications.com), has a new patent-pending technology called e-Gap, which places an air gap between Internet-exposed servers and back-end systems.
e-Gap is a hardware- and software-based solution that sits between hosts as a common data work area. e-Gap's SCSI-based memory bank serves as a virtual disk (which Whale Communications calls an e-disk) that is used by both hosts but never connected to both hosts simultaneously. e-Gap continually switches the e-disk connection between both hosts: When one host writes to the e-disk, e-Gap switches the e-disk connection to the other host long enough for it to read the data. After the host reads the data, e-Gap falls back to its constant switching back and forth.
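The switching behavior described above can be modeled in a few lines. This is an added illustration, not Whale Communications' code: the class and function names, the single data slot, and the starting switch position are assumptions made for the model, and the sample request is constructed.

```python
class NotAttached(Exception):
    """A host touched the e-disk while the switch pointed at the other side."""


class EDisk:
    """Model of the shared memory bank: attached to exactly one host at a time."""

    def __init__(self):
        self.attached = "external"        # assumption: starts on the Internet-facing host
        self.slot = None                  # assumption: one data slot is enough for the model
        self.history = [self.attached]    # record of every switch position

    def toggle(self):
        # One variable holds the switch position, so both sides can never be live at once.
        self.attached = "internal" if self.attached == "external" else "external"
        self.history.append(self.attached)

    def _require(self, side):
        if side != self.attached:
            raise NotAttached(f"{side} host is disconnected from the e-disk")

    def write(self, side, data):
        self._require(side)
        self.slot = bytes(data)

    def read(self, side):
        self._require(side)
        data, self.slot = self.slot, None
        return data


def round_trip(disk, request, backend):
    """External host hands a request across the gap and collects the reply."""
    disk.write("external", request)
    disk.toggle()                                   # e-disk now visible only to the back end
    reply = backend(disk.read("internal"))
    disk.write("internal", reply)
    disk.toggle()                                   # e-disk back on the Internet-facing side
    return disk.read("external")


def demo():
    disk = EDisk()
    reply = round_trip(disk, b"GET order 17", lambda req: b"ok:" + req)  # constructed sample data
    try:
        disk.read("internal")                       # back end is disconnected right now
        blocked = False
    except NotAttached:
        blocked = True
    return reply, blocked, disk.history
```

The model shows the property the design relies on: data crosses only as a stored block handed over by the switch, and a host that is not currently attached cannot reach the e-disk at all.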
e-Gap sounds like promising technology; however, some debate about the product has appeared in the past on the Firewall Wizards mailing list (http://www.nfr.com/firewall-wizards). Be sure to read about the e-Gap technology, and until next time, have a great week!