netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"
This reminds me of the time when I was 13. We had just got out of school and bicycled home. You know why? Because I, let me clarify _I_, had this new awesome game Lemmings. When we got to my house, I would fire up my Amiga and we would just laugh at the stupid lemmings jumping to their death if I didn't do something to stop them. Making them dig, guide others, or give them umbrellas - it was great.
...is why the hell some outfits feel the need to collect that much information about you just to sell you some food. After all, it doesn't make them a single extra sale. If you're not hungry, you're not going to buy a pizza.
Mate, you should try a Hell pizza. They are completely awesome. The website used to have pictures of the pizzas and they're not like Italian/American pizzas at all as they have a large number of ingredients on top (not just cheese, pizza sauce and pepperoni). My favourite is the "Mordor" and if you ever get to NZ you ought to try it. The other excellent pizza is the 'Unearthly' dessert pizza - sooo good.
by Anonymous Coward on Thursday July 29, @02:12AM (#33065614)
I'm not saying that I like all my information shared, but if they know my favourite pizza the worst case scenario is they send me one, I will wipe away the tears as I eat it.
No, he's saying that all of the otherwise-reputable companies he trusts have been letting him down lately because of their poor internet security. Facebook? Sucks. Hell Pizza? A big chain, i presume, and sucky security, obviously. Twitter? I don't know, but I don't trust them with anything important. Lots of banks, a ton of universities, and many other entities of various sizes expose you to risks such as identity theft. Strong, unique passwords are a no-brainer, but you can't protect yourself if the sites you trust expose your info to every script kiddie and 1337 hax0r who comes along. But I suppose knowing who the "celebrity" (quotes because we are talking about New Zealand) is, and thus how likely to be targeted he or she is.
I don't know if New York-style pizza can properly be called "pizza" by the definition most other places use. I like to think of it more as a highly efficient grease delivery system.
I wouldn't be in a such hurry to claim the Rutherford atom. I can't think of too many ideas (that won't go away from the popular imagination) that are the source of more wrong thinking. It's one of those ideas that actually impedes understanding.
The Good Old Pizza Times (Score:5, Funny)
The problem was that later on we obviously got hungry. This happened many times. Someone had to go get some food. Pizza was the obvious choice. But who would it be? I didn't want to. So we played a game of rock paper scissors. Damn, I lost. I tried to have an another round, but they didn't let me. There was nothing I could do.
I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I want. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?
I arrived at the pizza place. The taste was beautiful. I felt like I was home. I walked in and ordered three large pizzas, mine being the double bacon cheeseburger pizza. I felt so hungry. I just wanted to grab the pizza and eat. When the pizzas came, I had to eat there. I also took a few pieces of my friends pizzas because I wanted to taste them. Man I was happy.
Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket. No problems for the vendor, no problems for me, and everything worked greatly. The lesson being - pay with cash.
Re:The Good Old Pizza Times (Score:5, Funny)
I thought the lesson was..
"Don't let your asshole friend go to get the pizza, cause all he'll bring you home is a couple of cold slices"
What I don't understand... (Score:4, Interesting)
Any shop that tries to get that kind of information out of me gets a flat refusal. Likewise, any venue that tries to take my fingerprints or iris scan.
Re:What I don't understand... (Score:5, Insightful)
why the hell some outfits feel the need to collect that much information about you just to sell you some food.
Email address: to reset your password if you forget it (you'd want an account so you don't have to type in your address and payment info each time).
Address: should be obvious.
Phone number: to phone in case they don't get an answer at the door.
TFA doesn't mention any extra personal details that were stolen. I don't see what's so crazy about them needing these other details for online ordering.
Re:What I don't understand... (Score:4, Informative)
http://www.bluemaumau.org/police_and_collection_agencies_love_dominos_database_pizza_lovers [bluemaumau.org]
They store it and happily sell it.
P.S. dominoes pizza is nasty. Try a real pizza place like a smaller mom and pop that wants to make quality instead of the cheapest high profit one they can.
Re: (Score:3, Funny)
I'll say! If I met a woman by the name of Crudely Indecent, I'd have to ask her the name of the movies she's starred in.
Re: (Score:3, Funny)
This coming from "smooth wombat"... asl?
Re: (Score:3, Funny)
I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I want. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?
So, PizzaAnalogyGuy, there seems to have been a little bit of a mix-up. This story wasn't supposed to get published till Christmas and your dream story ended up on /.
Between me and you, don't be expecting anything big under the tree in a few months. You can however, cherish this story, and the fact that you got first post on it.
*sips coffee*
Re:The Good Old Pizza Times (Score:5, Funny)
Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket.
Did you have to move aside the onion you wore on your belt as that was the fashion at the time?
Yes SIR!!!! (Score:2, Funny)
Re: (Score:2, Informative)
replying due to unintentional mod.
Re:The Good Old Pizza Times (Score:5, Insightful)
I thought the lesson was: If you fetch the chow, you're entitled to a service fee, payable in consumables purchased. Hmmm Lemming Pizza :P~
Re: (Score:3, Funny)
I had to get up my ass...
That's got to hurt!
Your story reminds me of a High School job I had making pizzas.
It was years before I could eat a pizza that I didn't make myself.
Security audits? (Score:2, Funny)
Re: (Score:3, Interesting)
I wouldn't be surprised if they just had IT security audits done by KPMG and Ernst & Young while the data was being pulled out by the truckload through a gaping hole, just like the Latvian banks...
It's a concern... (Score:5, Funny)
Re: (Score:3, Informative)
It's actually a really nice place. Without a doubt the best place I have been outside Australia. Their government is small scale, but it seems to work better that way.
Re:It's a concern... (Score:5, Funny)
So you've just been there and Australia then?
Re: (Score:3, Insightful)
Actually that's 99.936%, sir.
Oh god, I think I just overexnerded myself. :(
Re:It's a concern... (Score:4, Funny)
To be fair, he was including the sheep.
SQL Injection (Score:4, Informative)
This isn't news.
Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.
Re:SQL Injection (Score:5, Funny)
Re:SQL Injection (Score:5, Interesting)
"I'd like to order a large, thin crust, double cheese, pepperoni and drop table..."
No clear the table before you place your order so your pizza gets the priority it deserves.
Re: (Score:2, Funny)
Can't believe nobody's made the "it was all fine until Bobby Tables ordered" joke yet: http://xkcd.com/327/ [xkcd.com]
Re:SQL Injection (Score:4, Insightful)
Why else would you Hack into a Pizza chain, other than to order free pizza?
INSERT INTO ORDERS
SELECT [cheese] AS [topping 1], [pepperoni] as [topping 2], [free] AS [price], [asap] AS [priority]
Re:SQL Injection (Score:4, Informative)
Hmmm.... (Score:2)
Pizza Woes: A Tale (Score:2, Funny)
It wasn't until I'd consumed it that I realized what was happening. Tom heartily recommended the new bread-disc, imploring I buy it with gusto:
"Pete this triple layer, cheese, anchovy, jalapeno, ape and pepperoni monster will be the takeaway of your life. They put cayenne in the tomato puree and man...just buy it. Gotta be tasted to be believed."
It's hardly common for that man to grant such an endorsement, and the next day I phoned up and got a jumbo 14" , the guy over the phone even said; 'We think you're
Risky.Biz Explanation (Score:5, Informative)
Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
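An added example (not code from this thread, from Risky.Biz or from Hell Pizza's site) contrasting the design described above, where the Flash client sends whole SQL statements in the query string and the server runs them verbatim, with a handler that accepts only an operation name plus bound parameters. The table and column names and the sample rows are constructed, and an in-memory SQLite database stands in for the MySQL backend.

```python
import sqlite3
from urllib.parse import parse_qs

# Operation name -> fixed server-side SQL with bound placeholders (constructed).
ALLOWED_OPERATIONS = {
    "menu_item": "SELECT name, price FROM menu WHERE name = ?",
    "order_status": "SELECT status FROM orders WHERE order_id = ?",
}


def make_db():
    """Constructed sample database standing in for the store's MySQL backend."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE menu(name TEXT, price REAL);
        CREATE TABLE orders(order_id INTEGER, status TEXT);
        CREATE TABLE users(login TEXT, pw_hash TEXT);
        INSERT INTO menu VALUES ('Mordor', 15.5), ('Unearthly', 9.0);
        INSERT INTO orders VALUES (42, 'baking');
        INSERT INTO users VALUES ('admin', 'hash-placeholder');
    """)
    return con


def vulnerable_handler(con, query_string):
    """The pattern the thread describes: the 'sql' field of the query string
    is executed as-is, so the client decides which tables get read."""
    sql = parse_qs(query_string)["sql"][0]
    return con.execute(sql).fetchall()


def hardened_handler(con, query_string):
    """The client names an operation and supplies a value; the SQL text never
    leaves the server and the value is bound, not concatenated."""
    params = parse_qs(query_string)
    op = params.get("op", [""])[0]
    if op not in ALLOWED_OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    arg = params.get("arg", [""])[0]
    return con.execute(ALLOWED_OPERATIONS[op], (arg,)).fetchall()


def accepts(con, query_string):
    """True if the hardened handler would serve this request at all."""
    try:
        hardened_handler(con, query_string)
        return True
    except ValueError:
        return False


def looks_like_raw_sql(query_string):
    """Crude log-side check: flag request lines whose query-string values
    carry SQL keywords, the tell-tale of the hard-coded-query design."""
    values = " ".join(v for vals in parse_qs(query_string).values() for v in vals)
    tokens = set(values.upper().split())
    return bool(tokens & {"SELECT", "UNION", "INSERT", "UPDATE", "DROP", "FROM"})
```

Binding the database to localhost (MySQL's bind-address setting) closes the separate exposure the explanation mentions, since parameter binding does nothing for a database that is reachable directly from the network.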
Appropriately named web design company (Score:5, Funny)
Check the name of the company that designed the web site. I'm assuming they haven't yet changed design companies, but if I'm wrong apologise to... "Inject Design"
Re: (Score:3, Interesting)
Risky.Biz
... The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
Their webdesign company is called "Inject Design Ltd.". Go figure ...
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
I'm unsure what hashes he is talking about here. Password hashes? What was the weak hash algorithm?
Old news, except for Hell (Score:5, Informative)
The original breach was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the URL.
Here's a blog [geekzone.co.nz] by the owner of the geekzone forum [geekzone.co.nz] that initially discovered the problem (because someone received spam from a disposable email address they used with the company).
Hell Pizza is Awesome! (Score:4, Interesting)
It's actually brilliant pizza -- easily the best pie I've ever had outside of the USA (or Italy). Inventive topping combinations and skillfully made. I wish they'd open a franchise here in California.
Re: (Score:2)
I wish they'd open a franchise here in California.
Go ahead and make an order [hellpizza.co.nz]. Your pizza may require reheating on arrival though.
at least they were upfront about it (Score:5, Informative)
I received an email from Hell just under a week ago:
"Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation. The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint."
They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.
Re: (Score:3, Insightful)
I appreciated their honesty,
Yeah, they were so honest, they forgot to tell you about the other 229,996 customers...
Sad (Score:4, Insightful)
Sadly, this isn't the only computer system security SNAFU. It isn't often that you hear about it, but many of the systems I have seen are security WTFs. I continue to be amazed at how little some programmers understand about their trade, and I just don't have words for people who think the security of their computer systems isn't important. Getting a system that is completely secure may be too much to expect, but the least you can do is not make it easy for someone to walk right in and do whatever they want with your data after 5 minutes of observing the publicly accessible part of your system!
Re:Sad (Score:5, Insightful)
Okay but how can you make a non-technical customer pay for security? They will go to the cheapest vendor and pay later when it stuffs up.
Oh noes they know I like seafood pizza (Score:2, Funny)
Re:So Hell Pizza requires Facebook/Twitter UID? (Score:4, Insightful)
A different way to read it is that the other hacks were independent, and the anonymous celeb is saying that Hell is no worse than any of the other organizations which were entrusted with personal information.
Re: (Score:2)
I think he's indicating that he doesn't care about his personal information because he's already given most of it away on Facebook and Twitter. That, and he's a celebrity - personal life is the coin of that realm.
Re:So Hell Pizza requires Facebook/Twitter UID? (Score:5, Insightful)
Re:So Hell Pizza requires Facebook/Twitter UID? (Score:5, Funny)
the "celebrity" (quotes because we are talking about New Zealand)
It's obviously Russell Crowe
Re:Hell Pizza = Pizza in CA (Score:5, Funny)
Re: (Score:2)
Hell Pizza may suck on the security front (as evidenced by this story), but I have to say they make the best pizza I've ever had, anywhere... and that's a fairly ringing endorsement since I've eaten pizza on pretty much every continent on earth (including classic Italian pizza in Italy, New York pizza in New York, and so on).
It's also worth pointing out that while their security may suck, their web design is pretty awesome... Just playing with the cute little devils on their website [hellpizza.co.nz] is a great time filler w
Re: (Score:2)
IMHO, Cicero's Pizza in San Jose has probably the best NY-style pizza outside of NY.