EU probes Oracle-Sun deal, cites open-source issue

By AOIFE WHITE, 09.03.09, 10:50 AM EDT

BRUSSELS -- European Union regulators Thursday launched an antitrust probe into U.S. software maker Oracle Corp.'s takeover of Sun Microsystems Inc., saying they wanted to make sure Oracle wouldn't hinder Sun's rival open-source database software.

EU approval is the main stumbling block for the $7.4 billion deal, which Oracle had hoped to close this summer and has already been cleared in the U.S. by the Department of Justice.

The European Commission now has until Jan. 19 before it makes a final decision to clear the deal or block it. In some cases, such as with Intel Corp., the EU has been a stricter antitrust regulator than the U.S., and often presses companies to make changes that eliminate antitrust worries, such as selling off parts of their business.

EU Competition Commissioner Neelie Kroes said regulators needed to examine whether customers could have less choice or see higher prices "when the world's biggest proprietary database company proposes to take over the world's leading open-source database company."

Sun bought open-source database provider MySQL last year for $1 billion as a way to find more customers for its computer hardware. Because MySQL (pronounced "my sequel") is open-source, its underlying coding is given away for free, and Sun doesn't sell the software itself. In contrast, Oracle is a leading vendor of database software that gets sold to businesses.

Database software forms the underpinnings of most things people do in business or on the Web. It helps companies manage and retrieve data they've stored, such as payroll or sales information. Typing in a search term, for example, forces a Web site to scour a database and spit out an answer.

The EU officials claim that MySQL, already popular among Web-based companies, will increasingly threaten Oracle's database software as it adds features and attracts more customers. The regulators questioned "Oracle's incentive to further develop MySQL as an open source database."

"In the current economic context, all companies are looking for cost-effective (information-technology) solutions, and systems based on open-source software are increasingly emerging as viable alternatives to proprietary solutions," Kroes said. "The commission has to ensure that such alternatives would continue to be available."

Sun and Oracle had no immediate comment Thursday.

EU spokesman Jonathan Todd said the EU was merely matching the U.S. in launching an in-depth investigation into the takeover. Todd stressed that the EU will use the coming weeks to weigh "serious doubts" about the deal - but that it could pass EU scrutiny unhindered.

The alternative - if the EU finds that its worries are justified - would be for the companies to offer remedies to soothe those concerns, such as selling off MySQL or making binding commitments so that rival developers could still base software on MySQL code.

Whatever the Europeans decide, the holdup represents a surprising setback for a deal that was originally expected to sail through antitrust scrutiny and close this summer. A key reason the deal got done in the first place was because Oracle was seen as a safer suitor than IBM Corp., which also bid for Sun. IBM was viewed as a bigger antitrust risk because of the companies' overlaps in the server and data-storage markets.

The EU described the database market as "highly concentrated," with the three main proprietary software companies - Oracle, IBM and Microsoft - controlling some 85 percent of the market by revenue.

Peter Alexiadis, a partner at the Brussels office of law firm Gibson, Dunn & Crutcher LLP, said he was surprised that the EU was taking a different tack from the U.S. on the deal.

"If ever there was a case for the U.S. and the EU seeing eye to eye, I would have imagined that this was an appropriate one," he said, saying he was "hard pressed" to see how the deal would strengthen Oracle's position in a global and very varied database market.

"If the commission goes down the path of defining narrow database markets, they might be going down a path they may regret," he said.

Sun shares fell 17 cents, or 1.8 percent, to $9.15 in morning trading Thursday, as investors tried to gauge the risk that Oracle won't be able to complete the deal. Oracle would pay $9.50 per share if the deal is completed.

Oracle shares fell 41 cents, 1.9 percent, to $21.36.

Oracle's bid for Sun marks new territory for the company, turning it into more of a one-stop technology shop, like IBM Corp. and Hewlett-Packard Co. Sun is the world's No. 4 maker of computer servers, which power Web sites and corporate back offices. In many cases those servers run database software such as MySQL or Oracle products.

AP Technology Writer Jordan Robertson contributed to this report from San Francisco.

Copyright 2009 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Posted by CEOinIRVINE
Business-logic flaw in Sears.com Web application could have let hackers brute-force attack the retailer's gift card database

Sep 01, 2009 | 03:49 PM

By Kelly Jackson Higgins
DarkReading

A newly discovered vulnerability on Sears.com could have allowed attackers to raid the retail giant's gift card database.

Alex Firmani, owner of Merge Design and a researcher, this week revealed a major security hole on Sears.com that could allow an attacker to easily steal valid gift cards -- a heist he estimates could be worth millions of dollars. Firmani says he alerted Sears about the flaw, and that Sears has since "plugged" the hole by removing the feature that let customers verify and check their gift-card balances.

The vulnerability was a business logic flaw in a Web application that handles gift card account inquiries; Firmani was able to stage a brute-force attack that could grab all valid, active Sears and Kmart gift cards from the company's database.

Firmani says the site wasn't auditing verification requests, which allowed him to verify gift card and PIN combinations using a homegrown PHP script that automatically submitted the requests. "I wrote a PHP script to hammer their verification server. It happily replied with thousands of verification responses per minute," he says.

The Sears application relied on client-side cookies to halt brute-force verification attempts, which Firmani says wasn't effective. "They should know where the verification requests come from, log them all, and be able to disable the verifications when they have a malicious attack," he says. "It doesn't appear to me that they had any server-side control over how many verifications were done."

Jeremiah Grossman, CTO of WhiteHat Security, says this type of flaw is probably fairly common on retailer Websites. And this business logic flaw differs from a cross-site scripting or SQL injection bug: "It basically lets an attacker defraud Sears.com directly," Grossman says.

Firmani's discovery came on the heels of reports of multiple cross-site scripting (XSS) vulnerabilities on Sears' Web pages that were abused by an attacker to deface the Website.

"I thought this was notable with Sears being a Fortune 50 company," he says. "I have not tested many other large retailers, but I would hope most of them take better care than this. For smaller sites that write their own gift-card verification code, I'd expect just as many are vulnerable."

Firmani, who says he discloses Website flaws to site owners in order to highlight common Web application security issues, suggests that Sears require a valid user account login before allowing a verification request to be sent. "You could then record the number of verification requests and lock out any offending accounts automatically and without relying on client-side cookie," he wrote in his disclosure paper. "Recording requests server-side would be a more reliable way of handling repeat request offenders."

Another option, he said, is recording the IP addresses of users verifying their gift cards to a server-side database. Others are using a "number used once" scheme in the verification form, or logging all verification requests and using a script to shut down the response server if more than a specifically designated number of requests arrive per minute.
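The server-side controls listed above (counting per logged-in account and per IP address, a one-time form nonce, logging every request, and a per-minute cutoff), combined in one gate as an added example; it is not code from Sears or from Firmani's disclosure paper. The class, thresholds, result strings and sample card data are assumptions constructed for illustration, and `account` is assumed to come from an authenticated session.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque


class VerificationGate:
    """Server-side gate in front of a gift-card balance check (hypothetical names)."""

    def __init__(self, cards, per_client_limit=5, global_limit=100,
                 window=60.0, clock=time.monotonic):
        self.cards = cards                    # card number -> PIN, constructed sample data
        self.per_client_limit = per_client_limit
        self.global_limit = global_limit      # requests per window before shutting off
        self.window = window
        self.clock = clock
        self.nonces = set()                   # issued, not yet used form nonces
        self.recent = defaultdict(deque)      # ("acct"|"ip", value) -> timestamps
        self.all_recent = deque()
        self.locked = set()
        self.disabled = False
        self.audit_log = []                   # every request is recorded server-side

    def issue_nonce(self):
        """Called when the verification form is rendered for a logged-in user."""
        nonce = secrets.token_urlsafe(16)
        self.nonces.add(nonce)
        return nonce

    def _count(self, queue, now):
        # Drop timestamps older than the window, then record this request.
        while queue and now - queue[0] > self.window:
            queue.popleft()
        queue.append(now)
        return len(queue)

    def _decide(self, account, ip, nonce, card, pin, now):
        keys = (("acct", account), ("ip", ip))
        if self.disabled:
            return "service_disabled"
        if any(k in self.locked for k in keys):
            return "locked"
        if nonce not in self.nonces:
            return "bad_nonce"
        self.nonces.discard(nonce)            # a nonce is good for one submission
        if self._count(self.all_recent, now) > self.global_limit:
            self.disabled = True              # stop answering until an operator resets
            return "service_disabled"
        over = [k for k in keys if self._count(self.recent[k], now) > self.per_client_limit]
        if over:
            self.locked.update(over)          # lockout does not depend on any cookie
            return "locked"
        expected = self.cards.get(card, "")
        ok = hmac.compare_digest(expected.encode(), pin.encode()) and expected != ""
        return "valid" if ok else "invalid"

    def verify(self, account, ip, nonce, card, pin):
        now = self.clock()
        result = self._decide(account, ip, nonce, card, pin, now)
        self.audit_log.append((now, account, ip, card[-4:], result))
        return result


def simulate_guessing(gate, account, ip, card, pins):
    """Replay a run of PIN guesses through the gate and return each outcome."""
    return [gate.verify(account, ip, gate.issue_nonce(), card, p) for p in pins]


if __name__ == "__main__":
    gate = VerificationGate({"6006490000001234": "4821"})   # constructed card and PIN
    guesses = [f"{n:04d}" for n in range(4815, 4825)]       # includes the real PIN
    print(simulate_guessing(gate, "mallory", "203.0.113.9", "6006490000001234", guesses))
```

In the sample run the correct PIN is the seventh guess, but the account and address are locked on the sixth request, so the gate never confirms it.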

"Security these days is less about what version of Apache you're running and more about custom-written Web applications. With Web apps given unfettered database access, it becomes a simple matter of exploiting less-than-solid Web application programming," Firmani says. "Finding holes in home-brewed Web app code is much easier than exploiting a root-escalation bug on a Linux server, but both often have similar database access."


SEBASTOPOL, Calif. -- The Amazon Kindle has sparked huge media interest in e-books and has seemingly jump-started the market. Its instant wireless access to hundreds of thousands of e-books and seamless one-click purchasing process would seem to give it an enormous edge over other dedicated e-book platforms. Yet I have a bold prediction: Unless Amazon embraces open e-book standards like epub, which allow readers to read books on a variety of devices, the Kindle will be gone within two or three years.

To understand why I say that, I'll need to share a bit of history.

In 1994, at an industry conference, I had an exchange with Nathan Myhrvold, then Microsoft's chief technology officer. Myhrvold had just shown a graph that prefigured Chris Anderson's famous "long tail" graph by well over a decade. Here's what I remember him saying: "Very few documents are read by millions of people. Millions of documents--notes to yourself, your spouse, your friends--are read by only a few people. There's an entire space in the middle, though, that will be the basis of a new information economy. That's the space that we are making accessible with the Microsoft Network." (These aren't Myhrvold's exact words but the gist of his remarks as I remember them.)

You see, I'd recently been approached by the folks at the Microsoft Network. They'd identified O'Reilly as an interesting specialty publisher, just the kind of target that they hoped would embrace the Microsoft Network (or MSN, as it came to be called). The offer was simple: Pay Microsoft a $50,000 fee plus a share of any revenue, and in return it would provide this great platform for publishing, with proprietary publishing tools and file formats that would restrict our content to users of the Microsoft platform.

The only problem was we'd already embraced the alternative: We had downloaded free Web server software and published documents using an open standards format. That meant anyone could read them using a free browser.

While MSN had better tools and interfaces than the primitive World Wide Web, it was clear to us that the Web's low barriers to entry would help it to evolve more quickly, would bring in more competition and innovation, and would eventually win the day.

In fact, the year before, we'd launched The Global Network Navigator, or GNN, the world's first Web portal and the first Web site supported by advertising. To jump-start GNN, we hosted and sponsored the further development of the free Viola web browser, as a kind of demonstration project. We weren't a software company, but we wanted to show what was possible.

Sure enough, the Mosaic Web browser was launched shortly thereafter. The Web took off, and MSN, which later abandoned its proprietary architecture, never quite caught up.

For our part, we recognized that the Web was growing faster than we could, particularly as a private company uninterested in outside financing. So we sold GNN to America Online in June 1995. Big mistake. Despite telling us that they wanted to embrace the Web, they kept GNN as an "off brand," continuing to focus on their proprietary AOL platform and allowing Yahoo! to dominate the new online information platform.


U.S. stock futures are trading mixed this morning, pointing toward a somewhat positive open, despite weakness on the Nasdaq due to poorly received earnings from Hewlett-Packard (HPQ). The leading PC and computer peripherals manufacturer reported a 13% plunge in first-quarter earnings after the close last night. Other companies in focus this morning include Whole Foods Market (WFMI), which is 16% higher ahead of the open following solid quarterly results, and Sprint Nextel (S), which gained about 3% in pre-market activity due to a narrowed quarterly loss. Wall Street's mood could shift dramatically, however, as key economic data, including the January producer price index (PPI), are slated for release later this morning.

Checking in on currencies and commodities, the U.S. Dollar Index is taking a breather following a strong rally earlier this week. At last check, the index was off 0.92% at 87.19 in pre-market activity. Gold futures, meanwhile, have gained a mere $2.40 an ounce to trade at $980.60 in London, with traders closely watching the equity markets for signs of strength. Finally, crude oil futures are on the mend, with the March contract up 3.32% at $35.77 per barrel in electronic trading.

After the close last night, Hewlett-Packard (HPQ) reported a fiscal first-quarter profit of $1.9 billion, or 75 cents per share, compared with a profit of $2.1 billion, or 80 cents per share, last year. Revenue rose 1% to $28.8 billion from $28.5 billion. Excluding 1-time items, HPQ earned 93 cents per share. Analysts were looking for earnings of 93 cents per share on $31.9 billion in sales. For its second quarter, the company expects earnings of 70 cents to 72 cents per share, or an adjusted 84 cents to 86 cents per share. Sales should fall 2% to 3% from a year earlier, which would equal $27.5 billion to $27.7 billion. The figures were well below the current consensus estimate for 89 cents per share on $30.95 billion in sales.

Whole Foods Market (WFMI) reported that net income fell 17% from the year-earlier quarter due to slowing store traffic and legal costs. Whole Foods posted a first-quarter profit of $32.3 million, or 20 cents per share, down from $39.1 million, or 28 cents per share, last year. However, earnings topped analyst expectations for 19 cents per share. Sales were flat at $2.5 billion. Comparable-store sales fell 4% compared with a 9% gain last year.

Finally, Sprint Nextel (S) said it lost $1.62 billion, or 57 cents per share, narrowing its loss from the same quarter last year of $29.31 billion, or $10.31 per share. Revenue for the quarter was $8.43 billion, compared to $9.85 billion. Analysts had expected sales of $8.55 billion. "In tough economic times, we're generating substantial cash and reducing costs to ensure we remain financially sound. We already have the cash on hand to be able to meet our debt service requirements at least through the end of 2010," said Dan Hesse, Sprint Nextel chief executive.

Earnings Preview

Today, Apache (APA), CVS Caremark (CVS), Newmont Mining (NEM), and Crocs (CROX) are slated to step into the earnings confessional. Keep your browser at SchaeffersResearch.com throughout the day for more.

Economic Calendar

On the economic front, the Street must digest the January producer price index (PPI), the core PPI, January's leading economic indicators, the February Philadelphia Fed's manufacturing index, and the weekly reports on U.S. petroleum supplies and jobless claims. We round out the week on Friday with the consumer price index (CPI) and the core CPI.

Market Statistics

Equity option activity on the CBOE saw 1,251,244 call contracts traded on Wednesday, compared to 1,098,962 put contracts. The resultant single-session put/call ratio slipped to 0.88, while the 21-day moving average held at 0.75.

Volatility indices

NYSE and Nasdaq summary

**The volume data shown above is from the Nasdaq and NYSE exchanges only. It does not include regional volume activity, which means that other daily volume quotes you see may be higher.**

Dow, S&P and Nasdaq futures


Microsoft said Tuesday it has opened a new research center in Switzerland to develop internet telephony software, also known as Voice-over-IP.

The U.S. tech giant said the center, located in Zurich, will grow from 45 to 200 staff over the next three years.


Microsoft Corp. said in a press release that the site complements three other centers developing communications software in Beijing, China; Hyderabad, India; and Redmond, Washington.




NEW HAVEN, Connecticut (AP) -- A judge cleared the way Wednesday for gay marriage in Connecticut, a victory for advocates stung by California's referendum that banned same-sex unions in that state.

Gay couples walk together to Superior Court in New Haven, Connecticut, on Wednesday.


Some couples planned to celebrate by immediately marching to New Haven City Hall to get marriage licenses. At least one ceremony was scheduled Wednesday morning on the New Haven green.

Some of the eight couples who successfully challenged a state law prohibiting gay marriages last month wept as Judge Jonathan Silbert entered his judgment, based on a state Supreme Court ruling.

The judge's order marks "the end of a very long journey toward equality," said their attorney, Bennett Klein.

"Each of the plaintiffs asked me to convey to the court how proud they are to be citizens of this state," Klein said.

"It's a great day for Connecticut," plaintiff Robin Levine-Ritterman said.

The Connecticut Supreme Court ruled 4-3 on October 10 that same-sex couples have the right to wed rather than accept a civil union law designed to give them the same rights as married couples.

Peg Oliveira, 36, a yoga teacher and educational consultant, and Jennifer Vickery, a 44-year-old lawyer, planned to wed on the New Haven green Wednesday. They have a 3-month-old baby.

"We're thrilled and we don't want to wait one minute," Oliveira said earlier. "I want to show the folks who worked so hard to make this possible that we are very grateful and we don't want to wait any longer to be able to say the words 'We are married."'

Manchester Town Clerk Joseph Camposeo, president of the Connecticut Town Clerks Association, said clerks were advised by e-mail shortly after 9:30 a.m. they could start issuing the licenses.

"The feedback I'm getting from other clerks is that we're all at the ready, but no one really has a sense yet of what kind of volume we're going to get," he said.

According to the state public health department, 2,032 civil union licenses were issued in Connecticut between October 2005 and July 2008.

The health department had new marriage applications printed that reflect the change. Instead of putting one name under "bride" and the other under "groom," couples will see two boxes marked "bride/groom/spouse."

Only Connecticut and Massachusetts have legalized gay marriage. The unions were legal in California until a statewide referendum to ban gay marriage narrowly passed last week. The vote has sparked protests and several lawsuits asking that state's Supreme Court to overturn the prohibition.

Constitutional amendments to ban gay marriage also passed last week in Arizona and Florida, and Arkansas voters approved a measure banning unmarried couples from serving as adoptive or foster parents.

However, Connecticut voters last week rejected the idea of a constitutional convention to amend the state's constitution, a major blow to opponents of same-sex marriage.

The Family Institute of Connecticut, a political action group that opposes gay marriage, condemned the high court's decision as undemocratic. Peter Wolfgang, the group's executive director, acknowledged banning gay marriage in Connecticut would be difficult but vowed not to give up.

"Unlike California, we did not have a remedy," Wolfgang said. "It must be overturned with patience, determination and fortitude."

The state's 2005 civil union law will remain on the books, at least for now. Same-sex couples can continue to enter civil unions, which give them the same legal rights and privileges in Connecticut as married couples without the status of being married.

State Rep. Michael Lawlor, D-East Haven, co-chairman of the legislature's Judiciary Committee, said lawmakers will have to decide the fate of the civil union law.

"We'll definitely be taking this up," he said. The new legislative session opens in January.

Wall Street headed toward a lower open Wednesday, as investors try to assess how bad the global economic slump is and worry about the trend in consumer spending.

The market, which fell for the second-straight session on Tuesday, will get an update from Treasury Secretary Henry Paulson on the government's financial rescue package at 10:30 a.m. EST. There are no major economic reports due to be released during the session.

There was fresh evidence that the financial crisis is causing consumers to tighten their purse strings.

Department store operator Macy's Inc. reported a loss of $44 million for the third quarter as results were weighed down by charges related to a consolidation of several divisions. The consumer electronics chain Best Buy Co. cut 2009 guidance on fears that consumer spending will erode even further.

A big drop in consumer spending is a major concern since it drives more than two-thirds of the U.S. economy. Investors are also awaiting the government's retail sales figures on Friday and earnings from Wal-Mart Stores Inc. on Thursday.

Battered shares of the top U.S. automakers might again come under pressure. House Speaker Nancy Pelosi wants Congress to support a financial bailout for the troubled U.S. auto industry, which is suffering under the weight of poor sales, tight credit and a sputtering economy.

President-elect Obama, when he met with President Bush at the White House on Monday, urged Bush to support aid for struggling automakers, and Democrats in Congress have begun drafting legislation that would give General Motors, Ford and Chrysler access to $25 billion of the rescue funds.

Dow futures shed 59, or 0.69 percent, to 8,578. Standard & Poor's 500 futures dropped 4.60, or 0.52 percent, to 888.40. Nasdaq 100 index futures stumbled 10.20, or 0.84 percent, to 1,212.80.

On Tuesday, the Dow fell nearly 180 points as it became clearer to investors that it's going to be hard to rely on the average consumer to pull the economy out of its downturn. The market also closed lower amid similar concerns on Monday.

Government bond prices, which did not trade Tuesday because of Veterans Day, moved higher as investors looked for safer investments. The three-month Treasury bill's yield fell to 0.21 percent from 0.22 percent late Monday, and the yield on the benchmark 10-year Treasury note fell to 3.74 percent from 3.76 percent late Monday.

Lower yields indicate stronger demand.

Crude slipped below $59 a barrel Wednesday on the growing realization that global economic growth next year will slow more than originally feared, cutting demand for crude products such as gasoline. Light, sweet crude was down 85 cents to $58.48 a barrel, after earlier falling as low as $58.55, in electronic trading on the New York Mercantile Exchange.

In corporate news, American Express Co. is said to be seeking about $3.5 billion from the U.S. government to help boost its balance sheet, according to a report in The Wall Street Journal citing people familiar with the situation. AmEx, the No. 4 U.S. credit card issuer, won approval Monday from the Federal Reserve to become a bank holding company.

Prudential Financial Inc. said late Tuesday its 2008 annual dividend will be roughly half of what it paid out to shareholders last year. The insurer said it will pay a dividend of 58 cents per share on Dec. 19 to shareholders of record at the close of business on Nov. 24. Last year, the company paid a dividend of $1.15 per share.

After the closing bell, semiconductor equipment maker Applied Materials Corp. and Computer Sciences Corp., an information technology outsourcing firm, are also set to report.

Overseas, Japan's Nikkei closed down 1.29 percent and Hong Kong's Hang Seng fell 0.73 percent. In European trading, London's FTSE 100 was up 0.52 percent, Germany's DAX fell 0.22 percent, and France's CAC-40 added 0.11 percent.
