From vin@shore.net Mon Feb 20 17:10:20 EST 1995
Article: 21527 of alt.security
Path: caen!math.ohio-state.edu!howland.reston.ans.net!news2.near.net!news3.near.net!noc.near.net!shore.shore.net!slip-4-29.shore.net!user
From: vin@shore.net (Vin McLellan)
Newsgroups: alt.security
Subject: Facts on Mitnick & Netcom Credit Cards
Date: Sat, 18 Feb 1995 11:14:56 -0500
Organization: Technical Translators Guild
Lines: 88
Message-ID:
NNTP-Posting-Host: slip-4-29.shore.net

There are several haggling threads in various newsgroups reacting to Netcom's spinmeister statement about Kevin Mitnick's reported theft of Netcom customer credit card records. The NY Times had reported Netcom had lost 20,000 credit card records, but the Netcom CEO issued a statement on-line that seemed to imply that was an exaggeration.

Mark Seiden -- a firewall expert credited with helping Shimomura et al. nail Mitnick -- finally stepped into the snowstorm after David Sternlight, a Netcom subscriber, reported:

> >Netcom has said that only the credit cards of those having shell accounts
> >MIGHT have been compromised and that those are a minority of their
> >customers.

Said Seiden:

if this is what netcom said, it is neither complete nor correct.

since there seems to be a lot of spin, misinformation, spin, disinformation and spin floating around, here's some info about the credit card issue.

there are two files.

file one contains around 32000 customer records. although i don't have the (netcom actual) database schema, it appears that each record contains name, address, phone number for the account name and a responsible party, credit card number (when one was used -- not everybody used a credit card), expiration date. there are some int-valued and boolean fields also. It's an ascii file, and i'd guess it's an export from the real database, judging by some of the dirty data in it. based on the presence of around 500 ip addresses in the netcom allocation, this file includes records for ip-speaking customers also.

file two appears to be a monthly charge file, containing an entry for each of 21635 charges done that month.

though netcom could certainly say, i have little data on which to base a conclusion of the date of *creation* of either file at netcom. the credit card expiration dates appear to range from 1/94 to '99. if i had to make an educated guess, i would say they were snatched in very early '94, since it would be difficult for netcom to charge to an expired card, and based on the identical expiration dates (based on superficial examination) that the two files were snatched at the same time.

there's no point in my speculating how mitnick got the files, nor how many other people have copies of them, what their intent or intentions were, nor what (if any) use anyone has made of them, and i'm not sure which of those issues are even relevant to the charge of possession. he certainly had possession of the files, period, full stop.

Where Sternlight had, on the basis of the press reports, doubted:

> >Somehow the above doesn't seem to me to add up to 20,000. I think this whole
> >thing has been blown out of proportion. There was never an authoritative
> >statement in the same sentence that 20,000 cards have been compromised and
> >that all 20,000 were at Netcom. We know Mitnick was also mucking around on
> >the Well.

Responded Seiden, authoritatively:

yes, these are all (and only) netcom records, i think there's no question about that.

there are other ISPs with a privacy problem. colorado supernet sniffed sessions (sniffed by mitnick) contain a number of customer social security numbers.

mitnick's recent activity on the well seemed to have mainly consisted of becoming root, snooping on the mail of at least one journalist and keeping his (sizeable) primary stash of goodies there, but there are lots of recently sniffed sessions of mitnick's activities both at the well and at netcom which could make clear what he did and didn't do.
i expect them to be introduced as evidence in the trial.
>
>
-- Mark Seiden, mis@seiden.com.

--
Vin McLellan+The Privacy Guild++Technical Translators' Guild = MULTI-LINGUAL tech writers, hw/sw engineers, Ph.ds: * BICULTURAL TRANSLATORS FOR HIRE * (617) 884-5546