
Details Emerge of 2006 Wal-Mart Hack

kdawson posted more than 4 years ago | from the if-sam-were-alive-he'd-be-spinning-in-his-grave dept.

Security 66

plover writes "Kim Zetter of Wired documents an extensive hack of Wal-Mart that took place in 2005-2006. She goes into great detail about the investigation and what the investigators found, including that the hackers made copies of their point-of-sale source code, and that they ran l0phtCrack on a Wal-Mart server. 'Wal-Mart uncovered the breach in November 2006, after a fortuitous server crash led administrators to a password-cracking tool that had been surreptitiously installed on one of its servers. Wal-Mart's initial probe traced the intrusion to a compromised VPN account, and from there to a computer in Minsk, Belarus.' Wal-Mart has long since fixed the flaws that allowed the compromise, and confirmed that no customer data was lost in the hack — which is why they did not need to report the breach publicly earlier." This intrusion happened around the same time that Albert Gonzalez's gang was breaking into Marshall's and its parent company, TJX. The MO was quite similar: researching and closely targeting the point-of-sale systems in use. But the article notes that "There's no evidence Wired.com has seen linking Gonzalez to the Wal-Mart breach."


Why hack 'em... (5, Funny)

SomeJoel (1061138) | more than 4 years ago | (#29739081)

when you can just pay for everything with a million dollar bill [usatoday.com] ?

Re:Why hack 'em... (5, Funny)

Anonymous Coward | more than 4 years ago | (#29739189)

http://www.peopleofwalmart.com/ [peopleofwalmart.com]

Re:Why hack 'em... (3, Funny)

Shakrai (717556) | more than 4 years ago | (#29739259)

I want to personally thank you for ruining my dinner......

Re:Why hack 'em... (0)

Anonymous Coward | more than 4 years ago | (#29741767)

That might save you from looking like some of them ;)

must have been a windows server.... (4, Funny)

Shakrai (717556) | more than 4 years ago | (#29739083)

Someone had installed L0phtcrack, a password-cracking tool, onto the system, which crashed the server when the intruder tried to launch the program.

Linux would not have crashed from a mere userspace program ;) Windows saved the day! Hooray!

Re:must have been a windows server.... (-1, Flamebait)

Eudial (590661) | more than 4 years ago | (#29739265)

Since when has Windows needed user space programs to trigger crashes? It does that just fine on its own.

Re:must have been a windows server.... (4, Informative)

Hyppy (74366) | more than 4 years ago | (#29739289)

One word: Forkbomb.
:(){ :|:& };:
Yeah, I know any competent admin can protect against it, but still.

Re:must have been a windows server.... (4, Informative)

blhack (921171) | more than 4 years ago | (#29739407)

Linux would not have crashed from a mere userspace program ;)

I have a forkbomb that disagrees with you.

Re:must have been a windows server.... (2, Insightful)

cigawoot (1242378) | more than 4 years ago | (#29739571)

Any idiot who knows about the /etc/security/limits.conf file can fix that

Re:must have been a windows server.... (2, Interesting)

andreyvul (1176115) | more than 4 years ago | (#29739761)

That, and grsec patchset. I tested it on an Athlon XP and it kills a forkbomb after 32000 forks.

Re:must have been a windows server.... (1, Insightful)

blhack (921171) | more than 4 years ago | (#29739763)

That doesn't mean it isn't impossible. Claiming that it is is misinformation.

Re:must have been a windows server.... (0)

Anonymous Coward | more than 4 years ago | (#29740151)

Since when do employers hire competent people as opposed to cheap almost capable ones?

Re:must have been a windows server.... (3, Interesting)

drinkypoo (153816) | more than 4 years ago | (#29742835)

Why don't Linux distributions come with this file already configured? You know, with some reasonable limits to prevent fork bombs and the like. I understand why you wouldn't have minimums in there. Seems like a big missed opportunity.

Re:must have been a windows server.... (1)

cigawoot (1242378) | more than 4 years ago | (#29743161)

Because at our Cyber Defense Competitions that we run, I cannot have any fun being an end user by blowing up their servers in 10 seconds.

Re:must have been a windows server.... (0, Redundant)

AmberBlackCat (829689) | more than 4 years ago | (#29739797)

That means with Linux the poor hackers would have been stuck with using the compromised VPN account to take over the entire system, with no crash or any other evidence...

Re:must have been a windows server.... (1)

melmut (968751) | more than 4 years ago | (#29741953)

I don't think this is true. And I don't think Linux is safer. Just give some evidence, please. Or don't talk about what you don't know. Please.

Re:must have been a windows server.... (1)

Runaway1956 (1322357) | more than 4 years ago | (#29745911)

The evidence is in the billions of dollars that corporate America has spent on prevention and recovery from exploits. For more evidence, tally up the cost that homeowners have paid for prevention and recovery - and don't forget to attach some value to all the time spent re-installing Windows. Again, we are looking at billions of dollars. Every time a Windows based online bank is exploited, you can add to the overall figure.

Only a fool would try to convince you that Linux can't be exploited - but, what has been the total cost of Linux exploits in the past 10 years? A mere drop in the bucket, compared to Windows exploited systems.

Re:must have been a windows server.... (2, Insightful)

melmut (968751) | more than 4 years ago | (#29746609)

Only a fool would try to convince you that Linux can't be exploited - but, what has been the total cost of Linux exploits in the past 10 years? A mere drop in the bucket, compared to Windows exploited systems.

Again, there isn't any evidence. Why would this be? I use the same basic rules for every os I manage, and guess what? I never have to reinstall. Never.

Re:must have been a windows server.... (1)

w0lo (943113) | more than 4 years ago | (#29751329)

To dump the SAM hashes from a live system, you need debug priv (admin) and to inject a DLL or some code into a key Windows process; if anything goes wrong and the process dies, Windows BSoDs to protect itself.

I don't get it (1)

rodgster (671476) | more than 4 years ago | (#29739107)

Surely they could have dumped the user accounts from AD (like the SAM under NT) and cracked all the accounts on a remote machine. Then maybe it wouldn't have even been noticed. And if the POS software was secure, it should not matter if someone downloaded the source code.

Secure software isn't so easy (4, Informative)

syousef (465911) | more than 4 years ago | (#29739175)

And if the POS software was secure, it should not matter if someone downloaded the source code.

That depends on whether the source code was stored separately to certificates/key files and how well the passwords were externalised. You'd be surprised how modern security systems allow and even encourage awful practices in this regard. For example Spring web services and Spring Security have a bad tendency of including such things in their config file, which are often bundled up in the application.

It's actually not a trivial problem. If you include everything required for the app to run in the application package/bundle, you inevitably include such things somewhere they shouldn't be (even if that's just a build machine). The best solution I've seen is hardware security modules that don't allow keys and certificates to be exported. They aren't cheap but if you're running a large organisation and have been trusted with potentially millions of credit card numbers it's not exactly beyond the call.

Wal-Mart did not follow basic security practices (4, Informative)

Anonymous Coward | more than 4 years ago | (#29739377)

Forget the POS software and whether it was secure or not.. looks like Wal-Mart did not follow some basic security practices

According to this blog [blogspot.com] :

housed complete backup copies of transaction logs on network-connected UNIX servers, which included at least four years’ worth of unencrypted credit card numbers, cardholder names and expiration dates

used the same usernames and passwords across every Wal-Mart store nationwide

And of course, the intrusion could be traced back to the VPN account of a system administrator who had left the company but his account was not shut down (the report does not implicate the employee)

Re:Wal-Mart did not follow basic security practice (0)

Anonymous Coward | more than 4 years ago | (#29740265)

housed complete backup copies of transaction logs on network-connected UNIX servers, which included at least four years’ worth of unencrypted credit card numbers, cardholder names and expiration dates

The POS controllers only store the current day and the day prior. Complete transaction logs (electronic receipt transcriptions, basically) were kept containing full account numbers up until a few years ago, but have now been purged of all but the last 4 digits of any sort of financial data (credit/debit, gift card, check routing numbers).

Any paper copies of this data should also have cycled to the shredder by now, too.
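The purge described in the comment above (keeping only the last 4 digits of card numbers in stored transaction logs) can be sketched as a log scrubber. This is an added example, not code from the article or from Wal-Mart; the log format, field names and sample lines are constructed, and the card numbers are the published test numbers used by payment sandboxes.

```python
import re
from typing import List, Tuple

# Candidate card numbers: 13-19 digits, optionally grouped with single
# spaces or dashes. Candidates are confirmed with the Luhn checksum so that
# order ids and other long numeric fields are left alone.
# Limitation: a numeric field separated from a card number only by a space
# or dash can merge into one candidate; keep fields in key=value form.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(line: str, keep: int = 4) -> Tuple[str, int]:
    """Mask all but the last `keep` digits of each card number in a line.

    Returns the scrubbed line and the number of card numbers masked.
    Separators inside the number are preserved so the layout stays readable.
    """
    found = 0

    def _mask(match):
        nonlocal found
        raw = match.group(0)
        digits = "".join(c for c in raw if c.isdigit())
        if not luhn_ok(digits):
            return raw          # not a card number, leave untouched
        found += 1
        to_mask = len(digits) - keep
        out = []
        for c in raw:
            if c.isdigit() and to_mask > 0:
                out.append("*")
                to_mask -= 1
            else:
                out.append(c)
        return "".join(out)

    return PAN_CANDIDATE.sub(_mask, line), found


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub every line; return the scrubbed lines and the total masked."""
    scrubbed, total = [], 0
    for line in lines:
        clean, n = mask_pans(line)
        scrubbed.append(clean)
        total += n
    return scrubbed, total


# Constructed sample transaction log lines.
SAMPLE_LOG = [
    "2006-11-02 09:14:07 store=0042 reg=07 txn=100045 card=4111111111111111 amt=23.50",
    "2006-11-02 09:15:31 store=0042 reg=03 txn=100046 card=5555-5555-5555-4444 amt=8.99",
    "2006-11-02 09:16:02 store=0042 reg=03 order=1234567890123456 status=shipped",
    "2006-11-02 09:17:48 store=0042 reg=01 txn=100047 card=378282246310005 amt=112.00",
]

if __name__ == "__main__":
    cleaned, masked = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(f"{masked} card numbers masked")
```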

Re:Wal-Mart did not follow basic security practice (1)

Nefarious Wheel (628136) | more than 4 years ago | (#29740681)

... looks like Wal-Mart did not follow some basic security practices...

Oh, that's so funny it hurts. I think my ears are bleeding.

This wouldn't be a case of "you get what you pay for" now would it?

Re:Wal-Mart did not follow basic security practice (0)

Anonymous Coward | more than 4 years ago | (#29745697)

Posting AC because Wal-Mart is one of our customers... they may have a fuckton of money, but they are VERY stingy with it. They demand all kinds of documentation on support hours over and above what most other places do, and try to play major hardball with us to try to get the price down, which doesn't happen with ANY of our other clients because they realize we provide a unique service that they just can't get anywhere else. The cheapness at Wal-Mart is endemic. And cheapness is a very different beast from thrift.

Re:Secure software isn't so easy (4, Interesting)

plover (150551) | more than 4 years ago | (#29739477)

There's never a reason to have the private keys stored in the Point-Of-Sale application. The credit card data should be encrypted in the POS system using a public key borne on a verified certificate. It doesn't ever have to be decrypted at POS for any reason. Decryption should happen only at the point of authorization, and at the point of settlement with the bank. Those private keys are only in centrally located machines that can be much more easily secured than the thousands of cash registers located in thousands of stores.

The hardest part is ensuring the certificate signatures are valid. You have to ensure the encryption certs weren't replaced with evil certs, and that no rogue root certificate was installed on the POS system.

Now, if you are encrypting at a PIN Entry Device (PED), it's a bit different. PINs are most commonly encrypted using TDES, not public key cryptography. Because those devices actually store secret keys, they fall under the PCI PED guidelines. They store a master key used in a protocol called DUKPT (Derived Unique Key Per Transaction.) The device must pass various tests and analysis, and be physically hardened against an attacker attempting to retrieve the master key. The older ones I've examined used a combination of trip wires, sensor switches, epoxy, 10-layer PC boards, and soldering techniques (BGA packaging) to thwart the bad guys. I'm not saying they're impregnable, but they're physically pretty well secured.

Re:Secure software isn't so easy (1)

fast turtle (1118037) | more than 4 years ago | (#29739795)

Even Better: Don't store CC numbers once you have the payment authorization and transaction ID. It's that damn simple. Once Visa/Master Card/Diners Club/AmEx authorizes the transaction, the only thing you need is the transaction Authorization ID along with the amount and it's what I don't understand about the entire Credit Card PCI process. Push for this and you'd eliminate many of the reasons to hack Merchant systems for card numbers and I suspect Visa/MasterCard/AmEx would save lots of money on bad charges.

Re:Secure software isn't so easy (1)

Bill, Shooter of Bul (629286) | more than 4 years ago | (#29740341)

Yeah, that's not always true, depending on the processor. But, yes merchants should find a processor that limits the merchant's need to store that info.

Re:Secure software isn't so easy (1)

bendodge (998616) | more than 4 years ago | (#29740837)

What about a system like the one at my workplace that doesn't charge the card right there, but rather does it in a batch at the end of the day? It's useful because I can easily invalidate a transaction a few minutes later if I key in an error, without swiping the card again, instead of having to issue a chargeback. Also, what about machines that are operated offline (e.g. a travelling booth)? They're pretty common.

Re:Secure software isn't so easy (1)

Chaos Incarnate (772793) | more than 4 years ago | (#29741321)

Then it would store it until the batch is processed—which would be the point at which you have the payment authorization and transaction ID.

Re:Secure software isn't so easy (2, Interesting)

syousef (465911) | more than 4 years ago | (#29739843)

There's never a reason to have the private keys stored in the Point-Of-Sale application.

Way to mis-read what I said. I gave an example that wasn't strictly related to POS terminals of how frameworks encourage poor security practices. Whether it's a certificate, key or password having it embedded in the configuration or the application package is poor security design but also the standard way things work.

The credit card data should be encrypted in the POS system using a public key borne on a verified certificate. It doesn't ever have to be decrypted at POS for any reason. Decryption should happen only at the point of authorization, and at the point of settlement with the bank. Those private keys are only in centrally located machines that can be much more easily secured than the thousands of cash registers located in thousands of stores.

And you shouldn't have to write custom code to get this kind of behaviour, yet you often do.

The hardest part is ensuring the certificate signatures are valid. You have to ensure the encryption certs weren't replaced with evil certs, and that no rogue root certificate was installed on the POS system.

Huh? That's the whole point of a certificate. If it's replaced with an "evil" certificate it won't authenticate at the other end. You'd have to replace them at both ends. Very difficult to do if you're talking about a Hardware Security Module (HSM) that doesn't allow certificate export. You basically have to steal the hardware.

Re:Secure software isn't so easy (1)

plover (150551) | more than 4 years ago | (#29739997)

The hardest part is ensuring the certificate signatures are valid. You have to ensure the encryption certs weren't replaced with evil certs, and that no rogue root certificate was installed on the POS system.

Huh? That's the whole point of a certificate. If it's replaced with an "evil" certificate it won't authenticate at the other end. You'd have to replace them at both ends.

You're assuming the certificate is used immediately to establish a connection. Point of sale terminals are not always on-line, and when they are off-line they must encrypt the authorization request and store it until it can be sent to the settlement system once they're back on-line. In that case, the terminal really needs to assure itself that the certificate is valid, because it might not be able to attempt the decryption until long after the customer has left with your merchandise and their charge card.

You've proven you have no idea (1)

syousef (465911) | more than 4 years ago | (#29740059)

You're assuming the certificate is used immediately to establish a connection.

No, I'm not. Where did I say that?

Point of sale terminals are not always on-line, and when they are off-line they must encrypt the authorization request and store it until it can be sent to the settlement system once they're back on-line.

Encryption and authentication (signing) are two different things. You almost certainly want both but you can encrypt without authenticating and vice versa.

In that case, the terminal really needs to assure itself that the certificate is valid, because it might not be able to attempt the decryption until long after the customer has left with your merchandise and their charge card.

First, as you've probably conceded, unless you replace the certificates at both ends, you won't authenticate or encrypt/decrypt the message or both so that it's recognised at the other end. So the funds don't get transferred.

As for merchandise leaving the store, once your POS is compromised, it's compromised. You can replace the entire set of certificates. You can even make the terminal pretend it has gone out and connected with the bank and transferred the money. There is NOTHING you can do to ensure that the certificates you have cached and the software you have aren't compromised to allow the sale to go through, since anything you are relying on to authenticate can itself be compromised.

I'm pretty certain you don't know what you're talking about, and that's dangerous if you're advising others on security.

Re:You've proven you have no idea (1)

plover (150551) | more than 4 years ago | (#29740961)

I don't think we're speaking on the topic in exactly the same way here.

I'm trying to solve the problem of "how do I know if this certificate (and signing CA root cert) on this cash register are good? How do I know they are not forgeries?" If I'm on-line, I can use the cert to authenticate a connection to a host, and assuming* I'm not also the victim of a simultaneous man-in-the-middle attack, I can trust that the cert is valid.

*Big assumption here.

But if I'm off-line, I simply have to trust the certs in my possession.

If I'm on-line and a customer gives me their credit card, I will use the cert, establish an authenticated connection to the authorizer, send the encrypted credit info, receive an approval, and send the customer off with his merchandise.

If I'm off-line, I'm taking my chances because I have to proceed without credit approval. Perhaps if it's just a one dollar bottle of soda, I'll accept the risk and approve it. But I still need to assure myself that I'll get paid by the customer's bank, and I also need to protect the customer's data. So I check the certificate I have on the local machine, walk its chain up to the root CA (which I also have on the local machine), and use the cert's key to encrypt the customer's credit info. I then have to store the encrypted data until such time that I'm back on-line and can send it forward. I may be too late to get the credit approved, but I still need to send the credit data to the customer's bank in order to get paid.

At this point it's still all about trust. I have to trust that the certs and key in my possession are not forgeries. If they are, I will have no way of recovering the credit info and getting paid. And if the attacker who replaced my valid certificates with forgeries is somewhere in the system harvesting the data, he alone will have the ability to decrypt the credit info, and use it for his evil purposes. As you said, there is nothing else that can be done at this point. An attacker who owns the system owns the whole system.

As I think we both agreed above, an HSM is about the most reliable way to protect a secret in this case. The best solution would be to perform all encryption in the HSM. That helps defend against the man-in-the-middle attack, again assuming the attacker can't tamper with or replace the HSM. But an HSM can be an expensive option when you're talking about many thousands of cash registers. A TPM chip can securely store enough data to verify a cert, though, and could be used to spot forgeries. (Again, assuming the attacker hasn't replaced the HSM or TPM drivers. An attacker with that level of access is certainly capable of any level of mischief. It always comes down to trusting the systems at some level or another.)

I'm pretty certain you don't know what you're talking about, and that's dangerous if you're advising others on security.

Don't be so quick to take offense if you don't understand the way someone else is going with a conversation. Take a moment to figure out what they mean before you descend into slander. You've been pretty hostile in this little conversation, and I've tried to be civil. Reciprocation would be appropriate.

Re:You've proven you have no idea (1)

syousef (465911) | more than 4 years ago | (#29741397)

But if I'm off-line, I simply have to trust the certs in my possession.

You are way too focused on the certs. If you're off line and your certs have been compromised, so could your code. In which case game over. Any test can be bypassed. If you don't trust your register is secure, require it to be online.

Yes a HSM is the best test you can have. It provides non-repudiation provided you're willing to do forensics to prove the POS terminal hasn't been compromised. So it's a very partial solution. As soon as you go on line, you can authenticate the certificate definitively, but if you're saying by then it's too late, you shouldn't be accepting the transaction. So as you said for soda, perhaps. For a Rolls Royce, certainly not.

Don't be so quick to take offense if you don't understand the way someone else is going with a conversation.

Take a look into my initial message and your response. You made the first attack on what I'd said.

Re:You've proven you have no idea (1)

plover (150551) | more than 4 years ago | (#29743019)

For the most part I'm not worried about attackers because I can't worry about them. As you say, the attacker could bypass any test. Even on-line isn't a guarantee of assurance, as the attacker could be providing me with a false host that matches my false certs. There is no way to determine (or even prevent) compromise on a box I don't physically control. And cash registers aren't of any business value if they're locked up in a secure data center.

The reason I focus on the certs is mostly because I need them to work in the normal, non-attack scenario. I need a high level of confidence that the data I generate now will be readable later.

I certainly meant no offense with that first posting. It was not intended as an attack. I'm sorry it came across that way.

Re:You've proven you have no idea (1)

syousef (465911) | more than 4 years ago | (#29749321)

I certainly meant no offense with that first posting. It was not intended as an attack. I'm sorry it came across that way.

I think for the most part we agree and I'm also sorry if I defended my position too vigorously and made it more personal than it needed to be.

Why? (1)

Tubal-Cain (1289912) | more than 4 years ago | (#29739109)

...no customer data was lost in the hack.

Surely they didn't simply notice it quickly enough that the hacker didn't have time to grab anything... So why go through all the trouble if he's not going to take anything?
Was it just for lols?

Re:Why? (2, Informative)

Tubal-Cain (1289912) | more than 4 years ago | (#29739143)

[l0phtCrack] crashed the server when the intruder tried to launch the program.

Nevermind

Re:Why? (3, Informative)

FooAtWFU (699187) | more than 4 years ago | (#29739153)

The technical term isn't lols, it's lulz.

Now someone mod me informative. :)

Re:Why? (3, Funny)

cigawoot (1242378) | more than 4 years ago | (#29739583)

Done!

Re:Why? (0)

Anonymous Coward | more than 4 years ago | (#29739879)

and undone by posting...

Re:Why? (3, Informative)

Korin43 (881732) | more than 4 years ago | (#29739669)

Plus, you don't just do something for lulz, you do it "for the lulz". You'd think Slashdot users would be more literate..

Re:Why? (0)

Anonymous Coward | more than 4 years ago | (#29740793)

It's "for teh lulz".

LURK MOAR

$200,000 Cash Theft (0, Offtopic)

absurdist (758409) | more than 4 years ago | (#29739163)

I can't help but wonder if it was related to this:

http://www.orlandosentinel.com/news/local/breakingnews/orl-bk-walmart-safe-heist-100909,0,3026268.story [orlandosentinel.com]

Re:$200,000 Cash Theft (1)

cbiltcliffe (186293) | more than 4 years ago | (#29745897)

The server hack took place in 2006.

The $200K cash theft took place in 2009.

You figure it out.

Walhack? (3, Funny)

fenix849 (1009013) | more than 4 years ago | (#29739251)

Did anyone else jump to the same conclusion or have I been gaming too much? Now I might RTFA. :o

Re:Walhack? (1)

Eil (82413) | more than 4 years ago | (#29741037)

Now I might RTFA. :o

This is heresy! This is madness!

Re:Walhack? (1)

otterpopjunkie (1558913) | more than 4 years ago | (#29748793)

banned.

I guess they might have been funding Al-Qaeda... (0)

Anonymous Coward | more than 4 years ago | (#29739277)

It seems kind of silly for the US Attorney General to hack into Marshall's.

Isn't that what the NSA does for him?

This what they for have the lowest cost IT workers (1)

Joe The Dragon (967727) | more than 4 years ago | (#29739445)

This what they for have the lowest cost IT workers and outsourcing IT work.

Re:This what they for have the lowest cost IT work (1)

Dragonslicer (991472) | more than 4 years ago | (#29743955)

This what they for have the lowest cost IT workers

I that you a verb or two.

Re:This what they for have the lowest cost IT work (1)

cbiltcliffe (186293) | more than 4 years ago | (#29745919)

I hope English isn't your first language.

This what they for have....

I assume you mean "This is what they get for having...."

In which case, you're absolutely right.

Albert Gonzales? (1)

bsDaemon (87307) | more than 4 years ago | (#29739531)

But, why would the Attorney General have wanted to hack WalMart? What can this mean? Conspiracy theories abound...

Wal-mart secure like Microsoft, CPOs share awards (1)

GoodNicksAreTaken (1140859) | more than 4 years ago | (#29739731)

Wal-mart's Chief Privacy Officer took home a privacy innovation award [http://www.microsoft.com/presspass/features/2004/oct04/10-28privacy.mspx] for non-profits while Microsoft took home the corporate award when she worked for USPS.

Albert Gonzalez (3, Funny)

Jeian (409916) | more than 4 years ago | (#29739817)

Albert Gonzalez, not to be confused with the former US Attorney General, Alberto Gonzalez.

All the more reason... (1)

Lead Butthead (321013) | more than 4 years ago | (#29740015)

to use green backs. Also cultivate the habit of not spending the money you don't have...

SCO Unix success story? (2, Insightful)

yourruinreverse (564043) | more than 4 years ago | (#29740279)

Is this information about POS backends still valid?

FTA:
"Wal-Mart has thousands of servers nationwide, and any one of them crashing would ordinarily be a routine event."

"Someone had installed L0phtcrack, a password-cracking tool, onto the system, which //crashed the server// when the intruder tried to launch the program." [emph. added]

From http://www.sco.com/company/success/story.html?ID=21 [sco.com] :
"Nearly all of the 350 chains using PDI/RMS are deployed on SCO UNIX® technology [...]"

"McLane Co., Wal-Mart's wholesale subsidiary, acquired PDI in 1991. Fischer says one goal of the acquisition was to achieve tighter integration with some of the 30,000 c-stores that McLane serves. However, PDI continues to operate as a stand-alone entity and many of its customers are served by other wholesalers."

Re:SCO Unix success story? (2, Interesting)

thejynxed (831517) | more than 4 years ago | (#29741087)

Dunno, but I know Walmart switched over to RHEL a few years ago for servers and using Fedora/CentOS for workstations.

Even their computerized applicant system is running a modified version of Fedora in many locations. It crashes quite a bit though, so that's how I found out - they run a Windows-based VB6 program via WINE.

I think in some of the newer stores, they've just swapped over to running a Win2k VM inside of VirtualBox or something on Linux and running the app that way.


Oblig. (1)

corychristison (951993) | more than 4 years ago | (#29740937)

mainpc cory # emerge walmart-hack
Calculating dependencies... done!
 
emerge: there are no ebuilds to satisfy "walmart-hack".
 
mainpc cory # _

Damnit!

Oh well, I tried. I guess I have to pay for stuff now.

compromised VPN account? (1)

master_p (608214) | more than 4 years ago | (#29742879)

What does "compromised VPN account" mean? Did the hackers find the password of the user? The article does not explain that.

Active accounts after being let go... (1)

hesaigo999ca (786966) | more than 4 years ago | (#29743385)

One of the first things that stood out, they said, was that a Canadian employee who was let go still had an active account.
Then another, then another. Seems the Canadian admins are not doing their jobs properly; hopefully this was rectified, and scripts were created for easy deletion or suspension of accounts of employees let go.
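The kind of script this comment hopes for, which also applies to the ex-administrator's VPN account mentioned earlier in the thread, can be sketched as a reconciliation of the HR roster against the VPN directory and login log. This is an added example, not code from the article or from Wal-Mart; the usernames, dates, log format and addresses (documentation ranges) are all constructed.

```python
from datetime import date, datetime

# Constructed HR export: username -> termination date (None = still employed).
HR_ROSTER = {
    "asmith": None,
    "bjones": date(2005, 3, 18),
    "cnguyen": date(2006, 1, 6),
}

# Constructed VPN directory export: username -> account enabled?
VPN_ACCOUNTS = {
    "asmith": True,
    "bjones": True,       # terminated but never disabled
    "cnguyen": False,     # terminated and disabled
    "svc_backup": True,   # no owner in HR at all
}

# Constructed VPN concentrator log.
VPN_LOG = """\
2005-03-10T14:02:11 login user=bjones src=198.51.100.23 result=success
2005-06-02T03:41:55 login user=bjones src=203.0.113.77 result=success
2006-02-01T11:00:00 login user=cnguyen src=203.0.113.77 result=failure
2006-02-03T08:15:42 login user=asmith src=198.51.100.40 result=success
this line is malformed and must be skipped
"""


def orphaned_accounts(roster, accounts):
    """Enabled accounts whose owner was terminated or has no HR record."""
    findings = []
    for user, enabled in sorted(accounts.items()):
        if not enabled:
            continue
        if user not in roster:
            findings.append((user, "no HR record"))
        elif roster[user] is not None:
            findings.append((user, "terminated " + roster[user].isoformat()))
    return findings


def parse_login(line):
    """Parse one log line into (timestamp, fields) or None if malformed."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "login":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields:
        return None
    return ts, fields


def logins_after_termination(roster, log_text):
    """Login attempts (successful or not) dated after the user's last day."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_login(line)
        if parsed is None:
            continue
        ts, fields = parsed
        term = roster.get(fields["user"])
        if term is not None and ts.date() > term:
            hits.append((fields["user"], ts.isoformat(),
                         fields.get("src", "?"), fields.get("result", "?")))
    return hits


if __name__ == "__main__":
    for user, reason in orphaned_accounts(HR_ROSTER, VPN_ACCOUNTS):
        print(f"DISABLE {user}: {reason}")
    for hit in logins_after_termination(HR_ROSTER, VPN_LOG):
        print("ALERT post-termination login:", *hit)
```

Failed attempts against a terminated user's account are reported as well, since they show the credential is still being tried even when the account is already disabled.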

user data (1)

j00r0m4nc3r (959816) | more than 4 years ago | (#29745837)

confirmed that no customer data was lost in the hack

That's exactly what the data thieves wanted them to confirm.

No need to warn because no customer data lost? (1)

TheMaTrIxBEL (1269288) | more than 4 years ago | (#29756751)

Ehm, WTF, I don't think customers wouldn't be all too miffed about all that data these chains collect on them being lost. I wouldn't care, I would actually love the option to have them NOT KEEP DATA ON ME. What customers would love to hear and need to be made aware about is if the hackers copied all that data, who gives a freck if it was lost.