
Top Stories for the Week of September 25, 2019

  • Episode 626
  • September 25, 2019

Here are the stories we're following for the week of Wednesday, September 25, 2019


Chipotle Mexican Grill has been leaving money on the table, thanks to an apparent bug in the restaurant chain's e-commerce operation.

Last week, Jason Grigsby, co-founder of app development firm Cloud Four, published his analysis of the eatery's online order form. The webpage code, he claims, contains an error that he estimates is costing the company millions in lost sales.

While attempting to submit an order, Grigsby encountered two error messages, one indicating that the website had been unable to save his credit card number – despite having not checked the box to allow this – and the other being a general submission error.

The errors happened every time he tried to use his browser's autofill capability but not when the data was entered manually. Upon further scrutiny, he noticed that his credit card's expiration date kept being changed after the date was filled in.

Based on Chipotle's publicly reported average order value of $16-$17 and assuming that fixing autofill would increase transactions by half a percentage point, Grigsby estimates that Chipotle could clear an extra $4.4m in sales annually by eliminating this bug.

While he regularly sees problems with autofill on sites, Grigsby says, "Chipotle was just a useful example I encountered and unlike most companies, they happen to have provided some information in their financial reports that made it possible to take a guess – albeit a wild guess – at what the financial impact might be."
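The page does not reproduce the order form's code, so the following is an added example (mine, not Chipotle's and not from Grigsby's write-up) of one common way an expiry-date input mask written for keystroke-at-a-time input rewrites a value the browser autofills in a single event, alongside a parser that accepts the shapes browsers commonly autofill, validates them, and only then re-renders. The mask, the helper names, and the sample values are assumptions for illustration, not findings about Chipotle's site.

```javascript
// Added illustration, not Chipotle's code and not from Grigsby's analysis:
// the page does not show the order form's JavaScript, so the "fragile" mask
// below is a hypothetical but common way an expiry field ends up rewritten
// when the browser autofills it.

// Fragile: an input mask written for one keystroke at a time. It keeps the
// first four digits and inserts a slash, which works while a user types
// "1", "12", "122", "1224", but a browser that autofills "12/2024" in a
// single event gets "12/20": the expiry year silently becomes 2020.
function fragileExpiryMask(value) {
  const digits = String(value).replace(/\D/g, '');
  return digits.slice(0, 2) + '/' + digits.slice(2, 4);
}

// Robust: parse whatever arrives (typed or autofilled, with or without a
// separator, two- or four-digit year) into a {month, year} pair, validate it,
// and only then re-render. A valid autofilled value round-trips unchanged.
function parseExpiry(value) {
  const m = String(value).trim().match(/^(\d{1,2})\s*[\/\-.]?\s*(\d{4}|\d{2})$/);
  if (!m) return null;
  const month = parseInt(m[1], 10);
  let year = parseInt(m[2], 10);
  if (m[2].length === 2) year += 2000; // assumption: two-digit years are 20xx
  if (month < 1 || month > 12) return null;
  return { month, year };
}

function formatExpiry(value) {
  const parsed = parseExpiry(value);
  if (parsed === null) return null;
  return String(parsed.month).padStart(2, '0') + '/' + parsed.year;
}

// Regression check a site could run against its own mask: feed it each value
// a browser might autofill and confirm the mask does not change its meaning.
function autofillSafe(mask, samples) {
  return samples.every((v) => {
    const before = parseExpiry(v);
    const after = parseExpiry(mask(v));
    return before !== null && after !== null &&
      before.month === after.month && before.year === after.year;
  });
}

// Constructed sample values, in the shapes browsers commonly autofill for a
// field carrying the HTML autocomplete token "cc-exp".
const AUTOFILL_SAMPLES = ['12/2024', '12/24', '1224', '01/2026', '1/26'];

console.log('fragile mask autofill-safe:', autofillSafe(fragileExpiryMask, AUTOFILL_SAMPLES)); // false
console.log('robust formatter autofill-safe:', autofillSafe(formatExpiry, AUTOFILL_SAMPLES)); // true
```

The design point is to never rewrite the field from a per-keystroke assumption: parse the whole value, validate, re-render. Pairing the input with the standard `autocomplete="cc-exp"` token tells the browser which field it is filling, and running the `autofillSafe` check with the formats your customers' browsers actually produce catches this class of bug before it reaches checkout.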

Source: www.theregister.co.uk

Sent to us by: Roy W. Nash


Payment card thieves have hacked the Click2Gov bill paying portals in 8 cities.

In 2017 and 2018, hackers compromised systems running the Click2Gov self-service bill-payment portal in dozens of cities across the United States, a feat that compromised 300,000 payment cards and generated nearly $2 million in illicit revenue.

Now, Click2Gov systems have been hit by a second wave of attacks that’s dumping tens of thousands of records onto the Dark Web.

Researchers with security firm Gemini Advisory said late last week that the new round of attacks began in August and have so far hit systems in eight cities, six of which were compromised in the previous episode.

Many of the hacked portals were running fully up-to-date systems, which raises questions about precisely how the attackers were able to breach them. Click2Gov is used by utilities, municipalities, and community-development organizations to pay bills and parking tickets as well as make other kinds of transactions.

While the breaches affect eight cities located in five states, payment cards belonging to people in all 50 states have been compromised. Some of the card holders didn't live in the affected cities but transacted with the breached portals, possibly because of past travel to those cities or because they owned property there.

The cities with hacked portals are Bakersfield in California, Pocatello in Idaho, Broken Arrow in Oklahoma, Ames in Iowa, and, in Florida, Deerfield Beach, Palm Bay, Milton, and Coral Springs.

People who have made transactions to Click2Gov systems should check their payment-card statements regularly over the next few weeks.

Source: arstechnica.com

Sent to us by: Roy W. Nash


The German Ministry of the Interior wants to take back control of their 'digital sovereignty', cutting dependency on Microsoft and looking for alternatives.

I'll call the Federal Ministry of the Interior "BMI" from here, due to the German name of those letters which I won't attempt to pronounce.

The headline comes from an official statement where the Federal Minister of the Interior Horst Seehofer states that “in order to ensure our digital sovereignty, we want to reduce dependencies on individual IT providers. We are also considering alternative programs to replace certain software. This will be done in close coordination with other EU countries.”

BMI commissioned a strategic market analysis from consultants PwC, resulting in a paper that was published last month. The paper examines the risks inherent in IT dependency on commercial software vendors, with a particular focus on Microsoft because of the heavy use of its products and the way they are interconnected, especially Microsoft Office, Windows, Windows Server and Office 365.

Oracle and SAP also get a mention, with a recommendation for future examination, though PwC's analysts seem less concerned about them because they occupy individual product segments (database and ERP) rather than being pervasive.

The current trend towards integrated cloud-based offerings such as Office 365, Dynamics 365 and AI-driven applications on Azure gives the customer enhanced value but also increases lock-in because the added value comes from using them together.

The analysts identify several pain points. The first is data security: telemetry transfers data to Microsoft, the user has limited insight into and control over what is sent, and it may include personal data, which the report warns raises concerns under the GDPR.

In addition, dependence on cloud services raises the risk of outages or remote deactivation of software licenses.

The report also adds that subscription pricing means the potential for uncontrollable costs. It suggests that Microsoft has the power to hoist prices or change the licensing rules.

There is also an intriguing claim that using cloud services may reduce in-house IT competence, because the need to support on-premises software is reduced, and therefore threaten the federal administration's ability to innovate.

Beyond diversifying their software by breaking it up amongst several vendors, or negotiating to have control over telemetry data, the recommendation is clear: build and use more open source software.

The report references several examples, including Munich's largely failed attempt to replace Windows and Office with Linux and OpenOffice, subsequently reversed, and the more successful efforts of the French police force to use Linux, LibreOffice and other open source applications.

The report suggests that it is easy to identify advantages in switching away from expensive proprietary software, but often hard to accomplish. They say to be realistic, ensure user acceptance, do the necessary training, and proceed step by step.

Source: www.theregister.co.uk

Sent to us by: Roy W. Nash


An anonymous bug hunter has publicly disclosed a zero-day flaw in the popular vBulletin forum software that can be exploited over the internet to hijack servers.

A simple HTTP POST request can be abused by an attacker to remotely execute commands on the targeted vBulletin server without any authentication. That would allow hackers to commandeer web servers powering the forum software, steal data, tamper with information, launch assaults on other systems, and so on.

It can be done in fewer than 20 lines of Python code. This is a very, very bad thing.

The zero-day exploit code is verified to work against supported versions of vBulletin from 5.0.0 to the latest 5.5.4 build. There is no known patch available, and the creators of vBulletin have yet to comment on when one might be released.

Meanwhile, security professionals are marveling at the simplicity of the exploit and the extent to which vulnerable boards can be pwned by the attack.

vBulletin's customer base includes a number of large companies, sports teams, and entertainment groups that are now exposed until such time as the developer can figure out a fix. And that's assuming their server admins are on top of patching.

Websites running vBulletin version 5, first released in 2012, are advised to keep a close eye on their servers and make sure nobody is attempting to exploit the vulnerability and use it as a springboard for further attacks. Better yet, maybe just pull the plug completely until a fix is released or some type of mitigation is available.

Source: www.theregister.co.uk

Sent to us by: Roy W. Nash

