Feeds

Guess settles with FTC over cybersecurity snafu

A little hacking goes a long way

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

A little hacking went a long way this week when the Federal Trade Commission announced that Guess Inc. has agreed to overhaul its information security practices, to settle a rare FTC action kindled by young Southern California programmer who discovered a security hole on the fashion retailer's e-commerce site last year.

Jeremiah Jacks, now 20, discovered in February, 2002, that Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all, by Jacks' count. After a week of failed efforts to persuade Guess to fix the vulnerability, Jacks contacted SecurityFocus and provided a URL that demonstrated the hole. A reporter contacted Guess, which then fixed the problem within hours.

The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess, based on language in the company's privacy policy that assured visitors, "All of your personal information including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times." Under the settlement announced Wednesday, Guess is prohibited from misrepresenting the extent to which it protects the security of customers' personal information. The company must also establish and maintain a comprehensive information security program, certified by an independent professional each year for the 20-year life of the order. Any violation of the order can trigger an $11,000 fine.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

The Guess case is only the third time the FTC has used its anti-consumer fraud mandate to crack down on e-commerce cybersecurity gaffes -- last year it won a consent decree against Eli Lilly for the inadvertent disclosure of the e-mail addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. "We are hoping that these cases send a message to other companies," says FTC associate director Jessica Rich.

Jacks, now working as a programmer in the Orange County office of a Japanese toy company, is bemused over his role in the commission's example-making. "Well, it was a lot of credit cards," he says.

"A Slap on the Wrist"

The FTC approached Jacks shortly after SecurityFocus reported on Guess' security problems, and the programmer says he reluctantly talked FTC attorney Jeff Davidson and other staffers through the intricacies of SQL injection in a series of phone calls. "I remember he was talking about how they were going to indict them or something," says Jacks. "He was freaking me out a little bit, because he told me he might want me to come testify in Washington... That made me a little leery."

Perhaps wary of being seen as allied with hackers, the FTC hasn't officially acknowledged Jacks contribution. But Davidson confirmed last year that he'd been in contact with the coder. Indeed, with the hole already sealed as the investigation began, the commission had little else to go on initially. "When he called me up there was really no proof," says Jacks.

Wednesday's settlement does not constitute an admission of wrongdoing by Guess, and spokesperson Molly Morse says the company's claim that it stored customer information securely was only intended to refer to its use of SSL to encrypt data in transit, between the customer and the Guess website. "They kept a copy of the information unencrypted, so they could keep it for financial purposes," Morse admits. The company says it cooperated with the FTC, and has already upgraded security on Guess.com.

Gartner analyst John Pescatore calls the FTC sanctions a "slap on the wrist." But he adds that dragging Guess' cybersecurity issues into the light of day will help persuade other companies to take security more seriously. "It's a form of disclosure," says Pescatore. "It's causing exposure for the companies that are leaving these things open... That's a lot more meaningful than the audits and $11,000."

In that respect, Pescatore says, the case offers a preview of what life will be like for e-commerce firms when California's mandatory-disclosure law takes effect on July 1st. Called SB 1386, that law says that any company doing business over the Web must disclose security breaches that result in the leaking of a California customer's credit card, drivers license or social security number.

That could mean a lot of disclosures this summer. "There's tons of companies out there that I found SQL injections on," says Jacks, who still pokes around when his normal Web surfing takes him to a new site. "I'm surprised they spent so much time on Guess, when there are so many other companies out there with the same problem."

© SecurityFocus.com

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.