Feeds

Guess settles with FTC over cybersecurity snafu

A little hacking goes a long way

  • alert
  • submit to reddit

Seven Steps to Software Security

A little hacking went a long way this week when the Federal Trade Commission announced that Guess Inc. has agreed to overhaul its information security practices, to settle a rare FTC action kindled by young Southern California programmer who discovered a security hole on the fashion retailer's e-commerce site last year.

Jeremiah Jacks, now 20, discovered in February, 2002, that Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all, by Jacks' count. After a week of failed efforts to persuade Guess to fix the vulnerability, Jacks contacted SecurityFocus and provided a URL that demonstrated the hole. A reporter contacted Guess, which then fixed the problem within hours.

The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess, based on language in the company's privacy policy that assured visitors, "All of your personal information including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times." Under the settlement announced Wednesday, Guess is prohibited from misrepresenting the extent to which it protects the security of customers' personal information. The company must also establish and maintain a comprehensive information security program, certified by an independent professional each year for the 20-year life of the order. Any violation of the order can trigger an $11,000 fine.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

The Guess case is only the third time the FTC has used its anti-consumer fraud mandate to crack down on e-commerce cybersecurity gaffes -- last year it won a consent decree against Eli Lilly for the inadvertent disclosure of the e-mail addresses of 669 Prozac users, and another one against Microsoft for inflated security claims about the company's Passport identity management service. "We are hoping that these cases send a message to other companies," says FTC associate director Jessica Rich.

Jacks, now working as a programmer in the Orange County office of a Japanese toy company, is bemused over his role in the commission's example-making. "Well, it was a lot of credit cards," he says.

"A Slap on the Wrist"

The FTC approached Jacks shortly after SecurityFocus reported on Guess' security problems, and the programmer says he reluctantly talked FTC attorney Jeff Davidson and other staffers through the intricacies of SQL injection in a series of phone calls. "I remember he was talking about how they were going to indict them or something," says Jacks. "He was freaking me out a little bit, because he told me he might want me to come testify in Washington... That made me a little leery."

Perhaps wary of being seen as allied with hackers, the FTC hasn't officially acknowledged Jacks contribution. But Davidson confirmed last year that he'd been in contact with the coder. Indeed, with the hole already sealed as the investigation began, the commission had little else to go on initially. "When he called me up there was really no proof," says Jacks.

Wednesday's settlement does not constitute an admission of wrongdoing by Guess, and spokesperson Molly Morse says the company's claim that it stored customer information securely was only intended to refer to its use of SSL to encrypt data in transit, between the customer and the Guess website. "They kept a copy of the information unencrypted, so they could keep it for financial purposes," Morse admits. The company says it cooperated with the FTC, and has already upgraded security on Guess.com.

Gartner analyst John Pescatore calls the FTC sanctions a "slap on the wrist." But he adds that dragging Guess' cybersecurity issues into the light of day will help persuade other companies to take security more seriously. "It's a form of disclosure," says Pescatore. "It's causing exposure for the companies that are leaving these things open... That's a lot more meaningful than the audits and $11,000."

In that respect, Pescatore says, the case offers a preview of what life will be like for e-commerce firms when California's mandatory-disclosure law takes effect on July 1st. Called SB 1386, that law says that any company doing business over the Web must disclose security breaches that result in the leaking of a California customer's credit card, drivers license or social security number.

That could mean a lot of disclosures this summer. "There's tons of companies out there that I found SQL injections on," says Jacks, who still pokes around when his normal Web surfing takes him to a new site. "I'm surprised they spent so much time on Guess, when there are so many other companies out there with the same problem."

© SecurityFocus.com

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.