Apparently Freedom Munitions got hacked...

Antihero
Received an email saying they had a security breach.

I gave an account but haven't ordered yet, kinda glad I didn't.
 
I got the same email. I can't remember what or when I ordered from Freedom Munitions last. Apparently the credit card numbers of people who made orders between October 16 and November 26th of this year are the only ones affected.
 
I got the same email, but my one and only purchase was way before all this shortage, when I ordered 1000 rounds of 10mm. Have not noticed any irregularities in my credit card purchases and bank statements.
 
I got the message today. It was from Freedom Munitions and it didn’t say 2015. I ordered something early in the year from them.
 
Changed my password on the site. My last order predates the alleged hack danger date range. "HACK" is a vague undefined term that is offered as an excuse for no security. Can someone please explain how an interloper can get into the web site and have access to the credit card numbers therein?
The only way I can see it is if the "hacker" can guess the password of the sys-operator and his userid. Go figure!
 
Can someone please explain how an interloper can get into the web site and have access to the credit card numbers therein?
The only way I can see it is if the "hacker" can guess the password of the sys-operator and his userid.

There are LOTS of different ways to hack a website, especially if you’re going after specific information from a specific target (and not just sending out generalized malware). They used the term “hack” because if they tell you exactly what their system vulnerability was, that would be giving a roadmap to other hackers to attack their site (and other similar sites who may be running the same software). And if they did publicize what the vulnerability was, most people wouldn’t have a clue what they were looking at anyway.

The actual tactic could be anything from SQL Injection (which may require no password at all), or a man in the middle attack between the company and its credit card processor, or a generalized phishing attack on a large number of employees (and then permission escalation to get to the right information), or a spear phishing campaign on a single individual in the company to get their credentials.

These are only a few of the most likely candidates, each of which could have a textbook written on how to use them properly. This of course doesn’t account for zero days (software vulnerabilities that no one knows about yet).

My money is on phishing to get into the company network, then some sort of man in the middle attack to capture the card details as transactions were processed. That makes the most sense to me given only having ~1 month of compromised data. If they hit the servers they would have gotten years worth of information.

PS. Looking at the email I got, the breach seems to be on the e-commerce system’s side, not on Freedom Munitions' site.
 
Changed my password on the site. My last order predates the alleged hack danger date range. "HACK" is a vague undefined term that is offered as an excuse for no security. Can someone please explain how an interloper can get into the web site and have access to the credit card numbers therein?
The only way I can see it is if the "hacker" can guess the password of the sys-operator and his userid. Go figure!

One of my previous jobs was as a security specialist at a company that specializes in penetration testing, or ethical hacking, and some of the methods used truly astonished me. Without getting into specifics I can say with certainty that hackers can gain access to pretty much any online data through a variety of measures though using programs to data-mine social media and then guess usernames and passwords is one of the more common.

I still have a few good friends working at that company, and one of their more recent hacks that actually surprised me was on a very large national bank, one whose name everyone would recognize and that I have my primary checking account at, where my friend was able to grant himself root within 36 hours. In that case the sys admin's username was admin and his password was the bank's name plus the number 1.
 
seems to be on the e-commerce system’s side
Which may mean the email message is automated, and no one has switched it off.

One of the consulting engineers I work with still does not have his vacation notice turned off on his email (from August). So, we are all used to getting an Out Of Office message with an immediate second email.

BTW, the "wings" over my left pocket are from 16 years in information warfare; you want to know how to know the "how" of hack about like how you want to know what's on the kitchen floor. Abstract generalities are your friend.
 
One of my previous jobs was as a security specialist at a company that specializes in penetration testing, or ethical hacking, and some of the methods used truly astonished me. Without getting into specifics I can say with certainty that hackers can gain access to pretty much any online data through a variety of measures though using programs to data-mine social media and then guess usernames and passwords is one of the more common.

I still have a few good friends working at that company, and one of their more recent hacks that actually surprised me was on a very large national bank, one whose name everyone would recognize and that I have my primary checking account at, where my friend was able to grant himself root within 36 hours. In that case the sys admin's username was admin and his password was the bank's name plus the number 1.

BINGO!

This is why I don't participate in a lot of those stupid online "games" people play in social media.

I won't address corporate security, but there is a LOT that people can do for their own PERSONAL security. (Some of which, obviously, carries over to corporations...which are, after all, run by people.)

When people make up passwords, they tend to do so based on human foibles. In general, they want a password they can easily remember that they THINK will be difficult for others to guess. But there are patterns people follow, nonetheless. And this makes determining other people's passwords a less random process than most people would like to believe.

How many people, for example, would consider using a random password generator that would use all 26 letters of the alphabet (upper and lower case), all 9 digits, and 32 non-alphanumeric characters to generate, say, a 17 character long password?

The answer to that is, of course, "darn few".

The answer to that is further reduced to "almost nobody ever" when you consider every site one logs into should have its own unique password, and the numbers of sites people these days routinely access. Several social media sites, various forums, subscription news sites, all kinds of entertainment sites, banking sites, multiple email sites, work computer access, etc.

The fact of the matter is most people pick something that's easy for them to remember. And further, they don't routinely change those passwords for EXACTLY that same reason. And because of this, vulnerabilities exist which others who understand this can exploit, even without the use of spyware.

Sure...it may take a lot of tries to obtain one valid password for a given person. But hackers are cultivating literally MILLIONS of potential victims. If they get just one password from one victim out of every 5,000...they have a toehold. Now they can further refine their attempts using that one known good password (and maybe any patterns they recognize within it) on multiple websites for those people and discover who is using identical passwords for multiple sites.

Security is serious...but when you allow "convenience" to circumvent "security", then you increase your vulnerability.

This is why security in various sites (banking sites, for example) is multi-layered, with options you can use to your benefit. Multiple unsuccessful attempts may notify an account holder of an attempted hack and request verification or that you reset your password. Logging on from a different location/device may trigger a verification process such as a text to your registered phone for a verification number you must enter to complete the login process. Maybe a requirement to periodically change your password every 3 months.


It all boils down to this:

- Be smart about what you post.
- Be smart about selection and resetting of passwords.
- Take your security as seriously as you would expect the sites you log into to do.
- At the first sign of any problems, immediately change your passwords...and do this across the board if there is even a HINT this could be used elsewhere (like if you use the same or similar password patterns in multiple sites).


For your internet buying transactions...consider the following practices to limit any damages if some sites ARE hacked:

- Use what I like to call an "internet credit card". For me, this is an intentionally low credit limit card (mine is $600) which you use to make the vast majority of your internet purchases. If it gets hacked, even if the credit card company should refuse to side with you on a dispute, the potential liability is seriously limited with a small credit limit...unlike using a credit card that can potentially be charged up tens of thousands of dollars.

- For all purchases from sites you don't expect to routinely make purchases from, make your purchases as a "guest" and don't create an account where you save your credit card info to their site.

- If you have accounts on websites which you really don't frequent for purchases any more...close those accounts. You can always buy as "guest", or maybe even create a new account at a later date.

- Change your passwords periodically. ESPECIALLY if a site is hacked.

- Cancel any credit cards or accounts which may have been compromised. Your financial institutions will be HAPPY to send you new credit cards if you even THINK yours may have been compromised. It's in their best interest to do so, too.

- Anything else that throws a monkey wrench in the works.

There are any number of other ways to increase your personal internet security in these matters. And each step you take is a very serious impediment to a hacker. Remember...out of the millions of potential victims, it's the easy ones most hackers are after. Simply make things more difficult and you will have improved your security standing quite significantly.
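
The two password points raised in this thread (the admin password that was just the bank's name plus "1", and the long random per-site password) can be shown in a short script. This is an added example, not part of the original post; "Example Bank" and all sample passwords are constructed, and the function names are hypothetical.

```python
import math
import re
import secrets
import string

# Upper- and lower-case letters, the ten digits and the 32 ASCII
# punctuation characters: 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Undo common look-alike substitutions before comparing with context words.
LEET = str.maketrans("013457@$!", "oieastasi")


def generate_password(length=17):
    """Return a random password drawn with a CSPRNG (use one per site)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length=17):
    """Entropy in bits of a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def _letters(text):
    """Lower-case the text, undo look-alikes, keep only a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def is_context_derived(password, context_words):
    """True if the password is built around a context word (company, site
    or user name) with only digit/punctuation padding or substitutions."""
    # Drop leading/trailing padding such as '1' or '2024!' first.
    core = _letters(re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password))
    for word in context_words:
        w = re.sub(r"[^a-z]", "", word.lower())
        if len(w) >= 4 and w in core:
            return True
    return False


if __name__ == "__main__":
    context = ["Example Bank", "admin"]  # constructed context words
    for pw in ["ExampleBank1", "Ex@mpleB4nk2024!", generate_password()]:
        verdict = "REJECT" if is_context_derived(pw, context) else "ok"
        print(f"{pw!r}: {verdict}")
    print(f"17 random chars: about {random_entropy_bits():.0f} bits")
```

A check like `is_context_derived` belongs at password-set time, alongside a breached-password list; it catches the "organization name plus a digit" pattern that length and character-class rules let through.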
 
I got an email, too. Don't panic. These things happen more often than you know. Just keep an eye on your credit card accounts. Credit card processors and banks are watching pretty close, too. I got fraud alerts on two accounts last year long before I was aware. It's a simple matter of verifying the legitimate charges and disputing the fraudulent charges and getting a new card with a new number. I never lost any money. Yet.

Is there some wood around here anywhere I can knock on???? Oh --- I know!! My HEAD!! < KNOCK KNOCK >
 
I can't think of any good reason for the consumer why businesses should hold onto your credit card info. I don't mind entering my credit card number each time rather than them retaining it.

"We got hacked", so obviously our taking poor care of your personal info is not our fault. This usually from the same people who tell you how secure your transaction is.
 
Checking back through the records, that hack appears to date to October 2015.
It resurfaces about once every 9-10 months as a question on one forum or another.

There may have been another since then, but I'm not seeing it listed.

I did not receive an email and a google search
I can't think of any good reason for the consumer why businesses should hold onto your credit card info. I don't mind entering my credit card number each time rather than them retaining it.

"We got hacked", so obviously our taking poor care of your personal info is not our fault. This usually from the same people who tell you how secure your transaction is.

They can retain it if you let them or until your order clears. The PCI rules require any storage to be encrypted. As stated above, the primary vulnerability is a 'man-in-the-middle' attack which is similar to a wiretap where crooks can find a crack in the system where the CC information is temporarily unencrypted. These happen every day. Your browser and your Wi-Fi network are much weaker than the corporate systems (barring stupidity on their part).
 
Most recently I ordered was May of this year, so looks like I'm fine. I changed my password just to be safe though.

One of the unfortunate things about living in Illinois is I must submit a scan of my FOID card and driver's license to place an online order. So unfortunately, if anywhere I've bought ammo online ever gets hacked, those will be out there.
 
zdc1775- you, as many others have, have without a doubt had formal training on the methods of hacking in the service. I know North Korea has a terrific training program for its professional hackers as well as Iran, Russia, etc. etc. You have probably held an advanced ticket from Microsoft. I worked for RCA, Univac, and Unisys on computers since 1964. Unfortunately I was in the hardware repair end of the business. It was not 8 years before I retired that I got into running Windows. My knowledge is very limited.
I believe the designers of the system are at fault for the ease with which software can be fooled.
 
zdc1775- you, as many others have, have without a doubt had formal training on the methods of hacking in the service. I know North Korea has a terrific training program for its professional hackers as well as Iran, Russia, etc. etc. You have probably held an advanced ticket from Microsoft. I worked for RCA, Univac, and Unisys on computers since 1964. Unfortunately I was in the hardware repair end of the business. It was not 8 years before I retired that I got into running Windows. My knowledge is very limited.
I believe the designers of the system are at fault for the ease with which software can be fooled.

Actually you're wrong on your first point, I was an Infantry Rifleman and member of FAST Company during my time in the military. My job with that company focused on the physical security and infiltration side. Basically I was assigned to case places and occasionally actually break into them to show their vulnerabilities. But doing that goes hand in hand with helping the cyber security guys access the data so I learned a few things.

But you are correct that the services do have extensive cyber training courses. The friend mentioned in the previous post learned to hack while he was in the Army, and another current coworker spent the last 12 years of his Marine Corps career working at the NSA as part of a cyber unit.

As far as foreign powers, speaking in generalities, I will say that China's hacker teams are massive and good but relatively blunt in their techniques, Russia and Iran's teams are also very good and much more subtle about it, and since those are the only ones I know much about I can't really speak to the others.
 