*************************************************************
HOW TO HACK FINANCIAL MARKETS' HAM SANDWICHES
ADVISORY NUMBA' 2 --- 23/05/2000 --- Fucking Copywrong (all years) Kitetoa
*************************************************************

---Who are we?---

Kitetoa is a group of French girls and guys.

---What do we do?---

We have fun publishing texts on many topics, ranging from philosophy to politics or the global concept of security. We sometimes publish books under an Open Content License. We like to point at big companies that have lame security policies. They don't like us much for doing that...

---What we found today...---

Point your browser to http://www.victoire.fr

This is a French company called Victoire (Victory). This company produces financial data. This financial data is pushed into other financial web servers here (banks, discount brokers...). Of course, Victoire sells access to this financial data on its own web server.

Victoire's many web servers have huge security flaws. Using the lamest trick, you can modify financial data that will then be automatically published on Victoire's web server, and possibly on other financial sites over the French part of the Internet.

---What could possibly be the result of this?---

Small investors (they always are the ones who get screwed. Have you ever seen an institutional investor lose some big money? No. Never. Ok then, let's go ahead because this text is long and I don't want to spend hours on markets rules and descriptions...) will lose their shirts. The market regulators will look like idiots. Victoire will see tons of trials coming over, and confidence in the Internet as a secure way of doing brokerage will fall...

---What we did---

As we always do, we mailed Victoire's admins and let some time pass before we published the story on our server www.kitetoa.com.

---What was the problem? Gib'us details or else, we won't read the rest of this lame text!---

Ok, don't get mad at us...

On 03 April 2000, Kitetoa.com published a story about Zebank (also known as Zeproject) [www.zebank.com and www.zeproject.com]. This server is going to be an online financial supermarket and is the beloved project of one of the two French billionaires (in francs. Which is not **so** bad. Francs are not liras in the end... Hum... We love Italians, so you guys don't get mad at us for saying this!). In order to get a lot of publicity, the guys at Zeproject/Zebank had organized a huge teasing campaign (this had been running for months. No one could know what Zebank would really do. All French financial journalists wanted to know...).

We looked at the www.zebank.com server. There was only one index.html page with no links. But the Netscape web server was misconfigured, and you could easily list all the web server's content. So we have been able to see (with a simple browser) all the pages that were being developed on this server. [Don't ask us why they put the real pages on this server...]

Zebank is owned by Europ@web [www.europatweb.com], which is itself owned by LVMH [www.lvmh.com]. They really got mad at us for revealing the content of Zebank.com.

You could think that some people at LVMH would have asked all the subsidiaries to look into their web servers and see whether the Netscape bug used by Kitetoa to see the pages in Zebank was there or not. Just in case...

Some days later, we mailed the person who's in charge of a financial magazine's web server. This magazine [www.investir.fr] is owned by LVMH... Her server had the same problem as the one at Zebank.com... She said she had informed the people who host her server.

Guess who hosts the server?

<..! ok, I know this might look a bit odd to some of you but it's not **that** complicated ..>

The company that hosts www.investir.fr is... [Lights!!!] [Muzak!!!!]

*** ---> Victoire [www.victoire.fr] <--- ****

---So... What is it all about?---

* Well, in early April, Kitetoa finds a bug on www.zebank.com, one of LVMH's servers. They get mad...
* In mid-April, Kitetoa finds another bug on www.investir.fr, another LVMH server... The guys at Investir tell the admins where the web is hosted, www.victoire.fr, that another LVMH server has this problem... People at Victoire didn't do anything to correct that problem on www.investir.fr.
* In mid-May, Kitetoa finds the same bug on Victoire's servers.

We could have fucked up the French financial markets with this one...

---And so what?...---

One might, again, think that a big group like Louis Vuitton Moët Hennessy could have a global security policy, and that when a big problem arises on a server [the Zebank story], the group looks at all its servers... Well, looks like it's not that simple... Or, maybe, the people there are lamers who don't give a shit whether the data they have on the servers is secure or not... Who knows...?

---We had fun again... Thanks to the ones that made us laugh!---

---Greets---

Go to the greatest pizza hacker in the world, Bacano, for his help defining the "ham sandwich hacking" style.
Rfp and the R9 team
And all the people at Kitetoa who helped with this "Victoire ham sandwich hack"...

---More information can be found here---

Find the whole story with hard copies here:
http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Victoire/victoiresommaire.htm

Mail us here: kitetoa@kitetoa.com
Flame this guy: webmaster@kitetoa.com

---The Post Scriptum part---

What is described here is, of course, **one** of the many security breaches that Victoire's network showed to a simple browser-armored ham sandwich hacker.

******************************THE END********************************