Obligatory
"They've hacked the Jewson lot"
Builders merchant Jewson has confirmed in writing to customers that their privates could have been exposed in a cyber break-in that occurred late this summer. In a letter sent to customers – seen by The Reg – Jewson stated: "As a Jewson Direct customers, we regrettably are writing to inform you that our website (www. …
Had a builder who wore Jewson T-shirts religiously when working. I asked if he had some sort of sponsorship deal with them given the daily use. He said no just a shed load of the T-shirts they'd given him free. Given his lack of interest in IT I doubt he will have been affected by this breach. Going off to Jewson to get something that he was lacking could take a while. Certainly wouldn't have been keen on ordering online and having things delivered.
Some of those can be vulnerable.
Everyone should really be moving to TLS 1.2 by next year at the latest to mitigate against some nasty weaknesses.
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
Most of the payment companies told people about this a while ago.
Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card: if the tokens can be grabbed, along with the credentials to communicate with the third party, then card details can be obtained using the token in API calls. Details would vary depending on what was originally stored, but the number will be available.
"Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card: if the tokens can be grabbed, along with the credentials to communicate with the third party, then card details can be obtained using the token in API calls. Details would vary depending on what was originally stored, but the number will be available."
It was mentioned that CVV values were among the leaked data. Since these are not supposed to be stored by anyone, I would expect that something was sniffing the traffic to capture the information leaked.
Oh yeah. Big time.
Somewhere on Jewson's site is a link to the payment handler. Doesn't matter if it takes you to the payment handler's page decked out in Jewson finery, if it's an iFrame or some Web 2.0 thingummyjig. Somewhere there's a link. So if you hack into the Jewson site you can change that link and mount a MITM attack.
Which means you can't offload your security problems onto the third-party payment handler. You must ensure that your own site is secure. And periodically monitor that the link hasn't been tampered with (details left as an exercise for the reader, because a clever attacker will take steps to fool such monitoring, like detecting the IP address requests come from).
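Checking that the payment hand-off has not been tampered with, as the comment above suggests, is shown here as an added example that is not code from the article or any commenter: it parses the checkout HTML, flags any iframe, script or form target whose host is off an allowlist, and hashes each inline script against a known-good baseline. The host names and sample pages are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the merchant's own host and its payment provider.
ALLOWED_HOSTS = {"www.example-merchant.invalid", "pay.example-psp.invalid"}
# Constructed pages: a known-good checkout, and one whose payment iframe has been repointed.
CLEAN_PAGE = ('<form action="/checkout">'
              '<iframe src="https://pay.example-psp.invalid/card"></iframe>'
              '<script>window.psp = "ok";</script></form>')
TAMPERED_PAGE = CLEAN_PAGE.replace("pay.example-psp.invalid/", "pay.example-psp.invalid.lookalike.test/")

class CheckoutScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external = []       # (tag, url) from src/action attributes
        self.inline_hashes = []  # sha256 of each inline <script> body
        self._buf = None         # non-None while inside an inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "script") and a.get("src"):
            self.external.append((tag, a["src"]))
        elif tag == "form" and a.get("action"):
            self.external.append((tag, a["action"]))
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._buf = None

def audit(html, allowed_hosts=ALLOWED_HOSTS, baseline=frozenset()):
    # Returns a list of findings; an empty list means the page matches expectations.
    p = CheckoutScanner()
    p.feed(html)
    findings = []
    for tag, url in p.external:
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:  # relative URLs stay on-origin
            findings.append(f"unexpected {tag} target: {url}")
    for h in p.inline_hashes:
        if h not in baseline:
            findings.append(f"unknown inline script sha256={h[:12]}")
    return findings
```

Since the comment notes an attacker may serve clean content to a known monitoring address, run such a check from several vantage points and through a real browser session rather than from a single fixed IP.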
'As a Jewson Direct customers, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/ debit card details may have been compromised.'
Plain text?
'No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure.'
This additional statement makes it look like you don't know what information your systems store. Unless of course you suspect the code that was inserted was possibly stealing card data as it was entered.
In late June, we were having a new shower fitted in our bathroom. Our plumber referred us to the Graham's Plumber Merchants web site (also part of the same group as Jewson, owned by the French company Saint Gobain). Unfortunately, the website was unavailable (as were many of the Saint Gobain group's sites, including those of Jewson, Graham's and British Gypsum) and our plumber later said that the Graham's web site was undergoing a cyber attack and even he could not access his online account.
With all these web sites suffering outages at the same time, it makes you wonder what caused this, and whether it is related to this more recent admission of a breach and possible loss of customers' data?
Having 'worked' many years ago with Jewsons I can confirm that they are a bunch of planks that are screwed, overseen by spanners. As other worthy commentards have pointed out.
The high point in our trading relationship was ordering material for a medium sized roof.
We received:-
Roofing felt
Roofing batten
Roofing nails
Velux x 3
Slate chippings 2 x 1000kg bags
What's wrong with that for doing a roof?
Which plank keyed the order?
Who screwed up loading it?
Which spanner checked the truck before it left the depot?
What you clearly see is that nobody there cared in the slightest. And that is why I will never ever use them for anything ever again. If anyone had thought about it for more than one second they would have spotted the problem. And believe me it was often like that there.
And the whole business is run on Kerridge software - let's not even get me started.
'customers’ names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers “may” have fallen into the hands of an “unauthorised person”'
In this day and age, why isn't such information stored in an encrypted form on a machine accessible from the Internet? Who designed and installed the system at online builders merchant Jewson? Who is responsible for maintenance and security? I guess the original hack consisted of someone opening a malicious email attachment, the solution being to:
a. Configure your email client to only open MS Word docs in the MS Word Viewer, same for Excel etc.
b. Disable automatic opening of URL links in PDF documents.
c. Disable auto-running flash and similar active content.
d. Use a unique email to register with a site.
e. Use a burner phone for two-factor authentication.
f. Never disclose either to any third party.
Is this the state of 'computer' security in the year 2017 AD .. I mean Current Era, wouldn't want to trigger anyone :]