Even My Mom Could Hack These Sites
I figured that if I wrote to them saying "I forgot my password, please mail it to me," that would be too obvious. Instead, back when I had set up shop with these hosting companies, I had entered a domain name while creating my account and asked them to register it on my behalf (long before I had this experiment in mind). Then when I wrote to them recently from my Hotmail address, I sent each of them a message saying: I need to transfer this domain somewhere else, can you give me the login at the registrar where you registered the domain, so I can change the domain settings. Five of the ten companies either (a) gave me the registrar login, (b) transferred the domain to my registrar account on request (even though I never provided any proof that the owner of that registrar account was really me, either), or (c) changed the domain to point to a new IP address that I specified -- all of which, of course, would allow an attacker to take over a site temporarily or even permanently, if it hadn't really been me writing from the Hotmail address.
But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server knows enough to buy the domain and point it at the server that the company gives them.
But even for small-time hosting, a 50% success rate for a trick like this is uncomfortably high. So what can we do about it? Well, every problem has a non-solution that requires changing human nature ("People should just stop buying from spammers and they'd go out of business!") and a non-solution that ignores the economics of the situation ("ISPs should devote more resources to stopping spammers on their own network!"). In this case, the corresponding non-solutions would be (a) "People who work for hosting companies should be less gullible" and (b) "ISPs should hire smarter people, without charging more to their hosting customers".
The solution that doesn't require any cheating, though, is to have procedures in place for anything remotely security-related, and drum into employees' heads that they have to follow those procedures. Here's some good news: Of the five companies that fell for the ruse asking for my registrar login information, when I followed up with them saying "Hey, I forgot my account password, can you mail it to me", only two of them actually sent my password to the Hotmail account. To those two, I replied with some terse words about having a six-inch-thick steel door while leaving the window wide open. But at least it was only two out of ten that fell for that ruse, compared to five out of ten that fell for the registrar trick. The difference is that hosting companies have procedures in place to deal with password resets -- a script that sends the existing password, or sends a reset-password link, only to the customer's e-mail address on file.
Similarly, any hosting company that registers domains on behalf of users should have procedures in place for transferring the domains to users or letting them change domain settings. In fact, of the five companies that didn't fall for the ruse, most of them said "Go to the customer control panel here and log in" -- it wasn't that their guard went up because I was writing from a Hotmail account, it was that they already had procedures in place for a customer wanting to change domain settings, and that's what the idiot-proof book told them to do. Kevin Mitnick always said that the weakest link in any security chain was people. Sometimes the way for ISPs to tighten security is to make the people in the chain act more like machines.
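The two procedures credited above (a reset link that goes only to the e-mail address on file, and domain changes only through the logged-in control panel) can be written down as a script a support desk follows mechanically. This is an added example, not code from the article or from any hosting company; the account data, the `panel.example` URL and the field names are constructed, and the password is stored only as a salted hash, so no branch of the handler can mail a plaintext password to anyone.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: str
    email_on_file: str          # the only address reset mail is ever sent to
    password_hash: str          # salted SHA-256; the plaintext is never stored
    domains: list = field(default_factory=list)
    reset_tokens: dict = field(default_factory=dict)   # token -> account_id

def hash_password(password, salt):
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()

# Constructed sample data: one customer whose domain the host registered for them.
SALT = "constructed-salt"
ACCOUNTS = {"cust-001": Account("cust-001", "owner@example.org",
                                hash_password("hunter2", SALT), ["example.org"])}

@dataclass
class Ticket:
    account_id: str
    from_address: str             # where the e-mail came from; proves nothing
    action: str                   # "password_reset" or "domain_change"
    authenticated: bool = False   # True only for requests made from the logged-in control panel

def handle_ticket(ticket):
    """Apply the procedure to a support ticket; returns (recipient, message).

    There is no branch that discloses a password (only a hash exists) and none
    that acts on a domain request which did not come through the control panel.
    """
    acct = ACCOUNTS.get(ticket.account_id)
    if acct is None:
        return ticket.from_address, "No such account."
    if ticket.action == "password_reset":
        token = secrets.token_urlsafe(16)
        acct.reset_tokens[token] = acct.account_id
        # Delivered to the address on file regardless of who asked.
        return acct.email_on_file, f"https://panel.example/reset?token={token}"
    if ticket.action == "domain_change":
        if not ticket.authenticated:
            return ticket.from_address, ("Domain settings are changed in the customer "
                                         "control panel after logging in.")
        return acct.email_on_file, f"Domain settings updated for {acct.domains}."
    return ticket.from_address, "Unknown request type."

def verify_password(account_id, password):
    """Login check: compares hashes, so staff never see or handle the plaintext."""
    acct = ACCOUNTS[account_id]
    return secrets.compare_digest(acct.password_hash, hash_password(password, SALT))
```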
Until then, there are probably many sites out there that are this easy to "hack", using a method that could charitably be called low-tech. After seeing which hosting companies fell for the trick, I pointed out that they had sent the login information to an unverified address and admonished them to be more careful in the future, but I didn't storm out vowing to take all of my business elsewhere -- after all, if 50% of all low-budget hosting companies out there fall for this, what would be the point?
You get what you pay for.
One cannot conclude from the small sample size that 50% of all small, low-budget hosting companies are not security-conscious. Further, if you want to motivate these insecure companies to change their behavior, voting with your feet by taking your business elsewhere is the correct behavior.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I'd go out on a limb and suggest that none of this really occurred and what he's really doing is showing off a huge social experiment about how people will talk about nothing. If he really did find something viable out he would definitely offer up the names and contact information of these companies so that people could complain and drop their services.
Why? It seems to me that it is the most reliable form..
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
For various reasons, I think passwords should be stored in hashed format. It should be impossible for the hosting company to tell me my password. They should just reset it.
of these three options: Cheap, Fast, Secure.
A quick scan of Google would confirm this:
http://www.google.com/search?q=inurl%3Aadmin%3Dtr
I'm not attempting to start a flame-war here, but the percentage of those sites that end in ".php" is remarkably high...
Ah to hell with it, let the flames commence.
*runs*
throw new NoSignatureException();
I don't think there are many people who would fall for the wallet inspector, so why would people fall for these social engineering attacks? I know a lot of people who sit down at a computer, and their brain turns off. They are smart people, but anything computer related makes them just lose all intelligence and common sense. People who would have no problem doing something like following instructions to assemble a child's toy could not do something equally difficult like following instructions for sending an email with an attachment. I wonder if any studies have been done to look into stuff like this.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
A few years ago I wanted to impress it on my boss that the human factor is usually one of the weakest in a security model. So, with him in the room, I called HR and said something like 'Hi Sarah! How are you doing? Didn't you just get back from vacation? Did you have a good time? (...more smalltalk ad nauseam...). Anyway, I'm retarded. I just reset my password, but I must have had caps lock on or something because now I can't get it to work. Can you reset it for me again? Thanks!' No hacking, cracking, phreaking, yadda yadda yadda.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
a 50% success rate for a trick like this is uncomfortably high
It seems that the only thing "uncomfortably high" is the author. If real, a 50% failure rate is deplorable, to the point where it ought to have prompted some righteous moral outrage. This isn't just another intellectual exercise in social engineering, it's a failure of the system. It's equivalent to 5 out of 10 grocery stores accepting a check presented by someone not the account holder and with no signature on it. That sort of behavior wouldn't be socially tolerable, nor should this be.
If it is, in fact, a real event.
The author ought to be immediately forthcoming with the who, what, and when of his experiment if he really wants some serious consideration and feedback.
2: Ill gained PROFIT!!!
It is responsible of the poster to not reveal which companies have weaknesses he has discovered.
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
[blatantly stolen from thinkgeek.com]
Social Engineering Expert... because there is no patch for human stupidity.
[/blatantly stolen]
The future isn't here until I can type "car keys" into Google and have it say "You left them in your pants last night."
One swallow does not a summer make.
As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose. Get your fellow sisters to become on average at least as tech-savvy as the average man, and then complain.
Note that men don't complain when allegories about the opposite sex are used. A statement like "His hands were typing at the speed of an old grandmother knitting" won't be met with outrage from men feeling offended because grandfathers could be knitting too.
Take your hardcore feminism elsewhere -- it doesn't belong on
just ask google
thank God the internet isn't a human right.
One should remember, enterprise and small time companies are no longer as easy to distinguish as they used to be. One of my friends runs a low budget hosting company and suffers from problems like those others have described, e.g. how do you know who is who when you don't have a budget to know your customers.
I on the other hand have worked for a company where hosted sites paid upwards of $50.000 for the site and $500+ for hosting per month; we knew our customers and never had to consider such problems.
Both my friend's company and the one I worked for had about the same number of people employed, but we catered to different crowds - who is enterprise and who is small time?
Really. Who has 10 different hosting companies to host "some of my websites"?
If this guy actually has 10 businesses or unique sites or whatever (unlikely), wouldn't you pick the one hosting service with the best service plan and just use it?
WARNING! WARNING! You are entering an ethical gray area in which arguments either way have valid points. Please give this issue the respect it deserves and don't try to treat this like some cut-and-dry right-or-wrong answer.
I, for one, could put forward the argument that it is the responsibility of the poster to fully disclose to the public, (after first notifying the offenders and waiting a reasonable amount of time), so that those of us who are vulnerable to such a social engineering attack, can know about it and react accordingly.
I'm in between insightful sigs right now...
is it any more responsible for those companies to avoid *their* responsibility to their customers? I say hang 'em high, and let their customers decide if the companies deserve the business.
I'm running a pirated copy of Linux.
He could be choosing providers based on different combinations of bandwidth and space for the projects he's doing. Or they could have had special one-off pricing deals.
Actually, the author never said that all mothers are inept technologically, just that HIS mother was.
While discrimination may be wrong, being overly sensitive to remarks that are true just raises the amount of discrimination and prejudice in the air. I don't know anyone that thinks women should be second class citizens, but I also know very few people who don't hate feminists.
Do not keep all of your eggs in one basket. It's just a very bad idea. Discount hosts have a major tendency to quickly go downhill in terms of service and support. Host 10 domains on the same discount webhost for more than a year or two and suddenly you've got 10 clients screaming at you that their site is down or their email isn't working. Most of these discount hosting companies have very similar features and costs. It really doesn't cost you any more to host 10 domains on 10 different webhosts, as long as they provide the same uptime and service. In fact it saves you problems in the future. Eventually there will be downtime or a webhost will go bad. Instead of having all 10 of your sites experience downtime and needing to move them all at once, you'll only have to worry about one site. My problem is that I've only found two good discount hosts (and one of them is starting to go bad I think). I'm just glad most of my clients have grown and need their own servers. Otherwise I'd be very nervous.