Network Solutions Suffers Massive Data Breach
dasButcher writes "Network Solutions, the domain registration and hosting service company, suffered a massive security breach that lasted three months and exposed tens of thousands of credit card numbers of its customers and of the businesses that use its hosting and online payment processing service. The company is just beginning the victim notification process. 'There is no information on how the code was planted on the sites. While examination of the code shows that it had the ability to ship data off to a third party, and Network Solutions believes that it did just that, the exact code is not available for public review. There is also no public information as to where the data believed to be stolen was sent.'"
This is exactly why you don't go with the *HUGE* companies. There's a huge possibility that someone somewhere will target it and get around their security. It just takes one hack and all customers are affected. Security by obscurity is not always such a bad idea; go with the small ones who also can do their shit, and aren't such a big target.
They think "Open disclosure" and "transparency" are things you find in mailing envelopes.
Ehud
Why.. I mean WHY?
Why hold this data, are they all retarded? It's not their data to hold... once you send the transaction to Visa and it is accepted, this information should be PURGED. Period.
Released/posted after close of business on a Friday? I'd say this is part of a coordinated effort to say as little as possible about this.
BTW, a better/original story link is here:
http://voices.washingtonpost.com/securityfix/
That I left them some time ago, and that I always use throw-away credit card numbers online. The best defense against privacy leaks is the one you design yourself, and it better account for the possibility of a breach at all services you use.
Too bad it isn't always possible to do that easily and in a manner that helps you avoid all risk.
When they started trying to be the anti-Google, and be as evil as possible. I still remember the time they sent me alarmingly-worded letters about the need to renew a couple domains with them... shortly after I transferred those domains to another registrar.
I've figured all along I was just one of many who were happy to be rid of them. Today? Doubly so.
Village idiot in some extremely smart villages.
"After conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions on approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information."
At this stage of the game, what are these supreme innovators doing storing raw credit card numbers on a publicly accessible web server? And what's even more incredulous is that no one noticed. Where are all these magic intrusion detection systems? I mean the average ISP has more security in place. Have they been, like Rip Van Winkle, asleep for the past twenty years?
Security breach aside, it's a SOX issue to store or transmit CC numbers that way.
SOX may be annoying, but it is meant to avoid scenarios such as this, where a breach would yield that information in the first place.
At least you have an option to go somewhere else.
So who is going to be in charge of .com for DNSSEC purposes? Network Solutions?
But with DNSSEC, I believe we'd all be stuck with one per TLD.
I left them many years ago because:
- Form fields and labels were not consistent throughout their literature.
- Customer service experience held considerable 'vowel-trouble.'
- Overpriced initially as a registrar, and then of course, as a secure host.
;)
Easy-to-deploy, Turnkey!, Just give us your card.
"There is also no public information as to where the data believed to be stolen was sent."
Oh, so that's what all those big emails I've been receiving were! No worries, folks! I've got all the data right here!
I can never figure out which companies are which these days. Is register.com (actually rcomexpress.com) the same thing as Network Solutions?
I work for Network Solutions and we understand that this is a difficult time and we are already taking proactive steps to ease the burden on merchants that may have been impacted by this issue by providing assistance with their customers that may have been impacted. To help affected folks find information quickly we have set up a website: http://www.careandprotect.com/ Thanks, Shashi B
Social Media Swami | Network Solutions | http://blog.networksolutions.com
once you send the transaction to visa and it is accepted, this information should be PURGED. Period.
Not true. Lots of businesses hang on to your card number, especially if you will do repeat business with them, such as Amazon.
Network Solutions is my registrar. They do not keep your CC by default, they ask your permission and there is a very good reason for them to do this. This is why:
My business has a few dozen domain names: our trademarks and a couple of names that are similar (typos that we don't want squatters to snatch up; .com, .net, .be, .fr variants, etc). They were all registered at different times and so there is usually one getting ready to expire every few weeks. We could make it part of the daily routine of one of our developers to check up on all of our domains and repurchase a new registration as needed. This costs money... lots of money if you add it up over a year. Besides, it introduces an element of human error: a few years ago, the company lost its primary domain name because the guy in charge of doing that had left and nobody thought to assign the job to somebody else. It cost us thousands of dollars to buy it back.
Alternatively, we can just allow Network Solutions to keep our CC number and re-register the domain automatically. It is easy and cheap. Of course, this kind of solution requires that Network Solutions not hire a retarded monkey to code its ERM...
weirdest thing I ever saw: scientology advertising on slashdot.
This doesn't surprise me at all. Large organizations are reactive, never proactive. McAfee's recent XSS issue is a similar situation. Security and auditing are scary to suits, and inevitably generate extra work for them. It's never priority one.
There's nothing that says the data was stored on any publicly accessible server. What is said is that there was a code insertion that could have been used to transfer data out. The attackers probably patched into whatever lame backend system they were using for these transactions and added a little bit of code to simply copy the details out to a URL/irc bot somewhere. Cases like these typically involve some inside help or an ex-employee.
--- I do not moderate.
If you're dumb enough to use them, you deserve what you get.
I know for a fact that they do store credit cards - regardless of what they may or may not claim.
One billing application that allows you to search ALL historical purchases: what, when, card #, address, services, etc.
The second for more recent purchases.
Primarily we used a single application - and that application gave you access to the entire database, which included minor and major information, such as name, address, phone #, email, your challenge question, the HINT to the challenge question, CC number, billing cycle and history, DNS, SMTP, database passwords (if you host with NetSol), all email users and their passwords under that domain, FTP passwords, website passwords for the GUI designer and much much more!
If you have a domain with them that has other email addresses set up through the NetSol site, simply log in and look at those accounts. Each of those users can change the original password you set for them once they log into their online mail. But you will always see the passwords as ****; don't fret if you forgot one (or they changed it) and want to log into the email account of that user, pull up the source code - they are all in plain text (as of 1 year ago anyway).
They have certain "servers" that handle routing and other processes that are no more than a laptop - that's right, not a server - a laptop.
Oh and your cost of thousands of dollars to buy back your domain name - here is a little bit of info. Many users were irate about New Ventures grabbing domains faster than anyone else when they expired, sometimes before they were to be released (grace period for renewal after they expired). All employees were told to let the customers know that we were not, nor were we affiliated with, New Ventures. A month later at a financial meeting, it was announced that we'd been making leaps and bounds in revenues and had recently sold a domain name for nearly a million dollars! A few of us started looking into this as NetSol is a registrar supposedly with a set fee for domains. As it turns out New Ventures is in fact a part of NetSol - they're scamming everyone.
When I began working for NetSol, I was happy as a lark - until I got settled in and started digging into the processes, support and resolution chain and the blatant lies we were telling people; I was so disappointed. I left, not being able to stand the lies anymore. We'd tell people that their issue would have a resolution in 3 days, but they'd never hear from anyone. And in fact when someone would ask for someone higher up the chain of command (i.e. supervisor, etc.), the supervisors would tell us to tell them they can't be transferred, get the number and the supervisor will call them in 5-10 minutes... would they be home? The issue is that they would never get a call back... only to call in again and be transferred to level II support once more and talk to yourself again, or a fellow Level II support person near you. We would all talk and discuss the deflection process. At that time their website was also riddled with iframe exploits, constantly being hacked and defaced for over a year and a half.
Unless anyone here actually works for NetSol - no one really knows what I know for a fact goes on there. Given their history with customers and such, they've probably known about this for a long time.
Never try to beat a professional at his own game!
Wow. I'm so glad I moved from NetSol 8 YEARS ago (my first domain name). They were bad then!
Network Solutions are a bunch of yahoos... Once they made me the technical contact on about 8,000 domains. I got calls from all over from folks saying "Who are you and how did you get to be the technical contact on our domain?" I still have the printouts. About 200 pages (double sided) that list the domains. They have always had their heads up their hoohoos...
When I buy things online I use prepaid visa cards. Nobody has to know my bank account information, social security number or anything. I also give as little information out as possible. The most they will likely find on me, outside of my social security number (which anyone can find with some digging and a few bucks) is my name and address and a frequently empty visa debit account. I've had friends who have had their identity hijacked and it is very hard to convince credit agencies that you really didn't get a credit card and buy all of that stuff. My credit is pretty destroyed, but if that is something you are worried about, it does help to continuously monitor your credit report and score and potentially catch things before time starts working against you.
zosxavius photography
So what's the deal with NS's usage of kolmic.com? Imagine my CTO's surprise when our content filter blocked one of our subsidiary's NS parked domains because of an iframe of kolmic.com with a nice trojan payload. Some googling revealed this isn't an isolated case and NS has been doing some advertising with them for a while.
As a friend once said (in regards to the sex.com and races.com fiascoes): Network Solutions couldn't secure a lava pool against snowmen.
I have used NSI for domain registration in the past, and their hosting for static sites is actually OK - when you don't use them for anything else.
I finally figured out how to have my Google For Your Domain domains point to my hosted areas on NSI's servers for static content, and still use Google services (mail, blog, etc) for everything else.
$10 per domain per year for Google registration beats the hell out of trying to haggle with NSI sales staff when your domains are up for renewal. I have one left that is still registered @ NSI that I'm switching to Google (eNom/GoDaddy) next year. I'll keep my hosting @ NSI though, since I'm not doing any ecommerce with them...
Ask Me About... The 80's!
Another reason to pay with "PayPal"