Network Solutions Suffers Massive Data Breach
dasButcher writes "Network Solutions, the domain registration and hosting service company, suffered a massive security breach that lasted three months and exposed tens of thousands of credit card numbers of its customers and of the businesses that use its hosting and online payment processing service. The company is just beginning the victim notification process. 'There is no information on how the code was planted on the sites. While examination of the code shows that it had the ability to ship data off to a third party, and Network Solutions believes that it did just that, the exact code is not available for public review. There is also no public information as to where the data believed to be stolen was sent.'"
As opposed to the small companies, where they haven't bothered to do any security yet? I'm explaining to a corporate partner right now why using the built-in version of subversion on RHEL with an HTTP setup, and NFS home directories, and using the Kerberos of Active Directory for Subversion passwords, is an exquisitely bad idea. (Your passwords are silently stored in clear text, and available over NFS shares.) The people who knew, and cared, had been told it wasn't on their tasklist. The managers further up assumed that it was safe because it was HTTPS. The managers in the *middle* hadn't been willing to discomfit people by teaching them to use SSH with keys, or spend the time having to type in passwords. So almost *every user's primary keys* were available to anyone who plugged in a live CD and poked around for NFS mountable home directories and bothered to mount them and look at /home/$USR/.subversn/auth/. This is a long-existing, publicly announced problem. Every environment where I've seen this sort of thing occur has been small: The big companies have a security architect whose job it is to scream about this kind of thing, and to insist that it be addressed. And the big companies are willing to have one person run the daily script to look for these passwords stored in people's home directories. (It only takes one person running an out-of-date OS accessing NFS home directories, or who hasn't updated to subversion 1.6 which at least asks before it stores your passwords.) Or a policy of not having password free SSH keys, and one person to notice their NFS mounted SSH keys without passwords that present the same sort of problem.
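The daily audit script the comment above mentions, as an added example that is not part of the original post or of any project's code. It assumes Subversion's standard `~/.subversion/auth/svn.simple/` cache layout and home directories mounted under one root; the function names and the sample tree for user `alice` are constructed for illustration.

```python
import base64, struct
from pathlib import Path

def parse_svn_auth(data: bytes) -> dict:
    """Parse Subversion's cache format: 'K <len>', key, 'V <len>', value, ..., 'END'."""
    items, pos = [], 0
    while not data.startswith(b"END", pos):
        eol = data.index(b"\n", pos)             # ValueError on a truncated file
        length = int(data[pos:eol].split()[1])
        items.append(data[eol + 1 : eol + 1 + length].decode(errors="replace"))
        pos = eol + 2 + length                   # skip the body and its newline
    return dict(zip(items[0::2], items[1::2]))

def ssh_key_unprotected(data: bytes) -> bool:
    """True when the file is a private key stored without a passphrase."""
    text = data.decode(errors="replace")
    if "PRIVATE KEY-----" not in text:
        return False
    if "BEGIN OPENSSH PRIVATE KEY" not in text:  # PEM and PKCS#8 flag encryption in the armor
        return "ENCRYPTED" not in text
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)[len(b"openssh-key-v1\0"):]
    (n,) = struct.unpack(">I", blob[:4])         # length-prefixed cipher name follows the magic
    return blob[4 : 4 + n] == b"none"

def audit_homes(root: Path) -> list:
    """Return (user, finding, detail) tuples; the secret itself is never reported."""
    found = []
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        for f in sorted(home.glob(".subversion/auth/svn.simple/*")) + sorted(home.glob(".ssh/*")):
            try:
                data = f.read_bytes()
                if f.parent.name == "svn.simple":
                    rec = parse_svn_auth(data)
                    if rec.get("passtype") == "simple" and "password" in rec:
                        found.append((home.name, "svn-plaintext-password", rec.get("svn:realmstring", "?")))
                elif ssh_key_unprotected(data):
                    found.append((home.name, "ssh-key-no-passphrase", f.name))
            except (OSError, ValueError, IndexError, struct.error):
                continue                         # unreadable or malformed file: skip it
    return found

def make_sample(root: Path) -> None:
    """Constructed sample tree: user 'alice' with a plaintext svn password and a bare key."""
    svn, ssh = root / "alice/.subversion/auth/svn.simple", root / "alice/.ssh"
    svn.mkdir(parents=True)
    ssh.mkdir()
    (svn / "cache").write_bytes(b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\n"
                                b"K 15\nsvn:realmstring\nV 25\n<https://svn.example.com>\nEND\n")
    (ssh / "id_rsa").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Calling `audit_homes(Path("/home"))` from a scheduled job yields the users to follow up with; a `passtype` other than `simple` means the password is held by a keyring rather than in the file.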
When they started trying to be the anti-Google, and be as evil as possible. I still remember the time they sent me alarmingly-worded letters about the need to renew a couple domains with them... shortly after I transferred those domains to another registrar.
I've figured all along I was just one of many who were happy to be rid of them. Today? Doubly so.
Village idiot in some extremely smart villages.
The small companies don't have the staff or the competencies to handle security. The big companies, on the other hand, just don't care. The main difference is that one is giving the illusion of due diligence and the other isn't.
That's why I prefer small companies. Same general level of risk, but their databases are smaller, so I'm a smaller target.
Once you send the transaction to Visa and it is accepted, this information should be PURGED. Period.
Not true. Lots of businesses hang on to your card number, especially if you will do repeat business with them, such as Amazon.
Network Solutions is my registrar. They do not keep your CC by default, they ask your permission and there is a very good reason for them to do this. This is why:
My business has a few dozen domain names: our trademarks and a couple of names that are similar (typos that we don't want squatters to snatch up; .com, .net, .be, .fr variants, etc). They were all registered at different times and so there is usually one getting ready to expire every few weeks. We could make it part of the daily routine of one of our developers to check up on all of our domains and repurchase a new registration as needed. This costs money... lots of money if you add it up over a year. Besides, it introduces an element of human error: a few years ago, the company lost its primary domain name because the guy in charge of doing that had left and nobody thought to assign the job to somebody else. It cost us thousands of dollars to buy it back.
Alternatively, we can just allow Network Solutions to keep our CC number and re-register the domain automatically. It is easy and cheap. Of course, this kind of solution requires that Network Solutions not hire a retarded monkey to code its ERM...
weirdest thing I ever saw: scientology advertising on slashdot.
My main point is that the security holes at NetSol are akin to a block of Swiss cheese. And in most cases the security breaches and malware placed on their system go unnoticed for long periods of time.
Never try to beat a professional at his own game!