Network Solutions Suffers Massive Data Breach
dasButcher writes "Network Solutions, the domain registration and hosting service company, suffered a massive security breach that lasted three months and exposed tens of thousands of credit card numbers of its customers and of the businesses that use its hosting and online payment processing service. The company is just beginning the victim notification process. 'There is no information on how the code was planted on the sites. While examination of the code shows that it had the ability to ship data off to a third party, and Network Solutions believes that it did just that, the exact code is not available for public review. There is also no public information as to where the data believed to be stolen was sent.'"
Why.. I mean WHY?
Why hold this data, are they all retarded? It's not their data to hold... once you send the transaction to Visa and it is accepted, this information should be PURGED. Period.
Released/posted after close of business on a Friday? I'd say this is part of a coordinated effort to say as little as possible about this.
BTW, a better/original story link is here:
http://voices.washingtonpost.com/securityfix/
This is exactly why you don't go with the *HUGE* companies. There's a huge possibility that someone somewhere will target it and get around their security. It just takes one hack and all customers are affected. Security by obscurity is not always such a bad idea; go with the small ones who also can do their shit, and aren't such a big target.
Small registrars can suck just as much as the big ones. All you can do is go by reputation: unfortunately, by the time a company has gotten popular enough to gain a good reputation, it probably has begun to start thinking more about money than quality.
The higher the technology, the sharper that two-edged sword.
As opposed to the small companies, where they haven't bothered to do any security yet? I'm explaining to a corporate partner right now why using the built-in version of Subversion on RHEL with an HTTP setup, and NFS home directories, and using the Kerberos of Active Directory for Subversion passwords, is an exquisitely bad idea. (Your passwords are silently stored in clear text, and available over NFS shares.) The people who knew, and cared, had been told it wasn't on their tasklist. The managers further up assumed that it was safe because it was HTTPS. The managers in the *middle* hadn't been willing to discomfit people by teaching them to use SSH with keys, or spend the time having to type in passwords. So almost *every user's primary keys* were available to anyone who plugged in a live CD and poked around for NFS mountable home directories and bothered to mount them and look at /home/$USR/.subversn/auth/. This is a long-existing, publicly announced problem. Every environment where I've seen this sort of thing occur has been small: the big companies have a security architect whose job it is to scream about this kind of thing, and to insist that it be addressed. And the big companies are willing to have one person run the daily script to look for these passwords stored in people's home directories. (It only takes one person running an out-of-date OS accessing NFS home directories, or who hasn't updated to Subversion 1.6, which at least asks before it stores your passwords.) Or a policy of not having password-free SSH keys, and one person to notice their NFS mounted SSH keys without passwords that present the same sort of problem.
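The daily check this comment mentions, looking for Subversion passwords cached in home directories, can be sketched as below. This is an added example, not part of the thread: it assumes the client's standard cache location `~/.subversion/auth/svn.simple/`, treats a missing `passtype` as cleartext, and builds its own constructed sample entries.

```python
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's on-disk hash format: K <len>, key, V <len>, value, ..., END."""
    out, pos = {}, 0

    def read_item(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)            # ValueError if the file is truncated
        header = data[pos:eol]
        if not (header.startswith(tag + b" ") and header[2:].isdigit()):
            raise ValueError(f"bad {tag!r} header at offset {pos}")
        start = eol + 1
        end = start + int(header[2:])
        pos = end + 1                           # skip payload and its trailing newline
        return data[start:end].decode("utf-8", "replace")

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key] = read_item(b"V")
    return out

def find_cleartext_svn_creds(home_root):
    """Return (file, username, realm) per cleartext cache entry; the password is never returned."""
    findings = []
    for cache in sorted(Path(home_root).glob("*/.subversion/auth/svn.simple/*")):
        try:
            entry = parse_svn_hash(cache.read_bytes())
        except (OSError, ValueError):
            continue                            # unreadable or malformed: skip
        # Assumption: a missing passtype is treated like "simple" (cleartext).
        if "password" in entry and entry.get("passtype", "simple") == "simple":
            findings.append((str(cache), entry.get("username"), entry.get("svn:realmstring")))
    return findings

def make_entry(fields) -> bytes:
    """Serialize (key, value) byte pairs into the same format (used for the sample only)."""
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in fields) + b"END\n"

def demo(root):
    """Constructed sample tree: alice caches a cleartext password, bob uses a keyring."""
    realm = (b"svn:realmstring", b"<https://svn.example.invalid:443> Example")
    samples = {
        "alice": [(b"passtype", b"simple"), (b"password", b"not-a-real-secret"),
                  realm, (b"username", b"alice")],
        "bob": [(b"passtype", b"gnome-keyring"), realm, (b"username", b"bob")],
    }
    for user, fields in samples.items():
        d = Path(root, user, ".subversion", "auth", "svn.simple")
        d.mkdir(parents=True)
        (d / "0123abcd").write_bytes(make_entry(fields))
    return find_cleartext_svn_creds(root)
```

Pointed at the root of the shared home directories, `find_cleartext_svn_creds` reports which users and realms need their cached credentials removed and rotated.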
When they started trying to be the anti-Google, and be as evil as possible. I still remember the time they sent me alarmingly-worded letters about the need to renew a couple domains with them... shortly after I transferred those domains to another registrar.
I've figured all along I was just one of many who were happy to be rid of them. Today? Doubly so.
Village idiot in some extremely smart villages.
"After conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions on approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information"
..
At this stage of the game, what are these supreme innovators doing storing raw credit card numbers on a publicly accessible web server? And what's even more incredulous is that no one noticed. Where are all these magic intrusion detection systems? I mean the average ISP has more security in place. Have they been, like Rip Van Winkle, asleep for the past twenty years?
I know for a fact that they do store credit cards - regardless of what they may or may not claim.
One billing application that allows you to search ALL historical purchases, what, when, card #, address, services etc...
The second for more recent purchases.
Primarily we used a single application - and that application gave you access to the entire database which included minor and major information, such as Name, Address, phone#, email, Your Challenge Question, the HINT to the challenge question, CC number, billing cycle and history, DNS, SMTP, database passwords (if you host with NetSol), all email users and their passwords under that domain, FTP passwords, website passwords for the GUI designer and much much more!
If you have a domain with them that has other email addresses set up through the NetSol site, simply log in and look at those accounts. Each of those users can change the original password you set for them once they log into their online mail. But you will always see the passwords as ****, but don't fret if you forgot one (or they changed it) and want to log into the email account of that user, pull up the source code - they are all in plain text (as of 1 year ago anyway).
They have certain "servers" that handle routing and other processes that are no more than a laptop - that's right, not a server - a laptop.
Oh and your cost of thousands of dollars to buy back your domain name - here is a little bit of info. Many users were irate about New Ventures grabbing domains faster than anyone else when they expired, sometimes before it was to be released (grace period for renewal after it expired). All employees were told to let the customers know that we were not, nor were we affiliated with, New Ventures. A month later at a financial meeting, it was announced that we've been making leaps and bounds in revenues and recently sold a domain name for nearly a million dollars! A few of us started looking into this as NetSol is a registrar supposedly with a set fee for domains. As it turns out New Ventures is in fact a part of NetSol - They're scamming everyone.
When I began working for NetSol, I was happy as a lark - until I got settled in and started digging into the processes, support and resolution chain and blatant lies we were telling people, I was so disappointed. I left not being able to stand the lies anymore. We'd tell people that their issue would have a resolution in 3 days, but they'd never hear from anyone. And in fact when someone would ask for someone higher up the chain of command (i.e. supervisor, etc.), the supervisors would tell us to tell them they can't be transferred, get the number and the supervisor will call them in 5-10 minutes... would they be home? Issue is that they would never get a call back... only to call in again and be transferred to Level II support once more and talk to yourself again, or a fellow Level II support person near you. We would all talk and discuss the deflection process. At that time their websites were also riddled with iframe exploits, constantly being hacked and defaced for over a year and a half.
Unless anyone here actually works for NetSol - no one really knows what I know for a fact that goes on there. Given their history with customers and such, they've probably known about this for a long time.
Never try to beat a professional at his own game!
Give me a break! - I too worked for Network Solutions as Level II support - I know all about the bullshit story lines in order to save face. iframe exploits throughout the customers' sites, issues not followed through on, the denial of New Ventures having -any- affiliation with NetSol. The ease of gaining access.
In fact while I worked there, several techs uploaded basic HTTP shell emulators onto their sites and all had root level access within minutes.
Your infrastructure was and still is seriously flawed and appears that it always will be - I know first hand!
I'll file this under TasteButDontSwallow
Never try to beat a professional at his own game!