Slashdot Mirror


Hackers Completely Shut Down DDoS Protection Firm Staminus (softpedia.com)

An anonymous reader writes: Hackers have breached DDoS protection firm Staminus, a US-based company that offers protection against a range of network security attacks including, well, DDoS. The fraudsters have also reportedly stolen sensitive data from Staminus' database and dumped it online. Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text. The alleged security nightmare doesn't end there, unfortunately. Hackers managed to expose crucial services via external Telnet, and reset all of Staminus' routers to factory settings, causing network and services downtime. Staminus acknowledged network and services issues, which apparently lasted for more than 20 hours, on Thursday, and later assured that its global services have been restored.

6 of 64 comments

  1. credit card details in plain text? by JcMorin · · Score: 3, Insightful

    I'm surprised a security firm got away with that... best time to plug the fact that it's time to use payment like PayPal or even better bitcoin so you can get your money stolen if a service you use gets hacked.

    1. Re:credit card details in plain text? by TWX · · Score: 5, Insightful

      Credit cards can be cancelled and transactions reverted, at least to an extent.

      If they steal your bitcoin wallet information and transfer it, it's gone.

      --
      Do not look into laser with remaining eye.
    2. Re:credit card details in plain text? by bluefoxlucid · · Score: 4, Insightful

      It's hard to not store credit card details in plain text. Even the fabled encryption relies on an automated system accessing it by decryption, meaning somewhere the key is accessible. You can hit the database application and say, "Please give me credit cards," and it decrypts them; or it at least can access the key and use that, so you get that too; or it's whole-disk encryption, so it's useless.

      You store CCNs so you can re-bill people when you get hacked. We haven't advanced to the point of billing contracts in the financial system yet, so we won't send a vendor-signed billing contract up to the bank saying "I can bill with this frequency and this maximum charge per period". If we did, we could hit the bank and say "Contract #3876492 Bill=$42.79" and the bank would determine if the message was signed by the correct vendor, valid for the contract, and within correct billing limits, as well as what account it affects. No need to store CCNs.

    3. Re:credit card details in plain text? by JustAnotherOldGuy · · Score: 4, Insightful

      You store CCNs so you can re-bill people when you get hacked.

      The best strategy is simply not to store them, ever. Let the card gateway store them (Authorize.net, PayPal, Amazon, etc) so if anything happens, it's not on your shoulders. I've run sites that accept credit cards for ~15 years, but I never, EVER store the numbers on my servers.

      --
      Just cruising through this digital world at 33 1/3 rpm...
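The vendor-signed billing contract bluefoxlucid sketches, together with JustAnotherOldGuy's point about never holding the card number yourself, as an added example that is not from either poster: the vendor signs "Contract #... Bill=$...", and the bank checks the signer, the contract and the per-period limit, so no card number is ever stored or transmitted. Assumptions: the vendor key, contract record and account are constructed, and an HMAC shared only between vendor and bank stands in for a real vendor public-key signature.

```python
import hmac
import hashlib
import re
from datetime import date, timedelta

# Constructed demo values: the vendor key, contract record and account are made up.
# A real scheme would use a vendor public-key signature; an HMAC key shared only
# between vendor and bank stands in for it here so the example runs offline.
VENDOR_KEYS = {"vendor-demo": b"constructed-demo-key-not-for-real-use"}
CONTRACTS = {  # what the bank holds once the customer has approved the contract
    "3876492": {"vendor": "vendor-demo", "account": "acct-1001",
                "max_per_period": 50.00, "period_days": 30},
}
BILL_RE = re.compile(r"^Contract #(\d+) Bill=\$(\d+\.\d{2})$")


def sign_bill(contract_id, amount, vendor):
    """Vendor side: build the billing message and its authentication tag."""
    msg = f"Contract #{contract_id} Bill=${amount:.2f}".encode()
    tag = hmac.new(VENDOR_KEYS[vendor], msg, hashlib.sha256).hexdigest()
    return msg, tag


class Bank:
    def __init__(self):
        self.history = {}  # contract_id -> [(date, amount)] of approved charges

    def process(self, msg, tag, today_iso):
        """Bank side: check signer, contract validity and billing limits.
        Returns 'approved:<account>' or 'rejected:<reason>'."""
        today = date.fromisoformat(today_iso)
        m = BILL_RE.match(msg.decode(errors="replace"))
        if not m:
            return "rejected:malformed"
        contract_id, amount = m.group(1), float(m.group(2))
        contract = CONTRACTS.get(contract_id)
        if contract is None:
            return "rejected:unknown-contract"
        # The bank looks up which vendor may bill this contract; it never trusts
        # a vendor name carried inside the message itself.
        key = VENDOR_KEYS[contract["vendor"]]
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected:bad-signature"
        window_start = today - timedelta(days=contract["period_days"])
        spent = sum(a for d, a in self.history.get(contract_id, []) if d > window_start)
        if spent + amount > contract["max_per_period"] + 1e-9:
            return "rejected:over-limit"
        self.history.setdefault(contract_id, []).append((today, amount))
        return f"approved:{contract['account']}"
```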
  2. Re:Mischief by TWX · · Score: 4, Insightful

    Sounds like the biggest problem was that they didn't practice security for themselves. One should assume that being in the security business, one automatically will be a more visible target, and one's security should be set up to meet that head-on.

    These guys sound like an old-west movie set. A bunch of authentic-looking facades held up by timbers bracing them, no actual building behind the face.

    --
    Do not look into laser with remaining eye.
  3. Re:Telnet by barc0001 · · Score: 5, Insightful

    Fewer NEW ones yes. There's still the inherent one that won't go away ever.