Hackers Completely Shut Down DDoS Protection Firm Staminus

An anonymous reader writes: Hackers have breached DDoS protection firm Staminus, a US-based company that offers protection against a range of network security attacks including, well, DDoS. The fraudsters have also reportedly stolen sensitive data from Staminus' database and dumped it online. Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text. The alleged security nightmare doesn't end there, unfortunately. Hackers managed to expose crucial services via external Telnet, and reset all of Staminus' routers to factory settings, causing a network and services downtime. Staminus acknowledged network and services issues, which apparently last for more than 20 hours, on Thursday, and later assured that its global services have been restored.

credit card details in plain text?

[JcMorin]

I'm surprise a security firm go away with that... best time to plug the fact that it's time to user payment like PayPal or even better bitcoin so you can get your money stolen if a service you use get hacked.

Re:credit card details in plain text?

[TWX]

Credit cards can be cancelled and transactions reverted, at least to an extent.

They steal your bitcoin wallet information and transfer it, it's gone.

Re:credit card details in plain text?

[redmid17]

Both people who use Bitcoin are very glad they weren't targeted.

Re:credit card details in plain text?

[bluefoxlucid]

It's hard to not store credit card details in plain text. Even the fabled encryption relies on an automated system accessing it by decryption, meaning somewhere the key is accessible. You can hit the database application and say, "Please give me credit cards," and it decrypts them; or it at least can access the key and use that, so you get that too; or it's whole-disk encryption, so it's useless.

You store CCNs so you can re-bill people when you get hacked. We haven't advanced to the point of billing contracts in the financial system yet, so we won't send a vendor-signed billing contract up to the bank saying "I can bill with this frequency and this maximum charge per period". If we did, we could hit the bank and say "Contract #3876492 Bill=$42.79" and the bank would determine if the message was signed by the correct vendor, valid for the contract, and within correct billing limits, as well as what account it affects. No need to store CCNs.

Re:credit card details in plain text?

[ScentCone]

The solution for that is TOKENS. Your web app collects the CC info over an SSL-encrypted session, and presents it to an API at the bank (also talked-to over a secure pipe). The bank records the CC info and returns a token CC account - essentially, a fake CC that you CAN store in plain text because it's completely useless outside of the context in which you and the bank have arranged to later use it. Then, when you go to run the transaction (say, when you're about to ship some goods, or renew services, etc) - which might be half a second later, or a year later - you've got something you can work with, and no need for fragile/complex crypto locally. The bank, which already in theory DOES that in a big way for a living, has that part covered.

The token/fake CC number, BTW, can contain the same last four card number digits as the real card, which makes it very easy to combine those four digits with a scrap or two of customer info in order to look up account history, etc., locally without having to interact with the bank again later.

Re:credit card details in plain text?

[JustAnotherOldGuy]

You store CCNs so you can re-bill people when you get hacked.

The best strategy is simply not to store them, ever. Let the card gateway store them (Authorize.net, PayPal, Amazon, etc) so if anything happens, it's not on your shoulders. I've run sites that accept credit cards for ~15 years, but I never, EVER store the numbers on my servers.

Re:credit card details in plain text?

[JcMorin]

you could say the same for you cash or gold or anything you can hold. The problem with credit card transaction is the global cast. All those millions transactions reverted do charge fees to users, banks and merchants... that's why you have an almost 3% fees to accept it. With new payment solution like Apple Pay it get even worst. Bitcoin is far for perfect, but at least the concept that nobody can pull money from you and you have to push it is the right direction. You can setup you money to have 2 or more signature, for instance your computer, your cell, a website or a even a physical device. Having both steal make it much more unlikely.

Re:credit card details in plain text?

[taustin]

If they were storing credit card info in plain text, they weren't PCI compliant, and are 100% responsible for all costs relating to the investigation (average cost: $100,000) and remediation ($4-5 per card to replace, plus all fraud and related fees).

And they likely won't be allowed to take credit cards much longer.

Telnet

[ArchieBunker]

Even funnier is having telnet running. But then again telnet has had way fewer security issues than ssh and ssl lately.

Re:Telnet

[barc0001]

Fewer NEW ones yes. There's still the inherent one that won't go away ever.

Re:Telnet

[Locke2005]

Yeah, while I was working at Oracle, I managed to snag the network administrator password that would grant admin privilege on every Sun box at Oracle... just by filtering telnet traffic in promiscuous mode on my workstation and catching a network admin logging in remotely via telnet to another computer on my subnet. There's a reason why any sane person uses ssh instead.

Re:Telnet

[Ksevio]

That's why I always run telnet over an SSH tunnel!

Re:Telnet

[Tharkkun]

Well if they used the same root password on every box they had bigger problems than telnet... All it takes is one box to be compromised and you have a pretty good chance of obtaining the password... You can crack the hash, on windows boxes you can even pass the hash without cracking it, if you cant crack the hash then you can backdoor the services to capture passwords and wait for someone to log in, and unless the box is completely unused you can probably entice an admin to log in by crashing whatever service the box is supposed to be running... A crashing service doesn't even raise suspicion these days, people are used to software being unreliable and will just restart it or even reboot the whole box.

They haven't allowed anything other than SSH for 5+ years. He probably also sniffed it from the development environment. Everyone had sudo root access on on 100k+ hosts.

Re:Mischief

[TWX]

Sounds like the biggest problem was that they didn't practice security for themselves. One should assume that being in the security business that one automatically will be a more visible target, and one's security should be set up to meet that head-on.

These guys sound like an old-west movie set. A bunch of authentic-looking fascades held-up by timbers bracing them, no actual building behind the face.

Protection firm?

[wjcofkc]

Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text.

Hackers managed to expose crucial services via external Telnet

I would like to say mind = blown, but we see too much of this shit from so called "security companies". Anyone here want to start a real security company with me? Most of the people that will be posting in this thread are already more qualified than these "security companies" we keep reading about.

As soon as I finish this sentence, I am changing my voicemail message to: I will be unavailable the rest of the day as I commit myself to breaking the world record on the single longest series of facepalms.

Not quite what you wanted to say?

[SeaFox]

Hackers have breached DDoS protection firm Staminus, a US-based company that offers protection against a range of network security attacks including, well, DDoS.

Well... wouldn't it make sense that a DDoS protection firm would offer protection against DDoS?
Unless the story here is the hackers took them down with a DDoS this sentence doesn't say as much as the author was hoping.
So far it looks like a plain network intrusion case.

Funny

[DaMattster]

It would seem that Staminus did not have the 'stamina' to live up to it's own marketing campaign. Happily some hackers exposed the truth.

Seriously?

[JustAnotherOldGuy]

Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text.

What a brilliant strategy- standardizing on server passwords!

Storing credit card details in plain text is a super-duper PCI compliance no-no, however, and I'm truly amazed they had the balls to do this when they MUST have known better. This is one of the most serious violations when storing credit card data, and to have a security-industry company doing it is kind of mind-boggling.

Hands up who's surprised?

[ledow]

I've heard of backup companies who don't take proper backups. The servers go, they lose all their customer's data, no returns.

This isn't a shock. Quite often the very people who you "have to consult" in order to appease your boss are the very snakeoil salesman that have no clue about what they're doing beyond talking themselves up.

I had a guy tell my boss that our website "was insecure, expired certificates, etc.". Turns out he was plugging our domain.com into some online checker but didn't notice that our website is actually www.domain.com. Our bare domain, therefore, of course wasn't encrypted or any such nonsense and had no need to be - it was just a landing page that HTTP redirected you to the proper domain (and, to be honest, 99% of the website has no need for a secure certificate either, as none of it is private or confidential - it's a website - and the CMS for it is accessed an entirely different way).

And the expired cert? Actually a fallback "localhost" cert returned by Apache if you specifically request a non-existent https subdomain like "https://domain.com" (which doesn't exist as a website, and only gets a response because it resolves to the same IP as www.domain.com which has the secure port open).

But he plugged it into the checker, so everyone must be able to get into our systems right?! What are we going to do about it?!

The very people who run these services HAVE NO CLUE what they are doing. Like the people that my employer keeps trying to get me to take training courses from, or the apprenticeship company that one of my colleagues has to spend 9 weeks training at.

He said last time he went that their "network" was a bunch of unlicensed workstations ("Just ignore that notice"), with no security, all the same passwords (so he was able to remote into the instructor's PC, etc.), admin-level accounts, all clients connected direct to the Internet with no filter or firewall, and that they thought he was "hacking" because he was remoted into his own home server after finishing their coursework and doing some research of his own. Another told him off for upgrading the version of server because his remote session was to a more modern version.

These were the people TEACHING HIM (supposedly) how to set up domains, manage a network, implement group policy, etc. etc. etc. And they'd not heard of virtualisation, proper imaging techniques (they have "rollback" on their clients but pretty much they are just used by class after class and rebuilt when necessary, hence why they are unlicensed as there's no KMS server, or even a proper image). And they were teaching him on Server 2008... his home server has 2016, and we're using 2012R2 in the workplace.

Basically, he's going there to tick a box to say that "someone other than my boss" thinks he can do the basics, not to actually learn anything. Unfortunately that "someone other" are obviously bog-useless at what they do, or they wouldn't be working at such a company - they'd have got themselves a job managing real servers somewhere.

That's pretty much what's happened here. Get a consultant in to audit things and say you're up-to-scratch. But who audits the auditor? No-one? Pointless then. And they can't even apply the principles that they are judging YOU on to their own internal systems.

I hope they lose every customer they had.

Renames Company To Stupidus.

[zenlessyank]

Changes root password and calls it a day.

Customer lawsuits and PR damage ...

[davidwr]

... will shut this company down for good, even if it does survive the technical damage.