Even My Mom Could Hack These Sites

Frequent Slashdot Contributor Bennett Haselton's latest story is ready for your consumption. He starts "Recently, as an experiment, I wrote from my Hotmail account to ten different hosting companies that were each hosting some of my Web sites, asking for logins to change the domain settings. Even though I never provided any proof that the messages from the Hotmail account were really coming from me (the address they all had on file for me was a different one), half of them replied back and gave me the logins that I needed."

I figured that if I wrote to them saying "I forgot my password, please mail it to me," that would be too obvious. Instead, at the time I had set up shop with these hosting companies, I entered a domain name at the time of creating my account, and asked them to register it on my behalf (long before I had this experiment in mind). Then when I wrote to them recently from my Hotmail address, I sent each of them a message saying: I need to transfer this domain somewhere else, can you give me the login at the registrar where you registered the domain, so I can change the domain settings. Five of the ten companies either (a) gave me the registrar login, (b) transferred the domain to my registrar account on request (even though I never provided any proof that the owner of that registrar account was really me, either), or (c) changed the domain to point to a new IP address that I specified -- all of which, of course, would allow an attacker to take over a site temporarily or even permanently, if it hadn't really been me writing from the Hotmail address.

But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over, are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server, knows enough to buy the domain and point it at the server that the company gives them.

But even for small-time hosting, a 50% success rate for a trick like this is uncomfortably high. So what can we do about it? Well, every problem has a non-solution that requires changing human nature ("People should just stop buying from spammers and they'd go out of business!") and a non-solution that ignores the economics of the situation ("ISPs should devote more resources to stopping spammers on their own network!"). In this case, the corresponding non-solutions would be (a) "People who work for hosting companies should be less gullible" and (b) "ISPs should hire smarter people, without charging more to their hosting customers".

The solution that doesn't require any cheating, though, is to have procedures in place for anything remotely security-related, and drum into employees' heads that they have to follow those procedures. Here's some good news: Of the five companies that fell for the ruse asking for my registrar login information, when I followed up with them saying "Hey, I forgot my account password, can you mail it to me", only two of them actually sent my password to the Hotmail account. To those two, I replied with some terse words about having a six-inch-thick steel door while leaving the window wide open. But at least it was only two out of ten that fell for that ruse, compared to five out of ten that fell for the registrar trick. The difference is that hosting companies have procedures in place to deal with password resets -- a script that sends the existing password, or sends a reset-password link, only to the customer's e-mail address on file.

Similarly, any hosting company that registers domains on behalf of users, should have procedures in place for transferring the domains to users or letting them change domain settings. In fact, of the five companies that didn't fall for the ruse, most of them said "Go to the customer control panel here and log in" -- it wasn't that their guard went up because I was writing from a Hotmail account, it was that they already had procedures in place for a customer wanting to change domain settings, and what's what the idiot-proof book told them to do. Kevin Mitnick always said that the weakest link in any security chain was people. Sometimes the way for ISPs to tighten security is to make the people in the chain act more like machines.

Until then, there are probably many sites out there that are this easy to "hack", using a method that could charitably be called low-tech. After seeing which hosting companies fell for the trick, I pointed out that they had sent the login information to an unverified address and admonished them to be more careful in the future, but I didn't storm out vowing to take all of my business elsewhere -- after all, if 50% of all low-budget hosting companies out there fall for this, what would be the point?

well what ISPs released the info? i want to avoid

[Anonymous Coward]

well what ISPs released the info? i want to avoid them.

past mistakes

[ISwearNotmyPorn]

It continues to astonish me that we as a society continue to make the same mistakes. You would think at this day and age basic 'social engineering' would no longer work.

Get a real ISP...

[__aaclcg7560]

When I forgot the password to access the CPanel account to modify my website and I sent an email requesting that it be changed, the ISP owner left a voicemail on my cell phone with the new password and I was charged five bucks.

Am I wrong?

[Frosty Piss]

One cannot conclude from the small sample size that 50% of all small, low-budget hosting companies are not security-conscious.

I would have thought the opposite: The big monoliths would have out-sourced unmotivated help desks that might do this. Smaller companies, I thought, where actually run by real people with a connection to their customers... Am I wrong?

Re:It's probably easier than you think

[brunascle]

gah. one of those is actually mine, but it was disabled shortly after that url got public. and it never gave you admin access anyway, it just changed what happened when that particular article was unavailable to the public: it would forward it to a CMS login instead of showing a "Not found" error. i'm fairly confident that my CMS is secure though.

Possible new anti-spam technique?

[Anonymous Coward]

I could see this possibly having applications in shutting down spamvertised websites. Being as usually the domains that are spamvertised have been registered less than 7 days prior to the deluge of promotional spam, the hosting regsitration should be recent.
Of course, this would work better if the hosting companies spoke English (which they seldom admit to doing).
Though really, it would be even better if same trick could be pulled on registrars. If you could get into the registration info for evil.spamdomain.info, and change the DNS information to point to something other than a DNS server, you could pretty quickly shut down the domain.

Yes, I'm the same AC that always blames spam on registars. And I will continue to do so for the forseeable future.

Re:The moral of the story is:

[laffer1]

I can tell most people posting have never worked for a hosting company. The company I worked for did not have much information on clients to "test" them. We did require that they send us email from their original sign-up address. Here is the problem though. Often, an account would be setup by one employee sometimes in their own name for a company. That employee would them leave and the business would be stuck with no login and inaccurate account information. What do we do then? Of course they knew her name, but not much else. In the case of customers outside the US, we had a policy that we could not call them. So we had to take incoming calls or emails only. Sometimes the customer changed their contact address to their website. This means that if their email is not working, we could of course not receive an email from them about their account!

Obviously for many accounts, it is possible to get accurate, useful information. Then again, when a company views it that you are holding their website hostage they get a little upset too! We have several lawyers get froggy with us on behalf of their clients when we did try to verify things. Also, with so many hosting companies its a very cut throat business. Its hard to make money when you get $10 a month at best from most customers. That's less than most Internet access accounts.

Now if you pay verio through the roof for hosting they will go through quite a few steps to verify you are you but they won't keep spam off their network. I had an account with them a few years ago and they actually had an open relay setup. Anyone could impersonate your website and if you had an account, it was easy to enumerate the domains on the server your site was on. Some of this might be resolved with their costly VPS services, but its also resolved with a dedicated server you can lock down yourself too. These days I won't run anything on a server I do not control. I've also found that ISPs are much more careful with dedicated server or VPS account customers.

As far as listing companies, I think most people are scared of lawsuits these days. Since I happened to pick on my verio experience, I should be just as unfair to my own former employer. http://www.customweb.net/ [customweb.net] (myeasyhost.com now i believe) There is something wrong with every hosting company. The trick is finding one that you can live with.

Re:passwords should be hashed

[garett_spencley]

Well, even if they reset it and e-mailed you the new password it wouldn't help any in this case.

Of course, if they don't bother to hash it then that's probably another symptom of complacent or non-existent security policies and could be a red flag that kind of problem is a possibility. And to the converse, if they bother to hash the password they're probably smart enough to have stricter policies in place.

Still...

Big, out-sourced ISPs

[blueZ3]

who have cheap labor doing the work are more likley to have procedures, because the workers aren't trained enough to answer questions like this--it's like a customer service script they wade through.

IMO, the most dangerous aren't the untrained script-readers from a large ISP, nor the three-CS-college-friends small ISPs, but the folks at "mid-sized" ISPs who know just enough to be dangerous. At a big company, procedures protect you. At a small company, it's possible that the knowledge of the smart guy running the shop will help protect you. A mid-sized shop, that's hired some less knowledgable folks but doesn't have procedures yet, seems to me to be the most likely to screw up.

I call bluff!

[billcopc]

I have some serious doubts about the Truthiness(tm) of this article, just because in years of web business I've never met a serious fellow with 10 different hosting providers. A normal person would either pick one provider and pay for a large enough account to handle the 10 projects, or take the next step and get a dedicated server.

The author also suggests that small hosting companies have poorly-trained staff. That could not be any further from the truth. In most cases, small companies are run by one or more highly skilled techie entrepreneurs who know their clients well enough to avoid such security blunders. A large faceless company with dozens or even hundreds of employees is far more likely to have things slip through the cracks, and the staff hierarchy ensures that no single individual knows the whole story.

Take for example the world of Internet Service Providers. In a small, 3-man shop, when you call tech-support you're probably talking to a server administrator or network guru. In a big nationwide telecom, you're talking to an outsourcer who learned his "trade" six months ago during his job training and his primary source of information is the knowledge base and screenshots on his workstation.

Well here's a not-so-secret fact about hosting companies: they outsource their sales and support just like any other business. The bigger they are, the more likely you will be speaking with someone who has no idea who you are, what your server looks like and who is more afraid of their own supervisor than of you withdrawing your business. I was shopping for a cheap junky server a couple months ago and I dealt with 4-5 different hosting companies who were looking great, right up until their sales person dropped the ball out of either ignorance or laziness. Most of them were just human parking pages, no matter what I typed into the chat box, they'd simply return a list of links to their terms of service or FAQ. There's one particularly brilliant fellow who pointed me to a non-existent PDF file on their website, then took another 10 minutes to finally accept that I am not an idiot and if I say a link is 404, it's friggin 404. Many of them ended the conversation saying they would email me various documents or a contract, and none ever did. At one point I was even doubting my own mail server, since NONE of them were coming through on their promises.

The moral of this rant ? The world of web hosting is bursting with fraudsters, posers and imbeciles. I probably put in 30-40 hours of research before finally coming across a provider that suited my needs and budget, most of that time was wasted dealing with crooks and idiots. Here's a tip: go to a forum like webhostingtalk.com and have a chat with other hosting clients, read all the success and horror stories before throwing your money at a company you don't know. Make sure you know what you're getting into before signing anything.

Re:I did something like this once...

[Itninja]

The boss was suprised. But, no, Sarah stayed employed. But we did have a *intensive* company meeting regarding security later that month.

Why not use the simple, obvious solution?

[msauve]

The web host was getting paid, weren't they?

For verification, ask for the matching credit card name and number, or write to the billing address, etc. However you were getting paid, there is some form of verified contact. (Unless you weren't getting paid, in which case nuke them, or you were billing their ex-employee's private credit card, in which case that person still "owned" the site and you shouldn't be giving the caller access).

Re:You're a feminist? How cute!

[Anonymous Coward]

It's funny though how if the poster had said "Even a [insert any race here] person could hack these sites" it would be a completely different kettle of fish that would probably see people fired and a national outcry over racism.

I'm not condoning racism, I'm just pointing out how much sexism is often seen as O.K. whereas racism is seen as an eternal evil. The line "As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose" in particular would not go down well if made on racial rather than sexual grounds, despite probably being equally valid.

Re:It's probably easier than you think

[alan.briolat]

If you want to start blaming PHP for security flaws, then at least be fair and blame C/C++ for buffer overflows too. The problem is that PHP is "easy", meaning that you don't have to be a good programmer to use it. That means a lot of unexperienced people writing sites/scripts without any concept of the possible attack vectors. I've been writing PHP-based scripts for a few years now, and I've never had any vulnerability become apparent even when specifically inviting people to try and find them. My current site [codescape.net] even has its source code publically viewable [codescape.net]. The worst that anybody can generally do is impair their own experience of the site. I'm not trying to be arrogant, just pointing out that the language is not to blame, ignorant programmers are.

From the other side of the fence...

[BlueNoteMKVI]

I just ran into a similar situation today, actually - from the ISP side. I run a small web services company. Most of our business is in web design and programming, but we offer the hosting mostly as a convenience to customers (only one contact person, one bill, etc).

I got a call from one of my clients' employees asking for a password reset on his email account. He's moving to a new office in the same building, doesn't know his password, wants to set up Outlook. No big deal, usually, but this is a guy I've never talked to or met. He argued with me a bit about it - said he's been an employee there for years, the boss is a personal friend, etc etc. Regardless, I don't know him from Adam so I refuse to give him the new password, instead offering to email it to the boss (the only contact email we have on file). He eventually accepts this.

Then we find out the boss is out of town somewhere and can't check his email. The guy's password has already been reset, so he can't check mail on his old computer either. He's SOL for the rest of the day until the boss checks his email from the hotel.

I hate to make things hard, but I have to - otherwise I could find myself featured in an article like this.

Seanic

[Chysn]

Here's a fun one. I used to have several sites hosted by Seanic (www.seanic.net). This outfit is a social engineer's wet dream:

(1) All I had to do to get my FTP host, user ID and password was ask. It didn't matter what email address I used. No verification at all.
(2) On two separate occasions, they accidentally emailed me somebody ELSE'S FTP login information, at random, without me even contacting them.
(2) I requested a telnet account (no SSH), and the permissions were such that I could cd / and cd into any other client's home directory. I assume that other telnet users could access my home directory as well.

All for only four bucks a month.

Re:well what ISPs released the info? i want to avo

[gbulmash]

Inoffensive? Beware. I once included a political joke in a post. It would get a downmod, then an upmod, then a downmod, then an upmod...

Every time the anti-bushies raised my score, that allowed the pro-bushies to expend more negative mod points to try to knock my post down. All in all, I got like 27 positive mods and 25 negative mods. And for getting 25 negative mods, I got my posting privileges suspended for almost a month.

Now, if none of the anti-Bush crowd had modded me up, the pro-Bushies could have given me a max of 3-6 negative mod points. But because of all the upmods, it allowed for dozens of downmods, triggering an automatic suspension.

Thing is, it's not just your opponents trying to shout you down that causes you trouble. It's all the people trying to cancel them out that creates the opportunity for you to get so many downmods on a single post that you get suspended.

- Greg

Re:well what ISPs released the info? i want to avo

[styrotech]

I, for one, could put forward the argument that it is the responsibility of the poster to fully disclose to the public, (after first notifying the offenders and waiting a reasonable amount of time), so that those of us who are vulnerable to such a social engineering attack, can know about it and react accordingly.

What so you can wear the cost and disruption of moving to another provider that he didn't test and will probably do the same thing anyway?

Wouldn't he be better off just posting a list of providers that didn't fall for it?

Then again, either list might not be entirely useful. From just one test per provider, how do you know how common either successes or failures are for them?