UK Cosmetic Retailer Lush Targeted By Hackers
Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"
Re:My opposite experience (Score:4, Insightful)
'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'
Oh for fucks sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.
Re:Oh come on... (Score:5, Insightful)
A "top notch" IT team will have
Sure, your system may be compromised. Sure, the first replacement system may be compromised again. During the compromise of the second you should get enough logs that by the third (or at worst fifth) time you come back, all the zero-day attacks the attacker is using have gone.
Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable".
* at the cost of a short term outage;
Re:Every generation... (Score:3, Insightful)
Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed?
I wouldn't really call them evil. They notified all their online customers that their details may have been compromised and to take precautions (my girlfriend was one of them), as opposed to keeping it quiet, not telling anyone, and hoping everything blows over.
My girlfriend often tells me how ethical they are as a company: they stopped using plastic packaging for their products wherever possible, and allow customers to return empty pots to them for a discount on their next purchase (and they then re-use the pots). As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess with my breathing. Most girls don't seem to mind it though.
Re:Oh come on... (Score:4, Insightful)
Maybe their admin password was 'password'
It was worse than that.... it looks like up until very recently they could well have had their site on a Windows 2000 machine. 2000 was the best version of Windows that MS ever made, but it still had some chronic shortcomings that make it totally unsuitable for most internet-facing tasks.
http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk
Of course it is all too easy to just flame Windows, but even (especially) the MS fans will agree that using IIS5 in at least 2007 is not a clever thing to have been doing.
But let's be honest, the way that site is slinging about the word "hacker" it is clear they do not have any kind of top-notch IT... or even any clue about computers - they probably accepted what the industry told them as 100% truths, and then think that somehow some person is doing fucking magic or something to get into their server. Considering how keen they seem to be to shirk responsibility for the break-ins (their list of suspect beliefs, for example), they truly do not recognise their own ignorance. The BBC miss the point too, and just go along with the hacker rhetoric as well.
Re:Oh come on... (Score:4, Insightful)
Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].
... perfectly correct, provided the server is administered competently.
This means you run an up-to-date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so, and you're regularly ensuring the integrity of your site.
And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There are plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.
I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.
The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.
Re:Mobile Operators and Police don't help (Score:2, Insightful)
Why do you want credit card companies to persecute their customers? Shouldn't they be reaching out to their customers with a more friendly business model?
You see, the way it works is the cardholder gets the stuff taken off their bill - usually no questions asked, it just happens. OK, so they want you to jump through some hoops for it, but it will happen no matter what.
Then the credit card company charges back the purchase to the merchant. The merchant should have insurance to cover this sort of thing, so it is no loss to them.
So who loses here? Nobody. Victimless crime.
The only problem is if the merchant doesn't have insurance. Too bad then. Should have gotten the insurance because it is going to happen to you eventually.
Obviously here the credit card company isn't going to prosecute anyone.
Oh, from a closer reading of your post it sounds like a DEBIT card was used, not a credit card. Well, the rules for those are different and banks are extremely reluctant to remove charges. Of course, they will charge back to the merchant anyway, just the same as a credit card. Except you might not ever get your money back from it and it just stays on your bill.
Simple rule here: never, ever use a DEBIT card online. Ever. There are no systemwide rules for how those transactions are cancelled as there are for credit cards. Use a debit card and lose your money. Period.