UK Cosmetic Retailer Lush Targeted By Hackers
Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"
Color me nonplussed (Score:1)
Well, you could, that is, if you were able to get your hands on any fine Lush products, but now you can't, so I guess I'm not nonplussed after all.
How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.
Re: (Score:2)
How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.
There are alternatives. In the Netherlands we have iDEAL: http://en.wikipedia.org/wiki/IDEAL [wikipedia.org]
It works very simply: you only authorize a single payment. They could scam you out of a single payment, but that's it. I exclusively buy online at shops that support iDEAL, and that list is growing fast. Steam has also supported iDEAL for half a year now, and Blizzard accepts it as a payment method. The whole credit card setup is so stone-age compared to this.
Also note that I don't need to setup a different account or anyt
Re: (Score:2)
Agree, iDeal may not be the end-all, be-all solution for online transactions, but it's pretty solid, safe, and simple.
Currently I only do payments via iDeal or PayPal. My PayPal account is empty most of the time. If I want to buy something via PayPal I transfer the amount of money needed first and then make the transaction.
Re: (Score:2)
PayPal has instant transfers out of attached bank accounts available at least in the US.
Then you don't have the delay of waiting for the transfer to clear and add to your account balance, then paying with your balance.
Re: (Score:3)
Your credit card will be compromised. It is a fact of life.
Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people. Credit card companies do not prosecute - ever. So, even if someone is caught they aren't going to do any time.
Magnify the opportunity and reward 1000 times for a credit card database.
I do not know of anyone ever that had to pay for their credit card being used fraudulently. Generally I get a phone call asking i
Re: (Score:2)
Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people.
That's it? Hahaha, suckers!
Oh come on... (Score:4, Interesting)
It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.
Re: (Score:1)
Such is not always the case. Even if you run a top notch secure system, there will always be bugs and ways to compromise it.
Re:Oh come on... (Score:5, Insightful)
A "top notch" IT team will have
Sure, your system may be compromised. Sure, the first replacement system may be compromised again. During the compromise of the second you should get enough logs that by the third (or at worst fifth) time you come back, all the zero-day attacks the attacker is using have gone.
Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable".
* at the cost of a short term outage;
Re: (Score:3)
Not if the "zero day attacks" are in the bespoke code for your website. Then you'd be in the situation of getting whoever wrote your code to sort their mess out, which for a relatively small firm like Lush would probably mean dragging back in whatever lowest-bidder contractor they used.
Re: (Score:2)
dragging back in whatever lowest bidder contractor they used.
We are discussing here a "top notch" IT team.
a) they wouldn't have used a lowest bidder in the first place
b) once they know the URL they would be able to use one of the Apache filtering modules or a feature of their load balancer to block that URL
c) once they captured the URL that caused the break-in they could just fix the code themselves; being top notch, they won't be using anything they don't have the code for.
Even a slightly less than top notch company will have a support contract and in the case o
Re: (Score:2)
The hackers have already demonstrated that they're probably a cut above the average script kiddie, insofar as they hacked the site to forward credit card numbers and this went unnoticed for a couple of months.
There's a good chance that the IT team at the time this all blew up weren't sure exactly how the hackers got in in the first place. And if they were, they had evidence to suggest that attacks continued after the website was brought down and fixed. In which case, one line added to mod_security configu
Re:Oh come on... (Score:4, Insightful)
Maybe their admin password was 'password'
It was worse than that.... it looks like up until very recently they could well have had their site on a Windows 2000 machine. 2000 was the best version of Windows that MS ever made, but it still had some chronic shortcomings that make it totally unsuitable for most internet-facing tasks.
http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk [netcraft.com]
Of course it is all too easy to just flame Windows, but even (especially) the MS fans will agree that using IIS5 in at least 2007 is not a clever thing to have been doing.
But let's be honest, the way that site is slinging about the word "hacker" it is clear they do not have any kind of top-notch IT... or even any clue about computers - they probably accepted what the industry told them as 100% truths, and then think that somehow some person is doing fucking magic or something to get into their server. Considering how keen they seem to be to shirk responsibility for the break-ins (their list of suspect beliefs, for example), they truly do not recognise their own ignorance. The BBC miss the point too, and just go along with the hacker rhetoric as well.
Re: (Score:3)
2000 was the best version of Windows that MS ever made
Still... it's a dubious honor.
IMHO, Windows Servers have a purpose... to help administer lots of Windows Desktops with Active Directory, and, of course, Exchange. When running Exchange, you need a couple or three competent administrators, who do nothing else and are constantly on top of things... because it doesn't run by itself.
Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, r
Re:Oh come on... (Score:4, Insightful)
Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].
... perfectly correct, provided the server is administered competently.
This means you run an up to date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so and you're regularly ensuring the integrity of your site.
And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There are plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.
I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.
The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.
Re: (Score:2)
Upvote please the guy immediately above who knows a bit about Windows. It's hard, but do-able.
Re: (Score:2)
No chance, unfortunately, the /. view is very unlikely to agree.
Thing is, most hacks these days have rather more to do with the application than the platform it's running on. When I said "you have no business running a public website which processes transactions...", I include a public website running Linux.
I don't actually have any experience running Windows on a public server, and hence I wouldn't feel entirely confident I could do a decent job. But to claim it's impossible to do it properly is just ign
Re: (Score:3)
Lush isn't an IT firm, they're a cosmetics firm.
I would be astonished if their IT staff are in-house - there's a very strong chance they outsource it all.
Re: (Score:2)
I doubt much is online sales. The noxious fumes from their heavily scented products make a trip to Macy's highly unpleasant if you wander into the wrong part of the store.
Re:Oh come on... (Score:5, Interesting)
Noxious fumes from heavily scented products? Have you actually smelled their products? It's probably the only thing in Macy's that won't make my airway tighten up instantly. I have asthma and that toxic bullshit that is in most body products makes me react immediately, whether I can actually smell it or not; and so much the worse if I can smell it, since my body has been trained to associate the toxic reaction with the artificial smell.
My lady has Lush products and they are both less scented and less noxious than virtually anything else on the market. Stop with your FUD.
Re: (Score:2)
Second that. Fortunately my wife gets all of her Lush stuff in brick-and-mortar stores, not online.
Re: (Score:2)
noxious (adjective): harmful, poisonous, or very unpleasant.
I find Lush products to be noxious. My wife also finds their products to be noxious.
Lush sells a heavily-scented product line. If you don't believe that I don't know what to say.
It has some of the strongest, most intense scents I have ever encountered. I would rather stand down-wind from a hog farm than in an aisle full of Lush products.
If your lady has you convinced it's more lightly scented than other products, your lady is fucking wit
Re: (Score:2)
I note that you post Anonymously, probably because you are a fucking toolbag shill.
If you can actually provide some kind of evidence, ANY kind of evidence, that it's Lush products in isolation causing this to happen, AND that these products are smellier than the USUAL stuff which you find in those stores (even my local Grocery Outlet, a second-run grocery store that sells pullbacks, has a whole stinky section of brand-name perfume next to Checkstand #1) then I might consider that you are a real human with a
Re: (Score:2)
God, do you work for Lush?
Call Macy's. Ask for the Lush counter.
Don't ask if it's natural, don't ask anything else. Just tell them that your mother likes things with a very mild scent, one of your workmates said Lush was good, and ask if it has a mild scent or if it's pretty strong.
If you can't tell on your own then maybe you have some level of anosmia.
Further..... we're arguing about cosmetics on Slashdot. What the fuck. Can we just stop now???
Moderators, please. DON'T MOD EITHER OF US UP.
Re: (Score:2)
God, do you work for Lush?
No, but I wouldn't mind. I would not, however, work for one of the cosmetics products companies that is knowingly using toxics in their products.
Sometimes I wonder if the dollar stores were created to kill off Mexicans. They're full of toxic shit (there's been recalls for notebooks with lead paint on the covers and such) and notably they have tons of Latin-colored (you know, bright clashy colors) plates and such which have lead warnings printed in them only in English when the people who buy that stuff over
Re: (Score:2)
A "top notch" IT team will have a proper budget.
Most of the things you mentioned cost money, and sadly most IT teams are the bastard children of management decisions as far as budget goes.
It usually takes something like this before management decides to finally empower the IT team with some form of financial support for their IT needs.
"We'd like to offer you a job..." (Score:3)
"...if your salary weren't way above what us cheapskates are willing to pay!"
Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.
Re: (Score:3)
"...if your salary weren't way above what us cheapskates are willing to pay!"
Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.
No doubt there is some truth in that. However, the smart guys work for the challenge, not the money. I know plenty of rich crap people and plenty of smart not-so-rich people.
Re: (Score:2)
or whether the guy who designed the kit was formidable.
Re: (Score:2)
FTFY
Re: (Score:2)
It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.
Exactly. I'll bet the Lush IT team consists of a few guys who might be reasonably smart, but they just can't cover the amount of work they are meant to be doing. Management interference and other distractions most likely mean they could not keep track of all the work they should be doing.
Unless they took the Microsoft route, that is. Then they most likely employed a bunch of MCSEs who don't really understand technology, spent a fortune on Windows servers and another fortune on Active Directory servers, and s
Re: (Score:1)
"It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't."
No, it's whether they actually HAD an IT team, or whether they just paid for a website and expect it to run forever with their great management skills.
Re:My opposite experience (Score:4, Insightful)
'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'
Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open MySQL port or a conveniently informative log file. Fix your shopping cart, you morons.
Re: (Score:2, Interesting)
'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'
Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open MySQL port or a conveniently informative log file. Fix your shopping cart, you morons.
MySQL? Looks like the port is open. Running 5.0.91 by the looks of it too.
And they wonder why they were hacked.
Re: (Score:1)
Sometimes it's a good idea to stay clear of crime scenes.
Re: (Score:2)
It's PHP Apache if you look.
PHP. The free alternative to visual basic.
Re:Netcraft says.... (Score:4, Informative)
Wrong, if you check their 'what's that site running' history [netcraft.com] you'll see that they only switched to Apache yesterday. Before that, they were on IIS 5 on, FFS, Windows 2000, which is a sign that they were probably running on outdated poorly managed systems. The fact that the attack attempts "continue" is probably meaningless as whatever they were, they are almost certainly failing now, but the attempts will still show up in the logs which will make any naive IT administrator nervous.
Re: (Score:3)
Yeah, every computer on the internet is under constant attack. Like a lot of people, I've moved my SSH daemon to a non-standard port out of annoyance with my secure log filling up with common username/password login attempts from botnets.
If you're presenting a service to the world on a standard port, botnets will always be trying to robohack you.
I'm not too sure of that Netcraft report though as Lush appear from their statements to have been with their current hosts since at least October last year, so the
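The "secure log filling up" that the comment above describes is also the easiest place to see a botnet at work, so here is an added example (not code from the thread or from Lush) that parses constructed sshd lines in the usual /var/log/secure layout and flags sources spraying passwords at many usernames. The log lines, hostnames and IP addresses are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog layout sshd writes to /var/log/secure
# (or auth.log). Made-up entries on documentation IP ranges, not real data.
SAMPLE_SECURE_LOG = """\
Jan 21 03:14:07 shop sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 21 03:14:09 shop sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 21 03:14:12 shop sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 21 03:14:15 shop sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jan 21 03:14:20 shop sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jan 21 03:15:02 shop sshd[2110]: Failed password for alice from 198.51.100.23 port 40012 ssh2
Jan 21 03:15:09 shop sshd[2110]: Accepted publickey for alice from 198.51.100.23 port 40012 ssh2
Jan 21 03:16:30 shop sshd[2115]: Invalid user pi from 192.0.2.44 port 33000
Jan 21 03:16:31 shop sshd[2115]: Failed password for invalid user pi from 192.0.2.44 port 33000 ssh2
"""

# One failed password attempt. "invalid user" means the account does not exist,
# which is typical of botnets spraying default usernames.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_attempts(log_text):
    """Group failed password attempts by source IP.

    Returns {ip: {"users": Counter(username -> failures), "invalid": n}}.
    """
    by_ip = defaultdict(lambda: {"users": Counter(), "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd noise are ignored
        entry = by_ip[m.group("ip")]
        entry["users"][m.group("user")] += 1
        if m.group("invalid"):
            entry["invalid"] += 1
    return dict(by_ip)


def brute_force_sources(log_text, threshold=3):
    """Flag IPs with at least `threshold` failures, busiest first.

    Each hit carries the attempt count, the distinct usernames tried and how
    many attempts targeted non-existent accounts. A single typo by a real
    user (one failure, then success) stays below the threshold.
    """
    hits = []
    for ip, entry in failed_attempts(log_text).items():
        attempts = sum(entry["users"].values())
        if attempts >= threshold:
            hits.append({
                "ip": ip,
                "attempts": attempts,
                "users": sorted(entry["users"]),
                "invalid_user_attempts": entry["invalid"],
            })
    return sorted(hits, key=lambda h: (-h["attempts"], h["ip"]))


if __name__ == "__main__":
    for hit in brute_force_sources(SAMPLE_SECURE_LOG):
        print(f'{hit["ip"]}: {hit["attempts"]} failures, '
              f'{hit["invalid_user_attempts"]} against non-existent accounts, '
              f'usernames tried: {", ".join(hit["users"])}')
```

Moving the daemon to another port only thins out the noise; counting failures per source (and noticing that most target accounts that do not exist) is what separates a botnet from a colleague mistyping a passphrase.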
Re: (Score:2)
I note that they also switched hosting provider. Obviously they're not too keen on their previous provider.
Every generation... (Score:2)
Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed? If you're doing it for the fun of hacking, how much fun could it be to repeatedly hack a site that's obviously not very difficult to hack? Or is this just some juvenile delinquents trying to steal credit card details?
Re:Every generation... (Score:4, Informative)
They were doing it to steal credit card details. There are reports in the comments sections of various newspapers that they were using the cards to buy Telefonica O2 pay as you go credits. Presumably they then use these to phone premium rate numbers and cash out that way.
Re: (Score:3, Insightful)
Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed?
I wouldn't really call them evil. They notified all their online customers that their details may have been compromised and to take precautions (my girlfriend was one of them), as opposed to keeping it quiet, not telling anyone, and hoping everything blows over.
My girlfriend often tells me how ethical they are as a company: they stopped using plastic packaging for their products wherever possible, and allow customers to return empty pots to them for a discount on their next purchase (and they then re-u
Re: (Score:2)
As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess with my breathing. Most girls don't seem to mind it though.
That's the biggest advert they've got! You can smell one of their shops halfway down the street.
Re: (Score:2)
Smells good to me. You can buy their soaps and your bathroom smells wonderful as well. I buy their stuff here in the States and like it actually. Is Lush Canada, Lush UK, and the Lush company here in the US all the same? I wonder what the other web sites are running... :-O
Re: (Score:2)
Very much so; they've openly admitted that they have been approached by people wanting to license/franchise the brand outside the UK, where they're based, and refused.
Re: (Score:2)
Okay, well that makes sense. Here in the US I don't see them selling so much make-up like others have described, as they do mostly natural bath products. I also don't see them in the likes of Macy's as has been described here. At least not that I've noticed. They DO have their own shops however, and I've visited them at several malls and at an airport of all things. I always have some of their soap here and while I don't use it all the time the stuff smells great. I've actually found that when women smell it
Re: (Score:2)
The Win2K web server was with an outside hosting company.
I can't believe any self-respecting hosting company is still operating anything running 2K, so my money's on it being their own server in a colo (which is now an Apache server with United Hosting - who I don't think do colo, so I'd imagine it's a case of "we need to move our site to something which we can be 100% certain hasn't been hacked 15 ways from Sunday - the only way to do that is to run it on a different server altogether").
They do virtually no mak
And so (Score:2)
Someone thought that slashdotting the site would help more...
Glass half empty, or half full? (Score:2)
Well, after their servers experience a Chernobyl style meltdown from slashdotting, the hackers can't even get close enough to sift through the ashes! :-)
Re: (Score:2)
Someone thought that slashdotting the site would help more...
The site is mainly text with a couple of images. No adverts (I don't think). More likely to stand up to a large influx of visitors compared to a site that is half flashy adverts, due to transferring less data.
Our morals and those of our customers? (Score:2, Interesting)
How do they ascertain customers' morals? Just because someone buys something from you doesn't mean they have good morals!
What if the culprits turn out to be customers assisted by an employee? :)
Re: (Score:1)
What if the culprit(s) turns out to be an employee?
Re: (Score:1)
Consider that the customers are customers. That means that they pay money in return for products, as opposed to, say, stealing them. This might imply that the customers agree on "stealing is undesirable." Some might even extrapolate to "cracking servers is undesirable."
Smelly (Score:2)
The smell from their shops is so strong that it's actually unpleasant to stand at a nearby bus stop.
Re:Smelly (Score:5, Funny)
Oh, it's only a phase. It normally ends once they go to university.
Re: (Score:1)
Exactly. If there were only some way of preventing the stores from opening and instead allowing customers to shop online...
Having a page on eBay and Amazon is something a few companies are doing now. The sort of script-kiddies and spotty virgin bedroom boys who try and take sites down are too lame to be able to affect them, so you'd be safe.
Re: (Score:3)
It does not, however, forbid taking the details in the first place. Which means that it'd be easy enough to slip a few lines into the shopping cart script that forward card details for every transaction to some hacker.
Which would explain why they're only worried about customers who bought stuff in the last couple of months.
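The scenario in this comment (a few lines slipped into the cart script so every transaction is copied elsewhere) and the earlier comment's advice to be "regularly ensuring the integrity of your site" point at the same control: a hashed baseline of the web root taken from a known-good release, compared against the live tree. Added example, not code from Lush or from anyone in the thread; the tiny PHP cart, its file paths and the simulated tampering are constructed placeholders.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a small PHP shopping cart. Made-up files, not Lush's code.
CLEAN_SITE = {
    "index.php": "<?php include 'cart/checkout.php';\n",
    "cart/checkout.php": "<?php\n$card = $_POST['card'];\n$gateway->charge($card);\n",
    "css/site.css": "body { font-family: sans-serif; }\n",
}


def hash_tree(root):
    """Map every file under `root` (relative path, forward slashes) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Report which files were modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def write_tree(root, files):
    """Materialise {relative path: content} under `root`, creating directories as needed."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Baseline a clean copy, simulate a tampered deployment, and return the difference."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, CLEAN_SITE)
        baseline = hash_tree(root)  # in practice: taken at release time, stored off the web host
        # Simulate what the comment describes: lines appended to the checkout script and an
        # unexpected file dropped into the web root. Both are inert placeholder text.
        with open(os.path.join(root, "cart", "checkout.php"), "a", encoding="utf-8") as fh:
            fh.write("// TAMPERED: placeholder for unexpected added lines\n")
        write_tree(root, {"cart/.cache.php": "<?php // placeholder for an unexpected new file\n"})
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

The check only works if the baseline lives somewhere the web server cannot rewrite and is refreshed on every legitimate deploy; otherwise a change to the cart script is indistinguishable from a release.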
Re: (Score:2, Insightful)
Why do you want credit card companies to persecute their customers? Shouldn't they be reaching out to their customers with a more friendly business model?
You see, the way it works is the cardholder gets the stuff taken off their bill - usually no questions asked, it just happens. OK, so they want you to jump through some hoops for it, but it will happen no matter what.
Then the credit card company charges back the purchase to the merchant. The merchant should have insurance to cover this sort of thing, so
Re: (Score:2)
Wow just yesterday my spouse got called by Amex because a (one single) charge appeared that fell outside her normal spending pattern and they suspended her card right away, told her she would not be charged the amount and told her a replacement card would be received within 5 business days.
I used my business debit card for a sub $100 withdrawal, at an ATM in a branch of my bank, in a small town about 30 miles from where I normally do business. This set off some kind of alert and the fraud division called m
Yum (Score:2)
Their coconut soap's fantastic.
Goes great with a bit of ice cream and grated dark chocolate.
Re: (Score:2)
> I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.
Yeah, like speciality fudge or something.
Don't think that the ingredients are that different, either. Replace the oil with butter, and add a bit of sugar :)
Morals ... (Score:2)
"We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."
Are these the same morals that allow Lush to charge premium prices for what is essentially home-made soap [wikipedia.org]?
Re: (Score:2)
"We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."
Are these the same morals that allow Lush to charge premium prices for what is essentially home-made soap [wikipedia.org]?
I think it's mostly hand-made. Surprisingly, human workers cost more than machines.
Besides, most things of a 'premium' brand will have a large mark-up. I've heard that for trainers (sneakers? Is that the American term?) they don't get much better in quality past the £50 point, but companies still have ones that cost over twice that, because if they didn't someone else would sell them for that much, and people would buy them (perceived high quality from spending more).
Own up already (Score:2)
Windows 2000/IIS? Storing cc numbers as plain text in your online database? If you're gonna lay down next to fire ants, don't cover yourself in honey.