Hackers Completely Shut Down DDoS Protection Firm Staminus (softpedia.com) 64
An anonymous reader writes: Hackers have breached DDoS protection firm Staminus, a US-based company that offers protection against a range of network security attacks including, well, DDoS. The fraudsters have also reportedly stolen sensitive data from Staminus' database and dumped it online. Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text. The alleged security nightmare doesn't end there, unfortunately. Hackers managed to expose crucial services via external Telnet, and reset all of Staminus' routers to factory settings, causing a network and services downtime. Staminus acknowledged network and services issues, which apparently last for more than 20 hours, on Thursday, and later assured that its global services have been restored.
credit card details in plain text? (Score:4, Insightful)
Re:credit card details in plain text? (Score:5, Insightful)
They steal your bitcoin wallet information and transfer it, it's gone.
Re:credit card details in plain text? (Score:5, Funny)
Re: (Score:3)
Telnet (Score:3)
Even funnier is having telnet running. But then again telnet has had way fewer security issues than ssh and ssl lately.
Re:Telnet (Score:5, Insightful)
Fewer NEW ones yes. There's still the inherent one that won't go away ever.
Re:Telnet (Score:5, Funny)
Re: (Score:2)
You made my day!
Re: (Score:3)
Re: (Score:2)
Well if they used the same root password on every box they had bigger problems than telnet... All it takes is one box to be compromised and you have a pretty good chance of obtaining the password...
You can crack the hash, on windows boxes you can even pass the hash without cracking it, if you cant crack the hash then you can backdoor the services to capture passwords and wait for someone to log in, and unless the box is completely unused you can probably entice an admin to log in by crashing whatever servi
Re: (Score:2)
Well if they used the same root password on every box they had bigger problems than telnet... All it takes is one box to be compromised and you have a pretty good chance of obtaining the password... You can crack the hash, on windows boxes you can even pass the hash without cracking it, if you cant crack the hash then you can backdoor the services to capture passwords and wait for someone to log in, and unless the box is completely unused you can probably entice an admin to log in by crashing whatever service the box is supposed to be running... A crashing service doesn't even raise suspicion these days, people are used to software being unreliable and will just restart it or even reboot the whole box.
They haven't allowed anything other than SSH for 5+ years. He probably also sniffed it from the development environment. Everyone had sudo root access on on 100k+ hosts.
Re: (Score:2)
while I was working at Oracle
I'm not sure if I should think you're still okay in my book because it's past-tence or if you're no longer okay in my good book because you worked there.
You didn't work in sales, did you? Or legal?
Re: (Score:2)
There are many reasons why telnet is still around...
Some older devices support nothing else.
Some vendors charge you extra for SSH support (or for anything supporting encryption at all).
Windows only comes with a telnet client by default (although they are finally planning to change that).
Telnet isn't necessarily a problem if you control/trust the entire network path, for instance i have some switches i use for testing and i connect to them using telnet over a direct cable from my laptop to the switch itself
Re:credit card details in plain text? (Score:5, Insightful)
It's hard to not store credit card details in plain text. Even the fabled encryption relies on an automated system accessing it by decryption, meaning somewhere the key is accessible. You can hit the database application and say, "Please give me credit cards," and it decrypts them; or it at least can access the key and use that, so you get that too; or it's whole-disk encryption, so it's useless.
You store CCNs so you can re-bill people when you get hacked. We haven't advanced to the point of billing contracts in the financial system yet, so we won't send a vendor-signed billing contract up to the bank saying "I can bill with this frequency and this maximum charge per period". If we did, we could hit the bank and say "Contract #3876492 Bill=$42.79" and the bank would determine if the message was signed by the correct vendor, valid for the contract, and within correct billing limits, as well as what account it affects. No need to store CCNs.
Re:credit card details in plain text? (Score:5, Interesting)
The token/fake CC number, BTW, can contain the same last four card number digits as the real card, which makes it very easy to combine those four digits with a scrap or two of customer info in order to look up account history, etc., locally without having to interact with the bank again later.
Re: (Score:2)
Using the same last 4 digits would add a lot of work, considering computers can just look up a token (a number) against a table indexed by token that labels the relationship {Token,FK=CCN}.
The system I described was more robust--using a Contract ID with a merchant, rather than an abstract "token"--and includes authentication of the merchant, authorization of the merchant's billing activities, and exclusion of all personally-identifiable information in the billing action.
Re: (Score:2)
That entire processor could happen almost instantly, why would it need to take 45 days?
Re: (Score:1)
Because banks?
Re:credit card details in plain text? (Score:5, Insightful)
You store CCNs so you can re-bill people when you get hacked.
The best strategy is simply not to store them, ever. Let the card gateway store them (Authorize.net, PayPal, Amazon, etc) so if anything happens, it's not on your shoulders. I've run sites that accept credit cards for ~15 years, but I never, EVER store the numbers on my servers.
Re: (Score:2)
Amazon still stores them somewhere. Risk transfer is a good strategy; but somewhere down the line, someone faces these problems. People who claim things like encryption as a strategy for every data breach are under some weird belief that an automated computer system can both prevent a hacker compromising authentication from compromising authorization (i.e. it lets you access the data because it believes you're an authorized user, but the data is magically unreadable) and internally allow the authenticate
Re: (Score:2)
Amazon still stores them somewhere. Risk transfer is a good strategy; but somewhere down the line, someone faces these problems.
That's right, but it sure as shit ain't gonna be me. :)
Amazon probably has enough money and enough clever people (hopefully) to do a good job of securing credit card details, but I'm smart enough to know that I don't.
I'm not smarter and better funded than a million hackers, and I fucking know it. That's why I let someone who's better at doing it do it for me.
Re: (Score:1)
Re: (Score:2)
You take the card details and encrypt them using your processor's public key... That way you can re-bill the customer but you aren't storing the card number in a way that would be usable by anyone who hacked you.
Problem is that a lot of payment processors don't bother with this, and often require you to submit the plain text card number.
Re: (Score:2)
That exists where I live (The Nethelands) but it requires a signed paper form from the account owner as part of the billing contract.
Not something easily done over the internet.
It gets generally used for utility companies and subscriptions to magazines, cable and such.
I can even view all the active billing contracts on my bank's website and cancel them from there.
Re: (Score:3)
If they were storing credit card info in plain text, they weren't PCI compliant, and are 100% responsible for all costs relating to the investigation (average cost: $100,000) and remediation ($4-5 per card to replace, plus all fraud and related fees).
And they likely won't be allowed to take credit cards much longer.
Why store CC info online at all? (Score:1)
Er, why store ALL of it where hackers can get to it at all?
I see the day when companies store sensitive customer-provided info in a "near-line" data warehouse which has a small, carefully-controlled, carefully monitored data-pipe to their other systems.
When one of their main systems needs data for a specific customer, it asks for it and in most cases, it will get it, use it, then purge it.
But if too much data is being "pulled" from the "near-line" data store in too short a time, or if data is being pulled w
DDoS != DoS (Score:2)
Maybe they aren't a security firm?
DDoS != DoS
DDoS != security
Strictly speaking, a DDoS is different than typical security like typical DoS prevention firewall rules because there isn't much you can do about it once the packets reach you. These guys prevent the packets from reaching you while still letting legitimate traffic trough as much as possible during the DDoS attack.
Maybe these guys are specialized in DDoS and they know little about security and how to protect their network.
Re:Mischief (Score:5, Insightful)
These guys sound like an old-west movie set. A bunch of authentic-looking fascades held-up by timbers bracing them, no actual building behind the face.
Re: (Score:2)
Well yeah. If you get into the security business, you need to go big or go home; you're automatically an enormous target.
Re: (Score:2)
Re: (Score:1)
If you have a network with servers and a dedicated Internet connection, you should have the experts in house
This isn't about experts.
They are a DDoS protection service, and the way such companies work is that traffic to/from your network routes through their systems first. They purchase HUGE amounts of bandwidth, from multiple Tier1 backbone providers, and will often route traffic through a variety of extremely expensive mitigation appliances. Few companies can afford to pay for enough bandwidth and hardware to soak up a 500gig DDoS, let alone the hardware which will let you intelligently filter and allow legit t
Re: (Score:2)
Yeah, especially if you use the "cobbler's children" model to run your business.
Protection firm? (Score:5, Funny)
I would like to say mind = blown, but we see too much of this shit from so called "security companies". Anyone here want to start a real security company with me? Most of the people that will be posting in this thread are already more qualified than these "security companies" we keep reading about.
As soon as I finish this sentence, I am changing my voicemail message to: I will be unavailable the rest of the day as I commit myself to breaking the world record on the single longest series of facepalms.
Re: (Score:2)
If you do your security "properly" you will be more expensive than the competition and you will go out of business.
Capitalism is fun sometimes.
Not quite what you wanted to say? (Score:4, Funny)
Hackers have breached DDoS protection firm Staminus, a US-based company that offers protection against a range of network security attacks including, well, DDoS.
Well... wouldn't it make sense that a DDoS protection firm would offer protection against DDoS?
Unless the story here is the hackers took them down with a DDoS this sentence doesn't say as much as the author was hoping.
So far it looks like a plain network intrusion case.
Myth Busted (Score:2)
Funny (Score:3)
Re: (Score:2)
Happily some hackers exposed the truth.
If that was their agenda, they could have done so in a far less destructive way. Quite making excuses for griefers.
Re: (Score:2)
Those ways usually get you on the receiving end of very expensive lawsuits. They made sure there won't be any money left for that.
Seriously? (Score:4, Funny)
Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text.
What a brilliant strategy- standardizing on server passwords!
Storing credit card details in plain text is a super-duper PCI compliance no-no, however, and I'm truly amazed they had the balls to do this when they MUST have known better. This is one of the most serious violations when storing credit card data, and to have a security-industry company doing it is kind of mind-boggling.
Hands up who's surprised? (Score:5, Interesting)
I've heard of backup companies who don't take proper backups. The servers go, they lose all their customer's data, no returns.
This isn't a shock. Quite often the very people who you "have to consult" in order to appease your boss are the very snakeoil salesman that have no clue about what they're doing beyond talking themselves up.
I had a guy tell my boss that our website "was insecure, expired certificates, etc.". Turns out he was plugging our domain.com into some online checker but didn't notice that our website is actually www.domain.com. Our bare domain, therefore, of course wasn't encrypted or any such nonsense and had no need to be - it was just a landing page that HTTP redirected you to the proper domain (and, to be honest, 99% of the website has no need for a secure certificate either, as none of it is private or confidential - it's a website - and the CMS for it is accessed an entirely different way).
And the expired cert? Actually a fallback "localhost" cert returned by Apache if you specifically request a non-existent https subdomain like "https://domain.com" (which doesn't exist as a website, and only gets a response because it resolves to the same IP as www.domain.com which has the secure port open).
But he plugged it into the checker, so everyone must be able to get into our systems right?! What are we going to do about it?!
The very people who run these services HAVE NO CLUE what they are doing. Like the people that my employer keeps trying to get me to take training courses from, or the apprenticeship company that one of my colleagues has to spend 9 weeks training at.
He said last time he went that their "network" was a bunch of unlicensed workstations ("Just ignore that notice"), with no security, all the same passwords (so he was able to remote into the instructor's PC, etc.), admin-level accounts, all clients connected direct to the Internet with no filter or firewall, and that they thought he was "hacking" because he was remoted into his own home server after finishing their coursework and doing some research of his own. Another told him off for upgrading the version of server because his remote session was to a more modern version.
These were the people TEACHING HIM (supposedly) how to set up domains, manage a network, implement group policy, etc. etc. etc. And they'd not heard of virtualisation, proper imaging techniques (they have "rollback" on their clients but pretty much they are just used by class after class and rebuilt when necessary, hence why they are unlicensed as there's no KMS server, or even a proper image). And they were teaching him on Server 2008... his home server has 2016, and we're using 2012R2 in the workplace.
Basically, he's going there to tick a box to say that "someone other than my boss" thinks he can do the basics, not to actually learn anything. Unfortunately that "someone other" are obviously bog-useless at what they do, or they wouldn't be working at such a company - they'd have got themselves a job managing real servers somewhere.
That's pretty much what's happened here. Get a consultant in to audit things and say you're up-to-scratch. But who audits the auditor? No-one? Pointless then. And they can't even apply the principles that they are judging YOU on to their own internal systems.
I hope they lose every customer they had.
Renames Company To Stupidus. (Score:4, Funny)
Re: (Score:2)
Changes root password and calls it a day.
Ah, but you would have to change the root password from St4m|nu5 to Stup|du5
(St4m|nu5 was apparently the root password they used, according to the hackers, so it might not be true).
Customer lawsuits and PR damage ... (Score:2)
... will shut this company down for good, even if it does survive the technical damage.