But there was no hacking of our servers!!



  • http://news.softpedia.com/news/UGNazi-Leaks-1-7-GB-of-Data-from-WHMCS-Servers-270914.shtml [quote user=""]A hacker group calling themselves "UGNazi" has managed to gain access to the systems of WHMCS - a company that offers client management, billing and support solutions - leaking 1.7 gigabytes' worth of data. The hackers have also deleted all the files from the firm’s server, which has led to the loss of the latest orders and tickets.  The data leak comprises 500,000 usernames, passwords, IP addresses and in some instances credit card details.[/quote]But not to worry!!  The head of the company has a very reassuring blog post:@Matt Pugh said:

    The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

    This means that there was no actual hacking of our server. They were ultimately given the access details.

    This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.
    Yes, that really is good news.  We weren't hacked and there is no vulnerability in out software -- we just gave them the information they needed to get in. That's so much better.

    Extra bonus points -- they don't have their own servers.  Thay are using a company called "HostGator".



  • This is just like how Macs don't get "viruses," they only get "malware." As if changing what you call it makes it less of an issue. "Oh, it's not really that bad. They just logged in and stole your identities, they didn't actually exploit the system's security to steal your identities."



  • Thier clients don't care how they got in, just that a hacker got in and got the data, and deleted the data fro the servers, etc.

    So maybe there was no hacker and Mister Matt Pugh was just covering his tracks and removing the evidence that he made a bet with 75% of the companies  assets in Vegas and found out the only way this can stay in Vegas is to delete the companies assets?

    But seriously, this just goes to show that those access questions should be seen as just another password into your system.

    The questions such as "What was your schools Mascot" should nto be answered with teh schools mascot but rather "ZAQ12#$rfv"

    but no one ever listens when I say, if you lose your password all you need is a public records search for your mothers maiden name to get in, how is that secure?


  • Discourse touched me in a no-no place

    @El_Heffe said:

    @Matt Pugh said:
    The person was able to impersonate myself with our web hosting company,

    @El_Heffe said:
    Thay are using a company called "HostGator".

    Perhaps someone could offer to increase their list of "10 Ways to Tell if Your Web Host Sucks"



    11) Their 'offline' authentication mechanisms allow unauthorised 3rd parties access to your data.





    Of course, the author of that post is no stranger to this type of thing, having written an article on How to Put the Kibosh on Content Scrapers & Thieves.



    All highly ironic of course.



  • @KattMan said:

    but no one ever listens when I say, if you lose your password all you need is a public records search for your mothers maiden name to get in, how is that secure?

    Mother's maiden name AND access to the victim's email, for non-WTF implementations...



  • @El_Heffe said:

    Extra bonus points -- they don't have their own servers.  Thay are using a company called "HostGator".

    HostGator, aren't they like "scraping the bottom of the barrel" cheap?



  • @blakeyrat said:

    @El_Heffe said:
    Extra bonus points -- they don't have their own servers.  Thay are using a company called "HostGator".

    HostGator, aren't they like "scraping the bottom of the barrel" cheap?

    You could say that.




  • @El_Heffe said:

    @blakeyrat said:

    @El_Heffe said:
    Extra bonus points -- they don't have their own servers.  Thay are using a company called "HostGator".

    HostGator, aren't they like "scraping the bottom of the barrel" cheap?

    You could say that.


    Only 130% wind powered?? I actually give a shit about the environment, I won't settle for anything less than 175%.



  • @pkmnfrk said:

    @El_Heffe said:

    @blakeyrat said:

    @El_Heffe said:
    Extra bonus points -- they don't have their own servers.  Thay are using a company called "HostGator".

    HostGator, aren't they like "scraping the bottom of the barrel" cheap?

    You could say that.


    Only 130% wind powered?? I actually give a shit about the environment, I won't settle for anything less than 175%.

     

    If they can use 130% power then they broke the laws of physics and mathematics, who knows what far-reaching effects that could have on the environment!

     



  •  @KattMan said:

    The questions such as "What was your schools Mascot" should nto be answered with teh schools mascot but rather "ZAQ12#$rfv"

    but no one ever listens when I say, if you lose your password all you need is a public records search for your mothers maiden name to get in, how is that secure?

    I totally agree. I don't think i've ever answered such a question with something i would be able to reproduce. At the very least they should let you come up with a question yourself, and not one of those standard questions that anyone can look up. And even then i think i would just enter some random crap.



  • @KattMan said:

    The questions such as "What was your schools Mascot" should nto be answered with teh schools mascot but rather "ZAQ12#$rfv"

    But that was my high schools' mascot! Good ol' Zaqqy the Zaqafarian from the planet Zaqanos. His alien powers included: school pride, perfect attendance and slashing the visiting team's tires if we lost a game.



  • I used to read stories of these over on attrition.org years back - site owners claiming they weren't hacked whilst simultaneously threatening to sue Jericho et al. for data theft.

    (the underage photo was a particularly good self-LART tale)

    I honestly wonder if those making them statements can't actually hear themselves speak, missing the opportunity to self-critique the emerging verbatim. They've gotta cringe in future when they read what they said.



  • @Cassidy said:

    I used to read stories of these over on attrition.org years back - site owners claiming they weren't hacked whilst simultaneously threatening to sue Jericho et al. for data theft.

    (the underage photo was a particularly good self-LART tale)

    I honestly wonder if those making them statements can't actually hear themselves speak, missing the opportunity to self-critique the emerging verbatim. They've gotta cringe in future when they read what they said.

    In their WHMCS' defense, they're technically correct (which is the best kind of correct). If I borrow your car and then hand the keys to a 13 year-old boy along with a bottle of whiskey, I didn't wreck your car, did I?



  • @morbiuswilters said:

    In their WHMCS' defense, they're technically correct (which is the best kind of correct).

    Stop going pedantic wickdeed on us now, Morbs! Back AWAY from the keyboard. Apply self-slappage. There. Better?

    @morbiuswilters said:

    If I borrow your car and then hand the keys to a 13 year-old boy along with a bottle of whiskey, I didn't wreck your car, did I?

    Okay, I'll bite on this one. No, you didn't wreak my car, but I don't think the analogy compares. Basically the facts are:

    • they were compromised, someone was able to gain unauthorised access, data was taken, data was deleted...
    • they "weren't hacked".  It's completely different. It's not the same thing.
    as Kattman points out: no matter how your dress it up or try to put a spin on it, the end results are the same for customers - their private data has been copied and/or deleted. Quibbling about the method in which it was performed and what name you give to it doesn't really help the customers who have suffered as a result - they are the ones that have lost out, and comments like the ones Matt Pugh gave don't exactly inspire confidence nor reassure.


  • @Cassidy said:

    No, you didn't wreak my car, but I don't think the analogy compares.

    I didn't wreck your car, either. And car analogies always apply in technology discussions.

    @Cassidy said:

    as Kattman points out: no matter how your dress it up or try to put a spin on it, the end results are the same for customers - their private data has been copied and/or deleted. Quibbling about the method in which it was performed and what name you give to it doesn't really help the customers who have suffered as a result - they are the ones that have lost out, and comments like the ones Matt Pugh gave don't exactly inspire confidence nor reassure.

    The end result is what matters in the car analogy, too. The point is, due to my negligence, your car was wrecked. I didn't wreck it. And WHMCS' software wasn't "hacked".

    Anyway, my point wasn't to seriously argue over this. It was just an amusing analogy pointing out that negligence is negligence, no matter how you dress it up. I don't think we substantively disagree.



  • @Matt Pugh said:

    The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host

    INSIDE JOB! who else than a disgruntled tech at WHMCS or HostGator would even hear about those guys



  • @Matt Pugh said:

    The person was able to impersonate myself ... "
     

    If there's one thing I hate more than illiterates, it's fucking illiterate illiterates who own a company, run for public office or hold positions in education.

    It is our sworn duty to Junior Wells and all that we hold holy to prevent these numbskulls from reproducing.

     



  • @mott555 said:

    If they can use 130% power then they broke the laws of physics and mathematics

    Not necessarily, they could produce more power that they need and sell it to other companies, hence the 130%



  • @morbiuswilters said:

    negligence is negligence, no matter how you dress it up.
     

    The difference that the blog post is trying to highlight is that it was the hosting company's negligence and not the software company's negligence, which is a huge difference imo


  • Trolleybus Mechanic

    @morbiuswilters said:

    @Cassidy said:
    No, you didn't wreak my car, but I don't think the analogy compares.

    I didn't wreck your car, either. And car analogies always apply in technology discussions.

     

    Technically you did wreck my car, because there's no way I'll ever be able to flush all the semen out of the exhaust system. (How're your burns, BTW?)

    And besides, it's more like I left my car in Pugface's carport and gave him the keys. Then he left the keys in one of those hidden keyholders, except he didn't hide it, and left the product sticker that said "HIDDEN KEYHOLDER: HIDE YOUR KEYS SO YOU CAN ALWAYS ACCESS YOUR CAR".

    And then when someone came around, that some said "I'm, like, totally a car owner. Can I go into the carport?" 

    So technically, no one broke into the car to steal it. I didn't see a jimmy, or a lock pick. I just saw some guy walk up to your car, take the key I left on the dashboard in a bright pink neon box, and then he drove away. But it's okay, no need to worry. NO ONE BROKE IN. Cool? K.

    In other news, people shouldn't do hip-hop in tap shoes.


  • Discourse touched me in a no-no place

    @Zolcos said:

    @morbiuswilters said:

    negligence is negligence, no matter how you dress it up.
     

    The difference that the blog post is trying to highlight is that it was the hosting company's negligence and not the software company's negligence, which is a huge difference imo

    And the software company was not negligent in their choice of hosting company....?



  • @Zolcos said:

    @morbiuswilters said:

    negligence is negligence, no matter how you dress it up.
     

    The difference that the blog post is trying to highlight is that it was the hosting company's negligence and not the software company's negligence, which is a huge difference imo

    Except, in this case, they went with a low-cost shit-host, which makes them negligent. Storing sensitive data on a shared web host is a massive WTF. Now, if they'd been coloing with a reputable provider and their provider did something moronic like letting a complete stranger into their cabinet, then yeah, I'd blame the provider.

    It's like when I eat at McDonald's, I don't complain about pubic hair in my food. It's a low-cost service and I realize it's not economical for McDonald's to have a 0% pubic hair rate. But if I'm eating a $200 meal at a fancy restaurant, the only pubic hairs in my food should be the ones I put there myself.



  • @morbiuswilters said:

    if I'm eating a $200 meal at a fancy restaurant, the only pubic hairs in my food should be the ones I put there myself.

    Unless:

    • you return your food to the kitchen because it's not warm enough or cold enough
    • you ask for ketchup
    • you are a cop and they know it

    Log in to reply