
Network Solutions Suffers Massive Data Breach

Soulskill posted more than 4 years ago | from the is-there-a-prescription-for-that dept.

Security 70

dasButcher writes "Network Solutions, the domain registration and hosting service company, suffered a massive security breach that lasted three months and exposed tens of thousands of credit card numbers of its customers and of the businesses that use its hosting and online payment processing service. The company is just beginning the victim notification process. 'There is no information on how the code was planted on the sites. While examination of the code shows that it had the ability to ship data off to a third party, and Network Solutions believes that it did just that, the exact code is not available for public review. There is also no public information as to where the data believed to be stolen was sent.'"


Big companies (1, Informative)

sopssa (1498795) | more than 4 years ago | (#28817781)

This is exactly why you don't go with the *HUGE* companies. There's a huge possibility that someone somewhere will target it and get around their security. It just takes one hack and all customers are affected. Security by obscurity is not always such a bad idea; go with the small ones who also can do their shit, and aren't such a big target.

Big penises (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28817797)

This is exactly why you dont go with the *HUGE* penises. Theres a huge possibility that someone somewhere will target it and get around their security. It just takes one hack [goatse.fr] and all customers are affected. Security by obscurity is not always such a bad idea; go with the small ones who also can do their shit, and aren't such a big target.

Re:Big companies (4, Insightful)

ScrewMaster (602015) | more than 4 years ago | (#28817813)

> This is exactly why you don't go with the *HUGE* companies. There's a huge possibility that someone somewhere will target it and get around their security. It just takes one hack and all customers are affected. Security by obscurity is not always such a bad idea; go with the small ones who also can do their shit, and aren't such a big target.

Small registrars can suck just as much as the big ones. All you can do is go by reputation: unfortunately, by the time a company has gotten popular enough to gain a good reputation, it probably has begun to start thinking more about money than quality.

Re:Big companies (1)

sopssa (1498795) | more than 4 years ago | (#28817841)

True, to an extent. Thankfully I've found a great reseller that just knows how to do things and provides an easy-to-use API and fast support etc. As far as I know, they are quite a large reseller but they've kept it good as they know what they're doing.

But yeah, with GoDaddy's major ad campaigns and such it's probably hard for a newcomer or someone doing other business to find a good provider.

DNSSEC (1)

TheLink (130905) | more than 4 years ago | (#28818045)

At least you have an option to go somewhere else.

But with DNSSEC, I believe we'd all be stuck with one per TLD.

So who is going to be in charge of .com for DNSSEC purposes? Network Solutions?

Re:DNSSEC (1)

shentino (1139071) | more than 4 years ago | (#28821359)

It had better be verisign or ICANN.

Not the best but I'd just as soon trust a registry than a registrar.

Re:DNSSEC (1)

amorsen (7485) | more than 4 years ago | (#28821955)

Verisign is Network Solutions...

Re:DNSSEC (2, Funny)

Lennie (16154) | more than 5 years ago | (#28825177)

Good thing they are going to handle the root signing process for DNSSEC as we can all see, they know what they are doing.

Re:DNSSEC (1)

amorsen (7485) | more than 5 years ago | (#28825247)

Well they're the ones who issued Microsoft certificates to a fraudster. And the ones who implemented Site Finder. They also did a bit of securities fraud (options backdating).

Wonderful company.

Re:DNSSEC (1)

ScrewMaster (602015) | more than 5 years ago | (#28826589)

> Well they're the ones who issued Microsoft certificates to a fraudster. And the ones who implemented Site Finder. They also did a bit of securities fraud (options backdating).
>
> Wonderful company.

I think the GP was attempting a (401c) Expression of Subtle Irony.

Re:DNSSEC (1)

Lennie (16154) | more than 5 years ago | (#28825183)

> But with DNSSEC, I believe we'd all be stuck with one per TLD.

Why do you think it's different from the way it's handled now?

Re:Big mouths (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28818015)

Small mouths can suck just as much as the big ones. All you can do is go by reputation: unfortunately, by the time a mouth has gotten popular enough to gain a good reputation, it probably has begun to start thinking more about its herpes.

Re:Big companies (3, Informative)

sjames (1099) | more than 4 years ago | (#28818091)

> Small registrars can suck just as much as the big ones.

Yes, they can, but if you are a cyber-criminal and want to hack an e-commerce site to get credit card details, given two sites riddled with security flaws and assuming a non-zero amount of effort to crack them, do you crack the one that does 10000 transactions a day or the one that does 100?

Re:Big companies (1)

ScrewMaster (602015) | more than 4 years ago | (#28818243)

> Small registrars can suck just as much as the big ones.
>
> Yes, they can, but if you are a cyber-criminal and want to hack an e-commerce site to get credit card details, given two sites riddled with security flaws and assuming a non-zero amount of effort to crack them, do you crack the one that does 10000 transactions a day or the one that does 100?

It's a risk no matter what you do. I had a friend who had a couple domains at JumpDomain. So far as he knows, there was no security breach ... but they screwed him over in a number of other ways, including turning off his domains and refusing to transfer them for several months (something about the owner "being out of town." WTF?) My point is that you have to look at the whole picture and make decisions based upon your own needs. What I want out of a registrar may not be what you want. The big boys do fuck up on security (rather frequently, given the crap I've had to deal with from both my credit card issue and the bank that holds my mortgage), but are generally better about procedure. Little guys may (may, I say) be better on security, but often have other unprofessional attributes. Like I said, it all comes down to reputation, and that takes time to acquire. Don't just pick the first registrar you come across in your search engine of choice.

And no matter where you go, don't pay for your domains with a debit card.

Re:Big companies (1)

witherstaff (713820) | more than 4 years ago | (#28820647)

When I was doing direct credit card billing the merchant account agreement had a 10,000 fine for each and every card if it was stolen and was our fault. I'm hoping netsol gets a huge bill for this sort of thing. After the horrors of their monopoly on DNS I'm all for them suffering for bad service.

Re:Big companies (0)

Anonymous Coward | more than 4 years ago | (#28820785)

> When I was doing direct credit card billing the merchant account agreement had a 10,000 fine for each and every card if it was stolen and was our fault. I'm hoping netsol gets a huge bill for this sort of thing. After the horrors of their monopoly on DNS I'm all for them suffering for bad service.

No argument. 404 hijacking alone should earn them a special place in Hell.

Re:Big companies (0)

Anonymous Coward | more than 5 years ago | (#28824129)

Except of course when the small company is just a reseller for the big company. The fees to be a registrar are rather steep so if you're dealing with a *small* company chances are it's register.com or network solutions or someone else on the backend including all your contact and billing data.

I don't know about network solutions reseller API but chances are that someone out there was affected by this without even being aware that their domain was ultimately provided by network solutions.

Robert Gibbs in way over his head... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28817821)

http://news.yahoo.com/s/ap/20090725/ap_on_go_pr_wh/us_obama_harvard_scholar [yahoo.com]

My favorite quote from the article:

"The story had taken on a life of its own, and the White House scrambled to keep up."

LOL, that seems to characterize the job Robert Gibbs is doing pretty well!

Re:Big companies (4, Interesting)

Antique Geekmeister (740220) | more than 4 years ago | (#28817853)

As opposed to the small companies, where they haven't bothered to do any security yet? I'm explaining to a corporate partner right now why using the built-in version of subversion on RHEL with an HTTP setup, and NFS home directories, and using the Kerberos of Active Directory for Subversion passwords, is an exquisitely bad idea. (Your passwords are silently stored in clear text, and available over NFS shares.) The people who knew, and cared, had been told it wasn't on their tasklist. The managers further up assumed that it was safe because it was HTTPS. The managers in the *middle* hadn't been willing to discomfit people by teaching them to use SSH with keys, or spend the time having to type in passwords. So almost *every user's primary keys* were available to anyone who plugged in a live CD and poked around for NFS mountable home directories and bothered to mount them and look at /home/$USR/.subversn/auth/. This is a long-existing, publicly announced problem. Every environment where I've seen this sort of thing occur has been small: The big companies have a security architect whose job it is to scream about this kind of thing, and to insist that it be addressed. And the big companies are willing to have one person run the daily script to look for these passwords stored in people's home directories. (It only takes one person running an out-of-date OS accessing NFS home directories, or who hasn't updated to subversion 1.6 which at least asks before it stores your passwords.) Or a policy of not having password free SSH keys, and one person to notice their NFS mounted SSH keys without passwords that present the same sort of problem.
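The daily sweep described in the comment above, as an added example that is not part of the original post: a Python audit that walks home directories for Subversion credential caches holding a clear-text password and for SSH private keys with no passphrase, reporting paths only and never the secret. Assumptions: the cache lives under `~/.subversion/auth/svn.simple/`, a missing or `simple` passtype means clear text, every function name and sample file here is constructed, and the OpenSSH-format check goes beyond the key formats in use when the comment was written.

```python
import base64
import struct
from pathlib import Path

# Assumption: a missing or "simple" passtype means the cached password is clear text.
PLAINTEXT_PASSTYPES = {None, "simple"}
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's hash file: 'K <len>', key, 'V <len>', value, ..., 'END'."""
    fields, pos = {}, 0

    def read_item(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError("malformed svn hash record")
        start, size = eol + 1, int(header[1])
        pos = start + size + 1  # skip the item and its trailing newline
        return data[start:start + size].decode("utf-8", "replace")

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        fields[key] = read_item(b"V")
    return fields


def svn_cache_is_plaintext(data: bytes) -> bool:
    fields = parse_svn_hash(data)
    return "password" in fields and fields.get("passtype") in PLAINTEXT_PASSTYPES


def ssh_key_is_unencrypted(data: bytes):
    """True/False for a private key file, None for anything else (e.g. *.pub)."""
    lines = [ln.strip() for ln in data.decode("utf-8", "replace").strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return None
    if "ENCRYPTED" in lines[0]:  # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
        return False
    if "OPENSSH" in lines[0]:  # newer format: the cipher name sits inside the blob
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        (size,) = struct.unpack_from(">I", blob, len(OPENSSH_MAGIC))
        return blob[len(OPENSSH_MAGIC) + 4:][:size] == b"none"
    # Legacy PEM: an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.
    return not any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4])


CHECKS = (  # (directory under each home, check function, finding label)
    (".subversion/auth/svn.simple", svn_cache_is_plaintext, "svn-plaintext-password"),
    (".ssh", ssh_key_is_unencrypted, "ssh-key-no-passphrase"),
)


def audit_homes(root) -> list:
    """Return (user, finding, relative path) tuples; the secret itself is never returned."""
    findings = []
    for home in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for subdir, check, label in CHECKS:
            for path in sorted((home / subdir).glob("*")):
                try:
                    if path.is_file() and check(path.read_bytes()):
                        findings.append((home.name, label, str(path.relative_to(root))))
                except (OSError, ValueError, struct.error):
                    continue  # unreadable or malformed file: skip it, keep sweeping
    return findings


def make_openssh_key(cipher: bytes) -> bytes:
    """Constructed header-only blob, not a usable key: magic, cipher name, padding."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + bytes(16)
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


def build_demo_tree(root) -> None:
    """Write constructed sample homes: alice is exposed on both counts, bob on neither."""
    files = {
        "alice/.subversion/auth/svn.simple/" + "0" * 32: b"K 8\npasstype\nV 6\nsimple\n"
            b"K 8\npassword\nV 13\nnot-a-real-pw\nK 8\nusername\nV 5\nalice\nEND\n",
        "alice/.ssh/id_ed25519": make_openssh_key(b"none"),
        "bob/.subversion/auth/svn.simple/" + "1" * 32:
            b"K 8\npasstype\nV 13\ngnome-keyring\nK 8\nusername\nV 3\nbob\nEND\n",
        "bob/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
```

Calling `audit_homes("/home")` on the NFS server, or on a client with the homes mounted, gives the list to follow up on; `build_demo_tree` writes the constructed sample tree into a scratch directory for a dry run.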

Re:Big companies (2, Funny)

Antique Geekmeister (740220) | more than 4 years ago | (#28817865)

Oh, dear. Please excuse that run-on paragraph: I occasionally forget to hit the 'Plain Old Text' option when I write.

Re:Big companies (1)

maxume (22995) | more than 4 years ago | (#28818153)

There's a pref that you can set to make 'Plain Old Text' the default.

Re:Big companies (1)

Antique Geekmeister (740220) | more than 4 years ago | (#28818249)

Oh, yes. Thank you.

Re:Big companies (1)

TheLink (130905) | more than 4 years ago | (#28819047)

I prefer "Extrans", so that I can use symbols like < and > without problems. Extrans appears to be Slashdot's term for "plain text".

Whereas Slashdot's "Plain old text" treats special characters as special, and converts urls to links. It's not what I'd expect from "plain old text".

I have no idea why it's like that.

Re:Big companies (0)

Anonymous Coward | more than 4 years ago | (#28818019)

> So almost *every user's primary keys* were available to anyone who plugged in a live CD

So somebody with physical access to the machines can get access to critical data - well fook me with a very large fookin' stick, that's something new for the books on security.

Re:Big companies (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28818097)

The small companies don't have the staff or the competencies to handle security. The big companies, on the other hand, just don't care. The main difference is that one is giving the illusion of due diligence and the other isn't.

That's why I prefer small companies. Same general level of risk, but their databases are smaller, so I'm a smaller target.

Re:Big companies (1)

SleepingWaterBear (1152169) | more than 4 years ago | (#28819063)

Perfect security doesn't exist (at least I've never encountered it), so the goal with security is to minimize the chance of a harmful breach. From that point of view, the small company may actually be a better choice even if the security is abysmal or nonexistent. For all practical purposes a cottage with the key under the doormat is more secure than the mansion next door with a fancy security system - both can be robbed, but no one's going to bother to rob the cottage unless they have something in particular against the owner.

The security at your partner company is truly awful, but if they're low enough profile they'll probably never suffer a breach. Obviously I can't speak to your specific case, but for a small enough company security is a waste of money - security only makes sense if the chance of a breach times the cost of a breach is greater than the cost of the security.

Big companies may generally have much better security, but I doubt their security is enough better to make up for the extra exposure.

Re:Big companies (0, Offtopic)

simoncpu was here (1601629) | more than 4 years ago | (#28818001)

I registered my domains with a small registrar once upon a time. A few years later, they became bankrupt, and I was left scrambling to transfer my domains to an established, well-known registrar.
Lesson: this is exactly why you don't go with small companies.

Open sharing of security and exploit details (1)

gavron (1300111) | more than 4 years ago | (#28817799)

Look for Network Solutions to not provide any information useful to the community about this security incursion.

They think "Open disclosure" and "transparency" are things you find in mailing envelopes.

Ehud

Re:Open sharing of security and exploit details (0)

Anonymous Coward | more than 4 years ago | (#28817849)

> Look for Network Solutions to not provide any information useful to the community about this security incursion.
>
> They think "Open disclosure" and "transparency" are things you find in mailing envelopes.
>
> Ehud

Yeah ... I'm surprised they opened up even this much.

Why hold this data? (4, Insightful)

Anonymous Coward | more than 4 years ago | (#28817801)

Why.. I mean WHY?

Why hold this data, are they all retarded? It's not their data to hold... once you send the transaction to visa and it is accepted, this information should be PURGED. Period.

Re:Why hold this data? (3, Insightful)

Xelios (822510) | more than 4 years ago | (#28818197)

Because data is valuable, and most companies wouldn't delete anything without being forced to. I keep telling myself that maybe breaches like this will convince other companies to purge this kind of data when it's no longer needed, but so far it seems that greed still has the upper hand here. Can't say I'm surprised though.

Not true (2, Interesting)

an.echte.trilingue (1063180) | more than 4 years ago | (#28818231)

> once you send the transaction to visa and it is accepted, this information should be PURGED. Period.

Not true. Lots of businesses hang on to your card number, especially if you will do repeat business with them, such as Amazon.

Network solutions is my registrar. They do not keep your CC by default, they ask your permission and there is a very good reason for them to do this. This is why:

My business has a few dozen domain names: our trademarks and a couple of names that are similar (typos that we don't want squatters to snatch up; .com, .net, .be, .fr variants, etc). They were all registered at different times and so there is usually one getting ready to expire every few weeks. We could make it part of the daily routine of one of our developers to check up on all of our domains and repurchase a new registration as needed. This costs money... lots of money if you add it up over a year. Besides, it introduces an element of human error: a few years ago, the company lost its primary domain name because the guy in charge of doing that had left and nobody thought to assign the job to somebody else. It cost us thousands of dollars to buy it back.

Alternatively, we can just allow Network Solutions to keep our CC number and re-register the domain automatically. It is easy and cheap. Of course, this kind of solution requires that Network Solutions not hire a retarded monkey to code its ERM...

Re:Not true - I call Bullshit (4, Informative)

rockwood (141675) | more than 4 years ago | (#28818653)

I call Bullshit, and with due reason. I worked for Network Solutions as Level II support - handling anything from programming to server issues.

I know for a fact that they do store credit cards - regardless of what they may or may not claim.

One billing application that allows you to search ALL historical purchases, what, when, card #, address, services etc...

The second for more recent purchases.

Primarily we used a single application - and that application gave you access to the entire database which included minor and major information, such as Name, Address, phone#, email, Your Challenge Question, the HINT to the challenge question, CC number, billing cycle and history, DNS, smtp, database passwords (if you host with NetSol), all email users and their passwords under that domain, ftp passwords, website passwords for the GUI designer and much much more!

If you have a domain with them that has other email addresses set up through the NetSol site, simply login and look at those accounts. Each of those users can change the original password you set for them once they log into their online mail. But you will always see the passwords as ****, but don't fret if you forgot one (or they changed it) and want to log into the email account of that user, pull up the source code - they are all in plain text (as of 1 year ago anyway).

They have certain "servers" that handle routing and other processes that are no more than a laptop - that's right, not a server - a laptop.

Oh and your cost of thousands of dollars to buy back your domain name - here is a little bit of info. Many users were irate about New Ventures grabbing domains faster than anyone else when they expired, sometimes before it was to be released (grace period for renewal after it expired). All employees were told to let the customers know that we were not, nor were we affiliated with New Ventures. A month later at a financial meeting, it was announced that we've been making leaps and bounds in revenues and recently sold a domain name for nearly a million dollars! A few of us started looking into this as NetSol is a registrar supposedly with a set fee for domains. As it turns out New Ventures is in fact a part of NetSol - They're scamming everyone.

When I began working for NetSol, I was happy as a lark - until I got settled in and started digging into the processes, support and resolution chain and blatant lies we were telling people, I was so disappointed. I left not being able to stand the lies anymore. We'd tell people that their issue would have a resolution in 3 days, but they'd never hear from anyone. And in fact when someone would ask for someone higher up the chain of command, (ie: supervisor, etc) the supervisors would tell us to tell them they can't be transferred, get the number and the supervisor will call them in 5-10 minutes... would they be home? Issue is that they would never get a call back... only to call in again and be transferred to level II support once more and talk to yourself again, or a fellow Level II support person near you. We would all talk and discuss the deflection process. At that time their websites were also riddled with iframe exploits, constantly being hacked and defaced for over a year and a half.

Unless anyone here actually works for NetSol - no one really knows what I know for a fact that goes on there. Given their history with customers and such, They've probably known about this for a long time.

Re:Not true - I call Bullshit (1)

Kremit (632241) | more than 4 years ago | (#28819745)

Wow. I'm so glad I moved from NetSol 8 YEARS ago (my first domain name). They were bad then!

Re:Not true (1)

Pollardito (781263) | more than 4 years ago | (#28821931)

Network solution customers who have their domains registered there weren't the ones to get their information stolen, it is the customers of merchants who host their e-commerce websites on Network Solution servers that were affected (from one of the linked articles [careandprotect.com] ):

> In the ordinary course of business, Network Solutions identified unauthorized code on servers supporting some of our E-Commerce merchants' websites. We promptly removed this code, and all of our E-Commerce servers are functioning properly. No servers supporting networksolutions.com were affected.

Re:Why hold this data? (2, Insightful)

burkmat (1016684) | more than 4 years ago | (#28818275)

Who says they hold the data?
Both the summary and the first paragraph of TFA suggest the malicious code simply intercepted the data that passed the infected servers these past 3 months.

I guess /. is moving from not reading TFA, to not reading TF summary, to simply commenting on headlines...

Re:Why hold this data? (0)

Anonymous Coward | more than 4 years ago | (#28818313)

Holding the data isn't the problem. Holding the data in an insecure manner, that IS the problem. All customer data should be first encoded and then encrypted, making it a two step process to access the data. It makes searching and sorting a bit more difficult, but at least the data is harder to get at.

I would like to know the technical details of what/how the data was compromised. And as usual, no one will go to jail or pay any fines, but thousands of joe-customers will have their identities stolen and have to fix their credit reports.

PayPal (1)

Dan541 (1032000) | more than 5 years ago | (#28825929)

Another reason to pay with "PayPal"

Released/posted at 7pm on a Friday? (5, Insightful)

xxxJonBoyxxx (565205) | more than 4 years ago | (#28817809)

Released/posted after close of business on a Friday? I'd say this is part of a coordinated effort to say as little as possible about this.

BTW, a better/original story link is here:
http://voices.washingtonpost.com/securityfix/ [washingtonpost.com]

Heh, am I not glad (1)

siddesu (698447) | more than 4 years ago | (#28817829)

That I left them some time ago, and that I always use throw-away credit card numbers online. The best defense against privacy leaks is the one you design yourself, and it better accounts for the possibility of breach at all services you use.

Too bad it isn't always possible to do that easily and in a manner that helps you avoid all risk.

Re:Heh, am I not glad (2, Informative)

theverylastperson (1208224) | more than 4 years ago | (#28818293)

I do something similar. I use a prepaid WalMart card for all online purchases. Typically I use it along with my PayPal account (which has a fraud guarantee, that I've used on one occasion). If it gets hacked they won't get much.

I personally would never give my actual bank card to anyone over the Internet or Phone. To be perfectly honest I pay for most transactions with cash and I haven't written a check (other than payroll checks) in almost 10 years.

Israel (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28817873)

Guilty!

I left many years ago... (4, Interesting)

Shag (3737) | more than 4 years ago | (#28817897)

When they started trying to be the anti-Google, and be as evil as possible. I still remember the time they sent me alarmingly-worded letters about the need to renew a couple domains with them... shortly after I transferred those domains to another registrar.

I've figured all along I was just one of many who were happy to be rid of them. Today? Doubly so.

Re:I left many years ago... (3, Interesting)

ionix5891 (1228718) | more than 4 years ago | (#28817933)

karma i say what goes around comes around, pity innocent people are involved, tho anyone who stayed with them after these controversies deserves what they got

http://en.wikipedia.org/wiki/Network_Solutions#Controversies [wikipedia.org]

Re:I left many years ago... (5, Interesting)

generic.individual (1590219) | more than 4 years ago | (#28818123)

I hate those people. I once stupidly used their site (because it was the first name to pop to mind) to do a whois on a potential domain for a business. The name was simple, my partner's name and my name, and surprisingly not taken. Then I found out why so many people hate these guys. When I did the whois network solutions registered the name I was searching so I now had to either buy that name from them or wait a year for it to be free again. What assholes.

Sucks for the lower downs involved, but I can't help but smile.

Re:I left many years ago... (1)

generic.individual (1590219) | more than 4 years ago | (#28818181)

Reading the wikipedia article another user posted, I see they weren't registering domains but rather reserving them for 4 days. I just saw the new whois pointing to network solutions and assumed it was registered.

4 days is better than a year, but still completely evil.

storing credit card information on the InterTUBES (4, Insightful)

viralMeme (1461143) | more than 4 years ago | (#28817929)

"After conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions on approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information [careandprotect.com] "

At this stage of the game, what are these supreme innovators doing storing raw credit card numbers on a publicly accessible web server. And what's even more incredulous is that no one noticed. Where are all these magic intrusion detection systems. I mean the average ISP has more security in place. Have they been, like Rip Van Winkle, asleep for the past twenty years ..

Re:storing credit card information on the InterTUB (0)

Anonymous Coward | more than 4 years ago | (#28818237)

This doesn't surprise me at all. Large organizations are reactive, never proactive. McAfee's recent XSS issue is a similar situation. Security and auditing is scary to suits, and inevitably generates extra work for them. It's never priority one.

Re:storing credit card information on the InterTUB (3, Informative)

juuri (7678) | more than 4 years ago | (#28818261)

There's nothing that says the data was stored on any publicly accessible server. What is said is that there was a code insertion that could have been used to transfer data out. The attackers probably patched into whatever lame backend system they were using for these transactions and added a little bit of code to simply copy the details out to a URL/irc bot somewhere. Cases like these typically involve some inside help or an ex-employee.

SOX issue (1)

192939495969798999 (58312) | more than 4 years ago | (#28817955)

Security breach aside, it's a SOX issue to store or transmit CC numbers that way.

SOX may be annoying, but it is meant to avoid scenarios such as this, where a breach would yield that information in the first place.

Re:SOX issue (1)

walmass (67905) | more than 4 years ago | (#28818551)

Not SOX, at least not directly.

I think you mean PCI-DSS: https://www.pcisecuritystandards.org/ [pcisecuritystandards.org]

Re:SOX issue (3, Informative)

noc007 (633443) | more than 4 years ago | (#28819237)

walmass is correct. This would only be a SOX issue IF they didn't have separate people/groups for development, QA, implementer, and production support/administration. This is more of a PCI-DSS issue which must be complied with if there is going to be any handling and especially storage of card numbers.

Re:SOX issue (1)

ChadM (102789) | more than 5 years ago | (#28823133)

I think you mean PA-DSS [visa.com] , which applies to payment application providers. PCI-DSS applies to the merchants themselves.

Re:SOX issue (0)

Anonymous Coward | more than 4 years ago | (#28818609)

> Security breach aside, it's a SOX issue to store or transmit CC numbers that way.
>
> SOX may be annoying, but it is meant to avoid scenarios such as this, where a breach would yield that information in the first place.

As the Director of regulatory compliance for a publicly traded company, this is wrong. SOX establishes an environment of IT General Controls, but it does not explicitly address what can or can not be stored. Other regulations -- such as PCI DSS -- do, but not SOX. It says nothing about "storing and transmitting CC numbers." It merely seeks to establish IT controls on those processes.

Were their controls faulty? I would speculate that they were, and that's a SOX issue -- but only in a secondary way. These systems are actually out of scope for SOX: it is the financial reporting systems that are in SOX scope, and it is unlikely that the compromised systems were part of their financial reporting systems.

And yes, I get paid to do this for a living.

ThisCo. Sux, LLC (1)

shubert1966 (739403) | more than 4 years ago | (#28818079)

I left them many years ago because:
-Form fields and labels were not consistent throughout their literature.
-Customer service experience held considerable 'vowel-trouble.'
-Overpriced initially as a registrar, and then of course, as a secure host.

Easy-to-deploy, Turnkey!, Just give us your card. ;)

found it! (0)

Anonymous Coward | more than 4 years ago | (#28818089)

"There is also no public information as to where the data believed to be stolen was sent."

Oh, so that's what all those big emails I've been receiving were! No worries, folks! I've got all the data right here!

Is register.com a Network Solutions company? (0)

Anonymous Coward | more than 4 years ago | (#28818119)

I can never figure out which companies are which these days. Is register.com (actually rcomexpress.com) the same thing as Network Solutions?

Shashib (2, Funny)

shashib (1167725) | more than 4 years ago | (#28818179)

I work for Network Solutions and we understand that this is a difficult time and we are already taking proactive steps to ease the burden on merchants that may have been impacted by this issue by providing assistance with their customers that may have been impacted. To help affected folks find information quickly we have set up a website http://www.careandprotect.com./ [www.careandprotect.com] Thanks, Shashi B

Re:Shashib (5, Informative)

rockwood (141675) | more than 4 years ago | (#28818751)

Shashi B,

Give me a break! - I too worked for Network Solutions as Level II support - I know all about the bullshit story lines in order to save face. iframe exploits throughout the customers sites, issues not followed through on, the denial of New Ventures having -any- affiliation with NetSol. The ease of gaining access.

In fact while I worked there, several techs uploaded basic http shell emulators onto their sites and all had root level access within minutes.

Your infrastructure was and still is seriously flawed and appears that it always will be - I know first hand!

I'll file this under TasteButDontSwallow

Re:Shashib (0)

Anonymous Coward | more than 4 years ago | (#28819087)

Sounds to me like if you know so much maybe you were one of the people that helped hack this system. Just saying, I would watch yourself saying things like this you might just end up with some papers being served to you soon.

Re:Shashib (2, Interesting)

rockwood (141675) | more than 4 years ago | (#28819135)

Nah - those that did it were eventually caught (after about a 6mo to a year) and they were terminated. Besides, even if I could do it, I wouldn't know what to do with the info afterward.

My main point is that the security holes at NetSol are akin to a block of Swiss cheese. And in most cases the security breaches and malware placed on their system go unnoticed for long periods of time.

Re:Shashib (1)

Aphex Junkie (633436) | more than 4 years ago | (#28821851)

Sounds to me like if you know so much maybe you were one of the people that helped hack this system.

You are an idiot.

iframes and malware payloading kolmic.com (1)

noc007 (633443) | more than 4 years ago | (#28820131)

So what's the deal with NS's usage of kolmic.com? Imagine my CTO's surprise when our content filter blocked one of our subsidiary's NS parked domains because of an iframe of kolmic.com with a nice trojan payload. Some googling revealed this isn't an isolated case and NS has been doing some advertising with them for a while.

NSI - not a good bargain anyway (1)

vaporland (713337) | more than 5 years ago | (#28824245)

I have used NSI for domain registration in the past, and their hosting for static sites is actually OK - when you don't use them for anything else.

I finally figured out how to have my Google For Your Domain domains point to my hosted areas on NSI's servers for static content, and still use Google services (mail, blog, etc) for everything else.

$10 per domain per year for Google registration beats the hell out of trying to haggle with NSI sales staff when your domains are up for renewal. I have one left that is still registered @ NSI that I'm switching to Google (eNom/GoDaddy) next year. I'll keep my hosting @ NSI though, since I'm not doing any ecommerce with them...

Re:Shashib (0)

Anonymous Coward | more than 4 years ago | (#28818777)

Care and protect? Network Solutions?

Honestly, I just threw up in my mouth a bit. Top contender for winning the oxymoron of the millennium award.

Analogous To MS (1)

bitemykarma (1515895) | more than 4 years ago | (#28818641)

If you're dumb enough to use them, you deserve what you get.

Network Solutions (Idiocracy) (0)

Anonymous Coward | more than 4 years ago | (#28819899)

Network Solutions are a bunch of yahoos. Once they made me the technical contact on about 8,000 domains. I got calls from all over from folks saying "Who are you and how did you get to be the technical contact on our domain?" I still have the printouts. About 200 pages (double sided) that list the domains. They have always had their heads up their hoohoos.

Take precautions (1)

ZosX (517789) | more than 4 years ago | (#28820079)

When I buy things online I use prepaid visa cards. Nobody has to know my bank account information, social security number or anything. I also give as little information out as possible. The most they will likely find on me, outside of my social security number (which anyone can find with some digging and a few bucks) is my name and address and a frequently empty visa debit account. I've had friends who have had their identity hijacked and it is very hard to convince credit agencies that you really didn't get a credit card and buy all of that stuff. My credit is pretty destroyed, but if that is something you are worried about, it does help to continuously monitor your credit report and score and potentially catch things before time starts working against you.

Re:Take precautions (0)

Anonymous Coward | more than 5 years ago | (#28823815)

Is this supposed to be some sort of hyperbole? I work in the credit card processing industry (posting AC to not draw unwanted attention). Reporting fraudulent charges is as easy as calling the bank and saying "I didn't do this". The only way it would be difficult to convince them is if in the past you've actually bought something and then tried to act like it was fraud so you could keep it without paying. Banks do catch on to this stuff...

A friend once put it best (0)

Anonymous Coward | more than 5 years ago | (#28822921)

As a friend once said (in regards to the sex.com and races.com fiascoes): Network Solutions couldn't secure a lava pool against snowmen.
