Slashdot: News for Nerds

Even My Mom Could Hack These Sites

CmdrTaco posted more than 7 years ago | from the figuratively-speaking-anyway dept.

Security 233

Frequent Slashdot Contributor Bennett Haselton's latest story is ready for your consumption. He starts "Recently, as an experiment, I wrote from my Hotmail account to ten different hosting companies that were each hosting some of my Web sites, asking for logins to change the domain settings. Even though I never provided any proof that the messages from the Hotmail account were really coming from me (the address they all had on file for me was a different one), half of them replied back and gave me the logins that I needed."

I figured that if I wrote to them saying "I forgot my password, please mail it to me," that would be too obvious. Instead, when I had set up shop with these hosting companies, I had entered a domain name at the time of creating my account and asked them to register it on my behalf (long before I had this experiment in mind). Then when I wrote to them recently from my Hotmail address, I sent each of them a message saying: I need to transfer this domain somewhere else, can you give me the login at the registrar where you registered the domain, so I can change the domain settings. Five of the ten companies either (a) gave me the registrar login, (b) transferred the domain to my registrar account on request (even though I never provided any proof that the owner of that registrar account was really me, either), or (c) changed the domain to point to a new IP address that I specified -- all of which, of course, would allow an attacker to take over a site temporarily or even permanently, if it hadn't really been me writing from the Hotmail address.

But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server knows enough to buy the domain and point it at the server that the company gives them.

But even for small-time hosting, a 50% success rate for a trick like this is uncomfortably high. So what can we do about it? Well, every problem has a non-solution that requires changing human nature ("People should just stop buying from spammers and they'd go out of business!") and a non-solution that ignores the economics of the situation ("ISPs should devote more resources to stopping spammers on their own network!"). In this case, the corresponding non-solutions would be (a) "People who work for hosting companies should be less gullible" and (b) "ISPs should hire smarter people, without charging more to their hosting customers".

The solution that doesn't require any cheating, though, is to have procedures in place for anything remotely security-related, and drum into employees' heads that they have to follow those procedures. Here's some good news: Of the five companies that fell for the ruse asking for my registrar login information, when I followed up with them saying "Hey, I forgot my account password, can you mail it to me", only two of them actually sent my password to the Hotmail account. To those two, I replied with some terse words about having a six-inch-thick steel door while leaving the window wide open. But at least it was only two out of ten that fell for that ruse, compared to five out of ten that fell for the registrar trick. The difference is that hosting companies have procedures in place to deal with password resets -- a script that sends the existing password, or sends a reset-password link, only to the customer's e-mail address on file.

Similarly, any hosting company that registers domains on behalf of users should have procedures in place for transferring the domains to users or letting them change domain settings. In fact, of the five companies that didn't fall for the ruse, most of them said "Go to the customer control panel here and log in" -- it wasn't that their guard went up because I was writing from a Hotmail account, it was that they already had procedures in place for a customer wanting to change domain settings, and that's what the idiot-proof book told them to do. Kevin Mitnick always said that the weakest link in any security chain was people. Sometimes the way for ISPs to tighten security is to make the people in the chain act more like machines.

Until then, there are probably many sites out there that are this easy to "hack", using a method that could charitably be called low-tech. After seeing which hosting companies fell for the trick, I pointed out that they had sent the login information to an unverified address and admonished them to be more careful in the future, but I didn't storm out vowing to take all of my business elsewhere -- after all, if 50% of all low-budget hosting companies out there fall for this, what would be the point?
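The scripted procedure the article credits for the lower password-reset success rate, carried through in code as an added example (not the author's or any hosting company's code): every request in a security-sensitive category gets a single-use, time-limited confirmation link sent only to the e-mail address on file, whatever address the request arrived from, and the desk stores only a salted password hash so there is no plaintext to mail out. The customer record, the `Outbox` stand-in for the mail system and the `panel.example` hostname are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Requests the procedure treats as security-relevant. Nothing in this set is
# ever acted on because of who the e-mail *appears* to come from.
SENSITIVE_ACTIONS = {"password_reset", "registrar_login",
                     "domain_transfer", "dns_change"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash; the desk stores this, never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class Customer:
    account_id: str
    email_on_file: str
    password_hash: str


@dataclass
class Outbox:
    """Stand-in for the mail system so the example runs offline (constructed)."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


class RecoveryDesk:
    def __init__(self, customers, outbox, ttl=3600, now=time.time):
        self.customers = {c.account_id: c for c in customers}
        self.outbox, self.ttl, self.now = outbox, ttl, now
        self.pending = {}   # sha256(token) -> (account_id, action, expires_at)
        self.audit = []     # what a reviewer wants to see afterwards

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def handle_request(self, sender: str, account_id: str, action: str) -> str:
        """The scripted first response to an inbound support e-mail."""
        if action not in SENSITIVE_ACTIONS:
            return "not-sensitive"          # ordinary ticket, answer normally
        cust = self.customers.get(account_id)
        if cust is None:
            self.audit.append(("unknown-account", sender, account_id, action))
            return "refused: unknown account"
        if sender.lower() != cust.email_on_file.lower():
            # Not grounds to refuse (the customer may have lost that mailbox),
            # but a mismatch is exactly what a reviewer should be able to find.
            self.audit.append(("sender-mismatch", sender, account_id, action))
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (account_id, action,
                                             self.now() + self.ttl)
        # The only outbound message goes to the address on file, never to `sender`.
        self.outbox.send(cust.email_on_file, f"Confirm {action}",
                         f"https://panel.example/confirm?t={token}")  # placeholder host
        return "confirmation sent to address on file"

    def confirm(self, token: str, new_password: Optional[str] = None) -> str:
        """Runs when the confirmation link is followed; tokens are single use."""
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return "refused: unknown or already used token"
        account_id, action, expires_at = entry
        if self.now() > expires_at:
            self.audit.append(("expired-token", account_id, action))
            return "refused: expired token"
        if action == "password_reset":
            if not new_password:
                return "refused: no new password supplied"
            self.customers[account_id].password_hash = hash_password(new_password)
        self.audit.append(("confirmed", account_id, action))
        return f"ok: {action}"
```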


233 comments

well what ISPs released the info? i want to avoid (4, Interesting)

Anonymous Coward | more than 7 years ago | (#19146597)

well what ISPs released the info? i want to avoid them.

Re:well what ISPs released the info? i want to avo (3, Insightful)

Anonymous Coward | more than 7 years ago | (#19146733)

I'd go out on a limb and suggest that none of this really occurred and what he's really doing is showing off a huge social experiment about how people will talk about nothing. If he really did find something viable out he would definitely offer up the names and contact information of these companies so that people could complain and drop their services.

Re:well what ISPs released the info? i want to avo (2, Insightful)

tttonyyy (726776) | more than 7 years ago | (#19146953)

I'd go out on a limb and suggest that none of this really occurred and what he's really doing is showing off a huge social experiment about how people will talk about nothing. If he really did find something viable out he would definitely offer up the names and contact information of these companies so that people could complain and drop their services.
1: "Aaaah, now I know who these weak companies are I can be pretty sure of hacking some sites they host!".
2: Ill gained PROFIT!!!

It is responsible of the poster to not reveal which companies have weaknesses he has discovered.

New Theories! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19147859)

Yo mama's so old her social security number is 1!

Yo mama's so old she flicked the switch when god said let there be light!

Yo mama's so old that when she was in school there was no history class!

Yo mama's so old she's in Jesus's yearbook!

Yo mama's so old her birth certificate says expired on it!

Yo mama's so old she knew Burger King while he was still a prince!

Yo mama's so old she was a waitress at the Last Supper!

Yo mama's so old she ran track with dinosaurs!

Yo mama's so old her birth certificate is in Roman numerals!

Yo mama's so old she has a picture of Moses in her yearbook!

Yo mama's so old she sat behind Jesus in the third grade!

Yo mama's so stupid when she saw the under 17 not admitted sign, she went home and got 16 friends!

Yo mama's so stupid it took her 2 hours to watch 60 Minutes!

Yo mama's so stupid that she tried to put M&M's in alphabetical order!

Yo mama's so stupid she could trip over a cordless phone!

Yo mama's so stupid that she sold the car for gas money!

Yo mama's so stupid she asked you "What is the number for 911?"!

Yo mama's so stupid she took a ruler to bed to see how long she slept!

Yo mama's so stupid when she read on her job application to not write below the dotted line she put "O.K."!

Yo mama's so stupid she got stabbed in a shoot out!

Re:well what ISPs released the info? i want to avo (1)

arth1 (260657) | more than 7 years ago | (#19147413)

Naming the sites would be making himself the target of lawsuits if people using these ISPs get "hacked" this way.

Regards,
--
*Art

Re:well what ISPs released the info? i want to avo (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19147883)

Really. Who has 10 different hosting companies to host "some of my websites"?

If this guy actually has 10 businesses or unique sites or whatever (unlikely), wouldn't you pick the one hosting service with the best service plan and just use it?

Re:well what ISPs released the info? i want to avo (2, Funny)

Anonymous Coward | more than 7 years ago | (#19146859)

"Even my mom could hack these sites" ???

As a 48 yo grandmother, I am offended that technical incompetence is equated with being a mother. I don't think anyone would have said "even my dad could hack these sites".

I am incidentally, a C programmer of 20+ years.

Re:well what ISPs released the info? i want to avo (4, Funny)

Anonymous Coward | more than 7 years ago | (#19146941)

"Even George W. Bush could hack these sites"

There, that should be inoffensive enough for everyone now. ;-)

-(Anonymous for safety)

Re:well what ISPs released the info? i want to avo (4, Funny)

Anonymous Coward | more than 7 years ago | (#19147273)

"Even George W. Bush could hack these sites"

There, that should be inoffensive enough for everyone now. ;-)

You just offended everyone's mother.

Re:well what ISPs released the info? i want to avo (1)

ditoa (952847) | more than 7 years ago | (#19146947)

i smell bullshit. there are no women on /. ;)

Re:well what ISPs released the info? i want to avo (2)

cerberusss (660701) | more than 7 years ago | (#19147149)

Well, he said that his mother could hack these sites ;-)

Re:well what ISPs released the info? i want to avo (4, Funny)

Sinister Stairs (25573) | more than 7 years ago | (#19147167)

So easy a cave man could hack it.

You're a feminist? How cute! (4, Insightful)

Anonymous Coward | more than 7 years ago | (#19147191)

An Anonymous Cowardess wrote:

As a 48 yo grandmother, I am offended that technical incompetence is equated with being a mother. I don't think anyone would have said "even my dad could hack these sites".

One swallow does not a summer make.

As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose. Get your fellow sisters to become on average at least as tech-savvy as the average man, and then complain.

Note that men don't complain when allegories about the opposite sex are used. A statement like "His hands were typing at the speed of an old grandmother knitting" won't be met with outrage from men feeling offended because grandfathers could be knitting too.

Take your hardcore feminism elsewhere -- it doesn't belong on /.

Re:You're a feminist? How cute! (5, Interesting)

Anonymous Coward | more than 7 years ago | (#19147517)

It's funny though how if the poster had said "Even a [insert any race here] person could hack these sites" it would be a completely different kettle of fish that would probably see people fired and a national outcry over racism.

I'm not condoning racism, I'm just pointing out how much sexism is often seen as O.K. whereas racism is seen as an eternal evil. The line "As long as there's far more tech-savvy men than women, the generalization by assuming a gender serves a useful purpose" in particular would not go down well if made on racial rather than sexual grounds, despite probably being equally valid.

parent is a troll (4, Insightful)

oliverthered (187439) | more than 7 years ago | (#19147231)

just ask google [google.co.uk]

Re:well what ISPs released the info? i want to avo (5, Funny)

Dachannien (617929) | more than 7 years ago | (#19147265)

It's obvious that you're a C programmer, since a C++ programmer would have immediately recognized the difference between a class and an instance of that class.

Re:well what ISPs released the info? i want to avo (0)

Anonymous Coward | more than 7 years ago | (#19147307)

> well what ISPs released the info? i want to avoid them.

It's a small sample size, but I think his results were probably representative. In that case, it'd be far better to know which companies didn't release the info -- otherwise you're back to flipping a coin.

Sad news, Reverend Falwell dead at 73 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19146639)

I just heard some sad news on Talk Radio, famed preacher the Reverend Jerry Falwell was found dead at his prestigious Liberty University. No further details were available. Even if you did not admire his great works of charity and helping those less fortunate, there is no denying his contribution to society. Truly an American icon!

HAPPY news, Reverend Falwell dead at 73 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19146791)

That's not sad news -- in fact, that's some of the happiest news I've heard all year! I might see if I can get myself a fake passport and fly to the USA, just so I can piss on his grave. Bet there's going to be a massive queue, though.

Re:HAPPY news, Reverend Falwell dead at 73 (1, Offtopic)

PadRacerExtreme (1006033) | more than 7 years ago | (#19147101)

Holy flamebait batman!

Disagree with his beliefs if you want, but he was still a person. He had a wife and kids....

<sigh>

Re:HAPPY news, Reverend Falwell dead at 73 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19147253)

... Who thankfully weren't gay or atheist or a member of the ACLU. Otherwise, they would have been responsible for 9/11 and disowned. He was an evil instigator and a bully, bringing out the worst in people by preying on their fears.

Re:HAPPY news, Reverend Falwell dead at 73 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19147447)

bringing out the worst in people by preying on their fears
Shouldn't that be bringing out the worst in people by praying on their fears?

Re:HAPPY news, Reverend Falwell dead at 73 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19147283)

He also blamed the ACLU, gays, lesbians, feminists, etc. for 9/11.

He was 73. It's not like he was in the prime of his life and was killed in an accident or something. He had a wife and kids, but so did my grandfather when he died. I didn't see anyone posting to /. when that happened.

Re:HAPPY news, Reverend Falwell dead at 73 (0, Offtopic)

mysqlrocks (783488) | more than 7 years ago | (#19147301)

Disagree with his beliefs if you want, but he was still a person. He had a wife and kids...

I agree with you, but wasn't it Jerry Falwell that picketed Matthew Shepherd's funeral? I think I disagree with more than just Falwell's beliefs, but his actions. I can understand the desire to piss on Falwell's grave after some of things that he's done but any human being's funeral and grave should be respected.

Re:HAPPY news, Reverend Falwell dead at 73 (0, Offtopic)

644bd346996 (1012333) | more than 7 years ago | (#19147531)

Jerry Falwell deserves to be remembered. He definitely does not deserve to be respected, after all the things he did and said.

Re:HAPPY news, Reverend Falwell dead at 73 (1)

dosius (230542) | more than 7 years ago | (#19147713)

I thought that was Fred Phelps.

-uso.

Re:HAPPY news, Reverend Falwell dead at 73 (0, Offtopic)

nuzak (959558) | more than 7 years ago | (#19147615)

> He had a wife and kids

This doesn't make him better than anyone else. And everything else about him made him worse. He was one of the few people who could inspire genuine hate from me.

Too bad for his wife and kids, perhaps. May he rot in his own hell.

Re:HAPPY news, Reverend Falwell dead at 73 (0, Offtopic)

Itninja (937614) | more than 7 years ago | (#19147155)

Classy.

Do it quick (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#19147193)

If you get here fast enough, you can probably piss on his corpse. Even get on CNN doing it.

Re:Sad news, Reverend Falwell dead at 73 (-1, Offtopic)

eosp (885380) | more than 7 years ago | (#19146915)

GET SOME PRIORITIES! I'll probably be downmodded, but I had to get it out of the way.

The moral of the story is: (4, Insightful)

Reason58 (775044) | more than 7 years ago | (#19146651)

You get what you pay for.

Re:The moral of the story is: (5, Interesting)

laffer1 (701823) | more than 7 years ago | (#19146969)

I can tell most people posting have never worked for a hosting company. The company I worked for did not have much information on clients to "test" them. We did require that they send us email from their original sign-up address. Here is the problem though. Often, an account would be set up by one employee, sometimes in their own name, for a company. That employee would then leave and the business would be stuck with no login and inaccurate account information. What do we do then? Of course they knew her name, but not much else. In the case of customers outside the US, we had a policy that we could not call them. So we had to take incoming calls or emails only. Sometimes the customer changed their contact address to their website. This means that if their email is not working, we could of course not receive an email from them about their account!

Obviously for many accounts, it is possible to get accurate, useful information. Then again, when a company views it that you are holding their website hostage they get a little upset too! We had several lawyers get froggy with us on behalf of their clients when we did try to verify things. Also, with so many hosting companies it's a very cutthroat business. It's hard to make money when you get $10 a month at best from most customers. That's less than most Internet access accounts.

Now if you pay verio through the roof for hosting they will go through quite a few steps to verify you are you but they won't keep spam off their network. I had an account with them a few years ago and they actually had an open relay set up. Anyone could impersonate your website and if you had an account, it was easy to enumerate the domains on the server your site was on. Some of this might be resolved with their costly VPS services, but it's also resolved with a dedicated server you can lock down yourself too. These days I won't run anything on a server I do not control. I've also found that ISPs are much more careful with dedicated server or VPS account customers.

As far as listing companies, I think most people are scared of lawsuits these days. Since I happened to pick on my verio experience, I should be just as unfair to my own former employer. http://www.customweb.net/ [customweb.net] (myeasyhost.com now i believe) There is something wrong with every hosting company. The trick is finding one that you can live with.

Why not use the simple, obvious solution? (4, Interesting)

msauve (701917) | more than 7 years ago | (#19147471)

The web host was getting paid, weren't they?

For verification, ask for the matching credit card name and number, or write to the billing address, etc. However you were getting paid, there is some form of verified contact. (Unless you weren't getting paid, in which case nuke them, or you were billing their ex-employee's private credit card, in which case that person still "owned" the site and you shouldn't be giving the caller access).

Re:The moral of the story is: (1)

192939495969798999 (58312) | more than 7 years ago | (#19147727)

Or, you'll pay for security eventually, either up front in a better host, or in the end, when you get hacked.

Statistical sample (5, Insightful)

winkydink (650484) | more than 7 years ago | (#19146657)

One cannot conclude from the small sample size that 50% of all small, low-budget hosting companies are not security-conscious. Further, if you want to motivate these insecure companies to change their behavior, voting with your feet by taking your business elsewhere is the correct behavior.

Re:Statistical sample (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19146797)

A large number of these budget hosting companies use the same farmed out support centers in India. Maybe the experiment should have looked a little closer?

Am I wrong? (4, Interesting)

Frosty Piss (770223) | more than 7 years ago | (#19146843)

One cannot conclude from the small sample size that 50% of all small, low-budget hosting companies are not security-conscious.

I would have thought the opposite: The big monoliths would have out-sourced unmotivated help desks that might do this. Smaller companies, I thought, were actually run by real people with a connection to their customers... Am I wrong?

Big, out-sourced ISPs (4, Interesting)

blueZ3 (744446) | more than 7 years ago | (#19147039)

who have cheap labor doing the work are more likely to have procedures, because the workers aren't trained enough to answer questions like this--it's like a customer service script they wade through.

IMO, the most dangerous aren't the untrained script-readers from a large ISP, nor the three-CS-college-friends small ISPs, but the folks at "mid-sized" ISPs who know just enough to be dangerous. At a big company, procedures protect you. At a small company, it's possible that the knowledge of the smart guy running the shop will help protect you. A mid-sized shop, that's hired some less knowledgeable folks but doesn't have procedures yet, seems to me to be the most likely to screw up.

Re:Am I wrong? (2, Insightful)

Splab (574204) | more than 7 years ago | (#19147353)

One should remember, enterprise and small time companies are no longer as easy to distinguish as they used to be. One of my friends runs a low budget hosting company and suffers under problems like those others have described, e.g. how do you know who is who when you don't have a budget to know your customers.

I on the other hand have worked for a company where hosted sites paid upwards of $50.000 for the site and $500+ for hosting per month; we knew our customers and never had to consider such problems.

Both my friend's company and the one I worked for had about the same number of people employed but we cater to different crowds - who is enterprise and who is small time?

Re:Am I wrong? (1)

TheRaven64 (641858) | more than 7 years ago | (#19147591)

Customer service is the main thing keeping me with the small hosting company I use. I know that, if something goes wrong, I have email and IM addresses for the CEO, CTO, and a tech in the data centre (okay, probably the tech in the data centre), and can bug them until they fix it. They have an automated ticketing system too, but I prefer the personal touch.

Re:Am I wrong? (1)

rob1980 (941751) | more than 7 years ago | (#19147697)

No, you're right. But these hosting companies are making the mistake of assuming that since they know their customers, anybody who calls/e-mails in must automatically be considered authorized to make account changes and doesn't need to be challenged. It's a dangerous practice, and one that I personally don't engage in where I work. (I'm the primary webhosting support contact for a local ISP.)

Re:Am I wrong? (1)

Vellmont (569020) | more than 7 years ago | (#19147779)

I would have thought the opposite: The big monoliths would have out-sourced unmotivated help desks that might do this. Smaller companies, I thought, were actually run by real people with a connection to their customers... Am I wrong?

Maybe. The other running theory is large companies have enough people to actually have procedures in place to catch these kind of things.

But it's been my observation that you're correct as well. Large companies lose any connection to customers, and tend to treat them as commodities to be tossed around.

Given the choice, I tend to choose the smaller companies that don't tend to screw me over all the time. I'd also tend to limit my exposure to these kind of hacks simply by having my hosting company manage my domain registration.

Re:Statistical sample (0)

Anonymous Coward | more than 7 years ago | (#19147123)

And maybe letting them know why you're switching!

Re:Statistical sample (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19147669)

It seems anytime numbers are posted on /. some anally retentive math geek spits out in first-post manner "but, but, you do not have a large enough sample size to make any intelligent observations." If only 5 out of 10 bank robbers that draw a gun actually fire shots we cannot make any statistical evaluations of that but we can sure as hell duck! There are times when the statistics of an event are irrelevant and the (possible) outcome is more important.

past mistakes (2, Interesting)

ISwearNotmyPorn (1072206) | more than 7 years ago | (#19146679)

It continues to astonish me that we as a society continue to make the same mistakes. You would think at this day and age basic 'social engineering' would no longer work.

Re:past mistakes (2, Insightful)

pembo13 (770295) | more than 7 years ago | (#19146751)

Why? It seems to me that it is the most reliable form..

Re:past mistakes (4, Insightful)

CastrTroy (595695) | more than 7 years ago | (#19146803)

I don't think there's many people that would fall for the wallet inspector, why would people fall for these social engineering attacks. I know a lot of people who sit down at a computer, and their brain turns off. They are smart people, but anything computer related makes them just lose all intelligence and common sense. People who would have no problem doing something like following instructions to assemble a child's toy, could not do something equally difficult like following instructions for sending an email with an attachment. I wonder if any studies have been done to look into stuff like this.

Re:past mistakes (2, Insightful)

shotgunsaint (968677) | more than 7 years ago | (#19146955)

[blatantly stolen from thinkgeek.com]
Social Engineering Expert... because there is no patch for human stupidity.
[/blatantly stolen]

Re:past mistakes (0)

Anonymous Coward | more than 7 years ago | (#19147179)

that quote is incorrect.

Smith & Wesson make several patches for human stupidity.

Re:past mistakes (2, Funny)

peragrin (659227) | more than 7 years ago | (#19147227)

My boss still refers to AOL as "the Internet". I was finally able to force her to upgrade her windows 98 machine. As I set up XP and firefox I set firefox's icon to that of AOL's, set the Homepage to www.aol.com and changed the icon's name. I installed aim. She is annoyed that the "new" aol isn't quite the same as the old one but is dealing with it.

never underestimate a person's unwillingness to learn something new.

"You would think ..." (1)

codergeek42 (792304) | more than 7 years ago | (#19147319)

...but many don't; hence the rampant effectiveness of social engineering.

Re:past mistakes (2, Funny)

Digital Vomit (891734) | more than 7 years ago | (#19147403)

It's almost as if society is continuously replacing itself with people who have no knowledge of history...

And yet... (1)

C10H14N2 (640033) | more than 7 years ago | (#19147837)

Even those who realize that have still fallen for the crooks who've convinced them to refer to cons as "social engineers," which in itself was a frightfully successful con job not least because it was perpetrated on /actual/ engineers.

Gee thanks (4, Funny)

MillionthMonkey (240664) | more than 7 years ago | (#19146723)

Now my hosting company won't email my password to my Hotmail account anymore!

Get a real ISP... (4, Interesting)

creimer (824291) | more than 7 years ago | (#19146743)

When I forgot the password to access the CPanel account to modify my website and I sent an email requesting that it be changed, the ISP owner left a voicemail on my cell phone with the new password and I was charged five bucks.

Re:Get a real ISP... (1, Informative)

Anonymous Coward | more than 7 years ago | (#19146811)

A "real ISP" doesn't charge to reset your password.

Re:Get a real ISP... (1)

MillionthMonkey (240664) | more than 7 years ago | (#19146985)

>> the ISP owner left a voicemail on my cell phone with the new password and I was charged five bucks.

> A "real ISP" doesn't charge to reset your password.

He could have been referring to his cell phone service.

Re:Get a real ISP... (1)

creimer (824291) | more than 7 years ago | (#19147363)

Time equals money -- especially if you're a one-person ISP with 5,000+ subscribers. I'm still a satisfied customer after being with this ISP for 12 years now. Can't say the same for those ISPs that don't charge to reset your password.

Re:Get a real ISP... (0)

Anonymous Coward | more than 7 years ago | (#19147595)

This is the S&M school of customer service. "Oh, Chuck, I've been a BAD user. Bill me! Bill me again!"

passwords should be hashed (5, Insightful)

brunascle (994197) | more than 7 years ago | (#19146769)

for various reasons, i think passwords should be stored in hashed format. it should be impossible for the hosting company to tell me my password. they should just reset it.

Re:passwords should be hashed (2, Interesting)

garett_spencley (193892) | more than 7 years ago | (#19147007)

Well, even if they reset it and e-mailed you the new password it wouldn't help any in this case.

Of course, if they don't bother to hash it then that's probably another symptom of complacent or non-existent security policies and could be a red flag that kind of problem is a possibility. And to the converse, if they bother to hash the password they're probably smart enough to have stricter policies in place.

Still...

Re:passwords should be hashed (0)

Anonymous Coward | more than 7 years ago | (#19147027)

and what happens when they reset it?

this happened to me... apparently someone (not me) convinced my host to change the password for my website by just asking them to in their support chat room. i flipped out at them for this, and now i have 2 passwords. 1 real password, and 1 that i have to give them if i want to change the password. seems a little silly, but there have been no problems since then.

Re:passwords should be hashed (5, Informative)

kebes (861706) | more than 7 years ago | (#19147333)

Agreed. I once dealt with a small-time hosting company (not the cheapest around, mind you, but not the most expensive). When I initially set up the account, I was surprised and annoyed to see that in the admin control panel, among the various update options, there was a "change password" that listed my password, in plaintext, right on screen. I emailed them telling them that it was ridiculous to:
a) Store a password as plaintext instead of hashing. (And, obviously, they were not salting the passwords.)
b) To display the password on screen, where anyone shoulder-surfing could take a look.

A few months later, I was running into some problems, and emailed them for support. Somewhere along the interchange (they didn't believe that the option I needed was missing from the control panel), they actually asked me for my password (over email) so that they could go and change it themselves. This baffled me, and I sent them a very long letter explaining in detail why it is a bad idea for a company to ask its own customers for their passwords, and why email should never be used to exchange password data. Moreover the idea that they didn't have the admin privileges to go check for themselves struck me as odd.

Anyways, I never gave them my password, and told them to fix it from their end, which they eventually did. Needless to say, at the end of the contract, I didn't renew. So I guess I have to agree with the article's point: many small or medium hosting companies are not bothering to implement basic security protocols (like hashing). But, more importantly, somehow the employees are not being trained with even the minimum skills regarding security.

Re:passwords should be hashed (1)

Dekortage (697532) | more than 7 years ago | (#19147451)

That's exactly what my hosting company does (cheapcheap [cheapcheap.biz] ). Support reps can reset your password, but not tell you what it is. Furthermore, if requesting changes, you have to provide all kinds of account information to verify your identity -- customer #, account pin #, last several digits of the credit card used to pay for the domain, billing street address, etc. Honestly it was a pain in the ass to get my account reset a few months ago, but I'd rather it be difficult than something anyone could do.

Re:passwords should be hashed (0)

Anonymous Coward | more than 7 years ago | (#19147819)

Unless I misread the summary, hashing passwords is irrelevant.

Hashing only works when you control the verification of the password. So, someone enters a password, you hash it and compare it to a stored hash.

In this situation, he was asking for the password to login to the registrar. In that scenario, the registrar controls the verification of the password and most likely does store that password as a hash. But the ISP needs to maintain that password in order to log into the registrar. The password stored by the ISP cannot be stored as a hash...since that would be useless.
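The two storage models the hashing subthread is arguing about, side by side, as an added example for this thread (not code from any hosting company): a customer's own login only needs to be verified, so a salted hash suffices; a registrar login the host must replay to a third party cannot be hashed and can only be stored reversibly, encrypted under a key kept outside the database. Stdlib only; the encrypt/decrypt helper is an HMAC-based counter-mode stream with an integrity tag, standing in for a vetted AEAD such as AES-GCM.

```python
"""Verify-only storage (salted hash) vs. replay storage (reversible encryption).
Example written for this discussion; all sample values are constructed."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 200_000


# --- 1. the customer's own password: the host only needs to VERIFY it --------

def hash_password(password: str) -> dict:
    """Return a record the host can check attempts against but cannot reverse."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": PBKDF2_ITERS}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iters"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


# --- 2. the registrar login: the host must REPLAY it, so a hash is useless ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over nonce||counter, used as a CTR-style PRF keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_credential(master_key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC under keys derived from a master key held in a KMS/HSM.
    Returns nonce || ciphertext || tag."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_credential(master_key: bytes, blob: bytes) -> str:
    """Check the tag before decrypting; wrong key or tampering raises ValueError."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def demo() -> bool:
    """Run both models on constructed sample data; True if both behave as described."""
    record = hash_password("customer-secret")                 # constructed sample
    verified = verify_password(record, "customer-secret") and not verify_password(record, "guess")
    master = secrets.token_bytes(32)                          # lives outside the DB
    blob = encrypt_credential(master, "registrar-login-pw")   # constructed sample
    return verified and decrypt_credential(master, blob) == "registrar-login-pw"
```

The point of the split is operational: a leaked hash table gives an attacker nothing to replay, while the encrypted registrar credentials are only as safe as the access controls around the master key, which is why they should never be retrievable by a front-line support tool.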

List the providers, you prat! (0)

Anonymous Coward | more than 7 years ago | (#19146771)

'nuff said.

Pick any two... (5, Insightful)

SighKoPath (956085) | more than 7 years ago | (#19146787)

of these three options: Cheap, Fast, Secure.

This seems pretty simple though (1)

joggle (594025) | more than 7 years ago | (#19147215)

Not necessarily. In this case it wouldn't take much to prevent this behavior. Simply write the software the employees use in such a way that they can only send the password to the e-mail on file. If the client wants the password sent to an e-mail not associated with the account then the employee would need some sort of identification (such as credit card number and perhaps some other info) which they would then enter into the program they're using. If it matches, then the software would allow them to send the password to the client. This isn't exactly rocket science and this logic could be written into the software with very little effort by any competent developer.
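The gate joggle describes, and the reset-only-never-disclose policy Dekortage's host follows, sketched as an added example for this thread (not any hosting company's real software): the tool, not the rep, decides where a reset may be delivered, and what leaves the system is a one-time token, never the password. Every account value below is constructed.

```python
"""Support-desk reset gate: deliver only to the address on file unless the
requester's verification data matches the account record.
Example written for this discussion; all account data is constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Account:
    customer_id: str
    email_on_file: str
    pin: str
    card_last4: str
    billing_street: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    deliver_to: Optional[str]
    reason: str


def _same(a: str, b: str) -> bool:
    """Constant-time comparison after trivial normalisation."""
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def evaluate_reset_request(account: Account, requested_email: str,
                           verification: Optional[Dict[str, str]] = None) -> Decision:
    """Decide where (if anywhere) a reset for this account may be delivered.

    The rep types whatever the caller provides into `verification`; the tool
    checks every field and reports only pass/fail, so a partly correct guess
    does not reveal which field was wrong.
    """
    if _same(requested_email, account.email_on_file):
        return Decision(True, account.email_on_file, "address on file")
    if not verification:
        return Decision(False, None, "off-file address needs identity verification")
    required = {
        "customer_id": account.customer_id,
        "pin": account.pin,
        "card_last4": account.card_last4,
        "billing_street": account.billing_street,
    }
    ok = True
    for name, expected in required.items():      # no short-circuit: check all fields
        ok &= _same(verification.get(name, ""), expected)
    if not ok:
        return Decision(False, None, "verification failed")
    return Decision(True, requested_email, "verified; delivering to requested address")


def issue_reset(account: Account, requested_email: str,
                verification: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return a one-time reset token for delivery, or None if policy refuses.

    Only the audit line is visible to the rep; the customer's credential never
    appears anywhere in this flow.
    """
    decision = evaluate_reset_request(account, requested_email, verification)
    if not decision.allowed:
        print(f"AUDIT deny customer={account.customer_id} to={requested_email} why={decision.reason}")
        return None
    token = secrets.token_urlsafe(32)   # single-use and short-lived in a real system
    print(f"AUDIT allow customer={account.customer_id} to={decision.deliver_to} why={decision.reason}")
    return token
```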

It's probably easier than you think (4, Insightful)

Toreo asesino (951231) | more than 7 years ago | (#19146795)

A quick scan of Google would confirm this:

http://www.google.com/search?q=inurl%3Aadmin%3Dtrue [google.com]

I'm not attempting to start a flame-war here, but the percentage of those sites that end in ".php" is remarkably high...

Ah to hell with it, let the flames commence.

*runs*

Re:It's probably easier than you think (2, Interesting)

brunascle (994197) | more than 7 years ago | (#19146851)

gah. one of those is actually mine, but it was disabled shortly after that url got public. and it never gave you admin access anyway, it just changed what happened when that particular article was unavailable to the public: it would forward it to a CMS login instead of showing a "Not found" error. i'm fairly confident that my CMS is secure though.

Re:It's probably easier than you think (1)

Shawn is an Asshole (845769) | more than 7 years ago | (#19147029)

Probably at least 90% of those are vulnerable to SQL injection exploits. After all, checking data and using prepared statements or at least "addslashes()" is just "way too complicated".

Troll? Me? (1)

Toreo asesino (951231) | more than 7 years ago | (#19147221)

Modded troll for presenting raw facts that were largely devoid of opinion?! I guess I deserve it.

Re:It's probably easier than you think (2, Interesting)

alan.briolat (903558) | more than 7 years ago | (#19147755)

If you want to start blaming PHP for security flaws, then at least be fair and blame C/C++ for buffer overflows too. The problem is that PHP is "easy", meaning that you don't have to be a good programmer to use it. That means a lot of inexperienced people writing sites/scripts without any concept of the possible attack vectors. I've been writing PHP-based scripts for a few years now, and I've never had any vulnerability become apparent even when specifically inviting people to try and find them. My current site [codescape.net] even has its source code publicly viewable [codescape.net]. The worst that anybody can generally do is impair their own experience of the site. I'm not trying to be arrogant, just pointing out that the language is not to blame, ignorant programmers are.

Your Mom (2, Funny)

aegisalpha (58712) | more than 7 years ago | (#19146817)

To be fair, your mom isn't too shabby at social engineering.

Re:Your Mom (0)

Anonymous Coward | more than 7 years ago | (#19147559)

your mom isn't too shabby at social engineering.

Yeah, she managed to find at least one sailor who was drunk enough.

Firearms mod (0)

Anonymous Coward | more than 7 years ago | (#19146829)

Similar thing happened to a HL mod called Firearms a few years ago. From the remains of their website [firearmsmod.com] :

The same can't be said for the Firearms 2 Team, who kicked off their mod in August 2005 by hijacking the Firearms Forums, FTP, and servers using back-door access supplied by our server provider, ReconGamer. Every single team member and most of the forum admin/mod staff were banned, and we lost all of our art source and personal files stored on the server.

From what I can remember, ReconGamer was providing free or very cheap hosting to the mod. A prominent community member emailed them asking for passwords using a similar scheme and they fell for it.

I try this everywhere (5, Informative)

daeg (828071) | more than 7 years ago | (#19146875)

I try this with every new company we utilize through work. I call from a variety of numbers, including the one registered, my cell phone, and my home phone. I call, giving them only the company name and claim to be "new". If they get suspicious, I tell them the entire IT staff was fired and I'm their replacement and the old staff wouldn't give anyone details about accounts. The social engineering aspects are insanely easy. A few want a fax sent on company letterhead. Any idea how easy it is to fake letterhead through fax? Even a postal letter is easily faked. I remove our liability, or at least reduce it, with companies like this. It takes maybe 10-15 minutes for each company -- give it a try sometime.

For more fun, forge your from: and reply-to: headers. Attach an empty file called signature.asc. Or make it appear to have been sent from a Blackberry, with a fake tag line "Sent via BlackBerry(r)" at the end. You could even go so far as to forge a "conversation" between 2 people which you are forwarding to make it look like the officers of the company authorized you dealing with the company.

I think part of the failure is that many IT workers have faced a similar situation: new job duties include trying to recover accounts/information from a disgruntled former employee.

What I've done with a few companies that we work with is given them a secret key to store in the account notes. I am the only one that knows the key. The other members of the board know the location to get the key, but not the key itself. Major account changes require the key. Along with the stored key there are detailed instructions about each and every external IT account in case something happens to me, or they wish to fire me. It's not flawless, but it's better than nothing.

I did something like this once... (4, Insightful)

Itninja (937614) | more than 7 years ago | (#19146903)

A few years ago I wanted to impress it on my boss that the human factor is usually one of the weakest in a security model. So, with him in the room, I called HR and said something like 'Hi Sarah! How are you doing? Didn't you just get back from vacation? Did you have a good time? (...more smalltalk ad nauseam...). Anyway, I'm retarted. I just reset my password, but I must have had caps lock on or something because now I can't get it to work. Can you reset it for me again? Thanks!' No hacking, cracking, phreaking, yadda yadda yadda.

Re:I did something like this once... (3, Funny)

Anonymous Coward | more than 7 years ago | (#19146957)

"...Anyway, I'm retarted. I just reset my password,..."

Did she ask what your new tart looked like?

Re:I did something like this once... (1)

CrackedButter (646746) | more than 7 years ago | (#19146971)

How did your boss react? Did Sarah lose her job?

Re:I did something like this once... (2, Interesting)

Itninja (937614) | more than 7 years ago | (#19147203)

The boss was surprised. But, no, Sarah stayed employed. But we did have an *intensive* company meeting regarding security later that month.

Re:I did something like this once... (0)

Anonymous Coward | more than 7 years ago | (#19147745)

Am I missing something? You phoned Sarah and asked her to change your password.

Man, that's *real* social engineering.

Possible new anti-spam technique? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#19146935)

I could see this possibly having applications in shutting down spamvertised websites. Being as usually the domains that are spamvertised have been registered less than 7 days prior to the deluge of promotional spam, the hosting registration should be recent.
Of course, this would work better if the hosting companies spoke English (which they seldom admit to doing).
Though really, it would be even better if same trick could be pulled on registrars. If you could get into the registration info for evil.spamdomain.info, and change the DNS information to point to something other than a DNS server, you could pretty quickly shut down the domain.

Yes, I'm the same AC that always blames spam on registrars. And I will continue to do so for the foreseeable future.

My ISP requires a blood test to match (1)

Jazz-Masta (240659) | more than 7 years ago | (#19146937)

Well, not really...

The company I host with requires quite a bit of security to have requests sent through. Unfortunately I've been burned by it before. You need a few pieces of identification in addition to the correct email address. But without the correct email address, even the other pieces of identification won't get you served. This is good since I know my servers are cared for well.

Perhaps these hosts were so small that the tech recognized the person writing in, the language style, etc. This doesn't excuse it at all. This does make me uncomfortable, knowing that in the past, without much money or resources to spend on hosting, I have gone to these "low budget" possibly shady hosting companies. Granted, in the article, most sites on these servers have very little to no content that is worth hijacking. But that wouldn't be the point for "hackers"...it would be to just screw up someone's day or week.

I vote for one of the more eccentric, unemployed slashdot users to start a site that chronicles his/her attempts to take over small sites and then post the results in a table for easy avoidance of said hosting companies.

uncomfortably high? (5, Insightful)

prgrmr (568806) | more than 7 years ago | (#19146939)

a 50% success rate for a trick like this is uncomfortably high

It seems that the only thing "uncomfortably high" is the author. If real, a 50% failure rate is deplorable, to the point where it ought to have prompted some righteous moral outrage. This isn't just another intellectual exercise in social engineering, it's a failure of the system. It's equivalent to 5 out of 10 grocery stores accepting a check presented by someone not the account holder and with no signature on it. That sort of behavior wouldn't be socially tolerable, nor should this be.

If it is, in fact, a real event.

The author ought to be immediately forthcoming with the who, what, and when of his experiment if he really wants some serious consideration and feedback.

Re:uncomfortably high? (1)

ShrapnelFace (1001368) | more than 7 years ago | (#19146967)

TWO WORDS FOR YOU:

HA

HA

And then add on a AH! HA!

Re:uncomfortably high? (1)

blcamp (211756) | more than 7 years ago | (#19147535)


> The author ought to be immediately forthcoming with the who, what, and when of his experiment if he really wants some serious consideration and feedback.

You bet he would be getting feedback... in the form of one or more court summons.

The suits would be coming out of the woodwork at him.

This should be a day and age where social engineering should not work anymore, but it does.

It also should be a day and age where a company or person should not intimidate others into silence with possible legal action... but we're not there yet.

Re:uncomfortably high? (1)

VWJedi (972839) | more than 7 years ago | (#19147539)

It's equivalent to 5 out of 10 grocery stores accepting a check presented by someone not the account holder and with no signature on it.

I think you're skewing the statistics a bit. The author said, "[T]hese were all low-budget hosting companies[.]" An equivalent analogy would be something like "5 out of 10 'mom and pop' convenience stores accepting a check presented by someone not the account holder and with no signature on it." The expected level of competence is typically lower when you talk about small operations when compared to large corporations with greater resources to develop and implement policies and training.

The author clearly picked companies in a way that he anticipated would generate a non-trivial number of successful "hacks". He probably expected to trick 2 or 3 of the 10 companies and was surprised that 5 fell for it.

This is why social engineering will always work (0, Troll)

shaze (665876) | more than 7 years ago | (#19147051)

Because there is no patch for human stupidity. / That, or a disturbing lack of equitable/fair wage laws...

Not unexpected (1)

einhverfr (238914) | more than 7 years ago | (#19147103)

For a while, I had my site hosted on the only low-budget hosting I could find that supported PostgreSQL. About six months later, the site was defaced.

Now, given enough time and resources that sort of thing is going to happen. However this particular hosting company responded to the defacement in entirely inadequate ways. About a week after the defacement, they informed their customers that their upstream network provider was requiring a reformat on all machines which had been cracked.

WTF? Isn't this the *first* thing you do? I immediately took my business elsewhere. Not because of the incident but the response.

It was crystal clear that they had no security plan, no incident response plan, and no security procedures in place. In general my motto now is "you get what you pay for."

Re:Not unexpected (1)

garett_spencley (193892) | more than 7 years ago | (#19147343)

They were most likely a reseller and didn't actually have physical access to the machine.

This is actually quite common. Many companies rent cheap dedicated servers from large providers like theplanet.com and then resell shared hosting on them. It's a good way to make money and offer really cheap hosting to a lot of customers. The downside is that if an incident occurs then the reseller has to go through the support channels of their own hosting provider to get the matter resolved.

It's not like they can just drive to the data center with a fresh new server with the most recent non-compromised backups imported and plug in the new system with no downtime. They need to rely on their own hosting company to do whatever procedures they have in place. This usually involves filling out a support ticket and waiting 24 hours for them to give you a new box. Then you've gotta import whatever backups yourself over the network from the backup server you've rented, provided you bothered to rent one. Which, if you're a reseller, you'd better hope for your customers' sake you did. Problem is most of these 'companies' are looking for the cheapest way to make money and so it's tempting to pay $80 / month for a dedicated box with 1200 GB transfer. A backup solution could end up doubling that fee. Not to mention the reseller is responsible to implement the backup procedures. The hosting provider only provides the boxes, they don't care how you manage your data.

All of this slows down the process. So the moral is... beware of resellers. Make sure your hosting company has their own data center, or at the very least uses co-location instead of reselling rented dedicated boxes that are not physically accessible to them.

Then again, like others have said, you get what you pay for.

Dotster screwed me too (0)

Anonymous Coward | more than 7 years ago | (#19147113)

I had a dozen personal domains registered with Dotster, and stupid me, decided to register my company's domain with them under my personal account. I didn't think much of it until I was laid off, and left on very bad terms. A month went by and all of a sudden I noticed certain domains were no longer resolving.

It turned out the previous employer called/emailed/faxed Dotster and within 4 hours, Dotster gladly turned over my personal account to them, along with changing my password and all contact info. That wonderful registrar saw the one domain and transferred all 13 domains over without even contacting me. It took two weeks to get everything straightened out, and in the end, Dotster refused to admit they did anything wrong, and couldn't understand why I was upset.

Everything's fine now, and needless to say, Dotster is no longer my registrar.

Re:Dotster screwed me too (1)

lmnfrs (829146) | more than 7 years ago | (#19147365)

Thanks, I'll be switching my domain off of Dotster as soon as I get home. That's ridiculous.

Hosting 101 (3, Informative)

unity100 (970058) | more than 7 years ago | (#19147117)

These are hosting basics. They should have made you log in to the support system and put in a support ticket, even if you were using an email address that was registered with them - a "from" address can easily be faked, as is well known.

Please send me your hotmail username and password (5, Funny)

Timesprout (579035) | more than 7 years ago | (#19147137)

so I can check the veracity of this story.

I call bluff! (5, Interesting)

billcopc (196330) | more than 7 years ago | (#19147199)

I have some serious doubts about the Truthiness(tm) of this article, just because in years of web business I've never met a serious fellow with 10 different hosting providers. A normal person would either pick one provider and pay for a large enough account to handle the 10 projects, or take the next step and get a dedicated server.

The author also suggests that small hosting companies have poorly-trained staff. That could not be any further from the truth. In most cases, small companies are run by one or more highly skilled techie entrepreneurs who know their clients well enough to avoid such security blunders. A large faceless company with dozens or even hundreds of employees is far more likely to have things slip through the cracks, and the staff hierarchy ensures that no single individual knows the whole story.

Take for example the world of Internet Service Providers. In a small, 3-man shop, when you call tech-support you're probably talking to a server administrator or network guru. In a big nationwide telecom, you're talking to an outsourcer who learned his "trade" six months ago during his job training and his primary source of information is the knowledge base and screenshots on his workstation.

Well here's a not-so-secret fact about hosting companies: they outsource their sales and support just like any other business. The bigger they are, the more likely you will be speaking with someone who has no idea who you are, what your server looks like and who is more afraid of their own supervisor than of you withdrawing your business. I was shopping for a cheap junky server a couple months ago and I dealt with 4-5 different hosting companies who were looking great, right up until their sales person dropped the ball out of either ignorance or laziness. Most of them were just human parking pages, no matter what I typed into the chat box, they'd simply return a list of links to their terms of service or FAQ. There's one particularly brilliant fellow who pointed me to a non-existent PDF file on their website, then took another 10 minutes to finally accept that I am not an idiot and if I say a link is 404, it's friggin 404. Many of them ended the conversation saying they would email me various documents or a contract, and none ever did. At one point I was even doubting my own mail server, since NONE of them were coming through on their promises.

The moral of this rant ? The world of web hosting is bursting with fraudsters, posers and imbeciles. I probably put in 30-40 hours of research before finally coming across a provider that suited my needs and budget, most of that time was wasted dealing with crooks and idiots. Here's a tip: go to a forum like webhostingtalk.com and have a chat with other hosting clients, read all the success and horror stories before throwing your money at a company you don't know. Make sure you know what you're getting into before signing anything.

Re:I call bluff! (2, Informative)

faedle (114018) | more than 7 years ago | (#19147467)

Given Bennett's (and Peacefire's) history, it's totally believable that he'd register with a bunch of different providers.

I'm more impressed by... (0, Troll)

cranky_slacker (815016) | more than 7 years ago | (#19147309)

the fact that there exists one Hotmail user out there who knows more about the internet than just clicking the "Blue E" to get there.

Can It Be So Simple... (2, Funny)

packetmon (977047) | more than 7 years ago | (#19147505)

So I change my Caller ID to 1800MASTERCARD and call a ranDumb stranger: "Hi, this is Jesse James from Mastercard calling to confirm your credit card number..." Think it doesn't work? Can't blame people for being trusting/stupid.

It Gets Even Worse (1)

freastro (1103067) | more than 7 years ago | (#19147821)

I've actually been able to get access to an account this way. The old webmaster for my guild had retired from the infamous SWG and left the domain in limbo (i.e. the hosting company had put up a for sale sign) without so much as a username or password. So I contacted the hosting company just trying to purchase the domain, but for $10 they gave me the domain and surprisingly a tgz of the web site and phpBB database. I ended up having everyone recreate their accounts anyway, but if that database had any sort of financial or private information (besides passwords in MD5 which they did give me) I would have made sure they knew about their security problems. I would post the conversation I had with the company, but I'd have to dig it out.