
Hackers hit my FeaturePrice!
dumblond 02-21-2002, 01:37 AM The Host I just signed up with (and paid for) FeaturePrice.com just told me they had been hit by hackers and that is why my site wasn't up yet. Is there anything I should be doing to protect myself? or is the damage done? Anyone else here with FeaturePrice? I don't know what to do.
-Thanks in advance.
dumblond 02-21-2002, 01:38 AM :D
Relyc 02-21-2002, 01:50 AM Well whatever damage was done, has been, and at this point there is nothing left to do in terms of protection. Though I would ask what measures they are taking to ensure that there are no repeat incidents. It is also worth asking if they store your credit information on one of the servers that got hacked. (If they do, just to be on the safe side I recommend cancelling your credit card)
UmBillyCord 02-21-2002, 01:55 AM It is also worth asking if they store your credit information on one of the servers that got hacked. (If they do, just to be on the safe side I recommend cancelling your credit card)
I highly doubt anyone is this stupid to store a credit card db on a web server.
dumblond 02-21-2002, 01:55 AM Thanks for the reply, Relyc.
I'm wondering if it's too late to pull out now since I had JUST signed on with FeaturePrice. My website is tapping its foot on my computer, just DYING to meet the world, but now I know why there was a delay. They have my money......I guess I'll see if I get my server space. But let this be a warning to anyone considering this host. The jury's still out.
bitserve 02-21-2002, 05:50 AM I'm suspicious anytime someone blames things on "the hackers" without explaining what exactly happened and how it's been handled.
"the hackers" = "we're incompetent"
avara 02-21-2002, 04:17 PM Originally posted by bitserve
I'm suspicious anytime someone blames things on "the hackers" without explaining what exactly happened and how it's been handled.
"the hackers" = "we're incompetent"
Wouldn't that scare off the customers though? I mean I've heard of hosting companies covering up the fact that they've been hacked, but never of anyone saying "we've been hacked that's why your site is down", when in fact they haven't been hacked...
UmBillyCord 02-21-2002, 05:27 PM Originally posted by avara
Wouldn't that scare off the customers though? I mean I've heard of hosting companies covering up the fact that they've been hacked, but never of anyone saying "we've been hacked that's why your site is down", when in fact they haven't been hacked...
It sounds better and is easier to blame others than to say "We had no back ups, a hard drive failed, you need to start over because we advertised something we do not do."
Not saying that is what happened, only pointing out it is always easier for some to blame others.
Sunny 02-21-2002, 06:06 PM I was at featureprice 2 hosts ago and I got that excuse about hackers causing extensive downtime more than once. I finally got tired of the downtime and lame excuses and found another host.
avara 02-21-2002, 06:16 PM Originally posted by UmBillyCord
It sounds better and is easier to blame others than to say "We had no back ups, a hard drive failed, you need to start over because we advertised something we do not do."
You've got me there. ;)
It's really beyond me though how anyone could advertise backups, etc, and not actually provide them. I couldn't live with myself if I did something like that.
Relyc 02-21-2002, 07:50 PM Originally posted by UmBillyCord
I highly doubt anyone is this stupid to store a credit card db on a web server.
As do I, but that isn't to say it can't happen.
ShadiMan 02-25-2002, 12:03 AM I don't believe FeaturePrice hosting people manage their own datacenter, that's why they will always get hacked. I ran a multi-trace, and found that they are outsourcing their data center at AT&T. It has been a bad month for AT&T. They sold their shared-hosting business to Interland, then, according to InternetNews.com, their AT&T WorldNet servers got a spam attack affecting 1.4 million users in the last few days.
If your website is still hosted at FeaturePrice, I don't believe you should stay too long, I'd rather request chargeback now, before they run out of money paying several banners advertisements at Register.com sister companies (more than $100,000 per month).
lincoln 02-25-2002, 03:17 AM they got hacked? i was just about to sign up with them too... i don't think i'll join now...
Tim Greer 02-25-2002, 10:13 AM Originally posted by UmBillyCord
I highly doubt anyone is this stupid to store a credit card db on a web server.
Well, "someone" is. Look at the information about how addr.com had their system compromised and how someone went off with over 50,000 people's credit card information just last year. I'd imagine they aren't the only ones. At least hope that the DB is encrypted if they did store it. That's also the big issue about security. People are so worried about SSL on order forms, which is reasonable to worry about -- but it's more likely someone will not store this information properly (where is it being submitted and how, for example), than it will be that someone will pick up the data stream on a non-SSL communication. Seriously, this is a big issue that's often not discussed, because most of us would usually assume people aren't that stupid... when in fact, often they are.
allan 02-25-2002, 12:02 PM Originally posted by avara
Wouldn't that scare off the customers though? I mean I've heard of hosting companies covering up the fact that they've been hacked, but never of anyone saying "we've been hacked that's why your site is down", when in fact they haven't been hacked...
It depends. I agree with you, if you just say "We've been hacked, our servers are down." It scares people away, but it has been my experience that full disclosure, especially one posted as soon as the incident is discovered, gets a pretty good reception from customers.
One note: Full disclosure includes not only what happened (more detailed than we got hacked, but you don't have to give step by step instructions :D), but also what steps were taken to patch the security hole and ensure that data integrity was preserved.
People generally understand that there are ^%$*! who have nothing better to do than attack servers, and even the best companies get hacked. But they really hate non-communicative hosts.
AtlantaWebhost.com 02-25-2002, 12:06 PM As Tim alluded, storing credit card numbers on a web server is not dangerous if AND ONLY IF the information is encrypted in such a way that the server does not know how to read it. This is achieved through a public/private key crypto system where the public key is stored on the server to encrypt information as it goes into the DB.
The real challenge is to keep the private key safe (even when it is not on a web server).
Tim Greer 02-25-2002, 06:48 PM Originally posted by uuallan
It depends. I agree with you, if you just say "We've been hacked, our servers are down." It scares people away, but it has been my experience that full disclosure, especially one posted as soon as the incident is discovered, gets a pretty good reception from customers.
[SNIP]
Good points. A: If someone finds out by another means or that you basically lied to them not telling them or denying it, that would be bad. B: More reasonably even, software like BIND, SSH, FTP, etc. often have holes waiting to be found. Although you can configure the system very securely, use other tools like TinyDNS/djbdns, Qmail and other things that have better security history, there will likely, at some point, be some service running, or that you need, that will have a security issue that is either not announced and you get hit, or it's announced and within an hour or less (or so), someone that saw it the first minute decides to try it against your server(s). So, sometimes it's just something people have to accept that does happen -- but with efforts and knowledge and keeping up to date, it sometimes can make it very difficult to crack a system (but never impossible -- not unless you code all of your own services and possibly all the kernels and quit web hosting altogether to dedicate your life to making web hosts more secure).
Tim Greer 02-25-2002, 06:54 PM Originally posted by AtlantaWebhost.com
As Tim alluded, storing credit card numbers on a web server is not dangerous if AND ONLY IF the information is encrypted in such a way that the server does not know how to read it. This is achieved through a public/private key crypto system where the public key is stored on the server to encrypt information as it goes into the DB.
The real challenge is to keep the private key safe (even when it is not on a web server).
Actually, I didn't ever say it wasn't dangerous to store encrypted credit card information online. It's certainly an uncountable percentage safer than a clear text database, like addr.com had. Of course, how many of us would; A: Store credit card information in a file? B: Not encrypt it if we did. C: Put it in a publicly browsable directory (if people use scripts to browse). D: On top of all that, leave the permissions to allow someone to use a script to download that file. How many of us, how many? Hmmm, Yeah, so there's a good example of a host that actually is probably a good one to stay away from. Either that, or they needed better management to know that their employees did this or some employee did anyway -- someone that hopefully lost their job or addr.com is truly a bad choice still. [Oh, I won't get into this] :-)
UmBillyCord 02-25-2002, 07:08 PM Originally posted by AtlantaWebhost.com
As Tim alluded, storing credit card numbers on a web server is not dangerous if AND ONLY IF the information is encrypted in such a way that the server does not know how to read it. This is achieved through a public/private key crypto system where the public key is stored on the server to encrypt information as it goes into the DB.
The real challenge is to keep the private key safe (even when it is not on a web server).
I think you should read Tim's post again. He never said this, and knowing him, he wouldn't agree.
<edit> - figures that within the 15 minutes it takes me to reply, eat a sandwich and hit submit, Tim would have already posted.<edit/>
The only people who would argue that storing CCs online, on a web server, can be secure, are those who run a small host that has only one server and use some of those cheap billing systems out there. They have nowhere else to put them because they only have one server. So if they didn't argue this, they would be hypocritical.
Anyway, I know if you want automation, you need cards online. However you can secure the hell out of them MUCH better if they are on a locked down server with bare bones services running and a block of all IPs but the ones you need (plus a few other techniques :)).
I take security very seriously. Although, I will be the first to admit, we have done some stupid things. But as long as you catch them and correct them, you are fine.
The Prohacker 02-25-2002, 07:40 PM Originally posted by UmBillyCord
The only people who would argue that storing CCs online, on a web server, can be secure, are those who run a small host that has only one server and use some of those cheap billing systems out there. They have nowhere else to put them because they only have one server. So if they didn't argue this, they would be hypocritical.
Hey, I help run a small business, but we certainly don't store information such as CC's on a webserver.. We use Third party systems, to store and handle this for us, much more secure, and to a point more cost efficient... 2checkout, revecom, etc....
UmBillyCord 02-25-2002, 07:45 PM Originally posted by The Prohacker
Hey, I help run a small business, but we certainly don't store information such as CC's on a webserver.. We use Third party systems, to store and handle this for us, much more secure, and to a point more cost efficient... 2checkout, revecom, etc....
I didn't say *every* small host. But I think we all know the ones I am talking about.
eclipsewebs 02-25-2002, 11:51 PM Originally posted by The Prohacker
We use Third party systems, to store and handle this for us, much more secure, and to a point more cost efficient... 2checkout, revecom, etc....
The question is how secure are these really? I would think that a hacker looking to get credit card numbers would go after one of these. Heck, even Authorize.net got hacked recently. I am not sure there is any good place to store CC numbers. You almost have to store them on a pc that is not hooked to anything that can access the internet (dialup included). Even then you need to encrypt them so only a couple of people know how to get them. If it can be hacked, someone will try.
2Grumpy 02-26-2002, 01:28 AM Here's how I handle secure credit card transactions, feel free to borrow from Dixie's security techniques:
They call me on the phone and give me their credit card number in pig latin.
I enter it into my little terminal with my eyes closed so I can't write down what the number is.
Then I hit the submit and when the ticket prints, I eat it.
:D
Hmm what if someone hacks my toilet, time to PORT scan it! Gives new meaning to the term "mail bomb"
AtlantaWebhost.com 02-26-2002, 02:44 AM I apologize for incorrectly analyzing Tim’s post.
I do not have knowledge about the specific situations regarding security breaches for the mentioned hosting provider. However, protecting data on a web server should not be different than protecting any other data server.
Public key cryptography, such as RSA, allows for data to be encrypted with one key in such a way that it can only be read with the paired key, which cannot be mathematically derived from the first. In our specific case, customer data is delivered to our system over SSL and is immediately fed to PGP. The server only has the PGP public key and therefore cannot decrypt the data.
This form of security is something my company is actively working to develop further for virtual hosting purposes. Properly applied cryptography in conjunction with otherwise secure file permissions and data basing systems allows for a great deal of security for information.
Best regards,
Frank Rietta
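The arrangement described in the post above (the web server holds only the public key, so it can encrypt incoming card data but cannot read it back), as an added example that is not part of the original thread and not AtlantaWebhost's code. It assumes Ruby's bundled `openssl` library as a stand-in for PGP; the function names `seal`, `open_record` and `server_can_decrypt?` are hypothetical, and the card number is a constructed test value.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Runs on the web server, which is given only the public key (PEM).
def seal(public_pem, plaintext)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  key = cipher.random_key            # fresh AES key for every record
  iv = cipher.random_iv
  cipher.auth_data = ""
  ct = cipher.update(plaintext) + cipher.final
  # The record key is wrapped with RSA-OAEP; only the private key unwraps it.
  { wrapped_key: pub.public_encrypt(key, OAEP), iv: iv, tag: cipher.auth_tag, ct: ct }
end

# Runs on the separate machine that holds the private key.
def open_record(private_pem, rec)
  priv = OpenSSL::PKey::RSA.new(private_pem)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = priv.private_decrypt(rec[:wrapped_key], OAEP)
  cipher.iv = rec[:iv]
  cipher.auth_tag = rec[:tag]        # GCM tag: altered records fail to open
  cipher.auth_data = ""
  cipher.update(rec[:ct]) + cipher.final
end

# What someone with full access to the web server holds: the stored
# record and the public key. Returns false because the unwrap step fails.
def server_can_decrypt?(public_pem, rec)
  open_record(public_pem, rec)
  true
rescue OpenSSL::PKey::PKeyError
  false
end

if __FILE__ == $PROGRAM_NAME
  priv = OpenSSL::PKey::RSA.new(2048)       # generated off the web server in practice
  pub_pem = priv.public_key.to_pem
  rec = seal(pub_pem, "4111111111111111")   # constructed test card number
  puts "web server can decrypt: #{server_can_decrypt?(pub_pem, rec)}"
  puts "key holder recovers:    #{open_record(priv.to_pem, rec)}"
end
```

The private key never appears in `seal`, which is the property the post relies on; protecting that key on the other machine remains the hard part, as the thread notes.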
omni101 08-13-2002, 12:33 PM Here is my story:
I had pre-paid $84.40 for an annual service, regarding website hosting. I signed up initially because of the live technical support in April of 2002. However, in July 2002, I called technical support only to find out they were now routing calls to technical support and there no longer was a live technician w/ which to speak. Yet, they still call their support "live" with a 3 hour call back. Unacceptable. I called Florida office requesting a refund. They only accept requests via email at billing@featureprice.com Vendor refuses to respond to emails concerning refund. Vendor offered international telephone number for billing resolution. However the number answers with a fax. This number is posted on their website at featureprice.com (International: +43 – 7942-72493 ) They also offer a 1-800 number for international correspondence on their web site but this too is not forwarded to their foreign office. Instead it reaches the Florida office that refuses to assist with billing questions.
Hello,
Yes there's something you can do to protect yourself...
If they offer you a money back guarantee, ask for it and go look for a good hosting provider. This was the first time it happened to you, what about later on? Sure it will be.
PS: Maybe FeaturePrice's servers [ I guess shouldn't put " s " as server(s) ] are based at home of the owner... and the neighbor tried to hack him because FeaturePrice's owner shagged their daughter :D
that was my two cents..