  1. #1

    ASO Billing System Compromised

    Just received this email. This is now the third time my information has been stolen to my knowledge in the last year... first the Gawker hack, then the PS3 hack, and now this.

    We recently discovered that one of our internal servers had been compromised. We have received no reports of any harm to customers as a result of the attack. However, we did want to notify you regarding the situation quickly in order to allow you to take any necessary precautions and to inform you of the steps we’ve taken to further secure your information.


    What Happened
    An attacker was able to gain access to one of our internal servers that hosted our billing system. Our billing system contains the contact information you provided to us when you signed up, as well as encrypted credit card information and encrypted account passwords.

    Because the attacker was able to remove a number of server logs, we cannot be sure what (if anything) the attacker was able to access or if the attacker was able to decrypt any sensitive information. However, we are choosing to err on the side of caution.


    What We’ve Done
    Immediately after detecting the breach, we initiated a full security lockdown across our entire network and made a series of technical and procedural changes to increase the security of all servers and services.

    Besides the security procedures that we have enacted internally, we have also taken a number of other steps to ensure that this never happens again, including the tokenization of all credit card data. For our customers, this means that their credit card data will be stored securely directly with our payment gateway provider. We are also changing our procedures to ensure that customer passwords are not stored in our database.

    In an effort to assist in the possible apprehension of the attacker, we have contacted and are fully cooperating with law enforcement officials.

    We do not believe that any data from any of our other brands or partners has been compromised as a result of this isolated incident. However, we have taken steps to increase security throughout our entire company.


    What You Can Do
    We encourage our customers to follow security best practices and continue to use unique and secure passwords that are updated regularly.

    If your current cPanel password is still the same as when you signed up with us, we encourage you to change that password and will be sending you a separate email with further instructions later this week. If your current cPanel password differs from the one you had when you signed up (as it does for many of our customers), we will not be contacting you further.

    As always, it is also a good idea to review your credit card and bank statements on a regular basis to ensure there is no irregular activity.


    Our Apology and Our Commitment
    I apologize about any inconvenience that this intrusion generally, or the password resets in particular, might cause you. We are committed to providing our customers with the best possible web hosting experience and part of that is ensuring that our customers’ data is as safe and secure as possible.

    If you have any questions or concerns, please do not hesitate to contact us. Like always, we will be available to answer any questions you might have 24 hours a day, 7 days a week.


    Sincerely,

    Douglas Hanna
    CEO, A Small Orange LLC
    ceo@asmallorange.com

  2. #2
    Quote Originally Posted by Orien View Post
    Just received this email. This is now the third time my information has been stolen to my knowledge in the last year... first the Gawker hack, then the PS3 hack, and now this.
    This sure seems to be going around a lot lately. I certainly hope that no one has gotten your information.

    I know on my credit cards you can call in a fraud alert so anything out of the ordinary will be charged to your card without your verification.

  3. #3
    Quote Originally Posted by MichelleH View Post
    This sure seems to be going around a lot lately. I certainly hope that no one has gotten your information.
    Indeed, I'm more concerned about things like my password, email, and security question information when it comes to these hacks though. As you said, dealing with cc fraud isn't too difficult.

    Kudos to ASO for a quick and clear synopsis of what happened and what they're doing to fix it though.

  4. #4
    Sorry to hear this.. It looks like they are handling it quite well, though. Have you changed your passwords? You might want to inform your credit card company/bank about the probable danger so they can keep an extra eye on your account. I hope they do catch the culprit...
    HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
    Fast Reliable Affordable Secure Friendly & Courteous
    RISK-FREE Money Back Guarantee U.S.A Based & Operated
    Read Through Our Most F.A.Q's!

  5. #5
    So many breaches these days. It's getting quite ridiculous. What exactly do these people accomplish with personal information? It's 2011. CreditScore.com is $10/mo. Your CC Bank/Company are pretty powerful in dealing with these situations...not quite sure what the purpose is. To get your Facebook password?
    Sajan Parikh - PHP Development | Server Management | Linux Administration | Web Consulting
    Feel free to get in touch with me if I can be of assistance with anything.
    e: sajan@parikh.io | w: sajan.io
    Give me a call at (262) 343-5973.

  6. #6
    This would be annoying, Orien. I am not sure what I have done wrong either.

    I am not hosted with ASO (A Small Orange) but I did buy a WHMCS based module through them and am currently on their billing system.

    Secondly, my own personal "Hotmail" was somewhat hacked recently, not sure how and not sure why, but it was the same I used within the PSN Network.

    Thirdly, my Facebook was also compromised from somewhere within Kuala Lumpur, not sure how and not sure why.

    I think I am someone who uses strong passwords but still manages to become compromised...

    I feel your frustration.

    Quote Originally Posted by Noppix View Post
    So many breaches these days. It's getting quite ridiculous. What exactly do these people accomplish with personal information? It's 2011. CreditScore.com is $10/mo. Your CC Bank/Company are pretty powerful in dealing with these situations...not quite sure what the purpose is. To get your Facebook password?
    There are so many possibilities, that is the problem. Bank account information, credit card numbers, addresses, phone numbers, revenge, fun. There are so many reasons why people will do this; when I had my Hotmail compromised it was basically used for 'Spam'... So really figures I suppose, depending on their intentions.
    l Dedigeeks Shared Wordpress Dedicated Established 2006
    l Leading AUSTRALIAN Hosting Provider Sydney & Melbourne Datacentres
    l cPanel/WHM R1Soft Backups 24/7/365 Support SMS Hosting Alerts*
    l www.dedigeeks.com Managing Director Service Superstars

  7. #7
    Quote Originally Posted by Noppix View Post
    So many breaches these days. It's getting quite ridiculous. What exactly do these people accomplish with personal information? It's 2011. CreditScore.com is $10/mo. Your CC Bank/Company are pretty powerful in dealing with these situations...not quite sure what the purpose is. To get your Facebook password?
    Pretty much, yeah.

    I find it amazingly hilariously stupid that Facebook uses recovery questions based on stuff 90% of your friends list would know though.

    Client databases are easily sale-able on the blackmarket for something like a few bucks a person...

  8. #8
    This type of hack really underscores the importance of differentiating your login details from site to site.

    @quantumphysics The Facebook questions are hilariously easy LOL
    WHMEasyBackup.com - Take Control Of Your Backups!
    Complete Backup Solution For WHM Reseller Accounts

  9. #9
    I got the same email and I haven't been with ASO for some time.

    These guys have been hacked quite a few times over the years. They really need to work on security.

  10. #10
    I just received the e-mail now actually...

  11. #11
    I would call your credit card company and get a new card. You never know these days.

  12. #12
    Sadly this is happening all too often....

    What's even more scary is that a lot of WHT providers have no clue on security and run their WHMCS / billing platforms on cPanel boxes with WHM, SSH, FTP open to the public.

    They should make you take a test in order to process credit cards, if you have no idea how to secure a box, you shouldn't be allowed to do business.

    sigh.

  13. #13
    Quote Originally Posted by DSD View Post
    I got the same email and I haven't been with ASO for some time.
    Exactly the reason we purge all sensitive information after a customer cancels.

  14. #14
    Quote Originally Posted by nerdie View Post
    Sadly this is happening all too often....

    What's even more scary is that a lot of WHT providers have no clue on security and run their WHMCS / billing platforms on cPanel boxes with WHM, SSH, FTP open to the public.

    They should make you take a test in order to process credit cards, if you have no idea how to secure a box, you shouldn't be allowed to do business.

    sigh.
    They do. It's called PCI compliance. We have to test and submit a scan report by a verified PCI Scanner every 3 months to our provider.

    PCI Compliance includes much of the stuff you're talking about. Although our shared servers are not on PCI compliant servers, our corporate sites and billing systems are. No public SSH, no FTP, no Panel, everything locked down.

    While how secure PCI really is is sometimes questioned, that is the requirement for processing cards.

    *ASO's email did say they were switching to tokenization though. That's another method.

  15. #15
    Quote Originally Posted by nerdie View Post
    Exactly the reason we purge all sensitive information after a customer cancels.
    Exactly the correct thing to do. Once a customer leaves, after a few months, their credit cards (if they paid with one) are removed from our system.

  16. #16
    Quote Originally Posted by Noppix View Post
    They do. It's called PCI compliance. We have to test and submit a scan report by a verified PCI Scanner every 3 months to our provider.

    PCI Compliance includes much of the stuff you're talking about. Although our shared servers are not on PCI compliant servers, our corporate sites and billing systems are. No public SSH, no FTP, no Panel, everything locked down.

    While how secure PCI really is is sometimes questioned, that is the requirement for processing cards.

    *ASO's email did say they were switching to tokenization though. That's another method.
    Yes -- I know all about PCI, like the back of my hand.

    However, you don't *NEED* to follow PCI until you meet a certain threshold of income, which seems to be over 100k/annually. And 95% of the people on WHT don't fall into that category; however, that doesn't mean they shouldn't secure their boxes.

    It's only a matter of time before these companies who run on cPanel / shared boxes for billing get hacked and go out of business. Less competition for us, I guess ;-)

  17. #17
    Quote Originally Posted by Noppix View Post
    They do. It's called PCI compliance. We have to test and submit a scan report by a verified PCI Scanner every 3 months to our provider.

    PCI Compliance includes much of the stuff you're talking about. Although our shared servers are not on PCI compliant servers, our corporate sites and billing systems are. No public SSH, no FTP, no Panel, everything locked down.

    While how secure PCI really is is sometimes questioned, that is the requirement for processing cards.

    *ASO's email did say they were switching to tokenization though. That's another method.
    Just because you pass a PCI scan does *NOT* make you PCI Compliant.

  18. #18
    Quote Originally Posted by RyanD View Post
    Just because you pass a PCI scan does *NOT* make you PCI Compliant.
    True. I wasn't trying to imply that. Was simply addressing what the other replier was talking about specifically.

  19. #19
    Quote Originally Posted by nerdie View Post
    However, you don't *NEED* to follow PCI until you meet a certain threshold of income, which seems to be over 100k/annually.
    That's not true. PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.

  20. #20
    Quote Originally Posted by HostLeet View Post
    That's not true. PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
    You should take your own advice ;-)

    Running your billing network on a cPanel box, eh?
    Last edited by CD Burnt; 05-30-2011 at 03:20 AM.

  21. #21
    Quote Originally Posted by nerdie View Post
    You should take your own advice ;-)

    Running your billing network on a cPanel box, eh?
    Good one.. Shows a lot about your character. But we don't store any cardholder data, we use payment processors. Thank you, though.. For letting me know never to do business with you or your company.
    Last edited by CD Burnt; 05-30-2011 at 03:20 AM.

  22. #22
    Quote Originally Posted by HostLeet View Post
    Good one.. Shows a lot about your character. But we don't store any cardholder data, we use payment processors. Thank you, though.. For letting me know never to do business with you or your company.
    That's exactly the attitude which is going to get you hacked.

    Are customer email addresses, passwords and addresses not considered important?

    What about if someone gets into your server (based on allowing insecure ports on a billing box), adds their own code to your billing platform and starts sniffing your packets? It won't matter if you process credit cards elsewhere when you are hacked internally; they can redirect your customers elsewhere and grab their data just fine.

  23. #23
    Quote Originally Posted by nerdie View Post
    Are customer email addresses, passwords and addresses not considered important?
    Did I say that?.. All I said was that you're wrong saying PCI compliance has an income threshold.. And you come back all hurt with your panties in a bunch posting your ignorant responses trying to damage my company? You're a piece of work. Have at it, at least I know who to blame if it happens.

  24. #24
    Quote Originally Posted by HostLeet View Post
    Did I say that?.. All I said was that you're wrong saying PCI compliance has an income threshold.. And you come back all hurt with your panties in a bunch posting your ignorant responses trying to damage my company? You're a piece of work. Have at it, at least I know who to blame if it happens.
    PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region
    PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
    PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
    PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

    Once you are one of those levels, you are required to pass yearly tests. Until then, you're not (unless your merchant account decides to make you).

    This doesn't mean you shouldn't follow it, because you should on day 1, however there are income levels as stated above.

    This thread is a bit off topic.

  25. #25
    If we're all going to go insane... then maybe having your billing portal be web accessible on port 80 isn't the 100% SAFEST possible way to protect your customer information. After all, what if your billing system got hacked, malicious code inserted, and someone sniffed out payment information of your customers?

    Obligatory proof that I too can connect to a random HTTP server with telnet:
    telnet billing.stablehost.com 80
    Trying 173.255.198.45...
    Connected to billing.stablehost.com.
    (Moral of the story: a conversation full of weak "what ifs" and lame accusations ("OMG your HTTP server also runs an IMAP server?!") is silly and will get none of us anywhere at the end of the day.)
