Thread: ASO Billing System Compromised
-
05-16-2011, 06:03 PM #1Retired Moderator
- Join Date
- May 2006
- Location
- San Francisco
- Posts
- 7,325
ASO Billing System Compromised
Just received this email. This is now the third time my information has been stolen to my knowledge in the last year... first the Gawker hack, then the PS3 hack, and now this.
We recently discovered that one of our internal servers had been compromised. We have received no reports of any harm to customers as a result of the attack. However, we did want to notify you regarding the situation quickly in order to allow you to take any necessary precautions and to inform you of the steps we’ve taken to further secure your information.
What Happened
An attacker was able to gain access to one of our internal servers that hosted our billing system. Our billing system contains the contact information you provided to us when you signed up, as well as encrypted credit card information and encrypted account passwords.
Because the attacker was able to remove a number of server logs, we cannot be sure what (if anything) the attacker was able to access or if the attacker was able to decrypt any sensitive information. However, we are choosing to err on the side of caution.
What We’ve Done
Immediately after detecting the breach, we initiated a full security lockdown across our entire network and made a series of technical and procedural changes to increase the security of all servers and services.
Besides the security procedures that we have enacted internally, we have also taken a number of other steps to ensure that this never happens again, including the tokenization of all credit card data. For our customers, this means that their credit card data will be stored securely directly with our payment gateway provider. We are also changing our procedures to ensure that customer passwords are not stored in our database.
In an effort to assist in the possible apprehension of the attacker, we have contacted and are fully cooperating with law enforcement officials.
We do not believe that any data from any of our other brands or partners has been compromised as a result of this isolated incident. However, we have taken steps to increase security throughout our entire company.
What You Can Do
We encourage our customers to follow security best practices and continue to use unique and secure passwords that are updated regularly.
If your current cPanel password is still the same as when you signed up with us, we encourage you to change that password and will be sending you a separate email with further instructions later this week. If your current cPanel password differs from the one you had when you signed up (as it does for many of our customers), we will not be contacting you further.
As always, it is also a good idea to review your credit card and bank statements on a regular basis to ensure there is no irregular activity.
Our Apology and Our Commitment
I apologize about any inconvenience that this intrusion generally, or the password resets in particular, might cause you. We are committed to providing our customers with the best possible web hosting experience and part of that is ensuring that our customers’ data is as safe and secure as possible.
If you have any questions or concerns, please do not hesitate to contact us. Like always, we will be available to answer any questions you might have 24 hours a day, 7 days a week.
Sincerely,
Douglas Hanna
CEO, A Small Orange LLC
ceo@asmallorange.com
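The notice above contrasts "encrypted account passwords" and "encrypted credit card information" on the billing server with the fix it announces: tokenized card data held by the gateway, and passwords that are not stored at all. The following is an added example of what such a billing record looks like; it is illustrative code written for this thread, not A Small Orange's code. The `FakeGatewayVault` class is an assumption standing in for a real payment provider's tokenization API, and the iteration count is a tunable work factor, not a figure from the notice.

```python
"""Added example: a billing record that stores neither a reversible password
nor a card number. Not A Small Orange's code; the gateway vault is a stand-in
(assumption) for a payment provider's tokenization API.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a salted PBKDF2 verifier. Unlike an 'encrypted password', there is
    no key anywhere on the server that turns this back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the verifier and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class FakeGatewayVault:
    """Stand-in for the payment gateway's vault (assumption). After tokenize()
    the merchant never handles the PAN again; charges are made by token."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        token = "tok_" + secrets.token_urlsafe(18)  # opaque, random, not derived from the PAN
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, cents: int) -> bool:
        return cents > 0 and token in self._cards


def create_billing_record(email: str, password: str, pan: str, expiry: str,
                          vault: FakeGatewayVault) -> dict:
    """What ends up in the merchant's own database: contact details, a password
    verifier, a gateway token and the last four digits for display. A copy of
    this table gives an attacker neither a login nor a chargeable card."""
    return {
        "email": email,
        "password": hash_password(password),
        "card_token": vault.tokenize(pan, expiry),
        "card_last4": pan[-4:],
    }


if __name__ == "__main__":
    vault = FakeGatewayVault()
    # Constructed sample customer; the card number is the standard Visa test PAN.
    rec = create_billing_record("customer@example.com", "correct horse battery",
                                "4111111111111111", "12/29", vault)
    print(rec)
    print("login ok:", verify_password("correct horse battery", rec["password"]))
    print("charge ok:", vault.charge(rec["card_token"], 1999))
```

The point of the design is what a stolen database dump is worth: the `password` field is a one-way verifier, so the "decrypt" question in the notice does not arise, and the `card_token` is only meaningful to the gateway that issued it. Whether the gateway also binds tokens to the merchant account (so a thief cannot replay them elsewhere) depends on the provider.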
-
05-16-2011, 06:16 PM #2Web Hosting Master
- Join Date
- Mar 2008
- Location
- NW Ohio
- Posts
- 9,658
-
05-16-2011, 06:24 PM #3Retired Moderator
- Join Date
- May 2006
- Location
- San Francisco
- Posts
- 7,325
Indeed, I'm more concerned about things like my password, email, and security question information when it comes to these hacks though. As you said, dealing with cc fraud isn't too difficult.
Kudos to ASO for a quick and clear synopsis of what happened and what they're doing to fix it though.
-
05-16-2011, 06:24 PM #4Elite Webmaster
- Join Date
- Nov 2008
- Location
- Florida, U.S
- Posts
- 1,738
Sorry to hear this. It looks like they are handling it quite well, though. Have you changed your passwords? You might want to inform your credit card company/bank about the probable danger so they can keep an extra eye on your account. I hope they do catch the culprit...
HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
★ Fast ★ Reliable ★ Affordable ★ Secure ★ Friendly & Courteous
★ RISK-FREE Money Back Guarantee ★ U.S.A Based & Operated
★ Read Through Our Most F.A.Q's!
-
05-16-2011, 06:46 PM #5Web Hosting Master
- Join Date
- Mar 2007
- Location
- USA
- Posts
- 5,274
So many breaches these days. It's getting quite ridiculous. What exactly do these people accomplish with personal information? It's 2011. CreditScore.com is $10/mo. Your CC Bank/Company are pretty powerful in dealing with these situations...not quite sure what the purpose is. To get your Facebook password?
Sajan Parikh - PHP Development | Server Management | Linux Administration | Web Consulting
Feel free to get in touch with me if I can be of assistance with anything.
e: sajan@parikh.io | w: sajan.io
Give me a call at (262) 343-5973.
-
05-16-2011, 07:02 PM #6Web Hosting Master
- Join Date
- May 2008
- Location
- Melbourne, Australia
- Posts
- 10,629
This would be annoying Orien, I am not sure what I have done wrong either
I am not hosted with ASO (A Small Orange) but I did buy a WHMCS based module through them and am currently on their billing system.
Secondly, my own personal "Hotmail" was somewhat hacked recently, not sure how and not sure why, but it was the same I used within the PSN Network.
Thirdly, my Facebook was also compromised from somewhere within Kuala Lumpur, not sure how and not sure why.
I think I am someone who uses strong passwords but still manages to become compromised...
I feel your frustration.
Quote (originally posted in #5): So many breaches these days. It's getting quite ridiculous. What exactly do these people accomplish with personal information? It's 2011. CreditScore.com is $10/mo. Your CC Bank/Company are pretty powerful in dealing with these situations...not quite sure what the purpose is. To get your Facebook password?
██ l Dedigeeks • Shared • Wordpress • Dedicated • Established 2006
██ l Leading AUSTRALIAN Hosting Provider • Sydney & Melbourne Datacentres
██ l cPanel/WHM • R1Soft Backups • 24/7/365 Support • SMS Hosting Alerts*
██ l www.dedigeeks.com • Managing Director • Service Superstars
-
05-16-2011, 07:55 PM #7Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,816
-
05-16-2011, 08:04 PM #8Web Hosting Master
- Join Date
- Feb 2006
- Posts
- 5,393
This type of hack really underscores the importance of differentiating your login details from site to site.
@quantumphysics The Facebook questions are hilariously easy LOL
WHMEasyBackup.com - Take Control Of Your Backups!
Complete Backup Solution For WHM Reseller Accounts
-
05-16-2011, 08:51 PM #9Web Hosting Evangelist
- Join Date
- Dec 2001
- Posts
- 518
I got the same email and I haven't been with ASO for some time.
These guys have been hacked quite a few times over the years. They really need to work on security.
-
05-16-2011, 09:21 PM #10Web Hosting Master
- Join Date
- May 2008
- Location
- Melbourne, Australia
- Posts
- 10,629
I just received the e-mail now actually...
-
05-16-2011, 09:34 PM #11Disabled
- Join Date
- Apr 2009
- Posts
- 3,262
I would call your credit card company and get a new card. You never know these days.
-
05-16-2011, 11:21 PM #12Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
Sadly this is happening all too often...
What's even more scary is that a lot of WHT providers have no clue on security and run their WHMCS / billing platforms on cPanel boxes with WHM, SSH, FTP open to the public.
They should make you take a test in order to process credit cards, if you have no idea how to secure a box, you shouldn't be allowed to do business.
sigh.
-
05-16-2011, 11:23 PM #13Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
-
05-16-2011, 11:25 PM #14Web Hosting Master
- Join Date
- Mar 2007
- Location
- USA
- Posts
- 5,274
They do. It's called PCI compliance. We have to test and submit a scan report by a verified PCI Scanner every 3 months to our provider.
PCI Compliance includes a lot of the stuff you're talking about. Although our shared servers are not on PCI compliant servers, our corporate sites and billing systems are. No public SSH, no FTP, no Panel, everything locked down.
While how secure PCI really is, is sometimes questioned, that is the requirement of processing cards.
*ASO's email did say they were switching to tokenization, though. That's another method.
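Posts #12 and #14 above describe the same configuration from opposite sides: billing platforms on cPanel boxes with WHM, SSH and FTP open to the world, versus a billing host with "no public SSH, no FTP, no Panel". The following is an added example, written for this thread and not taken from any poster's tooling, of an audit that reads `ss -Hltn` output and flags management ports bound to a wildcard or public address. The sample socket listing is constructed, and the port-to-service table is an assumption about a typical cPanel/WHM install.

```python
"""Added example: flag management services on a billing host that are bound
so that the Internet can reach them. Not any poster's real tooling; the
sample `ss -Hltn` output is constructed and the port table is an assumption
about a cPanel/WHM box.
"""
import ipaddress
import subprocess

# Ports that should never face the public Internet on a billing server (assumption).
MANAGEMENT_PORTS = {
    21: "ftp", 22: "ssh", 2082: "cpanel", 2083: "cpanel-ssl",
    2086: "whm", 2087: "whm-ssl", 2095: "webmail", 2096: "webmail-ssl",
    3306: "mysql",
}

# Constructed sample in the format of `ss -Hltn` (listening TCP sockets, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511          0.0.0.0:2087      0.0.0.0:*
LISTEN 0      128         10.0.0.5:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
"""


def split_addr_port(local: str) -> tuple[str, int]:
    """'0.0.0.0:22' -> ('0.0.0.0', 22); '[::]:80' -> ('::', 80); '*:22' -> wildcard."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "0.0.0.0"
    return host, int(port)


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Extract (bind address, port) from each LISTEN line; column 4 is Local Address:Port."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        listeners.append(split_addr_port(fields[3]))
    return listeners


def reachable_from_internet(host: str) -> bool:
    """A wildcard or globally routable bind is reachable unless a firewall intervenes;
    loopback, RFC 1918 and other special-purpose ranges are not."""
    addr = ipaddress.ip_address(host)
    return addr.is_unspecified or addr.is_global


def audit_listeners(ss_output: str) -> list[dict]:
    """Return one finding per management port that is bound to a reachable address."""
    findings = []
    for host, port in parse_listeners(ss_output):
        if port in MANAGEMENT_PORTS and reachable_from_internet(host):
            findings.append({"port": port, "service": MANAGEMENT_PORTS[port], "bind": host})
    return findings


def audit_live_host() -> list[dict]:
    """Run the same check against the local machine (Linux with iproute2)."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out)


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {f['service']:<12} tcp/{f['port']} bound to {f['bind']}")
```

In the constructed sample, SSH, FTP and WHM on 0.0.0.0 are reported; the second sshd bound to 10.0.0.5 (a private management or VPN interface) and MySQL on loopback are not, and 80/443 are the only public services. The check looks at bind addresses only: a host firewall that drops the traffic would make a wildcard bind harmless in practice, so pair it with a review of the packet filter rather than treating either alone as the answer.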
-
05-16-2011, 11:27 PM #15Web Hosting Master
- Join Date
- Jun 2010
- Location
- Grand Rapids, Mi
- Posts
- 712
-
05-16-2011, 11:47 PM #16Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
Yes -- I know all about PCI, like the back of my hand.
However, you don't *NEED* to follow PCI until you meet a certain threshold of income, which seems to be over 100k/annually, and 95% of the people on WHT don't fall into that category; however, that doesn't mean they shouldn't secure their boxes.
It's only a matter of time when these companies who run on cPanel / shared boxes for billing get hacked and go out of business. Less competition for us, I guess ;-)
-
05-17-2011, 08:22 AM #17Managed Service Provider
- Join Date
- Feb 2004
- Location
- Atlanta, GA
- Posts
- 5,662
-
05-17-2011, 10:02 AM #18Web Hosting Master
- Join Date
- Mar 2007
- Location
- USA
- Posts
- 5,274
-
05-17-2011, 11:50 AM #19Elite Webmaster
- Join Date
- Nov 2008
- Location
- Florida, U.S
- Posts
- 1,738
-
05-17-2011, 11:53 AM #20Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
-
05-17-2011, 11:57 AM #21Elite Webmaster
- Join Date
- Nov 2008
- Location
- Florida, U.S
- Posts
- 1,738
Last edited by CD Burnt; 05-30-2011 at 03:20 AM.
-
05-17-2011, 12:03 PM #22Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
That's exactly the attitude which is going to get you hacked.
Are customer email addresses, passwords and addresses not considered important?
What about if someone gets into your server (based on allowing insecure ports on a billing box), adds their own code to your billing platform and starts sniffing your packets? It won't matter if you process credit cards elsewhere when you are hacked internally; they can redirect your customers elsewhere and grab their data just fine.
-
05-17-2011, 12:08 PM #23Elite Webmaster
- Join Date
- Nov 2008
- Location
- Florida, U.S
- Posts
- 1,738
Did I say that? All I said was that you're wrong saying PCI compliance has an income threshold. And you come back all hurt with your panties in a bunch posting your ignorant responses trying to damage my company? You're a piece of work. Have at it, at least I know who to blame if it happens.
-
05-17-2011, 12:14 PM #24Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
Once you are at one of those levels, you are required to pass yearly tests. Until then, you're not (unless your merchant account decides to make you).
This doesn't mean you shouldn't follow it, because you should on day 1, however there are income levels as stated above.
This thread is a bit off topic.
-
05-17-2011, 12:17 PM #25<< Insert Funny Title >>
- Join Date
- Jun 2004
- Location
- California
- Posts
- 681
If we're all going to go insane... then maybe having your billing portal be web accessible on port 80 isn't the 100% SAFEST possible way to protect your customer information. After all, what if your billing system got hacked, malicious code inserted, and someone sniffed out payment information of your customers?
Obligatory proof that I too can connect to a random HTTP server with telnet:
telnet billing.stablehost.com 80
Trying 173.255.198.45...
Connected to billing.stablehost.com.