Results 76 to 100 of 495
-
04-08-2009, 08:59 AM #76Web Hosting Master
- Join Date
- Apr 2003
- Location
- NC
- Posts
- 3,093
I would be interested to know the PCI status, from what I have heard it sounds like there were some problems.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service0
-
04-08-2009, 09:00 AM #77Web Hosting Master
- Join Date
- Oct 2008
- Posts
- 2,253
0
-
04-08-2009, 09:09 AM #78Web Hosting Evangelist
- Join Date
- Aug 2005
- Posts
- 521
0
-
04-08-2009, 09:12 AM #79Web Hosting Master
- Join Date
- Sep 2006
- Location
- Cardiff - United Kingdom
- Posts
- 1,569
Just got the list - yes, CCV details were stored there illegally.
Nice job WHT.
Can you please provide (before the hacker does it, that is) information regarding what other data you held? I notice that `account_id` and `address_id` are key fields meaning a table would be made for those...
... meaning our addresses have also been comprised, right? What else is stored in the tables related to these key fields?0
-
04-08-2009, 09:12 AM #80Aspiring Evangelist
- Join Date
- Feb 2008
- Location
- Texas, USA
- Posts
- 445
That's why Paypal payments are the best.
█ HJI Technologies, LLC - A New Uncompromising Experience, Since 2014
█ Shared Hosting | Resellers Hosting | VPS Hosting
█ Add Incredible Value to YOUR Business | 30-Day Money Back Guarantee*
█ Get Started Today! | Sales: (806) 724-80040
-
04-08-2009, 09:13 AM #81Web Hosting Master
- Join Date
- Mar 2009
- Location
- Texas
- Posts
- 942
I was thinking the same thing eth00. It sounds to me like iNET/WHT are going to be looking at lawsuits and fines in the near future.
The question hasn't been answered though, why was inet storing this stuff on the servers in the first place?0
-
04-08-2009, 09:17 AM #82Web Hosting Master
- Join Date
- Sep 2006
- Location
- Cardiff - United Kingdom
- Posts
- 1,569
Yep.
And for that last bit: the terms "amateurish" and "illegally stored" come to mind.
That's the thing that confuses me - I paid for advertising via PayPal.. unless I bought something from WHT (never again) a while back via my (now, thankfully, expired) debit card?0
-
04-08-2009, 09:21 AM #83Web Hosting Master
- Join Date
- Apr 2006
- Location
- Phoenix, AZ, USA
- Posts
- 771
It's an absolute << removed >> joke is what it is.
WHT has comprimised our security in a way that is illegal.
Everyone should be extremely dissappointed with the way this has been handled and the irresponisble actions of iNET WILL lead to lawsuits and the hopefully the end of their merchant account and future.
You stored the CCV Numbers - There is no excuse.Last edited by writespeak; 04-08-2009 at 10:02 PM.
0
-
04-08-2009, 09:22 AM #84Web Host
- Join Date
- Jun 2002
- Posts
- 1,798
That's why you store all customer information on paper, held offline, in a safe. Been doing it like that for years, ignoring the occasional complaint from customers about information not being available online. I don't care how secure you think the information is, if there is a network cable attached to it, it isn't secure.
0
-
04-08-2009, 09:33 AM #85Retired Moderator
- Join Date
- Nov 2002
- Location
- WebHostingTalk
- Posts
- 8,901
For AMEX card holders who are on the list, AMEX Customer Service confirms that even if the card has expired, as long as you still have an active AMEX account, they will process and approve a charge against an expired card. In their words, they do this "as a courtesy for their customers".
AMEX Customers should call 800-992-3404 to report their card information.
SiriusI support the Human Rights Campaign!
Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.0
-
04-08-2009, 09:47 AM #86Retired Moderator
- Join Date
- May 2004
- Location
- Toronto, Canada
- Posts
- 5,105
<<snipped removed quoted post>>
I will give my personal opinion on this.
As someone that has been in IT for over 20 years and by day runs a pretty large IT organization for a large business I know and I think you all know that there are things that you "know" sometimes that are proven wrong later.
I am sure INET and SoftwareRevue were and still are posed with a dilemna. As my wife would say "Disclosure is good for the soul" so you want to disclose what you "know" as soon as you "know" it. The problem is you are sometimes proved wrong. I am quite sure that you have looked at problems before and dismissed one potential solution / root cause based on some symptom only to find out later that it was in fact true. If you haven't it is only because you are young to IT, believe me at some point everyone does.
My information is in there as well so I can speak from the viewpoint of most of the people here. It sucks but I for one and I am sure most of you if you think about it would agree that Dennis on behalf of INET are not deliberatly witholding any information. They looked and thought they understood the scope of the breach before and were wrong it appears. There is no benefit to not telling people and I think as information comes to them, they are telling people.
I am not downplaying this at all just saying that I think it is a bit unfair (but I get that people need to express themselves) to suggest that people are not telling the truth as they know it after doing as good of a review as possible in the timeframe. Again the dilemna of telling people early enough but doing as thorough a job of finding out everything you possibly can.
I was at a Canadian bank when a division (not mine!) was sending faxes of personal informataion to a small business in the US and the review that happened then was pretty thorough. We just did not believe with the safegaurds in place that what was initially reported could have possibly happened when it was one of the safegaurds themselves that allowed it to happen.Last edited by bear; 04-08-2009 at 10:19 AM.
CloudNexus Technology Services
Managed Services0
-
04-08-2009, 09:50 AM #87Retired Moderator
- Join Date
- May 2004
- Location
- Toronto, Canada
- Posts
- 5,105
0
-
04-08-2009, 09:50 AM #88Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
I don't care what any of you have to say in defending WHT.
INET you have failed us. The simple fact you had CVV2 codes and you don't remove people's cards upon request show how pathetic of a company you are.
PCI compliance guys.
And to say its what you knew at the time? Who told you it was okay? mat?
There was a 'hack' months ago that was made public on wht, and it was denied by Mat.
See what happens when you try to hide things?
/me goes back to bed.Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance0
-
04-08-2009, 09:58 AM #89WHT Addict
- Join Date
- Jan 2003
- Location
- UK
- Posts
- 131
We're still waiting for WHT to inform the card holders personally of this data breach.
We know our card details from 2005 were made public because we have a copy of the user and CC tables, whilst the cv2 and expiry were nolonger valid the card number was!
Naturally we cancelled the new card with the same card number immediately, but if we can find a copy of the cc table and identify ourselves as compromised why has WHT not yet done this themselves?0
-
04-08-2009, 10:06 AM #90Retired Moderator
- Join Date
- May 2004
- Location
- Toronto, Canada
- Posts
- 5,105
0
-
04-08-2009, 10:08 AM #91Retired Moderator
- Join Date
- May 2004
- Location
- Toronto, Canada
- Posts
- 5,105
0
-
04-08-2009, 10:12 AM #92Aspiring Evangelist
- Join Date
- Oct 2005
- Posts
- 397
WHT now must need to be Level 1 PCI compliant:
Level 1 PCI Compliance This is for very large businesses, or sites that have been hacked or designated by credit card companies for Level 1 status. You'll be required to have an annual on-site security audit, and quarterly system perimeter scans. You need professional help!
I think Inet needs to attend the PCI speakers at their own Hosting Conference, LOLLast edited by jalapeno55; 04-08-2009 at 10:20 AM.
0
-
04-08-2009, 10:14 AM #93Web Hosting Master
- Join Date
- Oct 2006
- Location
- /usr/src/linux/
- Posts
- 700
Believe storing cvv2 numbers is illegal, defeats the whole purpose of such verification.
█ VPSnoc.com offers high quality Xen® OpenVZ & Windows® Virtual Private Servers at affordable prices.
█ 99.95% Uptime | 24/7/365 Support | Unmetered bandwidth.
█ Follow us: twitter.com/VPSnoc
0
-
04-08-2009, 10:18 AM #94Retired Moderator
- Join Date
- Nov 2002
- Location
- WebHostingTalk
- Posts
- 8,901
I support the Human Rights Campaign!
Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.0
-
04-08-2009, 10:19 AM #95WHT Addict
- Join Date
- Jan 2003
- Location
- UK
- Posts
- 131
For anyone questioning what data was compromised or not, the table structure:
CREATE TABLE `creditcard` (
`card_id` int(11) NOT NULL auto_increment,
`account_id` int(11) NOT NULL default '0',
`address_id` int(11) NOT NULL default '0',
`cardnumber` bigint(20) NOT NULL default '0',
`expdate` varchar(10) NOT NULL default '',
`cardcode` varchar(5) NOT NULL default '0',
`issueingbank` varchar(50) NOT NULL default '',
`nameoncard` varchar(50) NOT NULL default '',
`status` enum('valid','removed','modified','fraud','chargeback','other') NOT NULL default 'valid',
`friendlyname` varchar(100) NOT NULL default '',
`admin_note_id` int(11) NOT NULL default '0',
`customer_note_id` int(11) NOT NULL default '0',
`creation_timestamp` bigint(20) NOT NULL default '0',
`creation_session_id` int(11) NOT NULL default '0',
`modify_timestamp` bigint(20) NOT NULL default '0',
`modify_session_id` int(11) NOT NULL default '0',
`removal_timestamp` bigint(20) NOT NULL default '0',
`removal_session_id` int(11) NOT NULL default '0',
PRIMARY KEY (`card_id`),
KEY `account_id` (`account_id`,`address_id`,`cardnumber`)
) TYPE=MyISAM PACK_KEYS=0;
*our* cancelled CC details (Anon added):
('246', '819', '311', '5473677021731320', '12/2005', '119', 'Natwest MasterCard', 'G Anon', 'valid', 'GAnon', '0', '0', '1079448393', '14666', '0', '0', '0', '0');0
-
04-08-2009, 10:21 AM #96Web Host
- Join Date
- Jun 2002
- Posts
- 1,798
Last edited by page-zone; 04-08-2009 at 10:35 AM.
0
-
04-08-2009, 10:47 AM #97Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 634
Reported another mirror in the main post of the topic, did the hacker imply that he used social engineering to get into the server? (Which he mentioned as being not one of the best).
Edit:
..what? As soon as I heard of the hack (a while after) I re registered with a new email (since my account was deleted.) The backup I just reported has my new email that I just registered with and didn't exist before the hack?Last edited by cedricd; 04-08-2009 at 10:51 AM. Reason: New info..
0
-
04-08-2009, 11:10 AM #98Engineer
- Join Date
- Jan 2005
- Location
- Scotland, UK
- Posts
- 2,681
Coolraul, you may not be paid by iNET however you have a direct interest to protect them and as such your opinion biased. So please do not spin the nonsense that this is even remotely acceptable.
Bottom line - We were told no credit card data was compromised when the FACTS show this was in fact a direct lie. It's very clear now that iNET either knew those tables were taken or had no way of knowing and lied reassuring us that no credit card data was taken and our data was safe.
Continually throughout both of these incidents iNET has posted misleading information. Even their own status page when occurred and was redirected stated this was taken from the first compromised (later removed) which is clearly inaccurate. How can an onlooker know that this was false within a few minutes and iNET take several hours and still get it wrong?
The timestamp of the last card in the cc table is from March 25th which proves otherwise that the first statement posted was incorrect. I also confirmed this with my password hash, which matches a password I used after March 23rd for a week and then reset it.
Which ultimately confirms that the database was 100% taken after March 23rd.
It's very infuriating that not only have you been compromised several times but that each and every time the information posted is misleading and self-serving. From the time you were compromised months and months ago it was stated that this essentially didn't happen and was "development code". The question still hasn't been answered do this day, if this was "development code" what interest does iNET have in our unencrypted passwords? It is fairly evident that WHT was compromised back then and it was shrugged off as if it was nothing. The very fact that the forum was "backdoored" and the system administrators were totally oblivious to this fact until users of the forum highlighted it speaks volumes. To then go on and deny it and put it down to something else shows the true integrity of iNET.
All in all this is totally unacceptable, I am sick and tired of seeing these type of incidents here and they always go the same, iNET publishes self-serving, misleading information, the technical savvy users notice this is wrong and doesn't add up and questions them. These questions go largely un-answered and if anything does get answers it's always only specific tiny irrelevant parts that get picked. it's the same old nonsense.
Here is one of the best posts to this thread,
Will it be answered and if it does will it even answer the direct question? There are only 2 choices for the answer,
1) The developers were 100% convinced there was no critical data exposed.
2) They were only 99% convinced there was no critical data exposed.
Moving forward why have I still not been informed that my data is floating around the internet? A thread can be created but you cannot contacted the effected users? In my opinion contacting the effected users should have been done immediately, there is nothing to check, you have a list of their credit cards sitting right in front of you, it's all over the internet.
Everyone effected by it, or who even has the database, should contact the necessary card issuers and iNET's processor and ensure you explain you are sitting looking at thousands of others individuals credit cards, full with cvv. I strongly encourage everyone to do this.
Not really sure why I expect better when time and time again you prove your total incompetence.Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com0
-
04-08-2009, 11:14 AM #99Web Hosting Master
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 1,334
You raise a good point here. I've just checked my hash in this recently leaked database, and it matches a new password I created after the March 21st leak . This recently leaked user database cannot have been the same one taken on or around March 21st (the initial compromise)...
0
-
04-08-2009, 11:17 AM #100Web Hosting Master
- Join Date
- Oct 2005
- Location
- UK
- Posts
- 552
Did you change your password/e-mail on or before the 25th of March? The data appears to have been taken on the 25th of March - there was a further explanation somewhere on the forum, but I don't know where it is right now.
0