  1. #76
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    I would be interested to know the PCI status, from what I have heard it sounds like there were some problems.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  2. #77
    Join Date
    Oct 2008
    Posts
    2,253
    Quote Originally Posted by eth00 View Post
    I would be interested to know the PCI status, from what I have heard it sounds like there were some problems.
    Well, I know stuff gets hacked sometimes, but it's the fact that WHT had the data illegally which frustrates me.
    Leader of the new anti sig spamming club.

  3. #78
    Join Date
    Aug 2005
    Posts
    521
    Quote Originally Posted by calande View Post
    I think this screenshot can prove useful. This is taken from Digital Point, a popular forum operated by a San Diego, CA company. The guys can locate the user using his IP address, and trace him.
    I think he would be smarter than to use an IP that leads back to him.

  4. #79
    Join Date
    Sep 2006
    Location
    Cardiff - United Kingdom
    Posts
    1,569
    Just got the list - yes, CCV details were stored there illegally.

    Nice job WHT.

    Can you please provide (before the hacker does it, that is) information regarding what other data you held? I notice that `account_id` and `address_id` are key fields meaning a table would be made for those...

    ... meaning our addresses have also been compromised, right? What else is stored in the tables related to these key fields?

  5. #80
    Join Date
    Feb 2008
    Location
    Texas, USA
    Posts
    445
    That's why Paypal payments are the best.
    HJI Technologies, LLC - A New Uncompromising Experience, Since 2014
    Shared Hosting | Resellers Hosting | VPS Hosting
    Add Incredible Value to YOUR Business | 30-Day Money Back Guarantee*
    Get Started Today! | Sales: (806) 724-8004

  6. #81
    Join Date
    Mar 2009
    Location
    Texas
    Posts
    942
    I was thinking the same thing eth00. It sounds to me like iNET/WHT are going to be looking at lawsuits and fines in the near future.

    The question hasn't been answered though, why was inet storing this stuff on the servers in the first place?

  7. #82
    Join Date
    Sep 2006
    Location
    Cardiff - United Kingdom
    Posts
    1,569
    Quote Originally Posted by HostLonestar-Randy View Post
    I was thinking the same thing eth00. It sounds to me like iNET/WHT are going to be looking at lawsuits and fines in the near future.

    The question hasn't been answered though, why was inet storing this stuff on the servers in the first place?
    Yep.

    And for that last bit: the terms "amateurish" and "illegally stored" come to mind.

    Quote Originally Posted by Androgen View Post
    That's why Paypal payments are the best.
    That's the thing that confuses me - I paid for advertising via PayPal.. unless I bought something from WHT (never again) a while back via my (now, thankfully, expired) debit card?

  8. #83
    Join Date
    Apr 2006
    Location
    Phoenix, AZ, USA
    Posts
    771
    Quote Originally Posted by HostLonestar-Randy View Post
    I was thinking the same thing eth00. It sounds to me like iNET/WHT are going to be looking at lawsuits and fines in the near future.

    The question hasn't been answered though, why was inet storing this stuff on the servers in the first place?
    It's an absolute << removed >> joke is what it is.

    WHT has compromised our security in a way that is illegal.

    Everyone should be extremely disappointed with the way this has been handled and the irresponsible actions of iNET WILL lead to lawsuits and hopefully the end of their merchant account and future.

    You stored the CCV Numbers - There is no excuse.
    Last edited by writespeak; 04-08-2009 at 10:02 PM.

  9. #84
    That's why you store all customer information on paper, held offline, in a safe. Been doing it like that for years, ignoring the occasional complaint from customers about information not being available online. I don't care how secure you think the information is, if there is a network cable attached to it, it isn't secure.

  10. #85
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,901
    For AMEX card holders who are on the list, AMEX Customer Service confirms that even if the card has expired, as long as you still have an active AMEX account, they will process and approve a charge against an expired card. In their words, they do this "as a courtesy for their customers".

    AMEX Customers should call 800-992-3404 to report their card information.

    Sirius
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  11. #86
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,105
    <<snipped removed quoted post>>

    I will give my personal opinion on this.

    As someone that has been in IT for over 20 years and by day runs a pretty large IT organization for a large business I know and I think you all know that there are things that you "know" sometimes that are proven wrong later.

    I am sure INET and SoftwareRevue were and still are posed with a dilemma. As my wife would say "Disclosure is good for the soul" so you want to disclose what you "know" as soon as you "know" it. The problem is you are sometimes proved wrong. I am quite sure that you have looked at problems before and dismissed one potential solution / root cause based on some symptom only to find out later that it was in fact true. If you haven't it is only because you are young to IT, believe me at some point everyone does.

    My information is in there as well so I can speak from the viewpoint of most of the people here. It sucks but I for one and I am sure most of you if you think about it would agree that Dennis on behalf of INET is not deliberately withholding any information. They looked and thought they understood the scope of the breach before and were wrong it appears. There is no benefit to not telling people and I think as information comes to them, they are telling people.

    I am not downplaying this at all just saying that I think it is a bit unfair (but I get that people need to express themselves) to suggest that people are not telling the truth as they know it after doing as good of a review as possible in the timeframe. Again the dilemma of telling people early enough but doing as thorough a job of finding out everything you possibly can.

    I was at a Canadian bank when a division (not mine!) was sending faxes of personal information to a small business in the US and the review that happened then was pretty thorough. We just did not believe with the safeguards in place that what was initially reported could have possibly happened when it was one of the safeguards themselves that allowed it to happen.
    Last edited by bear; 04-08-2009 at 10:19 AM.
    CloudNexus Technology Services
    Managed Services

  12. #87
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,105
    Quote Originally Posted by page-zone View Post
    That's why you store all customer information on paper, held offline, in a safe. Been doing it like that for years, ignoring the occasional complaint from customers about information not being available online. I don't care how secure you think the information is, if there is a network cable attached to it, it isn't secure.
    PCI says you can't do this by the way if you are referring to CC info.
    CloudNexus Technology Services
    Managed Services

  13. #88
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    I don't care what any of you have to say in defending WHT.

    INET you have failed us. The simple fact you had CVV2 codes and you don't remove people's cards upon request show how pathetic of a company you are.

    PCI compliance guys.

    And to say it's what you knew at the time? Who told you it was okay? mat?

    There was a 'hack' months ago that was made public on wht, and it was denied by Mat.

    See what happens when you try to hide things?

    /me goes back to bed.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  14. #89
    Join Date
    Jan 2003
    Location
    UK
    Posts
    131
    We're still waiting for WHT to inform the card holders personally of this data breach.

    We know our card details from 2005 were made public because we have a copy of the user and CC tables, whilst the cv2 and expiry were no longer valid the card number was!

    Naturally we cancelled the new card with the same card number immediately, but if we can find a copy of the cc table and identify ourselves as compromised why has WHT not yet done this themselves?

  15. #90
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,105
    Quote Originally Posted by Steven View Post
    I don't care what any of you have to say in defending WHT.

    INET you have failed us. The simple fact you had CVV2 codes and you don't remove people's cards upon request show how pathetic of a company you are.

    PCI compliance guys.

    And to say it's what you knew at the time? Who told you it was okay? mat?

    There was a 'hack' months ago that was made public on wht, and it was denied by Mat.

    See what happens when you try to hide things?

    /me goes back to bed.
    Ya go back to bed Steven. You have my opinion. I am in the same boat as you guys.
    CloudNexus Technology Services
    Managed Services

  16. #91
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,105
    Quote Originally Posted by Crucial Web Host View Post
    iNET Shills - make another excuse.

    Where can we find out which card we have on the list?

    edit: Too upset to even comment.
    I don't work for INET. I volunteer to help moderate this board. You are being silly to think I would shill for anyone.
    CloudNexus Technology Services
    Managed Services

  17. #92
    Join Date
    Oct 2005
    Posts
    397
    WHT now must need to be Level 1 PCI compliant:
    Level 1 PCI Compliance This is for very large businesses, or sites that have been hacked or designated by credit card companies for Level 1 status. You'll be required to have an annual on-site security audit, and quarterly system perimeter scans. You need professional help!
    They are also subject to a large fine, from what I understand, at HostingCon one of the speakers there said a company was fined $37,000 when only 7 credit cards were stolen.

    I think Inet needs to attend the PCI speakers at their own Hosting Conference, LOL
    Last edited by jalapeno55; 04-08-2009 at 10:20 AM.

  18. #93
    Join Date
    Oct 2006
    Location
    /usr/src/linux/
    Posts
    700
    Believe storing cvv2 numbers is illegal, defeats the whole purpose of such verification.
    VPSnoc.com offers high quality Xen® OpenVZ & Windows® Virtual Private Servers at affordable prices.
    99.95% Uptime | 24/7/365 Support | Unmetered bandwidth.
    Follow us: twitter.com/VPSnoc

  19. #94
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,901
    Quote Originally Posted by DigitalLinx View Post
    Believe storing cvv2 numbers is illegal, defeats the whole purpose of such verification.
    Yeah, I think that point has been pretty well covered.

    Sirius
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  20. #95
    Join Date
    Jan 2003
    Location
    UK
    Posts
    131
    For anyone questioning what data was compromised or not, the table structure:

    CREATE TABLE `creditcard` (
    `card_id` int(11) NOT NULL auto_increment,
    `account_id` int(11) NOT NULL default '0',
    `address_id` int(11) NOT NULL default '0',
    `cardnumber` bigint(20) NOT NULL default '0',
    `expdate` varchar(10) NOT NULL default '',
    `cardcode` varchar(5) NOT NULL default '0',

    `issueingbank` varchar(50) NOT NULL default '',
    `nameoncard` varchar(50) NOT NULL default '',
    `status` enum('valid','removed','modified','fraud','chargeback','other') NOT NULL default 'valid',
    `friendlyname` varchar(100) NOT NULL default '',
    `admin_note_id` int(11) NOT NULL default '0',
    `customer_note_id` int(11) NOT NULL default '0',
    `creation_timestamp` bigint(20) NOT NULL default '0',
    `creation_session_id` int(11) NOT NULL default '0',
    `modify_timestamp` bigint(20) NOT NULL default '0',
    `modify_session_id` int(11) NOT NULL default '0',
    `removal_timestamp` bigint(20) NOT NULL default '0',
    `removal_session_id` int(11) NOT NULL default '0',
    PRIMARY KEY (`card_id`),
    KEY `account_id` (`account_id`,`address_id`,`cardnumber`)
    ) TYPE=MyISAM PACK_KEYS=0;

    *our* cancelled CC details (Anon added):

    ('246', '819', '311', '5473677021731320', '12/2005', '119', 'Natwest MasterCard', 'G Anon', 'valid', 'GAnon', '0', '0', '1079448393', '14666', '0', '0', '0', '0');
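
An added example, not part of the thread or any poster's code: a small Python check that reads a MySQL `CREATE TABLE` dump like the one in post #95 and flags columns that look like stored verification codes or cleartext card numbers. The column-name lists, the `payment_method` table and the function names are assumptions made for this illustration.

```python
import re

# Normalised names (lower-case, no underscores); assumed lists, not a PCI DSS vocabulary.
CVV_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "csc", "cid", "cardcode", "securitycode"}
PAN_NAMES = {"cardnumber", "ccnumber", "ccnum", "cardno", "pan"}
EXPIRY_NAMES = {"expdate", "expiry", "expirydate", "expmonth", "expyear"}
NOT_COLUMNS = {"PRIMARY", "KEY", "UNIQUE", "INDEX", "CONSTRAINT", "FOREIGN", "FULLTEXT"}
TABLE_RE = re.compile(r"CREATE\s+TABLE\s+`?(\w+)`?", re.I)
COLUMN_RE = re.compile(r"^\s*`?(\w+)`?\s+(\w+)(?:\(([^)]*)\))?")

# Schema from post #95 on this page, shortened to the columns that matter here.
DDL_FROM_POST = """
CREATE TABLE `creditcard` (
`card_id` int(11) NOT NULL auto_increment,
`account_id` int(11) NOT NULL default '0',
`cardnumber` bigint(20) NOT NULL default '0',
`expdate` varchar(10) NOT NULL default '',
`cardcode` varchar(5) NOT NULL default '0',
PRIMARY KEY (`card_id`),
KEY `account_id` (`account_id`,`address_id`,`cardnumber`)
) TYPE=MyISAM PACK_KEYS=0;
"""

# Constructed alternative: keep only a processor token and the last four digits.
DDL_TOKENISED = """
CREATE TABLE `payment_method` (
`method_id` int(11) NOT NULL auto_increment,
`gateway_token` varchar(64) NOT NULL default '',
`last4` char(4) NOT NULL default '',
PRIMARY KEY (`method_id`)
) ENGINE=InnoDB;
"""

def parse_columns(ddl):
    """Yield (table, column, sql_type, length) for each column definition."""
    table = None
    for line in ddl.splitlines():
        start = TABLE_RE.search(line)
        if start:
            table = start.group(1)
        elif line.lstrip().startswith(")"):
            table = None  # end of the CREATE TABLE body
        elif table:
            col = COLUMN_RE.match(line)
            if col and col.group(1).upper() not in NOT_COLUMNS:
                length = int(col.group(3)) if (col.group(3) or "").isdigit() else None
                yield table, col.group(1), col.group(2).lower(), length

def audit(ddl):
    # Returns (severity, table.column, reason) for each suspicious column.
    findings = []
    for table, column, sql_type, length in parse_columns(ddl):
        name = column.lower().replace("_", "")
        where = f"{table}.{column}"
        if name in CVV_NAMES:
            findings.append(("FAIL", where, "verification code must not be stored after authorization"))
        elif name in PAN_NAMES:
            # A numeric type or a field of 19 characters or fewer is sized for raw digits.
            plain = "int" in sql_type or sql_type == "decimal" or (length or 99) <= 19
            findings.append(("FAIL" if plain else "REVIEW", where, "PAN must be unreadable at rest"))
        elif name in EXPIRY_NAMES:
            findings.append(("REVIEW", where, "cardholder data; protect it wherever the PAN is kept"))
    return findings

if __name__ == "__main__":
    print(*audit(DDL_FROM_POST), sep="\n")
```

A name-based check like this only catches columns that are labelled honestly, so it complements rather than replaces a scan of the stored values themselves.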

  21. #96
    Quote Originally Posted by Coolraul View Post
    PCI says you can't do this by the way if you are referring to CC info.
    You can store cc numbers in a safe, just can't store the card id number. And Quickbooks POS does not require that number to run a charge. AFAIK, I'm completely compliant, right down to the video cameras surrounding my house, and the large immovable safe.
    Last edited by page-zone; 04-08-2009 at 10:35 AM.

  22. #97
    Join Date
    Mar 2009
    Posts
    634
    Reported another mirror in the main post of the topic, did the hacker imply that he used social engineering to get into the server? (Which he mentioned as being not one of the best).

    Edit:

    ..what? As soon as I heard of the hack (a while after) I re-registered with a new email (since my account was deleted.) The backup I just reported has my new email that I just registered with and didn't exist before the hack?
    Last edited by cedricd; 04-08-2009 at 10:51 AM. Reason: New info..

  23. #98
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    Coolraul, you may not be paid by iNET however you have a direct interest to protect them and as such your opinion is biased. So please do not spin the nonsense that this is even remotely acceptable.

    Bottom line - We were told no credit card data was compromised when the FACTS show this was in fact a direct lie. It's very clear now that iNET either knew those tables were taken or had no way of knowing and lied reassuring us that no credit card data was taken and our data was safe.

    Continually throughout both of these incidents iNET has posted misleading information. Even their own status page when occurred and was redirected stated this was taken from the first compromised (later removed) which is clearly inaccurate. How can an onlooker know that this was false within a few minutes and iNET take several hours and still get it wrong?

    The timestamp of the last card in the cc table is from March 25th which proves otherwise that the first statement posted was incorrect. I also confirmed this with my password hash, which matches a password I used after March 23rd for a week and then reset it.

    Which ultimately confirms that the database was 100% taken after March 23rd.

    It's very infuriating that not only have you been compromised several times but that each and every time the information posted is misleading and self-serving. From the time you were compromised months and months ago it was stated that this essentially didn't happen and was "development code". The question still hasn't been answered to this day, if this was "development code" what interest does iNET have in our unencrypted passwords? It is fairly evident that WHT was compromised back then and it was shrugged off as if it was nothing. The very fact that the forum was "backdoored" and the system administrators were totally oblivious to this fact until users of the forum highlighted it speaks volumes. To then go on and deny it and put it down to something else shows the true integrity of iNET.

    All in all this is totally unacceptable, I am sick and tired of seeing these type of incidents here and they always go the same, iNET publishes self-serving, misleading information, the technically savvy users notice this is wrong and doesn't add up and question them. These questions go largely unanswered and if anything does get answers it's always only specific tiny irrelevant parts that get picked. It's the same old nonsense.

    Here is one of the best posts to this thread,

    Quote Originally Posted by DephNet[Paul] View Post
    Dennis,

    Can you confirm that the developers were 100% convinced that no critical data was exposed? Even if the devs were only 99% sure that critical data was exposed then the line of "Absolutely no data was exposed" can be seen to be a lie.

    I know you are not one of the developers, and please do not think I was attacking you personally Dennis.
    Will it be answered and if it does will it even answer the direct question? There are only 2 choices for the answer,

    1) The developers were 100% convinced there was no critical data exposed.
    2) They were only 99% convinced there was no critical data exposed.

    Moving forward why have I still not been informed that my data is floating around the internet? A thread can be created but you cannot contact the affected users? In my opinion contacting the affected users should have been done immediately, there is nothing to check, you have a list of their credit cards sitting right in front of you, it's all over the internet.

    Everyone affected by it, or who even has the database, should contact the necessary card issuers and iNET's processor and ensure you explain you are sitting looking at thousands of other individuals' credit cards, full with cvv. I strongly encourage everyone to do this.

    Not really sure why I expect better when time and time again you prove your total incompetence.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  24. #99
    Join Date
    Apr 2004
    Location
    UK
    Posts
    1,334
    Quote Originally Posted by cedricd View Post
    ..what? As soon as I heard of the hack (a while after) I re-registered with a new email (since my account was deleted.) The backup I just reported has my new email that I just registered with and didn't exist before the hack?
    You raise a good point here. I've just checked my hash in this recently leaked database, and it matches a new password I created after the March 21st leak. This recently leaked user database cannot have been the same one taken on or around March 21st (the initial compromise)...

  25. #100
    Join Date
    Oct 2005
    Location
    UK
    Posts
    552
    Did you change your password/e-mail on or before the 25th of March? The data appears to have been taken on the 25th of March - there was a further explanation somewhere on the forum, but I don't know where it is right now.