Perhaps your company has been hacked or you fear it will be.
If so, you’re likely in the market for a web security firm.
But what if your web security firm is the one that was hacked?
That’s a reality for Staminus Communications, a Newport Beach-based hosting and distributed denial of service (DDoS) protection company that went offline Thursday morning after what a representative described as “a rare event [that] cascaded across multiple routers in a system wide event, making our backbone unavailable.”
The hackers dumped names, e-mail addresses, database table structures, routing tables and other personal information belonging to Staminus customers.
Then they added insult to injury by posting this:
TIPS WHEN RUNNING A SECURITY COMPANY
* Use one root password for all the boxes
* Expose PDUs [power distribution units in server racks] to WAN with telnet auth
* Never patch, upgrade or audit the stack
* Disregard PDO [PHP Data Objects] as inconvenient
* Hedge entire business on security theatre
* Store full credit card info in plaintext
* Write all code with wreckless abandon
The spelling error in the last one aside … OUCH!
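Of those tips, "Disregard PDO as inconvenient" is the one that maps most directly onto code: PHP Data Objects is the interface that gives PHP parameterized queries, and skipping it usually means building SQL by string concatenation. The following is an added example, not code from the article or from Staminus. It assumes an in-memory SQLite database and a constructed `customers` table, and shows the same lookup written both ways.

```php
<?php
// Added example, not from the article or from Staminus. Contrasts a query
// assembled by string concatenation with the same query as a PDO prepared
// statement. The customers table and its rows are constructed sample data;
// the SQLite database exists only in memory for the duration of the script.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$db->exec("INSERT INTO customers (email, name) VALUES
    ('alice@example.test', 'Alice'),
    ('bob@example.test',   'Bob')");

// The "inconvenient PDO skipped" version: the untrusted value is spliced into
// the SQL text, so it can change the structure of the statement, not just a value.
function lookupConcatenated(PDO $db, string $email): array
{
    $sql = "SELECT id, email, name FROM customers WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The PDO version: the SQL text is fixed at prepare time and the value is
// bound separately, so it is only ever compared as data.
function lookupPrepared(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, email, name FROM customers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one ordinary address and one that contains a quote
// character, the kind of value input validation alone tends to miss.
$benign  = 'alice@example.test';
$quoted  = "' OR '1'='1";

printf("concatenated, benign : %d row(s)\n", count(lookupConcatenated($db, $benign)));
printf("concatenated, quoted : %d row(s)\n", count(lookupConcatenated($db, $quoted)));
printf("prepared, benign     : %d row(s)\n", count(lookupPrepared($db, $benign)));
printf("prepared, quoted     : %d row(s)\n", count(lookupPrepared($db, $quoted)));
```

Run with `php example.php`. The concatenated lookup returns one row for the ordinary address and the whole table for the quoted one, because the quote terminates the string literal and the rest becomes part of the WHERE clause; the prepared lookup returns one row and zero rows respectively, since the bound value is compared as a plain string and no customer has that e-mail address. That difference is what the "inconvenient" abstraction buys.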
An analysis by Ars Technica found that no credit card information belonging to Staminus customers was included in the dump following what it called the “easy breach.”
That would really byte.