Fasthosts customer? Change your password now

Fasthosts, "the UK's number 1 web host", has fired off emergency emails telling customers to change all their passwords after police were called in to investigate a major data breach. The Gloucester-based firm contacted The Reg this morning with a statement. It said: "As the breach could relate to Fasthosts customer data..."

COMMENTS

This topic is closed for new posts.


  1. Matt Horrocks

    Lack of encryption

    "Historically, Internet companies have rarely encrypted passwords to aid customer service."

    How's this "aid customer service"? Luser 'phones up asking for the password? Wouldn't it be just as easy to go "No, we can't tell you it, but we *can* reset it to "dogfood24", done".

    Just hope they don't lose their "security warning" e-mail in transit from themselves to their customers via.. their MTA. Reckon it's a likely chance of them losing most of it then.

  2. BoldMan
    Alien

    What a load of bollocks!

    "Historically, Internet companies have rarely encrypted passwords to aid customer service."

    Only if you are lazy buggers who can't be bothered to implement proper password security and resetting procedures - note I said resetting NOT recovery. If any login system includes an option to "send your password" if you've forgotten it, avoid it like the plague if it's important. This means they are keeping passwords in plain text. Anyone with ANY common sense should give you an option to reset your password instead.

  3. Anonymous Coward
    Alert

    Important information about your Fasthosts account

    We are writing to inform you that we have recently discovered evidence of a network intrusion involving a Fasthosts server. We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords.

    We have since closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again.

    We therefore recommend, as a precaution, that you now change the following passwords on your account, both for your personal use, and for your customers:

    Your main account control panel login password

    All email (Standard, Advanced and Exchange mailbox) passwords for you and your customers' mailboxes

    All FTP passwords

    All MySQL and MS SQL database passwords

    These can all be changed within your control panel. Further details on how to change your passwords can also be found in the support section of our website.

    We strongly recommend that you choose secure passwords so that they cannot easily be guessed. These passwords should include the following:

    It should be a minimum of 8 characters long

    It should contain an upper case and a lower case letter

    It should also contain at least one number (numeric)

    We recognise that this may cause some inconvenience and concern, and for that we sincerely apologise. Please be assured that your account security is extremely important to us, and we have taken every step possible to secure your information against any future intrusion attempts.

  4. Anonymous Coward
    Thumb Down

    Fasthosts is becoming a joke

    We have used Fasthosts for over 6 years without many problems (if you understand that you get what you pay for).

    I have just received the 'change your passwords' email and now have to change over 2000 passwords.

    This is one of the final insults from a company whose support has been diving downhill, for example I have to book 1 week in advance to have an engineer look at a possible critical hardware failure on one of our dedicated server discs.

    SIGH !

    J

  5. Michael Parker

    ...rarely encrypted passwords to aid customer service.

    Yeah, that makes sense. "I've forgotten my password, the one I use on all my internet banking sites too" "Ah yes, it's FL1bble sir"

    Surely "OK, we've emailed you a link to change it" or "we've set up a temporary password, you'll have to change it..." would serve the customer better?

    It's like saying that locksmiths should have a key to all the doors in the street in case you lose your key... which reminds me. Where are my keys...

  6. Anonymous Coward
    Thumb Down

    Now THAT is complete BS

    "Historically, Internet companies have rarely encrypted passwords to aid customer service."

    That is complete nonsense, but even if that WAS the case it still doesn't explain why a 3rd party could get away with them all.

    Pathetic.

  7. Mark Allen
    Thumb Down

    Weak password policy

    Now that is annoying... I've got to contact all these sales guys and get new passwords to them.

    Weird thing is.. Fasthosts only accept alpha-numeric passwords. Just tried to use a ! in the control panel password and it complained. All a little too weak really....

  8. Pink Duck
    Coat

    Rarely encrypted passwords to aid customer service?

    Yeah, right. Any developer worth his salt wouldn't make such a hash of this.

  9. Si

    Usually they don't encrypt...

    ... so they can login to the customer's account and see whatever problem it is that they're having first hand. It is a very bad idea not to encrypt but the convenience of it means you'll likely find many, many companies do it.

  10. max allan
    Stop

    Can someone let me know who does encrypt passwords then?

    "Historically, Internet companies have rarely encrypted passwords to aid customer service."

    So, can someone post ISP names that do encrypt passwords. In a similar fashion to the flap about posting names of footballers who gave money to the nurses charity. We're not dissing the bad ISPs, we're simply praising the good ones.

    Why do ISPs, who must see more cracking attacks than anyone else, think they're immune from being cracked?

    Quite a few web servers respond to the /../../../etc/passwd type attack and you only need one like that to reveal everyone's passwords.

    Madness.

    Max

  11. Ian

    ISPs require plaintext passwords some of the time.

    "We've asked Fasthosts why the passwords were not encrypted in the first place. It said: "Historically, Internet companies have rarely encrypted passwords to aid customer service.""

    Moreover, some common authentication methods used REQUIRE a plaintext (i.e. unencrypted) password to be stored, e.g. a RADIUS server needs access to plaintext passwords to support CHAP, ironically used to avoid passing passwords in plaintext over the wire.

  12. Anonymous Coward
    Coat

    All the more reason...

    ... Not to trust UK outfits anymore. My hosting company runs passwords against dictionaries and complains if the password you're trying to set is too weak. Why's that not standard practice here?

    Jeez.

  13. Tom Chiverton

    To Si:

    "they can login to the customer's account and see whatever problem"

    Err, why not reset the user's password? The user can always change it back after the hell desk monkey has had a poke around.

  14. Anonymous Coward
    Alert

    It's all go

    Love it.

    Delete all of your mail one day then the next admit to a massive security breach. Any offence under the Data Protection Act here?

  15. Mark Allen
    Pirate

    Where is my email? Is this everyone?

    Is this actually everyone hosted on Fasthosts? Or just a limited number?

    I have had no email from Fasthosts, and there is nothing on the RSS feeds or control panel. So is this really company wide?

    (Probably the same Chinese hacker I have been watching who slams the same brute force password list against my FTP server every weekend.... would have thought he would have got bored by now!!)

  16. JRallo
    Jobs Horns

    Encryption not the only thing....

    It's nice to say that encryption protects passwords, but that's false. Yes, it does make it more difficult for the layman to look at the data and see the passwords; however, if the encryption formula isn't strong enough, then the password could be spoofed. If someone gained this level of access, then it would be easy for them to see what encryption algorithms are in place and guess passwords. Even with MD5, which is near impossible to reverse engineer a password from, all that really needs to be done is feed values into the algorithm then do a simple query on the data (say, SELECT UserName FROM userdb.userstable WHERE Password='MD5Hash';). You'll then get a nice list of user names who share the password... Granted you don't get a massive list of users, but with enough users of a system, overlaps in passwords are bound to happen. Applying a simple salt to the algorithm will help this, but in my experience, this is rarer than actually encrypting the password in the first place...

    The real issue here isn't that they had it in plain text or not... But how did an attacker gain such level of access.... Sounds like someone broke into the facility. That's a Physical access issue. Who forgot to lock the door. I bet we'll find there was an iPhone behind all of this.
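The overlap JRallo describes, and the effect of the per-user salt he mentions, can be shown on a small constructed user table. This is an added example, not code from the page or from Fasthosts; the usernames and passwords are made up, and the PBKDF2 iteration count is an assumption. The unsalted MD5 column lets anyone holding the table group users by identical stored value (the `SELECT ... WHERE Password=` query from the comment); with a random salt per user the same query returns nothing useful.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample accounts (hypothetical users, not data from the page).
# Three of them share a password, which is the overlap JRallo describes.
USERS = {
    "alice": "Summer2007",
    "bob": "letmein",
    "carol": "Summer2007",
    "dave": "Summer2007",
    "erin": "correct horse",
}

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, tune for your hardware


def md5_unsalted(password: str) -> str:
    """The weak scheme from the comment: a single MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Password column as an unsalted MD5 store would hold it."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, serialised as one column value."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def store_salted(users: dict) -> dict:
    """Password column with a fresh 16-byte salt drawn for every user."""
    return {user: salted_hash(pw, secrets.token_bytes(16)) for user, pw in users.items()}


def group_by_stored_value(table: dict) -> dict:
    """What the comment's SELECT does for every distinct hash: which users
    have an identical stored value? Returns only groups of two or more."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return {stored: sorted(us) for stored, us in groups.items() if len(us) > 1}


def verify_salted(table: dict, user: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, digest_hex = table[user].split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("unsalted MD5 overlaps:", group_by_stored_value(store_unsalted(USERS)))
    print("salted PBKDF2 overlaps:", group_by_stored_value(store_salted(USERS)))
```

The salt does not make a single password harder to guess; it stops one guess from being checked against every row at once and removes the shared-value leak, which is why it has to be random and per user rather than a site-wide constant.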

  17. Anonymous Coward

    Plaintext passwords - a reason

    Not all systems use the same or a configurable method of authentication. Not all systems are capable of using an encrypted password. Sometimes you need to compare against the plaintext password. The more you centralise your authentication, the more likely this is.

  18. Anonymous Coward
    Thumb Down

    This is crazy.

    As a company this issue is going to cause a major problem for us. We have hundreds of handheld devices out there with FTP and SQL database access. How the hell are we going to implement these changes without stopping our customers dead in their tracks? We will have to issue revised apps; they will not be able to upload or download data out in the field until the app is rolled out to all users.

  19. Anonymous Coward
    Unhappy

    ouch

    This is a real kick in the teeth for those of us who have to go to our clients and explain passwords need changing.

    However I'm going to do this, however tempting it is to just hope you don't get stung by not changing. Up until now FH has denied everything it possibly can whenever anything didn't work right or there was a problem. The fact they are being open about this makes me think there is a really high chance of there being a problem for the customers. What is missing from this though is how long someone could have had the passwords. If the police have been called, and external people brought in to fix the problem, surely this has been known about for weeks?!?!

    Maybe this will be the problem that moves a lot of FH servers and staff to another location owned by their German overlords.

  20. Smell My Finger

    Web hosting is a low margin business

    When Fasthosts are charging as little as £3.99 a month for 1.5GB of space and unlimited traffic doesn't it occur to anyone for that kind of money you'd need to sell 500 months worth of web hosting to even buy a cheap HP or Dell server. I mean you'd have to sign up for 41 years to even pay for the box it's hosted on. You get what you pay for and costs have to be cut somewhere. It never seems to occur to many people that they're actually not paying enough for web hosting.

  21. John Warlow
    IT Angle

    No email yet

    No email here, but I've changed my passwords all the same just in case.

  22. Ross

    Pun intended?

    "Any developer worth his salt wouldn't make such a hash of this"

    Pun(s) intended?

  23. Dan Germain

    If security is important to you - look for ISO27001 accreditations

    Encryption of passwords for systems that contain critical/sensitive/customer data is required by the standard.

    BTW, does El Reg encrypt the password I've just used to post a comment? ;-)

  24. Anonymous Coward
    Flame

    no warning email for me today

    I've got several domains on fasthosts/ukreg... and I've not received any email regarding this breach... this article was the first I knew of it, and only then 'cause I have your news feed on my Google homepage...

    What worries me therefore is the idea that they should publicly announce the breach before even advising the users... which is akin to telling the media that your friend's house is unlocked before letting him know...

    I think I'll move hosts asap... which I was thankfully planning anyway due to various issues that have been steadily increasing of late...

  25. Anonymous Coward
    Happy

    Weeks of work for me then

    changing all the passwords. At work we have a Fasthosts reseller account with a lot of domains all with lots of mailboxes and FTP and a lot with databases. What fun I'll have changing all the passwords, then changing the database ones in code on all the websites that have them and finally changing the Outlook passwords on countless clients' sites. Oh and I nearly forgot, all the CMS passwords will need changing as well.

    Might be done by Christmas!

  26. Rob Strzelecki

    So you never change your passwords?

    Those of you complaining about having to change passwords...you've never changed them before!? Isn't that a security risk also.

    You should change your passwords regularly whether or not your host has asked you to.

  27. breakfast Silver badge
    Coat

    @Pun Intended

    I take your suggestion with a pinch of salt.

  28. Anonymous Coward

    El Reg password collections

    @Dan Germain "BTW, does El Reg encrypt the password I've just used to post a comment? ;-)"

    Course they don't. How else do they pay for all their eBay toys and Amazon pr0n? They are logging into your PayPal account at this moment.... :D

    @all-of-us

    Isn't it a little comical that we are complaining about telling our staff/clients to change passwords? I thought a decent password policy forces changes at a regular period. LoL!! I know "Change User Passwords" has been on my TODO list for 18 months....

  29. Andy King

    Title

    (Probably the same Chinese hacker I have been watching who slams the same brute force password list against my FTP server every weekend.... would have thought he would have got bored by now!!)

    Is that the same Chinese chap we have knocking on all of our FTP servers every weekend as well?

  30. Jeff
    Alert

    Re: Web hosting is a low margin business

    "When Fasthosts are charging as little as £3.99 a month for 1.5GB of space and unlimited traffic doesn't it occur to anyone for that kind of money you'd need to sell 500 months worth of web hosting to even buy a cheap HP or Dell server. I mean you'd have to sign up for 41 years to even pay for the box it's hosted on. You get what you pay for and costs have to be cut somewhere. It never seems to occur to many people that they're actually not paying enough for web hosting."

    That's a very naive determination. Big managed web hosts build their own web servers in bulk, and stuff them full of customers' sites. If you think about it, 1.5GB is nothing when a cheap and nasty set of 300GB hard drives in a decently robust RAID config wouldn't cost more than £300. And a company can easily afford to put 50-100 low-traffic sites (no business or high-traffic site would ever go near such a cheap solution) on a single box. If everyone's paying that charge, then the hardware is paid for in a month or two.

  31. Matt Gibson
    Thumb Down

    Ah yes, the famous words

    I'm sure we all recognise the phrase, "to aid customer service." As in "to aid customer service, we're not collecting post on a weekend any more." "To aid customer service, we've closed your high street branch." "To aid customer service, we've fired everyone in the UK and moved our call centre to India." "To aid customer service, we've shot all our customers through the head with a nailgun."

    It's what you say when the truth would read, "because we're a bunch of incompetent muppets..."

  32. Anonymous Coward
    Unhappy

    And what about those credit card numbers

    Is this breach restricted to "our" side of Fasthosts or should I now be worried about the credit card details that Fasthosts uses to bill for the server usage? Oh err

  33. Jeremy
    Go

    Re "Change User Passwords"

    cynic-mode: on

    Yeah, but everyone knows that IT people are the worst for strong passwords and changing them often. Perhaps "Change User Passwords" has been on the TODO list of the Fasthost admins for 18 months too and they wanted to find a reason for it that would make people actually take notice of their request...

  34. Morten Ranulf Clausen
    Happy

    Truly vile...

    A real stinker:

    "Yeah, right. Any developer worth his salt wouldn't make such a hash of this."

    Well done, sir/madam. Keep up the good work.

  35. Anonymous Coward

    password changes

    It's a myth that changing passwords periodically is required for strong security, but it is certainly true that it can lead to weakened security. If I have a strong password today, it's still a strong password next year. So the question is, can it be compromised in that time? If it can, then changing it is not really protecting anything except working around the problem. If not, then the point stands. Can it be partially determined in that time? If so, then there is a case for password changes, but then this would only apply to a controlled environment with a proper assessment of the risk. If not, then again the point stands.

    However _forcing_ password changes often causes people to think of an easy one because they are not psyched up to remember one at that time, or else they need to get on and do some work. I remember a company which forced password changes with all kinds of rules - in the end people used P@ssword1, P@ssword2 and so on - quite the opposite of the intended result.

  36. Anonymous Coward
    Thumb Down

    Just more of the same....

    The Fasthosts service has been going downhill for a few months now - this is the final straw.

    Resellers lost their Forums a few weeks ago and we have had nowhere to discuss the problems since.

    Other hosts should be rubbing their hands....

    Cheers

    Brian

  37. Chris Long
    Unhappy

    Tiscali

    Tiscali don't encrypt passwords either. I was helping a friend install a new router a couple of weeks ago, and she'd forgotten her password. I said she'd have to ring Tiscali and get her password reset, but instead they gave her hints like "it ends with a 3". I almost fell off my chair.

    Fortunately I'm with Demon.

  38. Tim Ireland

    Fasthosts forums gone, blog down...

    They appear to have retreated way waaaay back into their shell lately. Not the most enlightened response to ongoing customer service and communication problems.

  39. Dom

    Forcing password changes.

    I've yet to see anybody come up with any good reason why passwords need changing on a regular basis. They're either secure or not. The more often people change them the more likely they are to write it down somewhere or pick a weak one.

  40. Morely Dotes
    Alert

    I call bullshit! Fasthosts is lying!

    'We've asked Fasthosts why the passwords were not encrypted in the first place. It said: "Historically, Internet companies have rarely encrypted passwords to aid customer service."'

    I've been using the Internet since 1992. I have *NEVER* before encountered an ISP that did NOT encrypt passwords. In fact, anyone installing a Linux-based server (or, in fact, even a Windows-based server, oxymoronic though that seems) would find that passwords are encrypted *BY DEFAULT* and that it takes a significant amount of effort to disable that encryption.

    My advice, as a professional consultant, would be for any remaining Fasthosts customers to run for the nearest exit - terminate all business connections with this apparently incompetent ISP, destroy any data you may have hosted on their servers, and move to a *real* ISP.

  41. Smell My Finger

    Re: Web hosting is a low margin business

    Having worked at some really big companies my experience has been in branded hardware, so perhaps that colours my experience of how cheap web hosts operate. I'm well aware that box-stuffing is as old as the web hosting business, and Jeff's estimate of about 100 doesn't square with what I've seen of hundreds and hundreds of sites squashed on to cheap 1 and 2U whitebox servers built of cheap components. There is clearly a significant cost implication on web hosts, otherwise they wouldn't be massively over-selling their resources and praying to God no one actually uses anything like their disk, bandwidth or CPU allowance. Anyone serious about a web presence for business needs to realise all of these cheap hosts are building their foundations on sand; for £3.99 a month they aren't getting high spec servers on NetApp or HP StorageWorks storage. Often they're getting cheap servers with internal storage that's barely a stage beyond the rubbish PC World sell.

    All I know from people who do run web sites is that 99% of web hosts seem to be as rubbish as each other and seem to be largely based on a form of pyramid scheme where someone is endlessly reselling someone else's service. I'm glad I have nothing to do with this kind of tat.

  42. Vic Johnston
    Thumb Down

    Fasthosts suggest they are doing me a favour!

    Fasthosts have replied to my request for compensation by suggesting that changing passwords frequently is a useful security measure. Thanks Fasthosts, really appreciate having to change somewhere upward of 500 passwords. Read below for a giggle.

    From FH

    While we understand that the changing of passwords can present an organisational problem for our customers we would like to stress that this is a precautionary measure that we recommend, not a requirement that we are imposing.

    Where a significant amount of work is required to update all passwords we recommend that this work is carried out as soon as possible but in a way that doesn't necessarily have an impact on the everyday operation of their business. We assess that the risk to our customers is very small in this instance.

    On the basis of this recommendation, which we are confident is sensible and does not harm our customers' interests, we do not feel that this incident justifies compensation.

  43. Clyde
    Thumb Up

    praise the good ones

    "So, can someone post ISP names that do encrypt passwords. In a similar fashion to the flap about posting names of footballers who gave money to the nurses charity. We're not dissing the bad ISPs, we're simply praising the good ones."

    Yes, try United Hosting: UK and US based servers, highly reputable company (I'm only a customer, not a shareholder). They put security, security, security at the very top of everything, and never compromise that.

  44. Curtis W. Rendon
    Black Helicopters

    @nonencrypted passwords

    I'm pretty stunned by their statement: "Historically, Internet companies have rarely encrypted passwords to aid customer service."

    If they are using any kind of Unix related/descended/look-alike box to host then they have to go to a great deal of effort to turn off password encryption on the host, and if they are using ssh or https then that password transmission is encrypted on the line...

    What fools!

  45. Vince

    @ "Ouch" by anonymous...

    "This is a real kick in the teeth for those of us who have to go to our clients and explain passwords need changing."

    Well instead why don't you just explain you made a really stupid choice choosing fasthosts in the first place. That's the silly bit.

  46. Anonymous Coward

    @JRallo

    Perhaps you should look up the word salt in the context of password hashing. Not only would you write a more informative comment but you'd understand Pink Duck's very funny joke.

  47. Daniel

    Why (not) to change your password

    The old advice on changing your password is mostly due to old circumstances. In the good (bad) old days, hundreds if not thousands of users would share access on a system, and frequently, those users were not trusted users (i.e., university systems). What's more, if you had access to the system, you could read /etc/passwd and the password hashes therein. Thus, if you never changed your password, you were far more susceptible to a dictionary attack than if you simply changed your password every couple of months. Of course, in this day and age, the password hashes are not exposed to all and sundry, and the justification for this has fallen off quite a bit.

    A second, more applicable in the modern day reason is that if your password is compromised and you don't realize it, changing your passwords on a regular basis will minimize the damage. However, one must question just how frequently a user would have to change their password for this to matter.

    On the other hand, a good reason to NOT change your password on a regular basis, is the difficulty of managing strong passwords, especially if they are constantly changing. One (very) slow trend that is helping this is the increasing availability of truly long passwords on systems. For example, a passphrase made of 5 words chosen at random via 5 pair of dice thrown 5 times each is actually very easy to remember - it's just 5 random words - but has 64 bits of entropy. 6 words have 77 bits, and 7 have 90. In comparison, the best you can achieve with an 8 character string of line noise is 52 bits of entropy. And even 7 random words are a LOT easier to remember than 8 random characters. Just remember - the words MUST be randomly selected. Regular spoken English does not have that much entropy in it, and our brains do not do a good job at selecting words truly at random.

    If you're interested to learn more about passphrases, try checking out diceware:

    http://www.diceware.com/

    They have word tables to be used with 6 sided dice, along with a far more exhaustive explanation of passphrase entropy, etc.

    -daniel
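Daniel's entropy figures, the diceware lookup he points to, and the password rules from the Fasthosts notice earlier in the thread (at least 8 characters, upper and lower case, a digit) can all be checked with a short script. This is an added example, not code from the page, from diceware.com or from Fasthosts; the tiny word list is constructed (a real diceware list has 7776 entries) and `secrets.choice` stands in for physical dice.

```python
import math
import secrets

DICEWARE_WORDS = 6 ** 5   # 7776 entries: five dice select one word
PRINTABLE_ASCII = 95      # "line noise": every printable ASCII character

# Constructed stand-in word list; a real diceware list has 7776 entries.
SAMPLE_WORDS = ["cliff", "dish", "lamp", "orbit", "quilt", "sand", "trout", "violin"]


def bits_of_entropy(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def dice_to_index(rolls) -> int:
    """Map five die faces (1..6) to a 0-based index into a 7776-word list,
    the way a diceware table is read (first die most significant)."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five faces in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(words, count: int) -> str:
    """Pick `count` words uniformly with a CSPRNG; the words MUST be random,
    as Daniel says, which is exactly what this replaces human choice with."""
    return " ".join(secrets.choice(words) for _ in range(count))


def meets_fasthosts_policy(password: str) -> bool:
    """The rules from the Fasthosts notice: >= 8 chars, an upper, a lower, a digit."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    for n in (5, 6, 7):
        print(f"{n} diceware words: {bits_of_entropy(DICEWARE_WORDS, n):.1f} bits")
    print(f"8 printable-ASCII chars: {bits_of_entropy(PRINTABLE_ASCII, 8):.1f} bits")
    print("P@ssword1 passes the policy:", meets_fasthosts_policy("P@ssword1"))
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
```

Truncating the results gives Daniel's 64, 77, 90 and 52 bits. Note that the policy check is a composition rule, not an entropy measure: `P@ssword1` from the earlier comment passes it with far less than 52 bits of real entropy, while a five-word random passphrase with no digit or capital would fail it despite being much stronger.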

  48. David Wilkinson

    You can change and restore a password

    They are just numbers in a database.

    Record the original value of the encrypted password.

    Replace it with the encrypted value of a temporary password.

    Restore it to the original encrypted value.

    Create an interface to automate the procedure, and give the required database privileges to an account that can only connect via internal IP addresses.

    Tech support can then gain temporary access to any account by temporarily changing the password. The customer gets to keep his old password, which remains a secret.
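The swap-and-restore procedure David Wilkinson outlines, as an added example that is not code from the page or from any hosting provider. It uses an in-memory SQLite table as a stand-in for the control-panel database (an assumption), stores only salted hashes, and wraps the temporary credential in a context manager so the original hash is restored even if the support session aborts; every use is written to an audit table, which is the check a customer would want if staff can impersonate accounts.

```python
import hashlib
import secrets
import sqlite3
import time
from contextlib import contextmanager

# In-memory SQLite stands in for the hosting control-panel database (assumption).
SCHEMA = """
CREATE TABLE accounts (username TEXT PRIMARY KEY, salt TEXT NOT NULL, pw_hash TEXT NOT NULL);
CREATE TABLE support_access (id INTEGER PRIMARY KEY, username TEXT, actor TEXT,
                             started REAL, ended REAL, restored INTEGER);
"""
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_password(conn, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    conn.execute("INSERT OR REPLACE INTO accounts VALUES (?, ?, ?)",
                 (username, salt.hex(), hash_password(password, salt)))
    conn.commit()


def verify(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return secrets.compare_digest(hash_password(password, bytes.fromhex(row[0])), row[1])


@contextmanager
def temporary_access(conn, username: str, actor: str):
    """Record the original hash, swap in a one-off credential for `actor`,
    and put the original back when the block exits, normally or by exception."""
    row = conn.execute("SELECT salt, pw_hash FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        raise KeyError(username)
    original_salt, original_hash = row
    temp_password = secrets.token_urlsafe(16)
    temp_salt = secrets.token_bytes(16)
    conn.execute("UPDATE accounts SET salt = ?, pw_hash = ? WHERE username = ?",
                 (temp_salt.hex(), hash_password(temp_password, temp_salt), username))
    cur = conn.execute("INSERT INTO support_access (username, actor, started, restored) "
                       "VALUES (?, ?, ?, 0)", (username, actor, time.time()))
    access_id = cur.lastrowid
    conn.commit()
    try:
        yield temp_password
    finally:
        # Restore the customer's own hash; the plaintext was never needed.
        conn.execute("UPDATE accounts SET salt = ?, pw_hash = ? WHERE username = ?",
                     (original_salt, original_hash, username))
        conn.execute("UPDATE support_access SET ended = ?, restored = 1 WHERE id = ?",
                     (time.time(), access_id))
        conn.commit()


def audit_trail(conn, username: str):
    """Who used temporary access to this account, and whether it was restored."""
    return conn.execute("SELECT actor, restored FROM support_access WHERE username = ?",
                        (username,)).fetchall()
```

The restriction Wilkinson mentions, that only an internal-only database account may run these updates, cannot be expressed in SQLite and would be a grant on the real database server plus a firewall rule; the audit rows here are what you would alert on if `restored` stayed 0 or an unexpected actor appeared.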

  49. Terry Bernstein

    Remembering passwords

    Even expecting users to use strong passwords is probably a bit of a losing battle, let alone changing them all the time. People don't usually have strong memories so they have weak memorable passwords.

    The average owner of a password is an ordinary person trying to do something with a computer - and they have to use dozens of passwords. But for 95% of the sites they visit the password and username is viewed as nothing more than a nuisance. So they choose one that is easily remembered, and probably stick with it for every web site they log in to.

  50. Anonymous Coward
    Stop

    Unencrypted passwords

    To all those who are so expert that they know Linux encrypts passwords to begin with... guess what, they probably don't authenticate against individual machines with their own shadow password system. It's probably a central server with a custom authentication system. This information may be pushed out to the hosting servers, but was probably stored unencrypted so that the system that pushes it to individual servers (Linux, Windows, MySQL, whatever) can encrypt the password in the correct format for that particular system... and that is the problem, everyone wants to encrypt their passwords differently, so you store the plaintext in the master database...
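The "every target wants a different format, so the master store keeps plaintext" design described above has a straightforward alternative: derive each target's format once, when the password is set, and keep only those derived values. The following is an added example, not code from the page or from Fasthosts; it uses two real on-the-wire formats (MySQL's `mysql_native_password` hash and the LDAP `{SSHA}` scheme) plus a PBKDF2 string for the web application, and the target names are assumptions.

```python
import base64
import hashlib
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption; tune for your hardware


def mysql_native_password(password: str) -> str:
    """MySQL 4.1+ mysql_native_password format: '*' + SHA1(SHA1(pw)) in upper hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def ldap_ssha(password: str, salt: bytes = None) -> str:
    """LDAP {SSHA} userPassword value: base64(SHA1(pw || salt) || salt)."""
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return secrets.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def webapp_pbkdf2(password: str) -> str:
    """Format for the provider's own login system (constructed layout)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


# Target names are hypothetical; each maps to that system's native credential format.
FORMATTERS = {
    "mysql": mysql_native_password,
    "ldap": ldap_ssha,
    "webapp": webapp_pbkdf2,
}


def provision(password: str, targets) -> dict:
    """Derive every target's credential format once, at password-set time.
    The plaintext lives only in this call; nothing returned can be pushed
    to a system it was not derived for, and nothing plaintext is stored."""
    unknown = set(targets) - FORMATTERS.keys()
    if unknown:
        raise ValueError(f"no formatter for {sorted(unknown)}")
    return {target: FORMATTERS[target](password) for target in targets}


if __name__ == "__main__":
    for target, value in provision("example-only", ["mysql", "ldap", "webapp"]).items():
        print(f"{target:7s} {value}")
```

Adding a new target later means asking customers for their password once at next login (or on reset) to derive the new format; that is the operational cost this trades for never holding a plaintext master copy. The SHA1-based formats are still fast to attack offline if the derived store leaks, so the point is only that plaintext is never the lowest common denominator.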
