In case you aren’t in the habit of visiting my web site late at night or early in the morning, you may not have noticed that my web host was hacked late last night. Not my web site. Not even just the server my web site is hosted on. No, I mean the HOST, and multiples of servers were wiped clean and serving up a page offering a malware download that contained who knows what (for hours and hours — very disturbing). All of this mayhem was due to an employee signing in from a home computer that was compromised and his password to his A Small Orange employee account being grabbed … and used, because there were no security measures in place to make sure something like that couldn’t happen. Color me unimpressed with the security measures in place.
To say I am, at the least, distraught and pissed off would be a grand understatement. Their backup was recent enough that I didn’t lose anything but the last photo I uploaded (so far as I can tell at the moment), but when I discovered what was going on as I was headed to bed last night, every last one of my files was gone. Use your imagination as to my reaction, or go to my Livejournal and read the ranting I did over there as this hell unfolded.
As soon as I get done with all the real life, offline stuff I have to get done today, I will be sitting down to explore my hosting options. I have the feeling continuing to use A Small Orange is not currently on the table. I’ve not been all that unhappy with them as a host over the years, but I have had web hosts I would describe as being the very worst web hosts on the planet, and never once did anything of this scale happen. A whole bushel basket of “Kudos” can be wiped away quite quickly by one “Oh Shit” of this magnitude.
Anyway, I have to get going with my day. Everything should be fine with my web site, no viruses or anything. It seems the hackers just deleted everything and set up their crappy little download page and file on the servers they got into (many of them). I’m sure I’ll be ranting more on this later.
And as if this weren’t enough, our Time Warner cable box is having fits this morning and keeps rebooting on its own. My very last consumer nerve was worked over thoroughly when my host experienced its security failure last night, so TW better not push my buttons today. In fact, everywhere I have to go better give me good customer service, because this has been a consumer’s week from hell for me. I have run into too much stupidity and failure this week, and my meter is pegged and my limit has been reached. The next FAIL I encounter will not go well for whoever is responsible.
The list of complaint emails I have to write grows longer each day. Ugh.
‘Security’ has to be one of the most over-sold myths in our Anglo-centric culture. It’s up there with get-rich-quick, miracle diets and personal relationships with Jesus. As they teach in Business School, ask them what they want and then sell it to them.
You can almost write the self-exculpatory script for ASO, something to the effect that this was an unfortunate, isolated incident, measures have been taken to ensure it’ll never happen again, personnel have been retrained and they have your best interests at heart. Blah, blah, blah. Then they’ll raise your rates and the same thing will happen all over again.
That crap came with no certificate, so to install it one would have had to override the browser’s default recommendation not to install.
Oh yes, the platitudes have been flowing. So sorry. Won’t happen again. We’re taking measures. Blah dee blah. I’ve heard it a hundred times before from a hundred different companies over a hundred different problems. And usually, the very same problem doesn’t happen again, but it’ll be something else that will.
While I would have bitched and moaned a lot about data loss, because that always just sucks, to me the most damning thing to happen throughout this event has been them not getting the malicious crap offline ASAP. Totally unacceptable.
The whole damn thing is just unacceptable. I mean, what the hell were they thinking by allowing employees to log into sensitive and powerful accounts from home computers without some kind of secondary authorization? I practically have to give blood to get into my bank account web site, and these people just willy-nilly let employees log into an account from wherever they like with only a password?!
End result was 25 servers hacked (alphabetically by name from A through D). Pretty ugly mess they’ve made for themselves. I’m not feeling a lot of sympathy. I’m sure I’ll be moving on elsewhere after I have explored my options.