DDoS protection firm Staminus has been breached and shamed by hackers, who released a mocking “Tips When Running a Security Company” list along with a data dump of Staminus customer information, including that for sites belonging to the Ku Klux Klan.
A crew going by the name of FTA took responsibility. The motivation was to bring to light one of Staminus’ key customers: the KKK.
“Yes, that’s right, Staminus was hosting the KKK and its affiliates,” it said. “An organization legally recognized in some regions as a terrorist collective. Not that we hold anything against the KKK. Choosing such an awful host as Staminus however is unforgiveable [sic], and consequently they had to be punished.”
The website run by the Klan has been downed as part of what appears to be a significant breach—and it remains down as of this writing, although the Staminus site itself is back online.
The hackers said that Staminus had used the same root password to access all its servers and hadn’t kept patches up to date, making it an easy target. In its sarcastic “Tips” zine, it detailed the company’s security holes:
- Use one root password for all the boxes
- Expose PDUs [power distribution units in server racks] to WAN with telnet auth
- Never patch, upgrade or audit the stack
- Disregard PDO [PHP Data Objects] as inconvenient
- Hedge entire business on security theatre
- Store full credit card info in plaintext
- Write all code with wreckless [sic] abandon
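The “Disregard PDO” item refers to PHP’s database abstraction layer, whose prepared statements keep user input out of the SQL text. The PHP example below is added here and is not from the article, the FTA zine or Staminus; it uses an in-memory SQLite database and a constructed customers table to contrast a query assembled by string concatenation with a PDO prepared statement, using a perfectly ordinary email address containing an apostrophe as the input.

```php
<?php
// Constructed, self-contained example: in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO customers (email) VALUES ('alice@example.com')");
$pdo->exec("INSERT INTO customers (email) VALUES ('o''brien@example.com')");

// The "inconvenient" shortcut: the caller's input becomes part of the SQL text.
// Any quote character in $email changes the structure of the statement.
function findCustomerConcatenated(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM customers WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The PDO way: the statement is compiled first, the value is bound afterwards,
// so the input is always treated as data and never as SQL.
function findCustomerPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM customers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "o'brien@example.com";   // legitimate input with an embedded quote

try {
    findCustomerConcatenated($pdo, $input);
    echo "concatenated query: unexpectedly succeeded\n";
} catch (PDOException $e) {
    // The stray quote breaks the statement: the query itself is now under the
    // control of whoever supplied the input.
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

$rows = findCustomerPrepared($pdo, $input);
echo "prepared statement matched " . count($rows) . " row(s)\n";  // 1
```

A query that breaks on a legitimate apostrophe is the same query that an attacker-controlled string can reshape; the prepared statement handles both cases identically.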
The dumped data, meanwhile, includes customer contact details and password hashes, as verified by Forbes. Information for the KKK and related sites, including a KKK radio site, was included.
David Maman, whose company HexaTier protects databases in the cloud, said that the incident could have been a whole lot worse for Staminus.
“In this case, it ended in a good way,” he said. “Shaming has become the best possible outcome for a breached company. What if the attacker had started selling the ‘down time’ of the customers ‘protected’ by this security firm? Or even worse, what if the attacker had used the entire infrastructure at a critical time to attack additional security companies? Or even government sites?”
As for the lack of data security, Maman reiterated that inevitability should be the byword, especially for a security company. “We all realize that it's not a question of if a company will be breached; it's a question of when,” he said. “So companies of all sizes and from all sectors should finally accept that the perimeter is history, and the focus should shift to the last line of defense—protecting the information itself.”