

Name.com Tells Customers To Change Password Due To Breach - othello
http://www.thedomains.com/2013/05/08/name-com-tells-customers-to-change-password-due-to-breach/

======
agwa
Well, name.com seems to be taking this in good humor on Twitter:

"@HackThePlanet Can you just send a postcard next time?"
<https://twitter.com/namedotcom/status/332304801050271744>

"@xDictate Yes. It's been a huge pain in the ass, yet it's hard not to
appreciate great technical savvy."
<https://twitter.com/namedotcom/status/332308994255384577>

Regarding elephants: "@BobSnooks Even though it feels like we're getting
trampled by them, we still won't shoot."
<https://twitter.com/namedotcom/status/332232278078001153>

Hopefully this is an indication they'll be willing to release full details of
the incident. In contrast, Linode seems to take their image _way_ too
seriously and refuses to say anything that might make them look bad. (Of
course, _not_ saying anything makes them look worse, but they don't seem to
realize that.)

------
blacktulip
For anyone who wasn't following HN yesterday:

<https://news.ycombinator.com/item?id=5667027>

<https://news.ycombinator.com/item?id=5667391>

~~~
chadscira
I changed my password yesterday when I saw that. Took name.com quite a while
to contact us...

~~~
t0
I find it interesting that one HN story can lead a huge corporation to take
such drastic action. We don't even know if any of that is true!

~~~
ceejayoz
Name.com seems to think it's true.

------
edmond_dantes
Notice they said "encrypted" passwords, not (salted) password hashes.

I don't trust "encrypted" passwords because of my experience with Host Gator: I
contacted Host Gator support to reset my password and they were able to send
me my previous PLAINTEXT password. I asked them how this was possible and they
told me that the passwords were encrypted and only a few people had access to
them.

People who also have access to it: anyone who can see the Host Gator email queue
and the mail servers the email passed through.

I promptly closed my account with them.

~~~
btipling
Encrypted is not the same as hashed. An encrypted password could be secure as
long as the means to decrypt the password, for example the key used to
encrypt, is not leaked. Sending you passwords over email however is horrible.

If your password is hashed, which it usually should be, then the service would
not be able to give it to you. The reason services sometimes instead opt to
encrypt instead of hash is for support reasons. Encrypting a password could be
ok, as long as they never expose the password over something like email.
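
An added example (not from this thread) of the hashed side of that distinction, using only the Python standard library: with a salted, iterated hash the service can verify a login but can never hand the password back, and two users who share a password no longer share a stored value, which the unsalted scheme below would reveal. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; two users chose the same password.
USERS = {"alice": "correct horse battery", "bob": "correct horse battery"}


def unsalted_md5(password: str) -> str:
    """Weak, unsalted scheme: one-way, but deterministic, so equal passwords are visibly equal."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> dict:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record stores everything needed to
    re-derive the digest later, but nothing that lets anyone recover the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Verification re-runs the derivation with the stored salt and compares in
    constant time; there is no inverse operation, unlike decrypting a stored password."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate.hex(), record["digest"])


def same_password_linkable(scheme) -> bool:
    """True if two users sharing a password end up with identical stored values
    under the given storage scheme (a leak then exposes the relationship directly)."""
    stored = [scheme(pw) for pw in USERS.values()]
    return stored[0] == stored[1]


if __name__ == "__main__":
    rec = hash_password(USERS["alice"])
    print("salted verify ok:", verify_password(USERS["alice"], rec))
    print("unsalted md5 linkable:", same_password_linkable(unsalted_md5))
    print("salted pbkdf2 linkable:", same_password_linkable(hash_password))
```

A support desk working from these records can only confirm or deny a password the customer supplies; the "send me my old password" flow in the comment above is impossible by construction.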

~~~
bigiain
"The reason services sometimes instead opt to encrypt instead of hash is for
support reasons."

I've seen _very_ few good reasons for encrypting passwords instead of hashing
them - and that's certainly not one of them. Sure, "support" might need access
credentials to my account - but it needs to be _their_ access credentials, not
mine. Sure, you can build the infrastructure required to securely manage
encrypted passwords and the decryption key storage - but you can almost
certainly build an alternative system where support never need _my_ password
instead.

~~~
matchu
I read "support reasons" as needing to send the customers their passwords in
case they forget it. Resets are better, sure, so it's not a good reason, but
at least it's an actual reason.

------
carlsednaoui
Name.com user here. This is the first time one of my registrars has been
compromised and I'm not sure I understand the (potential) severity of what has
happened.

What would HN suggest doing in a case like this (aside from changing
passwords)? Just let it be? Monitor credit card? Change registrar?

Looking forward to your feedback.

~~~
blacktulip
I try not to use a credit card online when other choices are given. Name.com only
has my PayPal account name (if they save this kind of information).

However I still changed my credit card since it was in the Linode database.

I considered changing registrar. But I really can't know to which one I can
go. How do you know they won't be (or already are) compromised?

~~~
eli
At least in the US, having your card number stolen is such a small deal that
it hardly seems worth worrying about. Just keep an eye on your statement,
which you should really be doing anyway. You don't have to pay for charges you
didn't authorize. In my experience, the card issuer typically detects the
fraud automatically.

------
mcintyre1994
The article implies this is the first time they've notified customers, so
they've either been unaware (seems unlikely since the FBI had a mole in HTP,
who have claimed responsibility) or just not disclosing it? Is that true? I
can understand why people are annoyed at Linode and everything, but this seems
ridiculous if it's the first time.

------
mattwdelong
It looks like they may have used RSA encryption with a 4096-bit key [1] and, as
far as I know, if the private key is not compromised, this is pretty darn
secure... Can anyone confirm?

[1] - <https://twitter.com/namedotcom/status/332260201535266816>

~~~
eli
HNer kouiskas suggests it is a weak, unsalted hash.
<https://news.ycombinator.com/item?id=5677550>

~~~
andrewmunsell
That seems to be for the password, right? Credit cards should be encrypted
with a much stronger algorithm (hence the reference to the private keys).

~~~
eli
Oh, I guess so. I'd be much more concerned about my password than my credit
card.

------
ceejayoz
Well, that confirms at least part of the Linode story.

~~~
dkuntz2
What exactly wasn't believable about it before? Linode confirmed that someone
cracked into their system on their blog, which I consider as being
confirmation enough for everything.

~~~
ceejayoz
Linode confirmed they were cracked, but the HTP write-up in
<https://news.ycombinator.com/item?id=5667027> included a lot of additional
details, much of it hard to confirm.

FBI moles, compromise of a fairly large registrar, etc.

~~~
dkuntz2
I guess I just didn't see a reason for HTP to lie about it, especially with
several smaller pieces out there confirming large portions of it.

I suppose I don't understand why it's necessary to know if HTP was being 100%
honest when the big details have been confirmed.

~~~
ceejayoz
This is the first confirmation I've seen of Name.com being hacked. That's a
fairly significant sticking point, particularly as the known attack vector on
Linode was a ColdFusion exploit, not a complete takeover of their registrar...

------
nemothekid
Oddly enough, as a name.com customer I'm kind of surprised that I found this out
through HN first.

~~~
graue
Did you not get the email? I'm a Name.com customer too and I didn't get this
email.

~~~
rada
I got the email an hour ago.

------
windexh8er
Name.com seems to be on the same path Go Daddy was 8 years ago (sans scantily
clad women for marketing).

I wouldn't appreciate the "humor" (Twitter) around this event if I were a
customer. My only hope is that if anything like this happens to Gandi that
they handle it with, true to style, no-bullshit transparency - spare the crap.

------
xSwag
I made an account on name.com 5 days ago. Anybody know when the breach
happened?

~~~
3JPLW
It was back in April, in association with an attack on Linode [1]. See this HN
comment by RoboTeddy from yesterday for a great summary of the group's story
about these attacks [2].

However, Name.com has not disclosed much information. I don't know if they
were aware of the attack until the group released their story yesterday. The
systems could have still been compromised.

[1] <https://blog.linode.com/2013/04/16/security-incident-update/>

[2] <https://news.ycombinator.com/item?id=5667391>

