15 September 2007

Network Solutions doesn't care about security

We took over maintenance and development of a website for a client we've done software for for several years. Network Solutions hosts their website. Today I discovered that sometime between the last time I visited her site (about two weeks ago) and this afternoon at 4 pm, someone hacked her site and put malicious code in a hidden iframe on three of her pages. I called her, left a message, and fixed the webpages. By the time I fixed the pages, she called back, said she was out of town and didn't have her account information for her website with her and she needed to get back to her group. I told her I'd call Network Solutions and ask them to at least lock the site down so that no one, including me, could make changes to her website until she contacted them to change her FTP password.

After several phone calls, including:

  • calling and speaking to someone who didn't speak English well enough to understand what I was trying to explain;
  • calling back to be told that their support system was down and I'd have to call back in two hours to have the site locked down;
  • being routed multiple times through their phone system to enter a password to retrieve voice mail for an account I obviously shouldn't have had access to;
  • finally reaching someone who spoke some English, explaining the situation, and being disconnected when I was put on hold;
  • finally reaching someone who spoke English and knew the difference between hold and disconnect, only to be told that they couldn't help us after all. At this point I asked to speak to a supervisor, and was told one would call me back within an hour. By this point it's 6:15 pm.

By 9:15, I STILL hadn't heard back from Network Solutions, so I called back to be told a supervisor would call me back within an hour. The supervisor finally called me back at 10:05 pm, to tell me that they wouldn't lock down the website. So my client's site is still hanging wide open, waiting for these guys to come back and hack it again. I asked for the supervisor's supervisor to call me back and was told it would be within an hour; I'm still waiting.

Hubby said he's tempted to call them up and tell them he's going to hack our client's website and see if they'd lock it down then, but we're worried about criminal repercussions. You'd think Network Solutions would be worried about the repercussions of having one of their customers' websites compromised and serving pages that could result in the loss of the customer's client base, but it's pretty obvious that they aren't. Worst case if they locked the site down is that the person on the phone isn't really supposed to have access to it, and so they've protected their customer from a malicious attack and as soon as the customer notices it they'll call in. Instead, they'd rather contribute to the insecurity of the internet. I wonder if there's some service package they're going to try to pitch when our client calls in to try to secure her site.
