Andreas Ramos andreas.com




 

FAQ: Hostica's security problems

Here's a report on Hostica's problems with web security and a review of their service, with information, recommendations, and tips on how to deal with this.

I manage 15 websites. Most of these were hosted at Hostica.com. A number of these websites are commercial websites for companies. These sites included opt-in monthly newsletters for customers: visitors subscribe to the newsletters and they can unsubscribe at any time.

In late June 2004, all of these websites were shut down by Hostica. Hostica's support and billing departments ignored repeated emails and telephone calls. Finally, a day later, they said that the sites were shut down due to spamming.

We contacted SpamCop. Two persons replied and said there were no spam reports against us. Apparently, Hostica misunderstood a routine email from SpamCop and on the basis of that, they shut down everything. We sent the email from SpamCop to Hostica. They refused to contact SpamCop. We told Hostica that they should monitor their mail processes and distinguish normal usage from spammers. The CEO said "We don't have the resources to deal with that." Basically, they don't understand the problem, they don't have sufficient staff, and they can't fix problems.

Hostica refused to restore service. We had to move the websites. This cost us three solid days, from morning to night, to move and restore 15 websites.

  • We lost SSL certificates ($100/yr for each certificate).
  • Clients lost four days of orders and sales.
  • We lost three days of email communication.

This is a major problem with Hostica's method of managing accounts: they can't shut down a single website. They shut down all of the websites within the global account. Companies that had nothing to do with this were shut down.

Hostica's Service

Hostica will not alert you, notify you, or even discuss this with you. They simply shut down the sites and avoid calls. Although we sent a number of emails and made telephone calls to Hostica, it took 20 hours before Hostica replied.

Hostica does not offer their telephone numbers. Call them at 310.212.0190 and 310.406.8885 and leave messages. However, they generally ignore phone messages.

This isn't a unique event for Hostica. It occurs every few months, yet they don't know how to deal with this. There isn't a procedure, notification, review, or investigation.

Security Problems

This creates an extremely serious security problem at Hostica. With a single email, hackers can shut down company websites and have all the files deleted.

  • It is easy to use Google to find companies that are hosted at Hostica. Hackers could visit those websites, sign up for newsletters, and then begin complaining that they are being spammed. Hostica will immediately shut down the companies, delete the files, and ignore emails and calls from those companies.
  • Since Hostica shuts down websites on the basis of a single report, justified or not, it would be easy for hackers to submit spam reports. Even if a website sends out a single normal email, Hostica will shut down the website. Hackers can easily get Hostica to shut down legitimate companies.
  • Hackers can also send out emails that spoof a company's address. One hacker sends out this email to several friends, who then complain to Hostica. Hostica will shut down the website and delete the files.
  • A number of computer viruses work by copying address books and sending copies of the virus to other users. If a virus enters a computer and sends out 50 copies, the recipients could complain to Hostica. They will shut down the website and delete the files.

Hostica has no way to deal with any of these situations. They shut down the websites, delete the files, and hide until the customer goes away.

Recommendations

If you host your website at Hostica:

  • Monitor your website every few hours. Hostica will shut it down without notification.
  • Keep a complete copy of your website on your computer. Otherwise, Hostica will delete the website and not return it to you. They will not give you FTP access so you can recover your files.
  • Make daily backups, every single day, of records from your website. This includes orders, newsletter subscriptions, database, and so on. You must copy these onto your computer every day. Otherwise, Hostica will delete these files.
  • Do not use global accounts at Hostica. Each website must have its own separate account. If your company's website is within an account that includes other companies, and one of those companies (of which you have never heard) is shut down for whatever reason, your website will also be shut down and deleted.

As Hostica said to us, they don't have the resources to fix this problem.




© 1994-2010 andreas.com