Secure Or You Will Loss Your Reputation

samiux

Tonight (April 26, 2015, HKT), one of the threads (http://www.hkepc.com/forum/viewt ... page%3D1&page=1) (you may need to login to see the thread) in one of the local forums catch my eyes.

The thread is talking about a local company carrying out a KickStarter Campaign for a coffee machine (Arist) (https://www.kickstarter.com/proj ... anytime/description).  Their goal is $120,000-USD and it is funded over 580% ($845,139-USD).  The design of the coffee machine get an award in Hong Kong too (http://startupbeat.hkej.com/?p=16567).

However, the backers messages or questions have not been answered since it is funded.  Many backers asked for refund and lost their faiths (https://www.kickstarter.com/proj ... as-anytime/comments).  The creator of the campaign posts recently that their server has been hacked and sensitive data have been stolen.  The creator believed that it was done by some of the backers.

One of the local media reports that Arist did not reply for their question for the matter (http://unwire.hk/2015/04/26/aris ... to-refund/top-news/).

I wonder if the creator of the campaign is a deceiver or their server is really being hacked?  I then carry out a quick and dirty check on the server (http://aristcafe.com/).

First of all, the CEO and funder of Arist, Mr. Benson CHIU is ex-staff of Microsoft (http://wongleona.blogspot.hk/2015/04/2015nbition.html).  According to the article, Mr. Benson is doing programming work.  His brother Nelson is running a new company after the campaign, namely Kick Start HK (http://www.kickstarthk.com/).

What I find so far?  The web site of Arist is hosting on Cloud server at RackSpace (www.rackspace.com).  The web application is running Wordpress 4.1.1, Microsoft IIS 8.0 and PHP 5.4.38.  The shopping cart application is WooCommerce.  It is a plugin for Wordpress.  The shopping cart part is running SSL/TLS.  The site is believed to be protected by Cloudflare as I find Cloudflare javascript on the site.

So, what's wrong with the web site?  We know that Wordpress 4.1.1 has vulnerabilities on Same-Origin Method Execution and Unauthenticate Stored Cross-Site Scripting.  There is also a SQL injection vulnerability on WooCommerce recently (dated March, 2015).  Meanwhile, the most interesting thing is that the site is running a private SSL certificate for the shopping cart part.

In addition, the site is running quite slow and the WooCommerce do not accept PayPal.  It accepts credit cards only.

After my quick and dirty test on Arist web site, it is believed that the site is vulnerable to (1) Same-Origin Method Execution and (2) Unauthenticate Stored Cross-Site Scripting on Wordpress as well as (3) SQL injection on WooCommerce.  Those vulnerabilites can lead to data abuse and loss.

Finally, if the Arist is not a deceiver, their web site is properly being hacked and suffering from sensitive data loss.  I am not going to comment that why Arist do not response to their backers questions and queries.  I doubt that why an IT guy (Mr. Benson CHIU) will overlook this fault.  In my opinion, businessmen should not overlook Information Security or you will lost your reputation very easily.

Samiux

Update on April 27, 2015 : Arist Scam - http://aristscam.com/

--
Update reason : fix broken link
                             add Arist Scam website

samiux

The article is rewritten at here

Samiux

ykmran

如果佢地d重要既資料係擺係wordpress server度，咁唔止佢地既server保安有問題wor

samiux

The article is rewritten at

Samiux
samiux 發表於 2015-4-27 16:21

I find something wierd on Arist.  

Benson and Nelson are running their websites for their companies, nBition Development and Kick Start HK, with Tengine web server.  However, Arist is running on Microsoft IIS.  

Meanwhile, nBition Development and Kick Start HK are protected by WAF - Akamai Technologies Inc.  The web applications of those sites cannot be detected easily.  However, Arist is not protected by any WAF although Cloudflare javascript is found on the site.  The web application can be identified very easily and it is hosting at Rackspace.

I believe that Kick Start HK web site should be built later than Arist's.

My question is that Arist is not as important as nBition Development and Kick Start HK?  Or, it is really a scam?  We need to wait until the October this year for the product delivery.

samiux

I find something wierd on Arist.  

Benson and Nelson are running their websites for their compani ...
samiux 發表於 2015-4-28 03:18

The article has been updated as the following :

The Arist web site has been checked again and the captioned said vulnerability are still there.

I almost read all the comments by Benson and Arist team on the KickStarter and they are summarized as the following :

- During the campaign, they often answer questions and urge others to be backers.
- They said they will release the video to all arist backers personally. However, they failed to do so. It is because of the patent pending. However, they show the video to the reporters of unwire.hk. Why not backers?
- They said that they will update the backers often several times, but it is failed too.
- They said the arist is in production, but who knows. It is April 2015 now.
- Later, they even do not answer any questions.
- They claimed that their web site has been hacked and confidential data have been stolen. They suspect it was done by backers.
- They stated that the delivery will be delayed till October 2015. Why not deliver the products batch by batch????

Source from Arist Scam : Is Arist planning to defraud the Hong Kong government?

They post a "Statement of Clarification" on their web site :

1. It has come to our attention that there has been posting and circulation of articles with untrue and false information about Arist originated from Hong Kong media groups and individuals since 26 April 2015 (HKT). Given the situation has already led to unnecessary speculation on the capacity and integrity of the Arist Team, we are obliged to clarify as below:
   
2. 
   
3. 1) Our website and cloud storage account were hacked in mid-April 2015. Being a responsible developer, we have reported the case to the U.S. Police. A notice of such had been posted on our Kickstarter campaign site to notify our backers.
   
4. 
   
5. 2) We have no plans to delay the planned launch date, which is from October 2015 onwards. As promised, if we cannot ship Arist 3 months after your expected ship date, you will have the option to request a full refund. We stick to this promise with no exceptions.
   
6. 
   
7. Despite the recent hacking, and circulation of untrue and biased online messages, we have no intention to stop the work with Arist. As of today, we have more than 25,000+ retail orders to consider as well. We will not stop until we deliver Arist to everyone.
   
8. 
   
9. We continue our mission to change the world of coffee. We have come a long way and we are almost there. To those of you who have been with us since the beginning, we thank you most sincerely. We truly appreciate your support, concern and attention.

複製代碼

Update reason : fix broken link

samiux

The article has been updated as the following :

The Arist web site has been checked again and the  ...
samiux 發表於 2015-4-28 08:54

More update (part 3) at here.

ykmran

I think this article should better be titled:   
Do Not Host Your Own Website Unless You Kn ...
toylet 發表於 2015-4-28 22:06

應該叫Do Not Host Your Own Website

天宮葉月

點解突然又講政治嘢嘅