• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Easynet laziness leaves sensitive info open

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Connectivity // Telecommunications // Internet News

View previous topic :: View next topic  
Author Message
chris
Forum Fanatic
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777201
Location: ~/security-forums

Offline

PostPosted: Sat Aug 24, 2002 12:15 pm    Post subject: Easynet laziness leaves sensitive info open Reply with quote

Quote:


A catalogue of poor security practices at company Web sites hosted by a leading Internet service provider (ISP) have put hundreds of UK businesses at risk.

Simple software configuration errors have left sensitive systems information accessible on servers connected to Easynet's network. This could allow anyone with basic IT knowledge to view confidential files, change the contents of Web pages, or delete entire Web pages, security experts said.

The news should act as a wake-up call for IT directors and computer security staff working for every organisation with a Web site, whether hosted in-house or by an external ISP.

It will also come as an embarrassment to Easynet, which has won awards for its Internet services, and, with 30,000 business customers is ranked a the 12th largest ISP in Europe by market capitalisation.

A small firm of IT consultants, DDPlus, revealed the problem after it examined a range of servers on the Easynet network during a security audit for one of the ISP's customers.

DDPlus discovered that sensitive details, including confidential user names, files including credit card details, and an unencrypted database containing the user names of more than 1,700 Web sites belonging to past and current Easynet customers were accessible. Although the database was two years old a significant number of the passwords and user names were still valid, DDPlus said, leaving the internal workings of customers' Web sites exposed.

Easynet refused to comment on DDPlus' findings and could not say who was responsible for the errors. But in an earlier interview with Computer Weekly the company said that responsibility for Web site security may rest either with the ISP or its customers, depending on the hosting contract the customer chooses.

DDPlus said that configuration errors in at least six servers connected to the Easynet network had left sensitive systems details accessible over the Internet, including details of software services, network connections, shared files, and the user names of Easynet customers. Some of the servers, based at Easynet's Brick Lane datacentre in London, were administered by Easynet staff and appeared to be used for hosting multiple Web sites.

Peter Sommer, security expert at the London School of Economics, said, "These are the kind of mistakes people were making four or five years ago. It is not as if we are talking about some very clever exploit being downloaded on the machine. To be able to see this kind of data from the beginning is pure laziness."

DDPlus was able to show that it was possible to guess passwords used to control Easynet's customer Web sites, many of which were identical to their user names.

A password-cracking program downloaded from the Internet could crack the passwords in a matter of minutes. Such problems could easily have been prevented if the system had limited users to three attempts at typing in a password, security experts said.

Further investigations by DDPlus show that security problems are not confined to systems connected to the Easynet network. The security firm has discovered similar vulnerabilities to servers connected to the networks of six other ISPs.

Easynet has declined to take up an offer of further information and assistance in solving the problems from DDPlus. The consultancy said it first alerted Easynet to the problems by e-mail in July, but contacted Computer Weekly when it did not receive a reply.

DDPlus managing director Dinis Cruz said, "I was very surprised that all this information was openly available. It is so dangerous and revealing that we did not know how to react.

"We knew from our past experience that security can be lax, but this is the worst case we have seen," he said.



Source cw360.com
Back to top
View user's profile Send private message AIM Address Yahoo Messenger MSN Messenger
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Connectivity // Telecommunications // Internet News All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Looking for more Windows Networking info?

Sign up to the WindowsNetworking.com Monthly Newsletter, written by Enterprise Security MVP Deb Shinder, containing news, the hottest tips, Networking links of the month and much more. Subscribe today and don't miss a thing!
View a sample newsletter.

Become a WindowsNetworking.com member!

Discuss your Windows Networking issues with thousands of other Windows Newtorking experts. Click here to join!

Community Area

Log in | Register

Readers' Choice

Which is your preferred data recovery solution?

Follow TechGenix on Twitter