I do hope IDNet isn't open to an attack like this:
http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/
Glenn.
I wouldn't have thought so!
I saw the story and wondered at the motives of the hacker. TBH, I'm not surprised that his account was closed, it's hardly responsible to publish how to hack the system! :(
Quote from: rikbean on Apr 18, 2007, 11:33:28
I saw the story and wondered at the motives of the hacker. TBH, I'm not surprised that his account was closed, it's hardly responsible to publish how to hack the system! :(
I wondered too, but I think it's a case of him being naive rather than anything else.
The article was painting Be as the bad guys, but I'm not sure what else they were supposed to do in the circumstances.
Glenn.
I don't think they could do anything else, Glenn. I'd expect any ISP to take pretty much the same action.
It would be nice to see them sorting the security issues a bit more quickly though.
This was an accident waiting to happen. I have seen a number of ISPs add their own accounts on routers they give away in order to be able to help users; it won't just be limited to BeThere. Many of the other ISPs, however, do allow such accounts to be disabled.
A sensible thing for the ISPs who need such functionality would be to limit remote telnet to IPs that only authorised people have access to. Another possible solution would be to randomly generate passwords and simply label the routers with them; the end user could then supply the ISP with the password when they require access.
I'm assuming Simon or Tim will be aware of the story, Adam, but from what you say, would it be advisable to draw their attention to it?
Quote from: rikbean on Apr 18, 2007, 18:16:25
I'm assuming Simon or Tim will be aware of the story, Adam, but from what you say, would it be advisable to draw their attention to it?
I don't think IDNet used to ship their Speedtouch routers with an account for themselves enabled by default, and the Netgear routers don't even offer such functionality, so I don't believe there is any real need to bring their attention to it.
Thanks for that. :)
The key difference here between IDNet and Be is that we do not insist that our customers use hardware that we supply.
Where we do supply hardware we default to password-protecting remote access using the password that is requested by our customers (or randomly generated if not supplied).
Simon
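The two mitigations Adam suggests above (restricting remote telnet to source addresses only ISP staff can use, and labelling each unit with a randomly generated password, which is also the approach Simon describes for IDNet-supplied hardware) sketched as an added Python example. This is not code from the thread, from IDNet or from Be; the support netblocks, the serial numbers, the record format and the login decision strings are all assumptions made for the example.

```python
"""Added example: per-unit random management passwords plus a source-IP
allowlist for remote telnet on ISP-supplied routers.  Not code from the
thread or from any ISP named in it; every address, serial and password
here is constructed for illustration."""
import hashlib
import hmac
import ipaddress
import secrets
import string

# Characters that are unambiguous on a printed label (no 0/O or 1/l/I),
# since the password is meant to be read off a sticker on the router.
LABEL_ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                         if c not in "0O1lI")

# Hypothetical ISP support netblocks from which remote management is
# allowed.  Both are documentation ranges chosen for the example.
SUPPORT_NETS = [ipaddress.ip_network("203.0.113.0/24"),   # assumed support LAN
                ipaddress.ip_network("198.51.100.8/29")]  # assumed jump hosts

PBKDF2_ROUNDS = 100_000


def generate_label_password(length=12):
    """Random per-unit password from the OS CSPRNG, fit for a label."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def provision_router(serial, customer_password=None):
    """What the ISP keeps for one unit: the serial and a salted hash, never
    the password itself.  A password chosen by the customer is used when
    supplied, otherwise one is generated.  Returns (record, plain_password);
    the plain password exists only to be printed on the unit's label."""
    password = customer_password or generate_label_password()
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    record = {"serial": serial, "salt": salt, "hash": digest}
    return record, password


def source_allowed(src_ip):
    """True if the telnet source address lies inside a support netblock."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SUPPORT_NETS)


def check_password(record, supplied):
    """Constant-time comparison of the supplied password against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def remote_login(record, src_ip, supplied):
    """Decision for one remote telnet attempt on a unit: 'deny:source',
    'deny:password' or 'allow'.  The source check runs first, so a connection
    from outside the support netblocks never reaches the password check."""
    if not source_allowed(src_ip):
        return "deny:source"
    if not check_password(record, supplied):
        return "deny:password"
    return "allow"


if __name__ == "__main__":
    rec, label_pw = provision_router("CPE-000123")    # constructed serial
    print("label for this unit:", label_pw)
    print(remote_login(rec, "192.0.2.44", label_pw))   # off-net: deny:source
    print(remote_login(rec, "203.0.113.10", "wrong"))  # on-net, bad pw: deny:password
    print(remote_login(rec, "203.0.113.10", label_pw)) # on-net, label pw: allow
```

The ordering matters: with the source check first, a customer (or anyone on the internet) who has read a published procedure still cannot reach the password prompt, and the per-unit password means that even a support address that is compromised yields one router, not every router the ISP has shipped. The ISP side stores only the salted hash, so a leak of the provisioning database does not hand out the label passwords.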
Thanks for filling us in on this issue, Simon. :)