BeThere ISP vulnerability

Docproc · Apr 18, 2007, 08:16:28

I do hope IDNet isn't open to an attack like this:

http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/

Glenn.

Lance · Apr 18, 2007, 08:48:30

I wouldn't have thought so!

Rik · Apr 18, 2007, 11:33:28

I saw the story and wondered at the motives of the hacker. TBH, I'm not surprised that his account was closed, it's hardly responsible to publish how to hack the system!

Docproc · Apr 18, 2007, 12:39:05

Quote from: rikbean on Apr 18, 2007, 11:33:28
I saw the story and wondered at the motives of the hacker. TBH, I'm not surprised that his account was closed, it's hardly responsible to publish how to hack the system!

I wondered too, but I think it's a case of him being naive rather than anything else.

The article was painting Be as the bad guys, but I'm not sure what else they were supposed to do in the circumstances.

Glenn.

Rik · Apr 18, 2007, 13:41:13

I don't think they could do anything else, Glenn. I'd expect any ISP to take pretty much the same action.

It would be nice to see them sorting the security issues a bit more quickly though.

Adam · Apr 18, 2007, 18:12:49

This was an accident waiting to happen. I have seen a number of ISPs add their own accounts on routers they give away in order to be able to help users; it won't just be limited to BeThere. Many of the other ISPs however do allow for disabling of such accounts.

A sensible thing for the ISPs who need such functionality would be to limit remote telnet to IPs only authorised people have access to. Another possible solution would be to randomly generate passwords and simply label the routers with them, then the end user could supply the ISP with the password when they require access.

Rik · Apr 18, 2007, 18:16:25

I'm assuming Simon or Tim will be aware of the story, Adam, but from what you say, would it be advisable to draw their attention to it?

Adam · Apr 19, 2007, 01:31:52

Quote from: rikbean on Apr 18, 2007, 18:16:25
I'm assuming Simon or Tim will be aware of the story, Adam, but from what you say, would it be advisable to draw their attention to it?

I don't think IDNet used to ship their Speedtouch routers with an account for themselves enabled by default, and the Netgear routers don't even offer such functionality, so I don't believe there is any real need to bring their attention to it.

Rik · Apr 19, 2007, 08:19:29

Thanks for that.

Simon_idnet · Apr 19, 2007, 15:45:58

The key difference here between IDNet and Be is that we do not insist that our customers use hardware that we supply.

Where we do supply hardware we default to password-protecting remote access using the password that is requested by our customers (or randomly generated if not supplied).
Simon

Rik · Apr 19, 2007, 15:47:49

Thanks for filling us in on this issue, Simon.