  • News, Telecommunications - Written by on Wednesday, October 3, 2012 20:02 - 17 Comments

    iiNet hid game forum hack from customers

    news Following several months of rumours, national broadband provider iiNet has admitted that a now-defunct forum associated with its 3FL gaming network was recently hacked, and that it concealed the break-in from affected customers whose login details may have been compromised.

    Rumours about the apparent hack have been swirling in Australia’s technology community for several months, with Delimiter receiving an unverified tip in July about the break-in, and iiNet customers on broadband forum Whirlpool complaining about receiving spam email to accounts which they had not publicly used for any purpose.

    iiNet has made no public comment to the media regarding the issue and has not communicated regarding it to customers. However, in response to speculation on broadband forum Whirlpool about a break-in, the ISP’s network services manager Roger Yerramsetti posted last week that iiNet had done “a lot of digging” but could not find any evidence of a security breach or inappropriate access of customer information.

    “Our teams have looked outward from iiNet and we’ve had expert people looking inward from outside as well,” he wrote. “There were some settings we were not happy with, which have now been modified, but for obvious reasons we cannot state what we have done. At this point we are happy to offer to change any affected account holder’s authoritative email address to stop any further unwanted emails.”

    However, this week Delimiter received a second unverified tip regarding the issue. The tip contained what appeared to be an internal email from iiNet operations centre supervisor Paul Guidera sent on 7 June this year to iiNet’s executive team. In it, Guidera wrote that iiNet’s security team had informed his team that the 3FL website, the public face of a long-running iiNet gaming network used by both iiNet customers and non-iiNet customers, had been “compromised and defaced”. In response, the server had been taken offline temporarily.

    “On instructions from security there is a comms blackout on this event (no publics, WP, staff communication etc),” wrote Guidera in the unverified email, referring to the desire to stop iiNet staff communicating about the issue to the public or through the Whirlpool forum. At that stage, iiNet was investigating the issue internally, but it had already announced in May that it was planning to merge 3FL with Internode’s games.on.net platform following iiNet’s acquisition of Internode late in 2011, and it appears as though iiNet progressed the process, in part due to the 3FL break-in.

    This morning Delimiter requested comment on the issue from Guidera, iiNet chief executive Michael Malone and, later on, iiNet’s public relations representative; however, no official company response was received. The company has not confirmed that Guidera’s email was genuine. However, following the requests for comment, tonight iiNet chief technology officer John Lindsay posted a comment on a previous Delimiter article confirming the break-in.

    “The 3FL forum was a standalone system with its own user database and was not connected to iiNet’s secure networks,” he wrote. “In June we found that the system was hacked via an unpatched hole in PHP. Upon finding this, we shut down the forum immediately. No financial information was stored on this database. We didn’t handle the external communications well after this incident and have made changes to our internal policies. We subsequently retired the old 3FL forum after merging with games.on.net.”

    Lindsay wrote that iiNet had investigated the spam issue raised by Whirlpool and had found no evidence linking the spam to the 3FL break-in. “Accounts created since the 3FL server was shut down have received this spam so it is very unlikely there is any connection,” he wrote.

    One possible source of the spam is a loophole in the PHP framework that might have allowed attackers to harvest customer usernames from iiNet’s customer web server. “We suspect this is the likely origin of the mailing list. Many php installations allow this access but we should have closed it off when the system was installed and we have now,” wrote Lindsay.

    In general, the iiNet CTO wrote that the company takes its customers’ privacy “very seriously”. “We do not store complete credit card data on our servers and are audited for PCI compliance regularly,” he wrote. “We run penetration tests against public facing servers and against our firewalls regularly. I am confident that we are using reasonable and prudent techniques to protect our systems and our customers.”

    The news comes several months after another major Australian telecommunications company, AAPT, had some of its data compromised, with the loose-knit group of Internet activists known as ‘Anonymous’ publishing some 3.5 gigabytes of data from the company, in protest against a wide-ranging package of surveillance and data retention reforms currently proposed by the Federal Government.

    Privacy advocates have consistently warned over the past several months that the data retention scheme — which would see ISPs such as iiNet forced to keep extensive records of their customers’ online activities, including whom they email and telephone, and when — would be at risk of being broken into and highly sensitive data stolen.

    opinion/analysis
    There are several concerning things about this situation.

    Firstly, to my mind iiNet came very close to lying to its customers about the hack of the 3FL network. When Whirlpool users raised the spam issue with iiNet, the company’s network services manager Roger Yerramsetti flatly said the company had conducted an internal security audit and hadn’t found anything. This is probably technically true — the company had conducted an investigation into where the spam emails were coming from, and found no evidence that its actual customer database had been broken into.

    However, I would be very interested to know whether Yerramsetti was aware of the simultaneous issue swirling around the hack of the 3FL forum. If so, then this omission of information comes very close to a deliberate attempt to mislead customers, in my opinion. Personally, I don’t believe Yerramsetti did know, given the ‘blackout’ which was imposed on the knowledge. However, it is clear that the top executives at iiNet — such as chief executive Michael Malone and CTO John Lindsay — would have been aware of both, and didn’t tell customers about the 3FL issue.

    How serious is the 3FL issue? Probably not that serious. As Lindsay said today, it was the 3FL forum which was hacked, not iiNet’s customer database, and no financial information was lost. To be honest, these kinds of forums (typically based on phpBB or vBulletin) get hacked all the time, and my own personal experience tells me that it is very hard to secure these forum installations, due to the arcane software which runs them. There are very many undisclosed hacked forums online of which the admins are not aware. It’s a fact of life on the Internet, and anyone using these forums would be a fool to keep sensitive information there, or to use the same password for these kinds of forums that they use for other, more sensitive sites such as Internet banking.

    But nevertheless, there does remain the possibility that someone could have used the hack of the 3FL forum as a launching pad into the rest of the iiNet network. It’s standard practice for Internet bad guys — find a vulnerable web server somewhere, hack it, and then look around for new admin details which will let you into other areas of the network. Hell, I used to be a Unix/Linux systems administrator for an ISP, and I have seen precisely these kinds of hacks in action in the past, and cleaned them up. Sometimes there’s not even an active human intelligence behind them — often it can be little more than a bot.

    To my mind, what this demonstrates is somewhat of a lack of integrity on the part of iiNet. Clearly, the company has had several chances to come clean about this issue over the past few months, and just as clearly, it avoided doing so. As an iiNet customer and someone who uses its gaming network from time to time, I’m disappointed in the company.

    On a wider note, AAPT has recently been hacked, Telstra has recently been hacked (in a very similar breach to the 3FL attack), and now we know iiNet has recently been hacked. Most of these hacks have been fairly trivial. But does anyone really believe at this point that these ISPs would absolutely, 100 percent, be able to guarantee the security of the massive stores of Australians’ telecommunications records which the Federal Attorney-General’s Department wants them to start holding? I certainly don’t. And that’s the bigger issue here.


    17 Comments


    1. Posted 03/10/2012 at 8:18 pm | Permalink |

      This is exactly the same risk that any data retained under any national ISP data retention scheme will face.

      Hacking, distribution, and misuse.

    2. Posted 03/10/2012 at 11:24 pm | Permalink |

      OK, I’m gonna play devil’s advocate here:

      How is mandatory data retention any different from the bank keeping your details in a heavily encrypted series of databases….forever, unless (presumably if their privacy regs are up to date) you leave them and close your account? Or your government info like Centrelink and Tax Office?

      Look, I don’t think mandatory data retention will work at the moment, but I really struggle to see how it is different from all the other info out there already??

      • Dan
        Posted 04/10/2012 at 8:34 am | Permalink |

        Australian ISPs make – collectively – what, about $10m per annum in profit? That is spread over about 150 organisations. The top 10, maybe 15, take the lion’s share of that, right?

        Our banks make – collectively – something like $10b per annum in profit. That is spread over about 10-15 organisations in general.

        Which ones can afford high security and specialist consultancy around data??

        Also Renai, nice segue from a story about an ISP hack to anti-data retention statements. Timing in this argument is everything, and there needs to be more pressure against the government’s scare tactics.

        • GongGav
          Posted 04/10/2012 at 10:40 am | Permalink |

          I think you’ll find that Aussie ISPs make considerably more than $10m a year… That’s around $1 per household. While they aren’t making $1,000 per household, $100 per household per annum (or $8-$10 per month) isn’t unreasonable to assume.

          Which is $1b a year. Before you look at the 2 million businesses that get gouged significantly more per month, which would easily be another $1b per annum.

          7T has a fair point. There isn’t all that much difference between this proposal and other data retention that happens elsewhere. The biggest difference is in the incentive to retain that information.

          For an analogy, I was talking to 2 public servants a while ago. One worked the front desk at the ATO, the other worked at Centrelink. The ATO employee loved the enquiries area, and most of the time the clients were friendly and thankful. The Centrelink person was the opposite, hating the enquiries area for totally opposite reasons.

          End of the day, one department had clients that WANTED to come in, while the other had clients that were FORCED to come in. Different incentives, different interactions. This isn’t all that different.

          Banks WANT to keep your information secure because it’s in their best interests. ISPs are being forced to do this, so will comply with the minimal effort, and be dragged kicking and screaming the whole way.

          Half-hearted incentives lead to half-hearted practices. Which becomes a risk.

          • Posted 04/10/2012 at 12:12 pm | Permalink |

            Cheers GongGav. I really know I am playing Devil’s Advocate here, as I said. I don’t necessarily agree with the reforms. But I don’t believe “it will be highly insecure” is a good argument.

            As you pointed out GongGav, Dan, The Australian ISP industry is HUGE. Sure, Telstra collects some 60% of it, but they have revenues of $2 BILLION dollars on Consumer broadband alone. NOT including Business. And at a profitability rating of 64%, that’s some $1.2 Billion in profit there by themselves. That means profit in the industry would be close to $2 billion a year. Sure, it’s not the $30 Billion a year banks get, but they deal direct with money…..EVERYBODY’S money.

            My point was, and GongGav actually made it better than me, if ISPs are given REASON to keep this data secure, they will. They don’t have anywhere near the motivation to do it now. But if they were motivated by either massive reputation loss due to the type of data that’s kept or with money….or a combination of both, it would be just as secure as a bank. And nobody is suggesting we all stop internet banking, are they?

            Look, there are numerous reasons these reforms shouldn’t be entered into lightly, or even at all. But “all our data will then be vulnerable” is not one. Most ISPs ALREADY keep metadata for a few weeks voluntarily anyway for traffic management purposes – if you hacked them at the right time, right now, you could get access to this data. The only difference is the time it’s kept and, as I said, if given the right motivation, they’d beef up security.

            Whether that metadata should be kept at all I think is a more valid argument and one I won’t go into as it is slightly off topic in this article. But the security of said data is quite possible to manage. Whoever pays for it is, as I said, a different story….

    3. Posted 03/10/2012 at 11:25 pm | Permalink |

      OK, I’m gonna play devil’s advocate here:

      How is mandatory data retention any different from the bank keeping your details in a heavily encrypted series of databases….forever, unless (presumably if their privacy regs are up to date) you leave them and close your account? Or your government info like Centrelink and Tax Office?

      Look, I don’t think mandatory data retention will work at the moment, nor do I necessarily want it to, but I really struggle to see how it is different from all the other info out there already??

      • not same
        Posted 04/10/2012 at 9:48 am | Permalink |

        I think the bank industry is a great example of why there should be no data retention.

        At the moment the bank only records how much money you deposit or withdraw at a certain time or place.

        Likewise your ISP might track how much data you have used at a certain time and place, i.e. at your home address, or from a certain cell tower.

        What the bank currently does not record is what denominations were used in the transfer and who put which note in and which note was withdrawn. The bank won’t track that this $5 note with serial slhspsh3444 came from John Citizen and this $10 note with serial sh3l037e0 was withdrawn by John Doe. Sure, if we track things we would probably reduce money laundering and other monetary related crimes. But at what cost?

    4. Bruce H
      Posted 04/10/2012 at 1:07 am | Permalink |

      Seven, these banks etc. are commercially motivated to keep your data secure. While not a competitive advantage like it used to be, losing your stuff is certainly a competitive disadvantage. Govt. departments are motivated politically to keep the data safe and the ISM/PSM is written in such a way to look out for that.

      ISPs are in neither category (I speak from first hand experience) as they certainly aren’t keeping this data for commercial advantage and they pretty much aren’t politically motivated to keep this data secure. Further, there are many smaller ISPs that just can’t afford the regime of vetted personnel, Class A or B containers/racks or better than “intruder resistant” premises. And despite what ISPs say, they are not in the business of security for such high security data and you need to rely on every ISP all of the time. It’ll break, sure as shit!

      • Posted 04/10/2012 at 1:44 am | Permalink |

        @Bruce H

        If the ISPs were given a central database to locate the data, in government hands, the same would apply. The proposals don’t specify if ISPs should keep it themselves. And if they don’t, you don’t think it would be competitively disastrous if they let all this info on what sort of websites their customers visit and who they send text messages and phone calls to get hacked??

        The ISPs would become like banks. The problem being, who pays for it. That is something I want to know the answer to.

        • Bruce H
          Posted 04/10/2012 at 9:34 am | Permalink |

          Actually, the AGD said that it wasn’t interested in centralised storage at an ISP Data Retention workshop I attended in Melbourne. Why, they said, it was for public protection – my personal opinion is that they understand the challenges of managing this service and security.

          The costs of data retention in the centralized model would be worn by govt and they would install all sorts of security procedures to provide the public the fake feeling of safety. The Govt would then try and share the costs to ISPs but it won’t work and it will be worn by the tax payer.

          “competitively disastrous” But ISPs have already been hacked, i.e. in this article. I don’t remember T$ being punished for that big data loss they had.

          ISPs won’t become like banks, even the mid sized ISPs can’t afford the skills or the tech – or at least the paying public like you won’t allow them to pass on the costs. T$ will probably pay the costs because their base demographic is much older and are more likely to go along with the ‘great for policing’ idea. So, we will end up with more contraction in the industry until one or two big guys are left and then when the competition has reduced enough you will end up paying anyway along with any other bright ideas that pop into the heads of industry participants through a lack of competition. God that worked well under Telstra and Optus in the 80s and 90s didn’t it.

          • Bruce H
            Posted 08/10/2012 at 4:14 pm | Permalink |

            Well in news to hand, T$ has been punished for the loss of all those 734,000 customers that may have had their details exposed.

            So, how big was the fine…..well there wasn’t a fine…..

            okay, so – they received a direction on having their compliance measured by an independent 3rd party right……nope, nothing there either

            THEY ARE TOLD TO COMPLY WITH THE LAW IN FUTURE!!!!!

            “Given Telstra has pro-actively taken steps to remedy its processes with a view to preventing such an incident from happening again, a direction with respect to the specific code provision is the appropriate measure,” ACMA chairman Chris Chapman said.

            Yes, I feel better about data retention already.

    5. Jarrad
      Posted 04/10/2012 at 10:33 am | Permalink |

      I must admit I am not surprised. In my tenure with the Borg I found a few, very wide open, publicly available, potential security breaches and reported them. Nothing got done.

      I later heard a web service related to those security problems got hacked in the very early hours of the morning (around 1-2am WST) and as such the customer visibility was practically nil. The breach was fixed very quickly and upgrades to the platform implemented to stop another attack. This is just hearsay though and I never verified it. That said, given what I had found, it did not surprise me someone would end up exploiting those breaches.

      This isn’t to suggest that iiNet have bad security as I am led to believe a lot has been tightened there substantially in recent years. But I believe it does reflect a more reactive security stance within the company whereas it should be much more proactive in my opinion.

    6. proto
      Posted 04/10/2012 at 4:48 pm | Permalink |

      “One possible reason for the spam is the possibility of a loophole in the PHP framework that might have allowed attackers to source customer usernames from iiNet’s customer web server. “We suspect this is the likely origin of the mailing list. Many php installations allow this access but we should have closed it off when the system was installed and we have now,” wrote Lindsay.”

      If this is the case, they must think that user account details must be considered breached. The comment tells us that iiNet believe any app running on the same database server could have been accessed. Why would the iiNet website have a list of all customer email addresses if it wasn’t connected to their accounts/CRM system?

      • GongGav
        Posted 05/10/2012 at 8:58 am | Permalink |

        If you’re fishing about on an internal iiNet server, and come across a bunch of usernames, it would be fairly standard to spam those usernames @iinet.com.au and see what happens. Sure, some won’t be iiNet customers, but most will.

      • Posted 05/10/2012 at 2:58 pm | Permalink |

        (Disclaimer – current employee of iiNet, but in Communications/Social Media – not Network Services / Security)

        “Why would the iiNet website have a list of all customer email addresses if it wasn’t connected to their accounts/CRM system?”

        Simple explanation for this one – user webspace. Each iiNet account comes with 1GB of webspace, which is in the format http://members.iinet.net.au/~username – pretty standard for most ISPs. If you can obtain a directory listing, you have a set of usernames.

        When I saw the thread come up on WP, user webspace was my first assumption as to where a “leak” could have come from, given only primary email accounts were impacted – but my technical background is more in programming and technical support as opposed to networks, so I’ve no idea how easy it would be to get such a listing or how.

    7. Moz
      Posted 08/10/2012 at 1:26 pm | Permalink |

      Given Matthew’s comment above my iiSpam problems may stem from the same source. I have an iiNet username that’s 8 random alphanumeric characters. That email address is only used for communicating with iiNet and I’ve never given it to anyone, but it still gets occasional spam. My assumption has been that their system has been compromised at least once, since the spam is not the sort of thing iiNet would send themselves.




