News, Telecommunications - Written by Renai LeMay on Wednesday, October 3, 2012 20:02 - 17 Comments
iiNet hid game forum hack from customers
news Following several months of rumours, national broadband provider iiNet has admitted that a now-defunct forum associated with its 3FL gaming network was recently hacked, and that it concealed the break-in from affected customers whose login details may have been compromised.
Rumours about the apparent hack have been swirling in Australia’s technology community for several months, with Delimiter receiving an unverified tip in July about the break-in, and iiNet customers on broadband forum Whirlpool complaining about receiving spam email to accounts which they had not publicly used for any purpose.
iiNet has made no public comment to the media regarding the issue and has not communicated with customers about it. However, in response to speculation on broadband forum Whirlpool about a break-in, the ISP’s network services manager Roger Yerramsetti posted last week that iiNet had done “a lot of digging” but could not find any evidence of a security breach or inappropriate access of customer information.
“Our teams have looked outward from iiNet and we’ve had expert people looking inward from outside as well,” he wrote. “There were some settings we were not happy with, which have now been modified, but for obvious reasons we cannot state what we have done. At this point we are happy to offer to change any affected account holder’s authoritative email address to stop any further unwanted emails.”
However, this week Delimiter received a second unverified tip regarding the issue. The tip contained what appeared to be an internal email from iiNet operations centre supervisor Paul Guidera, sent on 7 June this year to iiNet’s executive team. In it, Guidera wrote that iiNet’s security team had informed his team that the 3FL website — the public face of a long-running iiNet gaming network used by both iiNet customers and non-iiNet customers — had been “compromised and defaced”. In response, the server had been taken offline temporarily.
“On instructions from security there is a comms blackout on this event (no publics, WP, staff communication etc),” wrote Guidera in the unverified email, referring to the desire to stop iiNet staff communicating about the issue to the public or through the Whirlpool forum. At that stage, iiNet was investigating the issue internally, but it had already announced in May that it was planning to merge 3FL with Internode’s games.on.net platform following iiNet’s acquisition of Internode late in 2011, and it appears as though iiNet progressed the process, in part due to the 3FL break-in.
This morning Delimiter requested comment on the issue from Guidera, iiNet chief executive Michael Malone and, later on, iiNet’s public relations representative. No official company response was received, and the company has not confirmed that Guidera’s email was genuine. However, following the requests for comment, tonight iiNet chief technology officer John Lindsay posted a comment on a previous Delimiter article confirming the break-in.
“The 3FL forum was a standalone system with its own user database and was not connected to iiNet’s secure networks,” he wrote. “In June we found that the system was hacked via an unpatched hole in PHP. Upon finding this, we shut down the forum immediately. No financial information was stored on this database. We didn’t handle the external communications well after this incident and have made changes to our internal policies. We subsequently retired the old 3FL forum after merging with games.on.net.”
Lindsay wrote that iiNet had investigated the spam issue raised by Whirlpool and had found no evidence linking the spam to the 3FL break-in. “Accounts created since the 3FL server was shut down have received this spam so it is very unlikely there is any connection,” he wrote.
One possible source of the spam list is a loophole in the PHP framework running on iiNet’s customer web server, which Lindsay suggested might have allowed attackers to harvest customer usernames from that server rather than from the 3FL forum. “We suspect this is the likely origin of the mailing list. Many php installations allow this access but we should have closed it off when the system was installed and we have now,” wrote Lindsay.
In general, the iiNet CTO wrote that the company takes its customers’ privacy “very seriously”. “We do not store complete credit card data on our servers and are audited for PCI compliance regularly,” he wrote. “We run penetration tests against public facing servers and against our firewalls regularly. I am confident that we are using reasonable and prudent techniques to protect our systems and our customers.”
The news comes several months after another major Australian telecommunications company, AAPT, had some of its data compromised, with the loose knit group of Internet activists known as ‘Anonymous’ publishing some 3.5 gigabytes of data from the company, in protest against a wide-ranging package of surveillance and data retention reforms currently proposed by the Federal Government.
Privacy advocates have consistently warned over the past several months that the data retention scheme — which would see ISPs such as iiNet forced to keep extensive records on their customers’ online activities, ranging from records about who and when they email and place telephone calls to and from — would be at risk of being broken into, and highly sensitive data stolen.
There are several concerning things about this situation.
Firstly, to my mind iiNet came very close to lying to its customers about the hack of the 3FL network. When Whirlpool users raised the spam issue with iiNet, the company’s network services manager Roger Yerramsetti flatly said the company had conducted an internal security audit and hadn’t found anything. This is probably technically true: the company had investigated where the spam emails were coming from, and found no evidence that its actual customer database had been broken into.
However, I would be very interested to know whether Yerramsetti was aware of the simultaneous issue swirling around the hack of the 3FL forum. If so, then this omission of information comes very close to a deliberate attempt to mislead customers, in my opinion. Personally, I don’t believe Yerramsetti did know, given the ‘blackout’ which was imposed on the knowledge. However, it is clear that the top executives at iiNet — such as chief executive Michael Malone and CTO John Lindsay — would have been aware of both, and didn’t tell customers about the 3FL issue.
How serious is the 3FL issue? Probably not that serious. As Lindsay said today, it was the 3FL forum which was hacked, not iiNet’s customer database, and no financial information was lost. To be honest, these kinds of forums (typically based on phpBB or vBulletin) get hacked all the time, and my own personal experience tells me that it is very hard to secure these forum installations, due to the arcane software which runs them. There are very many undisclosed hacked forums online of which the admins are not aware. It’s a fact of life on the Internet, and anyone using these forums would be a fool to keep sensitive information there, or to use the same password for these kinds of forums that they use for other, more sensitive sites such as Internet banking.
But nevertheless, there does remain the possibility that someone could have used the hack of the 3FL forum as a launching pad into the rest of the iiNet network. It’s standard practice for Internet bad guys — find a vulnerable web server somewhere, hack it, and then look around for new admin details which will let you into other areas of the network. Hell, I used to be a Unix/Linux systems administrator for an ISP, and I have seen precisely these kinds of hacks in action in the past, and cleaned them up. Sometimes there’s not even an active human intelligence behind them — often it can be little more than a bot.
To my mind, what this demonstrates is something of a lack of integrity on the part of iiNet. Clearly, the company has had several chances to come clean about this issue over the past few months, and just as clearly, it avoided doing so. As an iiNet customer and someone who uses its gaming network from time to time, I’m disappointed in the company.
On a wider note, AAPT has recently been hacked, Telstra has recently been hacked (in a very similar breach to the 3FL attack), and now we know iiNet has recently been hacked. Most of these hacks have been fairly trivial. But does anyone really believe at this point that these ISPs would absolutely, 100 percent, be able to guarantee the security of the massive stores of Australians’ telecommunications records which the Federal Attorney-General’s Department wants them to start holding? I certainly don’t. And that’s the bigger issue here.