
List:       isn
Subject:    [ISN] WorldOnline ISP security fiasco
From:       mea culpa <jericho () dimensional ! com>
Date:       1998-06-25 21:24:43


Forwarded From: "Prosser, Mike" <Mike_Prosser@tds.com>

[FYI- Interesting excerpts from Risks Digest.....be careful what you ask
 for, you might just get it.....   -Mike]


Date: Tue, 23 Jun 1998 10:36:26 ECT
From: Paul van Keep <pvk@acm.org>
Subject: ISP security fiasco

WorldOnline, one of the large Dutch ISPs, has suffered a number of security
failures recently. These were mainly attributable to human error and weak
OS level security measures. The most prominent mistake was to assign
passwords to users by using a combination of the first four letters of
their userid and a 4 digit code. I even doubt that the 4 digit code is
randomly chosen but even if it is, cracking an account with this knowledge
is pretty easy and straightforward.  In an attempt at damage control,
WorldOnline last week stated that its system is secure and that users
should not worry, although they do not feel responsible for break-ins on
websites that they host. To prove their point and to get some positive
publicity, they even launched a competition with a prize of $7400 for the
first reproducible crack. The prize was claimed within a few days by a
cracker who managed to extract thousands of private e-mails from a mail
server.  Another team cried foul because the system they had hacked into
(running the internal helpdesk)  had been abruptly switched off in an
attempt to stop the crackers.  The Dutch provider association (NLIP) has
denounced the competition as a cheap publicity stunt. 

Paul van Keep


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
