Breach not a hack, says IS

Cambridge Advanced Learner's Dictionary - hack - to get into someone else's computer system without permission in order to find out information or do something illegal.

Longman Dictionary - a way of using a computer to get into someone else's computer system without their permission.

SO THIS IS NOT A HACK? IS please use some intelligence and admit it was a hack as per definition.
 
hack
v. hacked, hack·ing, hacks
v.tr.
1. To cut or chop with repeated and irregular blows: hacked down the saplings.
2. To break up the surface of (soil).
3.
a. Informal To alter (a computer program): hacked her text editor to read HTML.
b. To gain access to (a computer file or network) illegally or without authorization: hacked the firm's personnel database.
4. Slang To cut or mutilate as if by hacking: hacked millions off the budget.
5. Slang To cope with successfully; manage: couldn't hack a second job.
v.intr.
1. To chop or cut something by hacking.
2. Informal
a. To write or refine computer programs skillfully.
b. To use one's skill in computer programming to gain illegal or unauthorized access to a file or network: hacked into the company's intranet.
3. To cough roughly or harshly.

Using the definition of "hack" from a dictionary? You are going to come up with a whole bunch of different meanings, and even different interpretations of the meaning. In your own words, please "use some intelligence", and read the context that IS was using it in instead of nitpicking over the meaning of the word.

IS is saying that there was, according to their system, no unauthorized access. The "hacker" obtained the username and password without compromising the core IS system (no brute force attack etc.).

This probably means the admin account itself was compromised, not the system, probably due to some successful phishing. That or the admin had a keylogger/trojan on a machine he used to log in. Of course, it is also possible, if quite unlikely, that the guy bypassed every single security measure IS had in place without leaving a trace.

So no, strictly speaking, if what IS is saying is correct, the hacker did not use his 1337 n1nj4 5k1llz (read: programming skills) to hack into their system. Wouldn't want to be the admin in question....

Regardless, the method itself does not really matter. Whether it was a hack or not, the end result is that the system was compromised, and whilst the damage to the system itself was minimal, the leaked information is going to cost them. So IS had to respond to try and put the minds of their existing customers at ease, even if it is playing on the meaning of the word themselves.
 
Finally, some intelligence on this matter. +100
 
Cambridge Advanced Learner's Dictionary - hack - to get into someone else's computer system without permission in order to find out information or do something illegal.

Longman Dictionary - a way of using a computer to get into someone else's computer system without their permission.

SO THIS IS NOT A HACK? IS please use some intelligence and admit it was a hack as per definition.

So, say you step out of the office to go to the loo, and your colleague quickly gets on your pc to find some (let's say relevant company related) information, but without your express permission, you would then say your colleague "hacked" your computer? :rolleyes:
 
Nicely put NoName, agree 100%

And when the world realised that NOTHING connected to the internet is safe, less stupid comments will be posted about the skillz of this little racist script kiddie or the lack of skills from people with real experience.

Yes technically he might have "hacked" in by gaining unauthorised access, but by no means is this guy skilled at all or should be calling himself a real hacker. Or a cracker which is the real technical term for someone who gains access with malicious intent.
 
ROFL!!!!

Mweb, the memory of a goldfish

Today, Mweb say that there was no hack and therefore no security hole was used to gain access to the system. It was a valid login and password that gained them access.

Yesterday, however, Mweb released a news statement saying that they have fixed the security flaw that was used to gain access to their system.

It makes me wonder, did Mweb simply lie and release that statement to put the public mind at ease while they try and find the flaw and then today, after further investigation, realised it was a valid l/p that was used and completely forgot about their statement yesterday saying that they had fixed the hole. What hole was fixed if it was a valid l/p that gained them access exactly?

Interesting to say the least


Excerpt from the article

Update

"The interface provided by Internet Solutions to provision and manage our customers on their ADSL network was compromised. This has subsequently been secured. There are less than a thousand customers who are potentially affected by this, as most have already been moved over to our own IPC network during the course of the last few months. We will be contacting these customer to reset their passwords, as an added security measure," MWEB said in an official statement.

http://mybroadband.co.za/news/adsl/16073-MWEB-Business-ADSL-Hacked.html
 
Actually this is obviously the work of a cracker, hackers are cuddly grey beards that code kernels and would never do any nefarious things ever!
 
EXACTLY! Most of us are most likely hackers, anyone who has assembled their own PC and installed their own OS, broke that OS on purpose and fixed it again is a hacker. Anyone who dismantled his mom's toaster or his toy car is a hacker. This Louis McCarty tool is neither hacker nor cracker, just a sad little man who needs a hug.

vanilla_pie, I don't want to defend the fact that yes, many ISPs lie constantly to save their asses, but where did MWEB say they fixed the flaw? The statement says "This has subsequently been secured" i.e. the compromised account was deleted.

But yeah, to quote Dr G. House, EVERYBODY LIES!
 
REPUTATIONAL DAMAGE

This is all it is for both IS and Mweb.

Currently the blame is being pushed back and forth between the two companies. In all likelihood top brass are fighting due to the incident.

In order to save the reputation of both companies they are coming up with all types of excuses for the incident. Admitting to whatever happened will cut the throat of either company.

Unfortunately for Mweb, they already made their first press release, which was utter sh*t. Now they are claiming something else, which is also a bunch of sh*t.

They have been hacked. That's it.

Btw, the biggest manipulators, liars, schemers, scammers and corruptors are the banking industry, other large companies are nothing else, but only on a smaller scale.
 
The "hacker" obtained the username and password without compromising the core IS system (no brute force attack etc.)
The "hacker" got confidential info from their system = The security was compromised. And unless IS authorized his access, it is by definition unauthorized. Doesn't matter whether the username/pwd combo used was on the access list, that still wouldn't make his access authorized.

So no, strictly speaking, if what IS is saying is correct, the hacker did not use his 1337 n1nj4 5k1llz (read: programming skills) to hack into their system.
Hacking is not limited to "1337 n1nj4 5k1llz". The other methods (dumpster diving, social engineering etc) are a time honored tradition. It means beating the system as a whole, including the fool behind the keyboard.

Or look at infamous hackers, like say Kevin Mitnick:


That or the admin had a keylogger/trojan on a machine he used to log in.
Both of which, depending on how they are used, are considered a hack:
http://en.wikipedia.org/wiki/Hacker_(computer_security)#Trojan_horse
http://en.wikipedia.org/wiki/Hacker_(computer_security)#Key_loggers

So, say you step out of the office to go to the loo, and your colleague quickly gets on your pc to find some (let's say relevant company related) information, but without your express permission, you would then say your colleague "hacked" your computer? :rolleyes:
Exploited a vulnerability in the system: Weak security training -> Didn't lock his desktop. System compromised.

The term that everybody is looking for is Social Engineering. This is very different to hacking.
And if you look under the "Common methods" section of the wiki on Hacker we get (drum roll): Social Engineering.
 
I'm sorry to say, regardless how IS wants to spin it, they were hacked. If using a valid username and password is in fact the correct way in going about in a pen attempt. Not attacking a system head on alerting possible IDS. You don't brute force attack ISPs ever. If I was someone at IS I would check and recheck the user accounts gaining access to their systems. This didn't sound like it would be a one time deal. Also the person or persons behind the hack knows what they are doing as it shows a level of skill not to have a failed login attempt. But to think that it wasn't a hack because of this someone at IS doesn't like the mud on their faces. Pride is a killer when it comes to the IT security industry. Because a person with too much pride will never ask for help and would cover up his/her shortcomings. Sorry to say but IS you have been hacked. Perhaps it might be because of some dealings they have had with employees (that's where I would start looking). Regardless IS was hacked and hacked by people that know what they are doing. Perhaps SA's biggest ISP can't find the persons who hacked them and this might just be an attempt to save face in front of a big customer.

Good luck with the Ghost hunting. :D

PS@NoName hacking/cracking, whatever you want to call it, 101 is not to use an Administrator Account for your access. As that is an account that would be easily spotted. I'm currently doing my CEH and recommend people empower themselves with facts not myths.
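
The point argued in this thread, that a first-try login with a valid username and password raises no failed-login alarm, shown as an added detection sketch that is not from the thread, IS or MWEB. The account names, addresses and events are constructed, and the threshold and the set of privileged accounts are assumptions.

```python
from collections import Counter, defaultdict

FAIL_THRESHOLD = 5            # assumed failed-login alert threshold
PRIVILEGED = {"admin_cc"}     # hypothetical restricted 'admin' account

# Constructed events: (timestamp, account, source address, outcome).
EVENTS = (
    [("2024-01-01T08:01", "admin_cc", "192.0.2.10", "success"),
     ("2024-01-02T08:03", "admin_cc", "192.0.2.10", "success"),
     ("2024-01-02T09:00", "jsmith", "192.0.2.21", "success")]
    # Five wrong passwords for jsmith from one address: the noisy case.
    + [(f"2024-01-03T03:0{i}", "jsmith", "198.51.100.7", "failure")
       for i in range(5)]
    # Valid credentials, first try, from an address never used before.
    + [("2024-01-04T02:14", "admin_cc", "203.0.113.50", "success")]
)


def brute_force_alerts(events, threshold=FAIL_THRESHOLD):
    """(account, source) pairs with at least `threshold` failed logins."""
    failures = Counter((acct, src) for _, acct, src, outcome in events
                       if outcome == "failure")
    return {pair for pair, count in failures.items() if count >= threshold}


def new_source_alerts(events, privileged=PRIVILEGED):
    """Successful privileged logins from a source not in the account's baseline."""
    baseline = defaultdict(set)
    alerts = []
    for ts, acct, src, outcome in sorted(events):  # ISO timestamps sort in time order
        if outcome != "success":
            continue
        if acct in privileged and baseline[acct] and src not in baseline[acct]:
            alerts.append((ts, acct, src))  # not learned until reviewed
        else:
            baseline[acct].add(src)
    return alerts


if __name__ == "__main__":
    print("failed-login rule:", brute_force_alerts(EVENTS))
    print("new-source rule:  ", new_source_alerts(EVENTS))
```

The failed-login rule fires only for the noisy guessing against `jsmith`; the privileged login with valid credentials is caught only by the rule that compares the source against the account's own history.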
 
OK, for the sake of the argument let's assume they weren't hacked, as they claim. What then are we to make of the MWeb's Press Release saying their systems were "compromised"?

There are two dimensions with only 4 possibilities:

USER - either authorised or unauthorised
ACCESS - either authorised or unauthorised

Let's play out the possibilities:

(1) An authorised person gained access in an authorised way. And this compromised their systems? One has to ask how and why. Er, mistakes happen. Just come clean.
(2) An authorised person gained access in an unauthorised way? Like (1), this is very worrying if customer accounts are compromised this way.
(3) An unauthorised person gained access in an authorised way. System and password security is problematic. Worse than being hacked.
(4) An unauthorised person gained access in an unauthorised way. Hacked.

Whichever way you look at it, there's an internal problem. And denying they were hacked is actually an admission that the problem is worse than getting hacked, however they wish to define hacking.

It gets worryinger and worryinger, methunks.

Best solution: Just come clean, like Hetzner. And beef up security and processes, chaps.
 
Something does not make sense to me; why would someone try a SQL injection attempt when he/she/it was already successfully authenticated? Surely they could just do whatever the hell they wanted since they logged in as Admin?
 
What then are we to make of the MWeb's Press Release saying their systems were "compromised"?
How do you arrive at that conclusion when the article clearly states;

... customers' accounts were briefly compromised yesterday (25 October) when access was gained to Internet Solutions' (IS) self-service management system ...

All new Business ADSL services provisioned after April, as well as the bulk of legacy services already migrated, use MWEB's internal authentication systems, which were completely unaffected by this incident.
 
How do you arrive at that conclusion when the article clearly states;
Not sure I understand your question, Roman4604. Are you referring to 'my conclusion' that their systems were compromised? If customer accounts under their control were 'briefly compromised' (by inference, without the permission of the said customers) then what other possible conclusion is there? This is after all what MWeb formally said in their Press Release. 'Compromise' encompasses quite a wide spectrum of untoward actions. In any event, the 'compromise' was of such a nature that the customers had to be informed and their 'passwords changed remotely'.
 
The "hacker" got confidential info from their system = The security was compromised. And unless IS authorized his access, it is by definition unauthorized. Doesn't matter whether the username/pwd combo used was on the access list, that still wouldn't make his access authorized.


Hacking is not limited to "1337 n1nj4 5k1llz". The other methods (dumpster diving, social engineering etc) are a time honored tradition. It means beating the system as a whole, including the fool behind the keyboard.

No worries, agreed that the system was compromised, regardless of the spin IS is putting on it. But I believe the point IS is trying to make is their system was not compromised on a technical level due to an exploit or vulnerability. As you have rightfully pointed out, hacking has multiple methods and interpretations, so I'm trying to point out the context that IS is using the definition. This might not seem like an important distinction, but they are trying to say they were not "hacked" but "compromised", which means a lot in terms of security (can just get rid of the weak link, problem solved). In other words, a PEBKAC or ID10T error. Having your system compromised due to social engineering is embarrassing as hell, but not as serious (in my opinion) as having them gain access by technical means.

It just feels like people are trying to take IS's statement out of context. They are not saying they were not compromised (or "hacked" if you insist), but that the breach was not of a technical nature.

Social engineering or idiot admins will cause unauthorized access unless they build a second or third layer of authentication, like say, biometrics, one time passwords, physical access cards etc. Otherwise, the username/pwd combo is the only way they have to authorize "his access" as you put it. So, from a system point of view, the user WAS authorized (he provided the proper credentials). Now, that limitation may in and of itself be a system problem they should address for the more privileged accounts.

PS@NoName hacking/cracking, whatever you want to call it, 101 is not to use an Administrator Account for your access. As that is an account that would be easily spotted. I'm currently doing my CEH and recommend people empower themselves with facts not myths.

Internet Solutions’ Sean Nourse, Executive of their Connectivity Business, explained that the person logged into the system using an existing ‘admin’ username and password, and that the rights of this user were restricted to the information published online.

Notice the 'admin' in quotes. This wasn't a full blown system administrator account. Sounds more like a call center account, or something similar. Something with more privileges than a normal account, but still restricted. The failed SQL injection would seem to indicate the hacker couldn't do anything but dump the info he got access to. If the hacker had gotten his hands on a system admin account, SQL injection would have been the last of IS's worries...
 
Was referring to your statement ;

From the article I read; they are saying their customer account information was compromised (exposed), but nowhere do they state their systems were compromised.
You draw a distinction without a difference. Their customer account info is on their computer systems, which are managed by, via and through their technical and management systems. The customer account info was compromised. Ergo their systems were compromised. Systems has a wide ambit - from machinery to software to processes, these are all systems.
 