ISPs address website security concerns

Does your ISP use HTTPS across all their web portal logins?

  • Yes. I wouldn't use them otherwise.

    Votes: 10 47.6%
  • No. And it's a major black mark on them.

    Votes: 2 9.5%
  • Yes, but I don't really care.

    Votes: 6 28.6%
  • No, but I don't really care.

    Votes: 3 14.3%

  • Total voters: 21

MR V

Senior Member
Joined
Apr 27, 2010
Messages
618
I think Prophet made this find, so he should get an iPad or something
 

eyc

Well-Known Member
Joined
Jul 26, 2011
Messages
118
"the only thing to be compromised from this page is your ADSL username and password"... lol!! Are you kidding me, Laurie?
 

Necuno

Court Jester
Joined
Sep 27, 2005
Messages
58,567
ADSL ISP website security concerns

Internet Service Providers respond to security concerns that were recently raised
Thanks :)


There is also the cookie issue and assumption on username and password storage:

Usernames, for one, aren't case sensitive. This is confirmed when you look at how they handle the "stay-in" cookie****. If your username is aAbDC then you can log in with either AABDC or AAbdc, since they always default to AABDC.

****I had to block out detail :(

:edit
Case-insensitive usernames seem to be a thing with various ISPs, as MWEB, Axxess, Afrihost and WebAfrica all accept usernames as case insensitive.
Storing the info as plain text in the cookie shows that they don't really know what they are doing. To think, not even popular free forum scripts do that. I don't think they really know what hashing is. That is why they can display the last few characters of the password in the logs. Seeing that a good hash is supposed to be one-way, but now they are accessing parts of it. This shows that they simply store the password as plaintext or they encrypt everything with the same key. So if their DB and their servers got exploited, the key would be found and everyone's login details would be gone as well.

A lot of free open source scripts for forums and ecommerce use salted hashtags nowadays. It is shocking that an ISP (like WebAfrica) can't do the same.

For the WebAfrica representative that sees nothing wrong in the plaintext cookie: you are supposed to put in a unique code string that identifies the user. There are various ways you can do it, but just putting in the username and password is pathetic. And you need to clean up these strings after some time. Since it is a cookie, it is supposed to be temporary.

With WA, the usernames are really short, and they all follow the same format. So it's super easy to guess a different user's username. At least some of the other ISPs only use the email for logins.
 
Last edited:

nelwa

Expert Member
Joined
Oct 30, 2006
Messages
1,073
Thanks :)


There is also the cookie issue and assumption on username and password storage:
I just checked cookies on WA's site, and I can confirm both username and password are stored in plain text... that is pathetic in terms of security.
 

Flojo

Expert Member
Joined
Sep 24, 2009
Messages
1,317
This means, none of these companies have had an external or PCI audit.
 

DarkStreet

Expert Member
Joined
Jan 18, 2007
Messages
1,283
Just checked for myself and WebAfrica does indeed store the username and password in a cookie. :wtf:
 
Last edited:

entrepr

Expert Member
Joined
Oct 24, 2005
Messages
2,136
I'm concerned that if ISPs, with their supposed concentration of IT skills, can't get the basics right, then what hope is there for the wider community to tighten security.

Once hackers learn that South Africa is open sesame, they will have a field day and they will keep returning for the spoils
 

waroop

Afristay.com CEO Rupert Bryant
Company Rep
Joined
Jan 25, 2005
Messages
487
Just checked for myself and WebAfrica does indeed store the username and password in a cookie.
Thanks for the feedback guys.

I am fully in agreement with you that this is not good enough. I'll make sure we get this fixed.
 

Necuno

Court Jester
Joined
Sep 27, 2005
Messages
58,567
I'm concerned that if ISPs, with their supposed concentration of IT skills, can't get the basics right, then what hope is there for the wider community to tighten security.

Once hackers learn that South Africa is open sesame, they will have a field day and they will keep returning for the spoils
Goes quite well with the IT personas just thinking that someone else might top up for you.

That person who just does a quick abuse is not the problem, but it is the one who lies dormant and gathers information. Furthermore, it is not up to the end user who must first complain about abuse, but rather the members of ISPA who should, by their standards, apply basic 101 to keep their client details intact. It's quite shocking to see an ISP saying that they are going to play reactionary instead of being proactive. If you really think that the person is just going to hop in and top up for you, you are not thinking broad enough.

Even looking past the issues of clear text in cookies... how is the billing information stored?
 

DarkStreet

Expert Member
Joined
Jan 18, 2007
Messages
1,283
Fialkov said that, should the account password be sniffed, you can potentially use it to top up. However, Cybersmart logs where the top up came from and they can check whether it was done from the address that the ADSL account belongs to, Fialkov said.

“I am not sure why someone would want to top up someone else’s account,” Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.
His attempt at humour is a monumental failure as he's clearly missing the point: too many people use a single password for all their accounts, from emails to (shockingly) internet banking. If somebody is able to sniff their password they won't be bothered with topping them up (what a stupid assumption!), they will rather garner more information about the user and try the password at a multitude of services. These days it's ridiculously easy to find out information about somebody online and track which services they use.
 

Snekko

Well-Known Member
Joined
Aug 4, 2005
Messages
309
Agreed, most services are held on the web & the average person struggles to keep track of passwords, never mind complex ones, hence one password being used for all...

LOL these dudes run these ISPs? Oversight LOL it's a retarded oversight, especially when you're selling SSL certs too, uhhh.

Saw this happen internationally on hosting sites too, that was around 2 years ago lol, was wondering if these tools would click on at all & in fact they didn't, someone else did.

A gig back wtf is that a sick joke, ya cause they wouldn't be able to pull personal details like a cell number, address and setup a rig for account details LOL a gig hahahaha

Give that man a back hand

Didn't look into the plain text thing ROFL, so in essence they may as well have just posted it on their home pages.

* can't stop laughing, it's too funny & they both look like they munched poptarts for breakfast. Not that I have anything against poptarts.
 
Last edited:

Murmaider

Senior Member
Joined
Jan 16, 2008
Messages
861
This means, none of these companies have had an external or PCI audit.
haha what? I bet you get a little buzz and a smile when you get the opportunity to mention rave names like 'PCI' don't you?

For starters, PCI compliance costs in the hundreds of thousands of rands and is only needed if you're actively storing credit card information. Otherwise it's not required or even needed.

Secondly, 90% of the people commenting in this thread don't even understand what SSL actually is, what it actually protects or even how it actually protects information, yet will take any opportunity given to wave a finger. While I do agree that all login services should be SSL encrypted to prevent MITM, there are far more concerning things than your ADSL username and password.

Like the fact that if I know your bank account number, ID number, name, phone number and address, I can authenticate myself as you with Standard Bank and perform any actions I want on your account via very basic social engineering. Any employee (for example) who is able to simply view your employment contract (any HR person) could get this information in about 10 seconds. This to me is more concerning than "OMG SOMEONE IN CHINA WILL USE MY ADSL ACCOUNT". Here is a hard fact: no one, anywhere else in the world, wants to use your ****ty ADSL account, I promise.
 
Last edited:

nelwa

Expert Member
Joined
Oct 30, 2006
Messages
1,073
Thanks for the feedback guys.

I am fully in agreement with you that this is not good enough. I'll make sure we get this fixed.
Don't just remove the usernames and passwords from cookies - use a one-way hash of passwords, and never store the plain text version - never, nowhere... there are many articles on the web on this, I'm sure you'll be able to find a proper tutorial with some googling.
 

Snekko

Well-Known Member
Joined
Aug 4, 2005
Messages
309
It doesn't have to be someone in China, Africa has its own way.

The HR persons would have direct access not like they are finding the details on the street.

Don't think a further comment on SSL is required as it's lacking from an entry point.
 