Massive Afrihost security flaw exposed

I think it's a bit of a leap to make an all out character assassination here of people you don't know, or have any insight into their reasons for making the decision they make. As I mentioned, I would be happy to make an introduction if you are genuinely interested in furthering the conversation around these topics for the benefit of all.

I think you've made your point, and I think we can agree that you would have done things differently. But let's keep the personal remarks out of the conversation :)

Asking for his CV is rather condescending.
 
There is no reason they can justify the decision that was made, ever. It is also not character assassination but questioning their fitness for the role they are in based on evidence in the public domain, but I will leave all that out of it to keep things mostly civil...

At the end of the day I would suggest those responsible for your system design investigate getting CISSP certified as well as your company getting ISO27001 accredited as two good starting points...
 

I won't pretend I know what those numbers mean, but I am literally pasting that into a Skype chat with our Dev manager right now.

Thanks :)
 

If it means your back end becomes more secure then it's a pleasure... also investigate implementing PCI-DSS for your payment and payment method platform if it's in-house, or require it from your third-party provider.
 

Yeah, this is where I feel like it might be more meaningful to introduce you to someone a lot smarter than me. Would love for you to drop me a mail on [email protected] and I can promise it will go straight to the top guys :)
 

Will send an email in the morning and see what’s what and such...
 
Hey Everyone

We're aware of the article and I know that this was something we have been working on prior to Taylor Gibb's posts on Facebook.

I can't go into an in-depth discussion on a public forum, but I can say that we do have measures in place that would prevent some of the issues mentioned on this thread.

Clients can see all the numbers that connect to their DSL products. There was a feature that could flag and block unknown numbers (I haven't checked in a while). However, clients can contact us at any time and we will block any number that shouldn't be accessing their accounts from our system and investigate further.

We're actively looking into other preventative measures we can put in place.

We also don't store passwords in plain text. These are always encrypted.


A reactive measure in this instance is a bit futile, is it not? By the time you ask to block something it's too late.

Only allow connections from registered line references; the UK did this since they started, called a CBUK reference. You could hand out DSL login details for a better subscriber experience and security was not a concern.
 
https://www.iso.org/isoiec-27001-information-security.html
It's a system of standards which you apply to keep information secure :)

As a customer, I am appalled .
As a developer I am shocked at the answers I read above :(

Us MyBB reps aren't qualified software developers, so it's sometimes a bit hard for us to answer these technical questions, but we do have an open channel directly to our developers and we do our best to facilitate responses back and forth between them and our community. I can, however, say with confidence that they are definitely aware and up to standard with the most modern certifications and practices.
 

Great suggestion. :) The feature to lock in CLIDs in ClientZone rolled out last night. Go check it out. ;)
 
Someone's account gets hacked and a few gigs are used. Big whoop.

How is this different from a router being hacked?
 
Hardly the sidelines... I work in the IT industry... we would never in a million years provide a support agent the ability to see a user's password, regardless of the level of tech savvy of the user.

The fact that you didn’t architect your system from day one with that type of basic security is appalling in the extreme and you should question whether your security officer and your software architect are actually worth their salaries

Hold up there Kevin Mitnick. Yes, they were able to show the passwords in cleartext on a form but that is hardly the end of the world.
I'm not usually first in line to come to Afrihost's defence but the accusations you made are laughable.

Instead of trying to sound authoritative on something you really have no clue about, maybe try to look at your own systems and see where you allow decryption of supposed private information. You will probably find a lot of cases that are much, much worse than this.
 

*pats on the head*

They've allowed passwords to be in clear text on a form, which indicates that at best they can be decrypted from the DB on the fly, or that they're stored in cleartext. Neither of those are acceptable basic security best practices, and you cannot claim to have the best of the best systems architects or security officers if this was allowed through the door in the first place.

I am in no doubt that there are areas on our own systems where private info is not as secure as it should be... but they are being rectified as soon as they are found and not just being put on backlogs to be dealt with at a later date.
 

Our passwords have always been encrypted. We have never stored passwords in plain text. :) Please check out our response to the Fin24 article here.
 

Now a much more interesting thing to ponder is how they manage those credit cards though.

Nowhere does Afrihost claim PCI compliance [at least not obviously on the webpage], which means if the credit card billing system is in-house, there are some very legitimate concerns.

This password thing is ultimately trivial in comparison to credit card info.
 

Which is why I put the caveat of either or... :) But encryption that can be decrypted on the fly like that is as bad as storing a cleartext password ultimately....

The problem for you guys, is it speaks to lax security in the systems architecture...

At the very least you are aware of it and are taking steps to rectify the issues, which is better than many companies.
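The distinction drawn in the posts above, between password storage that can be reversed so a support form can display the secret and one-way hashing that only permits verification, as an added Python example that is not from the thread or from Afrihost's systems. The credential, salt and key values are constructed for the demo, and the reversible scheme is a toy keystream cipher used only to illustrate the point that "encrypted" still means "recoverable by whoever holds the key".

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demo (not real subscriber data).
SAMPLE_PASSWORD = "correct horse battery staple"

# scrypt cost parameters kept modest so the example runs quickly; a real
# deployment tunes n/r/p (or uses argon2id) against its own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>'.

    Nothing in the record lets anyone, support staff included, recover the
    password: scrypt is one-way, and the random per-user salt means two users
    with the same password get different records.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    This is the only operation a hashed record supports: yes/no on a
    candidate, never "what is the password".
    """
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                               maxmem=SCRYPT_MAXMEM, dklen=32)
    return hmac.compare_digest(candidate, expected)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter keystream (illustration only, not production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str, key: bytes,
                     nonce: Optional[bytes] = None) -> str:
    """Store the password 'encrypted' in a way the application can reverse.

    This is the storage model implied by a form that can show the password:
    the database holds ciphertext, but the application holds the key, so any
    code path (or person) with both can print every subscriber's secret.
    """
    nonce = nonce if nonce is not None else os.urandom(16)
    plaintext = password.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in
                       zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return f"rev${nonce.hex()}${ciphertext.hex()}"


def reversible_recover(record: str, key: bytes) -> str:
    """Decrypt on the fly: exactly what the hashed record cannot do."""
    _, nonce_hex, ct_hex = record.split("$")
    nonce, ciphertext = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    plaintext = bytes(a ^ b for a, b in
                      zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8")


if __name__ == "__main__":
    app_key = b"\x42" * 32  # constructed demo key
    rev = reversible_store(SAMPLE_PASSWORD, app_key)
    print("reversible record recovers:", reversible_recover(rev, app_key))
    hashed = hash_password(SAMPLE_PASSWORD)
    print("hashed record:", hashed)
    print("verify correct:", verify_password(SAMPLE_PASSWORD, hashed))
    print("verify wrong:  ", verify_password("not it", hashed))
```

The practical check for a backend is simple: if any code path can turn a stored credential record back into the user's password string, the storage is reversible no matter what the database column is called, and migrating to a salted, memory-hard hash (and rotating affected passwords) is the fix.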
 

I did see the thread in the Afrihost Support forum relating to that but I decided not to comment on that... but yes, ADSL passwords are ultimately trivial in the grand scheme of things, and if they are storing CCs and CVCs on their systems then there are clear causes for huge concern from their customers.
 

Pot meet kettle.
 