Ihug has owned up to a password glitch which saw the company issue vulnerable passwords for about three months this year.
Although not quite as obvious as Xtra's original auto-generated passwords, Ihug's were vulnerable to hacker programs such as Crack and Brute, because they all took a similar form based on the day on which a new customer registered. All passwords began with "mon", "tue" and so on, followed by a series of random numbers.
"We've notified our customers, telling them how to change their passwords if they registered before June this year--which is something we have always advised them to do anyway," says Ihug corporate manager Tim Wood. "And if anybody feels the urge to flame, they should flame me because it was my fault."
Passwords are now a randomly-generated series of letters and numbers and Wood says the company's new system administrator has been "tidying up and firewalling" Ihug's system.
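To make the difference between the two issuing schemes concrete, the following is an added example (not code from the article, Ihug, or Computerworld) that estimates the effective keyspace of a "weekday prefix plus random digits" password against a random letters-and-digits one, and flags issued passwords that still follow the weak pattern. The article does not say how many digits followed the prefix or how long the new passwords are; the four-digit and eight-character figures, the `audit` helper and the sample password list are all constructed assumptions for the comparison.

```python
import math
import re
import secrets
import string

WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
# Assumption: the article does not give the digit count; four is a constructed value.
ASSUMED_DIGITS = 4
STRONG_ALPHABET = string.ascii_letters + string.digits
STRONG_LENGTH = 8  # constructed choice, not a figure from the article

_WEEKDAY_RE = re.compile(r"^(mon|tue|wed|thu|fri|sat|sun)\d+$")


def weekday_scheme_bits(n_digits: int = ASSUMED_DIGITS) -> float:
    """Entropy in bits of 'weekday prefix + n random digits'.
    The prefix multiplies the keyspace by only 7; the digits carry the rest."""
    return math.log2(len(WEEKDAYS) * 10 ** n_digits)


def random_alnum_bits(length: int = STRONG_LENGTH,
                      alphabet: str = STRONG_ALPHABET) -> float:
    """Entropy in bits of a uniformly random string over `alphabet`."""
    return length * math.log2(len(alphabet))


def is_weekday_prefixed(password: str) -> bool:
    """True if the password follows the weak issued-password pattern."""
    return _WEEKDAY_RE.match(password.lower()) is not None


def audit(passwords):
    """Return the issued passwords that still match the weak pattern,
    i.e. the accounts an operator would want to force a reset on."""
    return [p for p in passwords if is_weekday_prefixed(p)]


def generate_replacement(length: int = STRONG_LENGTH) -> str:
    """Random letters-and-digits password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(STRONG_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample of issued passwords; not data from the article.
    sample = ["mon4821", "Tue0093", "k7Rq2zP9", "sun12", "xfri123"]
    print("weekday scheme:", round(weekday_scheme_bits(), 1), "bits")
    print("random alnum:  ", round(random_alnum_bits(), 1), "bits")
    print("still weak:    ", audit(sample))
    print("replacement:   ", generate_replacement())
```

With the assumed parameters the weekday scheme yields roughly 16 bits (a keyspace of 70,000), while eight random alphanumerics give about 48 bits; the regex check is the kind of test a provider can run over its own issued-credential records to find accounts that still need a reset.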
Security problems at Ihug have been highlighted in a bitter dispute with a former customer who refuses to say how he obtained a stolen Ihug password file (see Spammer demands $15).
Computerworld has also spoken to a Christchurch-based associate of the Chaos hacker group, which posted a chunk of an Ihug password file to the nz.general newsgroup--apparently from an account called email@example.com. Although the passwords in such files are routinely encrypted, the file lines posted contained decrypted versions, to show it could be done.
The man who contacted Computerworld says the information was posted "because Ihug has a pretty big security hole and they've had an attitude about when they've been told. I've got the entire password file, and about 150 accounts on it have been decrypted. I've tried them and they work."
The man refused to say where he got the file, but Wood says it appears to date back to an error in setting permissions in May, when a backup password file was available unprotected on Ihug's ftp server for two days. He says it does not seem to be the same file as that used for a recent "spam" on Ihug customers. This was a "shadow" file and contained only customer listings and not passwords.
Ihug general manager Nick Wood has also told newsgroup readers "we suspect an ex-Ihug employee who was in a trusted position stole a more recent copy of the password file. The police are at present investigating this and have all the details of all parties involved in Wellington, Auckland and Christchurch. We expect this matter to be resolved shortly."