Finger points to hole in Xtra security

A hole in its system, which Xtra is oddly reluctant to close, has played a significant role in the recent controversial events.

Telecom’s mail server is open to a very old and very basic Internet utility--one called “finger”. A general explanation of finger can be found in IDG’s The Internet Plain & Simple, but it has very specific implications for Xtra because of the way its system is set up. That is, if you finger an Xtra email address, you will be provided with that customer’s numerical Xtra log-in, and vice versa.

It was this finger hole which provided the “missing link” in the Xtra security scare, because it provided the ability to derive the numerical Xtra log-in from a customer’s mail address. @IDG readers will know by now that until Telecom took emergency measures, a password (and hence full account access) could easily be derived from an Xtra log-in.

Finger must also have been the command which Voyager used to get Xtra’s mail server to cough up 10,000 Xtra email addresses. Staff refused to confirm this, but what Voyager appears to have done is launch a script to finger all possible Xtra log-ins in the range xtr000001 to xtra999999. Those which had live mail addresses associated with them would simply have been dumped into a mail program.

Finally, it was finger which led Voyager directly to Xtra’s rogue employee (see Rogue). The worker had forged the return address of abusive email to John O’Hara, but had left in his Xtra log-in number. Voyager staff fingered the Xtra number and came up with the address.

Meanwhile, Xtra has “rubbished” claims made about its proxy server--whilst moving to close the loophole which allowed any user to connect to the proxy and get international data traffic at local rates.

Acting Xtra head Peter Saunders says the server was open “only for a short period” to allow direct access for large business customers while Netscape software was being upgraded.
