Xtra's sorry security saga should never have happened

Xtra's email security hole has earned it a place in the 'Hall of Shame' of an international security expert.

Fact: Telecom Xtra should never have gone live with the password generation system which created its freshly-plugged security hole.

The fact that it did can only cast doubt on the credibility of everyone involved in supplying, implementing and checking the system. The hole was bad enough to earn Xtra a place in the "Hall of Shame" of an international security expert contacted by @IDG.

It came to light a week ago yesterday, shortly after the Internet Service Providers' Association of New Zealand (ISPANZ) faxed a letter to the office of Xtra boss Chris Tyler, advising that a security problem had been brought to its attention and suggesting a course of action.

Telecom maintains that it had discovered the problem around the same time and was working on a fix. But in the highly networked world of the Internet community, Telecom's hand was hurried by the fact that, very quickly, a lot of other people seemed to know about its embarrassing problem.

So what was the problem which prompted the shutdown of Xtra's mail server for days, a huge courier drop of new registration packs to more than 10,000 customers, and a sterling PR effort?

It is probably best to present it as it would appear to a potential hacker--and indeed, as it appeared to @IDG.

Since launch, Xtra has employed a registration system which churns out logins (which take the form xtr followed by six numerals) and passwords (six alphabetical characters). These have gone out with every registration pack.

Users are then able to choose an "Xtra ID" name for themselves but this is only an alias to the login, by which the system continues to know them. Finding the login associated with an Xtra ID is, @IDG has been assured, relatively trivial. And finding the password generated for the login? Now that Xtra has ditched the old system, you can be the judge:

Login       Password
xtr188772   wppqqv
xtr593375   kommqk
xtr994045   oolxlk

The past week has seen a battle of the security consultants, with Telecom ignoring the four consultants suggested by ISPANZ and directing the press to its own consultant, who declared the system to be sufficiently robust. One ISPANZ member called Telecom's man and subsequently claimed that the consultant admitted to not knowing what the problem was when he was quoted.

To avoid the scrap, @IDG emailed the login-password combinations above, along with a brief explanation, to Mark Fabro, network security consultant with Secure Computing, vendors of Borderware.

Fabro replied promptly, saying that he "had to read the text three or four times--or is that 'm' or 'l' times?--to make sure what I was seeing was real."

Fabro says the only comparison he could make was with old VAX/VMS systems which came with default passwords under the assumption that the advanced users of those systems would change their passwords immediately.

"This concept still caused more than its fair share of security headaches," says Fabro. "But in 1996 you would think that this problem would not show its ugly head again. Although the first-time user may need a little help in getting started using the system, a much more non-predictable username/password scheme should be used.

"This is a very bad example of how first usernames and passwords should be issued and is a system that can be broken by a brute force attack in seconds. In fact, you do not even have to attack the system initially, as the username is directly mapped to a numerical sequence based on the fact that each letter has a corresponding number.

"Issuing username/password combinations in this manner offers no security whatsoever, and can defeat the entire security of the project before the first person ever logs in. Even if the person has changed their password, can you be sure it was even them?"
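The relationship Fabro describes can be checked mechanically when auditing any credential-issuing system. The following is an added example, not code from Xtra or from the article: it tests whether a sample of issued pairs (here the three printed above) fits a fixed per-character substitution of the login's digits, and shows a hypothetical replacement, issue_password, that draws from the operating system's CSPRNG instead. The function names and the 12-character length are assumptions.

```python
import secrets
import string

# The three login/password pairs printed in the article.
ARTICLE_PAIRS = [
    ("xtr188772", "wppqqv"),
    ("xtr593375", "kommqk"),
    ("xtr994045", "oolxlk"),
]


def derived_from_login(pairs, prefix="xtr"):
    """Return the digit->letter table if every password in the sample is a
    fixed per-character substitution of its login's digits, else None."""
    table = {}
    for login, password in pairs:
        digits = login[len(prefix):]
        if len(digits) != len(password):
            return None
        for d, c in zip(digits, password):
            # setdefault records the first letter seen for a digit; any later
            # disagreement means the sample is not a fixed mapping.
            if table.setdefault(d, c) != c:
                return None
    return table


def audit(pairs):
    """One-line verdict for a sample of issued credentials."""
    table = derived_from_login(pairs)
    if table is None:
        return "no fixed login-to-password mapping in this sample"
    return f"FAIL: password is a function of the login ({len(table)} digits mapped)"


def issue_password(length=12):
    """Hypothetical replacement: a password independent of the login,
    drawn from the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(audit(ARTICLE_PAIRS))
    print("replacement sample:", issue_password())
```

A consistent table across a handful of pairs is strong evidence of derivation; the absence of one in a small sample only rules out this particular scheme.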

Acting Xtra head Peter Saunders was unavailable this week, but Telecom media communications manager Quentin Bright insists he was told of the problem and work to fix it before the ISPANZ fax arrived.

"They (Xtra staff) came to me early in that week and said they were looking to bring in a new security system and while they were doing that they had come across a potential security issue. The solution to that issue would be to offer people the ability to change their passwords online--so we were planning to bring it in anyway. My first question was, do you have any evidence that anyone had breached the existing security system?--and the answer was no."

Xtra stopped generating passwords with its existing system "within a reasonable timeframe ... a very short timeframe. They were planning to roll it out in the next few days anyway. You can say it's a coincidence, but in actual fact it predates the ISPANZ letter and it was the case."

The online password-change system was decried by ISPANZ, which pointed out that the customer billing numbers required to make changes had in some cases been freely given out on the Telecom 123 helpline. The eventual solution--a mass courier drop to all customers on Monday--is described by Bright as "simply good customer relations. They were going to provide for people to do it online, but if people weren't there, were away on holiday for example, it became important to move fast."

Telecom's first public comment on the matter was a release headed 'Telecom rejects anti-Xtra lobby claims' and aggressively concluded "the fact of the matter is that Xtra's security procedures are robust." A week later, Bright conceded to @IDG that the glitch "may be a lesson well learned" but still had misgivings about the role of ISPANZ.

"It's kind of a toughie--we've obviously got a bias and they've got one too. Our feeling is that while it was good of them to notify us, we were aware of it. What we weren't so thrilled about--and I don't know whether this was ISPANZ or whoever--was that suddenly it became very public. Why did that happen?

"You've got to ask yourself--this is an organisation which was set up to be anti-Telecom and anti-Xtra, on pricing and everything else. They didn't invite Xtra to join them and suddenly, whammo. It's a bit harsh ... a couple of people contacted me and said, you guys are unlucky, it could have been anyone. Is everybody else's system 100% fail-safe?"

In truth, it would have been hard to expect ISPANZ, whose members feel a very strong sense of grievance at Xtra's conduct in their market, to have made no capital at all of the problem. Some of those in the know shared information more readily than others. But Xtra customers are still arguably getting better advice from ISPANZ than they are from Xtra. And, apart from affirming that the problem was password related when directly asked, no one gave the game away to @IDG.

"That's the thing," says Bright. "People still had to be given a start. People had to be told where to look."

Bright says the security and registration system at Xtra was supplied by a range of companies, including Telecom's Australian subsidiary, Pacific Star and "security experts".

"It came from outside the Internet services group. You operate on the premise that the security system you have is a good one--obviously no one goes in with a system that they don't think will work. They believed it was secure, but they also believed that as time went on, people would try and challenge the security system. We also believed we would need to enhance the security system--and this is when the issue came to light.

"I think this may be a lesson well learned. To look at it, I think the electronic commerce and security being planned at Xtra would have been a move up from where they are now anyway. There was a very high awareness of that--that these things would have to be developed differently."
