Telecom Xtra has couriered new connection packs out to all its 10,000-plus customers as it strives to keep abreast of an embarrassing security scandal which broke last week.
The big courier drop was necessary to meet a target of midnight last night, when Xtra will release subscriber email held since its mail server was disabled on Friday afternoon.
The drop is the latest--and probably last--of several attempts by Xtra to dispel concern about the password-related security problem, which came to light last Thursday, when the recently formed Internet Service Providers Association sent Xtra a letter advising that it had learned of the problem and suggesting remedial action.
The weekend since must have been an unpleasant one for some Xtra staff--one source says the Netscape software being used to change passwords was never intended for global changes and can only change a few accounts at a time. Xtra, depending on what week its spokespeople are being quoted, has either 10,000-plus or 15,000-plus accounts. Craig Anderson, head of security at ProNet and an ISPANZ member, told @IDG the security breach "was brought to our attention by someone who should remain unnamed. The hole is so simple and so easy to exploit it would be irresponsible to be specific about it, but it certainly suggests that Telecom doesn't know too much about security. It also suggests that their plans regarding online commerce and banking might be something to worry about."
Telecom held its silence until the following day, when media communications manager Quentin Bright issued a press release headed "Telecom rejects anti-Xtra lobby claims". The release quoted acting Xtra head Peter Saunders saying "Recent changes as part of our regular improvement of site security were taken one step further today when we released online procedures to allow Xtra customers a new way to easily change their password."
Saunders rejected claims by ISPANZ, saying "the fact of the matter is that Xtra's security procedures are robust," but Xtra's email had in fact been closed down the previous afternoon.
A new "alert" page on Xtra's site also appeared, advising customers that "to protect access to your information it is important that you regularly change your password". It linked to a new password form, which required the customer's billing number to verify the authority to make a change.
Trouble was, the form was accessible from anywhere on the Internet--and the billing number associated with a customer name was, as users began to report, easily available by dialling Telecom's 123 helpline. Telecom insisted that other verification, including a check on the number being called from, was necessary for the release of a billing number. But at least one Xtra user known to @IDG was able to obtain the billing number by calling from work and simply giving his name and residential address.
Telecom also pointed to network security consultant Shayne Bates, who told the press over the weekend that he had examined Xtra's system and found no evidence of a breach and no cause for concern.
"The fact is," says Anderson, "a breach would not be readily apparent--and a full investigation of the system would be a huge job anyway. I do, however, think there was some truth in Telecom's claims that they knew of the problem. It's so simple it was probably discovered in the first week of operation.
"I stand by the claim that a 12-year-old could exploit this hole. We actually presented it to some kids and they saw it in about 30 seconds, on average. This is really stupid."
Anderson says Telecom has still not informed its customers of the seriousness of the situation, or made them aware that their communications have been insecure since the service started.