Slashdot Mirror
ISP Emails Customer Database To Thousands
Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."
Demon Internet Yesman: Christ! We're getting murdered out there! ... if it was fucking October! And we're dealing with internet users here, not AOL USERS! Jesus, has anyone else got something better? ... ... ... I'm listening ... ... and now that the evil person tried to do something evil with that data, we have caught them and they are safely behind bars but if you're receiving this message you are not evil so you have nothing to worry about and only good people have your information.
Demon Internet CEO: Okay, okay, calm down. We've got a little issue on our hands here and we kinda need to sweep this little thing under the carpet. Now, you're not getting paid six figures to agree with me, what have you got?
Demon Internet Yesman: I've drafted an e-mail that explains to our customers that for Halloween we decided to be evil -- after all, we are Demon Internet? Huh? Huh?
Demon Internet CEO: Not bad, not bad
Demon Internet Yesman: I've got it! We tell them that we're trying to be transparent and an "open information" company because information wants to be free and so we sent everyone everyone's log on and contact information so they can
Demon Internet CEO: Did you just personify the noun 'information'? That's the stupidest fucking thing I've ever heard. Who are you? Pack your shit, you're fired. Next.
Demon Internet Yeswoman: *tentatively raises her had* Well, we could tell them that we suspected one of them was an evil dirty file sharer
Demon Internet CEO:
Demon Internet Yeswoman:
Demon Internet CEO: *nods slowly and approvingly* Yes, yes, that's good. We are law enforcers, we are providers, in their eyes we have done only good and now they fear and respect us and think they have escaped the sickle of justice. I like it. Sally, you're off of blow job duty. Frank, you're on blow job duty -- it's simple: my office every weekday at noon. Sally, I knew that equal opportunity employment shit that made me hire you was on to something. Okay folks, listen up, I want everyone in Great Britain to open their mouths 'cause I'm about to put my big fat cock in it.
My work here is dung.
Demon's going to have hell to pay.
Is there a good alternative ISP available to the same customers. If so, then I would expect a stampede away from Demon ISP to their competitor. There is no need for government intervention.
Security through obscurity never helped anyone.
839*929
... that privacy 'policies' don't mean squat...
------ The best brain training is now totally free : )
10 Bucks says it comes down to a cat on the keyboard.
I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one was hash with salt, folks!
Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.
I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month.
This story goes back several years, as you will see.
Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each days transactions by modem to a central computer that printed the monthly bills.
For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
18 months later I got a (manually generated) bill for $13,000.
The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.
If you're a zombie and you know it, bite your friend!
If they follow evil corporation best practices manual -- they obviously do so, then I doubt that.
Demon wanted all customers to take up eBilling several years ago. You had to opt out of eBilling. I opted out because I wanted a printed invoice to give to the accountants and because I thought sooner or later so cockup like this would happen. My choice has been vindicated. And no, I won't be looking for another vendor. Demon are more expensive than other vendors, but other than the eBilling foulup, they are generally good and no bandwidth restrictions or upper limits at all. And that is what I want.
Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user selected ones.
If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.
There's absolutely no reason to store passwords in the first place. In fact, in a well designed system it would be impossible for the ISP to know the passwords. They'd be hashed and salted first. This is so obvious and simple to do that failing to do so should be considered criminally negligent.
Give me Classic Slashdot or give me death!
Demon Internet Yesman 2: Uh, um .... SPLUNGE!
Demon Internet CEO: What does splunge mean?
Demon Internet Yesman 2: It means it's a great idea, but possibly not, and I'm not being indecisive!
Demon Internet CEO: GOOD!
Culture is more than commerce
Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P
#fuckbeta #iamslashdot #dicemustdie
I think that we should start putting ficticious information (something blob-like, like a customer name) into sensitive databases that matches one or more virus signatures. This would cause email filters to block the content before it leaves the premises. (Yes, I realize that we'd need to be filtering out-going mail, but unless you're a spam generator, that's a small fractgion of your incoming email. Some of use are already doing this, although not for this reason.)
Nothing for 6-digit uids?
Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P
The stories are funnier when they are fictitious, Sally.
Great, I just got an diabetes and an erection from reading your post.
"Too good to be true" says the empty bottle of Three Philosophers Quadruple sitting next to me.
My work here is dung.
A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on. You don't want to give them a new password at that point because their daughter isn't around to write it down again. And in practice, the password isn't protecting anything of value anyway.
http://michaelsmith.id.au
You're hired!
Invaders must die
... why emails originating from ISPs, should be audited first then approved / denied.
TOP DSLR Cameras Reviews of the top DSLRs
Yes some asshat will accidentally forward whatever. How this occurs is demonstrated by my example below (I witnessed this, details altered). I've see co-workers make this mistake, and I've been a customer when the same fault happend and I got sent a 700kb spreadsheet of confidental information. But anyway, here is the two step method to epic fail:
Step 1: Email staff with a template for them to send, and attach a spreadsheet of the customers
-----Original Message-----
From: Bob Smart [mailto: Bob.Smart@[-------].co.--]
Sent: Thursday, 23 September 2008 10:53
To: [-------] Outbound Contact Team
Subject: FW: eBill template
Hi Team,
Please send this template below to all customers in the attached spreadsheet. You three can divide the work amongst yourselves.
>
Dear customer-name-here,
[etc..]
Step 2: Your keyboard jockeys forward the email, deletes the header and Boss's message. Inserts customer details into template. Send, Boom, Done.
By default, forwarding in pretty much all mail applications keeps the attachment.
I'm sure this is the principal way documents are leaked from just about any organisation.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
The real WTF is that all those passwords were in the clear. What the hell business does anyone have these days, doing anything more than storing a one-way hash?
Causation can cause correlation
I realize most people don't use negabases or other things that would prevent marketing twats from getting their filthy grubby hands on information--but why was there a password field even available to anybody to start with?
Four years ago I inherited an application with plaintext passwords. Yes, it took me *two years* to fix it because of other even worse problems--but it was fixed in the end (SHA1, salted per user in the front and tail).
Our support team bitched and moaned that they could no longer troubleshoot problems by looking up the user's password to login as them--then moaned even louder when I took away their database access entirely (I would have done that *first* if I could have gotten away with it). Now they log in as an admin and switch to a "user view" where they can't break anything without clicking an "edit account" button, and have read-only access to some predefined views on the database they can't edit. No more worrying about IT writing to my database or starting transactions they don't finish. No more tools playing with SQL on their lunch hour taking down production by dropping the wrong table... Best practices exist for a reason. Because sooner or later you grow, and the new guys don't get properly indoctrinated and do something stupid.
Our old supportteam staff wouldn't even be able to find the password column in the account table anymore--because it *doesn't exist*. It's basically a "passwordImage" table joined on accountids, with permissions set on the entire table such that only the authenticator service can read it.
For a company with an actual budget--it just seems inexcusable that plaintext passwords could be made available, much less were given to somebody who was foolish enough to let it leave a terminal.
When will people be held accountable for their complete absence of best practices and willful ignorance?
This reminds me of when I was hired to do some maintenance on a small fantasy racing team website. The website seemed pretty well implemented and the database seemed reasonable. I then took a look at the account info table and was horrified to find that everything was stored in plain text, passwords, real names, user names, CC numbers, addresses, etc. I'm not exactly a database/web guru, but come on! How hard is it to use md5() to store passwords?? And I don't like the idea of some random guy (me in this case) being entrusted with everyone's credit info. There has to be a better way.
I learned my lesson though. I will never pass my credit info to a small-time website. To think that a fairly large ISP would be this stupid in the year 2009 is mind boggling.
I would love to see Demon crash and burn. The most horrible company to deal with. We run a lot of our customers email and domains. We used to buy the domains through demon, then one month they forgot to send us a renewal bill for one of our many domains. Instead of calling us or emailing us like a normal company to check why we hadn't paid they decided to suspend all of our domains for this one outstanding bill. We finally got the missing bill in the post a few days later, dated the same day that they suspended all of our accounts. Then the same things happened a second time a few weeks later. Obviously after the first time we asked them to double check that there where no more outstanding bills we hadn't received and they assured us that we were all up to date. Turned out they missed one of our accounts when they checked. Awful company to deal with in general, any DNS changes to a domain has to be done via fax on a letter with the company's header. Seriously? A large ISP like Demon cant make DNS changes over the phone/email or even have a management site online where the customer can change this? Of course they refused to give us our AuthInfo codes when we requested them. They said we could not get them for 6 months as we had just bought the domains. Turned out that when they "suspended" our domains they actually just canceled all of them and then put them through as a new orders to reactivate them. Finally got the AuthInfo code but had to put through the cancellation first which was scary to do as I had a feeling they were just going to cancel it and give us the AuthInfo code at the same time as they remove all our DNS records from their NS server. Luckily the move went through smoothly. Now with Zen and 1&1 which in comparison are top notch. All of this for a stupid outstanding amount of £12 renewal fee for 1 domain. Our customers ended up having 3 days of no emails or web services. Thank you and goodbye Demon!
...when a corporate is involved it always is a MISTAKE.
When an individual hacker exposes weak security, he is a terrorist.
Wow!
Talk about double standards.
Why can't the corporate be sued on SAME grounds like hackers?
"Doing what i can, with what i have." ~ Burt Gummer
I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one was hash with salt, folks!
While having it in an excel document is unexusable, there is a real reason why password are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the radius server, which can then look up the salt, hash it, and then verify the password.
However, since this means sending passwords in the clear, most modem concentrators (most ISP's resell for a handful of large telcos that operate the modems nowdays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the radius server. In order for the radius server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.
That said, it should be stored in a hardened and dedicated server that only handles the storage (sql or ldap) and the radius server. Any billing interaction should only be to update the password, never to read. And it should never be put into a excel or word doc!
Huh? My is password cleartext it's always ******** no matter what I type, so insecure!
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
Great, I just got an diabetes and an erection from reading your post.
Sounds like you need an insulin erection.
Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post
You see, when a company fucks up, they call us at The Goat and we send them a person. Said person "works" there and takes all the blame and gets fired. The company looks good and we make money.
Legal fuck ups cost $100,000 for the goat plus our markup of 100% for a total of $200,000. The $100,000 for the goat allows him to live for a while until the public forgets about him. Goats for white collar illegal activities will run on a sliding scale. But let's say you have another Enron type of thing. That'll run you well in the tens of millions but the upside is you get away with it (and your hundreds of millions or billions) and our Goat goes to trial and maybe even jail for you (extra million per year sentenced). Sorry, we won't offer any services for violent crimes, mafia stuff, or political hanky panky - sorry Congressmen, Senators, and any ex-Presidents.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
I wonder how rare this situation actually is. The same thing happened to me in about 1998 when I was a customer of Q-net, which later got absorbed by Eftel. Some certifiable cretin emailed out the ISP's entire customer contact list to every one of its customers. The managing director of Q-Net was a total creep, and rather than admitting responsibility and eating crow, his letter of "apology" was more of an exhortation to customers to secure their passwords. Needless to say, I was unamused, and changed ISPs shortly after.
Which is why a CHAP password is not a unified billing password.
I used Three in Australia, the PAP login was a dummy - set by them, the user doesn't need to know this one.
It may be true that most ISPs do use this as the only password - that's their risk.