
Eircom storing passwords in the clear


Comments

  • Closed Accounts Posts: 1,138 ✭✭✭eircom: Ant


    gerryk wrote: »
    Guys... could you have a quick gander at this thread and comment, please.
    As an eircom customer, I am somewhat concerned.

    http://www.boards.ie/vbulletin/showthread.php?t=2056712698


    Hi gerryk,

    Thanks for bringing this to our attention. I will certainly look into this. Please bear with us, as it may take a little time to check.

    I will get back to you as soon as possible.

    Regards,
    Ant


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Cheers Ant.


  • Registered Users Posts: 399 ✭✭teddy b123


    gerryk wrote: »
    Cheers Ant.
    Any update?


  • Registered Users Posts: 7,480 ✭✭✭Tow


    If you just ring them up and say you forgot the password for xyz@eircom.net they will tell it to you. I did it a while back for an old company email address, armed with all the eircom bills ready to answer any security question etc, and none was asked.




  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    A week to comment on your information security policy?? This should be pinned up in big red letters on every CSR's desk. Do you realise how vulnerable you are to social hacking by giving CSRs access to passwords? Secure password reset technology is hardly new.


  • Registered Users Posts: 11,980 ✭✭✭✭Giblet


    Amateur hour IT facilities it seems.


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Any news Ant?


  • Closed Accounts Posts: 1,138 ✭✭✭eircom: Ant


    gerryk wrote: »
    Any news Ant?

    Hi gerryk,

    Just in response to your tweet. I don't have any firm information on this query yet. Generally it does take time, as this comes under operational and security matters.

    Appreciate your contact on twitter and for bearing with us. As soon as I have further information I will expand here, as boards is a more feasible platform, given character restrictions.

    Best Regards,
    Ant


  • Registered Users Posts: 399 ✭✭teddy b123


    I was in touch with a manager in your technical support department who insists the system is secure
    I was informed that only support staff have access to these passwords
    These passwords are on an internal database
    ---(Which is connected to the frontend for password resets which are made online to be updated)
    Every employee access to this database is recorded
    A user that requests a password reset must have all their details verified
    They are planning to implement a more secure way of sending out users passwords in the coming months


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    teddy b123 wrote: »
    I was in touch with a manager in your technical support department who insists the system is secure
    I was informed that only support staff have access to these passwords
    These passwords are on an internal database
    ---(Which is connected to the frontend for password resets which are made online to be updated)
    Every employee access to this database is recorded
    A user that requests a password reset must have all their details verified
    They are planning to implement a more secure way of sending out users passwords in the coming months

    Few comments on this.

    1. as long as there are people in the loop, the system is not secure. I don't care how loyal, well trained and meticulous staff are, they are vulnerable to manipulation, and as such are a weakness.

    2. passwords in the clear on any system is a vulnerability. I don't care if the system is buried in a mountain guarded by cerberus, it's a weak point if it's not encrypted using a one-way cypher.

    3. best intentions are no substitute for system level enforcement. It doesn't matter how diligent you are, any access to a system can be manipulated.

    Short answer, Eircom. It is not acceptable to retain passwords in the clear. If a password reset mechanism must be implemented, it should only be possible via an unspoofable means... e.g. a phone call from the number associated with the account, with the reset password SMSed to the mobile on record.

    I understand that the aim is convenience to the user, but this is not an acceptable reason for exposing customers to potential data egress. Look at Mat Honan's hack for an example of how this sort of thing can escalate. There were no technical vulnerabilities exploited in this, it was all organisational and human... in short, social engineering and research breached the security of some of the biggest players in the business, Amazon and Apple. Please do the right thing, Eircom.


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    gerryk wrote: »
    Few comments on this.

    1. as long as there are people in the loop, the system is not secure. I don't care how loyal, well trained and meticulous staff are, they are vulnerable to manipulation, and as such are a weakness.

    2. passwords in the clear on any system is a vulnerability. I don't care if the system is buried in a mountain guarded by cerberus, it's a weak point if it's not encrypted using a one-way cypher.

    3. best intentions are no substitute for system level enforcement. It doesn't matter how diligent you are, any access to a system can be manipulated.

    Short answer, Eircom. It is not acceptable to retain passwords in the clear. If a password reset mechanism must be implemented, it should only be possible via an unspoofable means... e.g. a phone call from the number associated with the account, with the reset password SMSed to the mobile on record.

    I understand that the aim is convenience to the user, but this is not an acceptable reason for exposing customers to potential data egress. Look at Mat Honan's hack for an example of how this sort of thing can escalate. There were no technical vulnerabilities exploited in this, it was all organisational and human... in short, social engineering and research breached the security of some of the biggest players in the business, Amazon and Apple. Please do the right thing, Eircom.

    Awesome post. Listen to this man. Better yet, give him a job.

    Your data centres in Clonshaugh and Citywest have ISO 27001 - crazy that you have this glaring hole in your consumer service end of things. Reminds me of the wireless routers on which you took so long to fix the security hole.
    Ronan Kneafsey, Director, eircom Business said, “We are delighted to have achieved ISO 27001 for our two largest data centres, as it represents independent confirmation of eircom’s world-class managed services credentials. We provide highly secure managed services to some of the largest enterprises in the world, including secure hosting, and we continue to work hard to ensure we not only meet the most stringent security requirements of our clients, but that we also foster a “security culture” within eircom.”

    Really?


  • Registered Users Posts: 101 ✭✭jreanor


    This is just disgraceful but I am absolutely not surprised.

    If you don't mind Ant I would like to ask you a question. Is it the belief of Eircom that it is completely beyond the realm of possibility that this database of plaintext passwords could fall into the wrong hands?

    This seems to have been the stance of many companies who had their password database compromised. An example of a high profile case of this is Sony's famous hack last year (http://techland.time.com/2011/06/02/new-sony-hack-claims-one-million-user-passwords/).

    Obviously everyone should have different passwords for every site they visit. But I have no doubt in my mind that many users use the same password for their eircom email address as for sites containing very sensitive information such as paypal or various social networks. In fact, I was guilty of exactly this for a time.

    All it would take would be one pissed off employee or a determined hacker. There is no such thing as a 100% secure system and judging by how eircom handles passwords I suspect it is not the only security vulnerability.

    I also wonder if such naive security policies would be of interest to the data protection commissioner.

    Eircom should take this issue very seriously before the media catch wind of this and you start losing customers.


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Two weeks and counting, guys.


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    I understand that you (Ant/James etc) are at the mercy of those higher up with regard to making statements on this, but can you point out that if they aren't more forthcoming with information in the relative privacy of this thread, that they may have to defend their position in the public eye.


  • Registered Users Posts: 138 ✭✭MagicRon


    This thread has over 700 views - If you think that ignoring the concerns that your customers have brought up here will somehow make the questions go away, then you're seriously mistaken!

    In light of the many hacks and user password exposures that have hit the media in recent times and the fact that it has been highlighted here now that one of Ireland's largest companies isn't handling passwords correctly (and that your agents are actually telling customers the passwords with little customer verification), we want to know exactly what is being done to rectify the concerns raised by your customers in this thread?


  • Closed Accounts Posts: 1,138 ✭✭✭eircom: Ant


    MagicRon wrote: »
    This thread has over 700 views - If you think that ignoring the concerns that your customers have brought up here will somehow make the questions go away, then you're seriously mistaken!

    In light of the many hacks and user password exposures that have hit the media in recent times and the fact that it has been highlighted here now that one of Ireland's largest companies isn't handling passwords correctly (and that your agents are actually telling customers the passwords with little customer verification), we want to know exactly what is being done to rectify the concerns raised by your customers in this thread?

    Hi MagicRon,


    Absolutely not ignoring this query. Both James and myself have sought further information. We will update as soon as we can.

    Apologies for the delay getting back to you.

    Ant


  • Registered Users Posts: 3,712 ✭✭✭Praetorian


    My thread was ignored too! :(


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Ant, we're approaching a month since I asked this question. How long does it take to get a response from either your security team or your PR team? While I acknowledge that this is somewhat beyond your control, what is in your control is the ability to pass on a message to whoever needs to know, that if I don't get a response by the end of the week... I will "talk to Joe" or whatever other bloke on the radio is good at stirring the pot.


  • Registered Users Posts: 399 ✭✭teddy b123


    gerryk wrote: »
    Ant, we're approaching a month since I asked this question. How long does it take to get a response from either your security team or your PR team? While I acknowledge that this is somewhat beyond your control, what is in your control is the ability to pass on a message to whoever needs to know, that if I don't get a response by the end of the week... I will "talk to Joe" or whatever other bloke on the radio is good at stirring the pot.

    Gerryk,
    Glad you're willing to fight this!
    I spoke to a person at the data protection commissioners office and she said to email on the details but I'm sure Eircom would rather sort this without their involvement!


  • Registered Users Posts: 138 ✭✭MagicRon


    1230 views....That means that of nearly 90 pages of threads in Talk to Eircom board, this thread is the 15th most viewed ... and at this rate, will soon be the most viewed Talk to Eircom thread in this forum.

    I think it is now time for you to come forward and accept that what you are doing is not right, tell us what you are going to do to change, and start working towards that change.

    The alternative is continued public exposure on this issue -- probably beyond boards if you continue on like this...


  • Registered Users Posts: 3,008 ✭✭✭colly10


    It's pretty obvious that eircom don't take securing data seriously. If they did then this issue wouldn't occur or at least they'd consider the issue to be important enough to make a decision quickly on what will be done about it. If it was important then the eircom guys here would not be left waiting for a response.

    It's not long since they failed to inform the data commissioners of the stolen laptops and they went a long time using a WEP key generator that allowed others to calculate the key generated off the SSID.

    It's the last thing on their mind


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Ant, James... I'm pretty upset that this thread hasn't been given any serious consideration. I would have thought that Eircom, as an ISP, would have taken the security of their users more seriously, especially since recently a pretty high profile social engineering/identity theft attack left a well known journalist with his entire digital life erased. One of the key vulnerabilities in this was access to improperly protected email accounts. Tesco have also come under scrutiny for a similar lapse of judgement.

    So... any final comments before I email George Hook and his ilk?


  • Registered Users Posts: 138 ✭✭MagicRon


    Absolutely not ignoring this query.

    Oh, really?


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    This isn't going away, guys...


  • Closed Accounts Posts: 289 ✭✭eircom: James


    gerryk wrote: »
    This isn't going away, guys...

    Hi gerryk,

    I see the lads had responded to your Tweet earlier. Just to put the latest info here for others, our online security team are constantly working on aspects of security. I hope you can understand that due to the nature of this as a security issue there is not a lot that we can post publicly.

    Regards

    James


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    James, with respect. This is not a data protection issue - although I recognise that there is a Data Protection aspect.

    This is an information security matter, and the DPC are not experts in that.


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    MadsL wrote: »
    James, with respect. This is not a data protection issue - although I recognise that there is a Data Protection aspect.

    This is an information security matter, and the DPC are not experts in that.

    Completely 100% correct. The driver behind your decisions should not be, in the first instance at least, regulatory compliance. It should be doing the right thing. Generally regulatory compliance provides guidance to do the right thing, but as with anything smothered under layers of bureaucracy, the message gets diluted or completely misreported.

    The correct approach is to derive the right thing to do from first principles.

    The right thing in this case is to eliminate vulnerabilities. The only correct way to do this is one way encryption, using a strong, salted hashing algorithm.
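Added example (not eircom's code and not any poster's) putting the two points gerryk makes in this thread into running code: the salted one-way hashing he asks for here, and the reset mechanism he proposed earlier (accept the request only from the phone number on record, send a one-time code to that same number). The account store, the phone numbers and the SMS "outbox" are constructed stand-ins so that it runs offline; PBKDF2-HMAC-SHA256 from the standard library stands in for whatever KDF a real deployment would pick, and the iteration count is this example's choice, not a figure from the thread.

```python
"""Password storage with a salted one-way KDF, plus an out-of-band reset flow.

Added example, not eircom's code. The account store, the phone numbers and
the SMS "outbox" are constructed stand-ins so everything runs offline.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# KDF parameters. PBKDF2-HMAC-SHA256 is in the standard library; the
# iteration count is the example's choice, not a value from the thread.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TTL = 600        # seconds a reset code stays valid
RESET_CODE_BYTES = 16  # 128-bit random code, sent once, stored only as a hash

ACCOUNTS = {}   # username -> {"phone", "pw_hash"}   (constructed store)
PENDING = {}    # username -> {"code_hash", "expires", "used"}
SENT_SMS = []   # stub outbox: (phone, body); a real system hands this to a gateway


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex'. The password is not
    recoverable from this string, and a fresh random salt per user means two
    customers with the same password still get different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def create_account(username: str, phone: str, password: str) -> None:
    ACCOUNTS[username] = {"phone": phone, "pw_hash": hash_password(password)}


def login(username: str, password: str) -> bool:
    rec = ACCOUNTS.get(username)
    return rec is not None and verify_password(password, rec["pw_hash"])


def _send_sms(phone: str, body: str) -> None:
    SENT_SMS.append((phone, body))


def request_reset(username: str, caller_id: str, now: Optional[float] = None) -> bool:
    """Accept a reset only when the call comes from the number on record, and
    deliver a one-time code to that same number. Nothing is sent otherwise, so
    a caller who merely knows the username and bill details gets nothing, and
    the agent handling the call never sees a reusable secret."""
    now = time.time() if now is None else now
    rec = ACCOUNTS.get(username)
    if rec is None or not hmac.compare_digest(rec["phone"], caller_id):
        return False
    code = secrets.token_hex(RESET_CODE_BYTES)
    PENDING[username] = {
        # the code is random and high-entropy, so a plain hash is enough here
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + RESET_TTL,
        "used": False,
    }
    _send_sms(rec["phone"], f"Your reset code is {code}")
    return True


def complete_reset(username: str, code: str, new_password: str, now: Optional[float] = None) -> bool:
    """Single use, time-limited, constant-time check. On success the new
    password is stored hashed, so nobody in the loop learns it."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    if not hmac.compare_digest(entry["code_hash"], hashlib.sha256(code.encode()).hexdigest()):
        return False
    entry["used"] = True
    ACCOUNTS[username]["pw_hash"] = hash_password(new_password)
    return True
```

With this layout a support agent who reads the account record sees only the `pbkdf2_sha256$...` string, and a "forgot my password" call can at best trigger a code to the phone already on file; the code expires, works once, and is itself stored only as a hash.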

