Webmail Incident Report

Liam
Grafter
Posts: 2,083
Registered: 04-04-2007

Webmail Incident Report

Following the recent issue regarding the compromise of some customer email addresses, we have now published a detailed Incident Report, as promised, which is available for customers to read at the following URL :

http://community.plus.net/comms/2007/05/23/webmail-incident-report/

We would like to apologise to customers for delayed publication of this report.
115 REPLIES
Liam
Grafter
Posts: 2,083
Registered: 04-04-2007

Webmail Incident Report

*Bump*
smillie-world
Grafter
Posts: 62
Registered: 30-07-2007

Webmail Incident Report

Quote
We did think it would be unlikely for anyone to have run the type of query needed to extract this information without triggering certain alarm systems we have in place. (These are targeted at looking for unusual or large database queries).


So because it was thought unlikely, does that mean it was considered but ignored on the basis of someone assuming it would never happen?
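Added example, not the alarm system the report describes and not code from anyone in this thread: a sketch of the kind of "unusual or large database query" check the quoted sentence refers to, run over a constructed MySQL slow-query-log fragment. The table names, the rows_sent threshold and the log lines themselves are assumptions made for illustration.

```python
"""Flag bulk address extraction in a MySQL slow-query log.

Added example, not Plusnet's alarm system: the table names, threshold and
log lines below are assumptions / constructed for illustration."""
import re
from dataclasses import dataclass

# Assumed names of tables holding customer and correspondent addresses.
WATCHED_TABLES = {"contacts", "address_log"}

_USER_RE = re.compile(r"^# User@Host:\s*(\S+)\s*@\s*(\S+)")
_STATS_RE = re.compile(
    r"Query_time:\s*([\d.]+).*?Rows_sent:\s*(\d+)\s+Rows_examined:\s*(\d+)")
_TABLE_RE = re.compile(r"\b(?:from|join)\s+`?(\w+)`?")


@dataclass
class SlowQuery:
    user: str
    host: str
    query_time: float
    rows_sent: int
    rows_examined: int
    sql: str


def parse_slow_log(text: str) -> list:
    """Parse the standard MySQL slow-log layout: a '# User@Host' line, a
    '# Query_time ... Rows_sent ... Rows_examined' line, an optional
    'SET timestamp' line, then the statement (single-line statements assumed)."""
    entries, cur = [], None
    for line in text.splitlines():
        m = _USER_RE.match(line)
        if m:
            # 'webmail[webmail]' -> 'webmail'; 'wm04 [10.0.0.4]' -> 'wm04'
            cur = {"user": m.group(1).split("[")[0], "host": m.group(2),
                   "query_time": 0.0, "rows_sent": 0, "rows_examined": 0}
            continue
        if cur is None:
            continue
        if line.startswith("#"):
            s = _STATS_RE.search(line)
            if s:
                cur.update(query_time=float(s.group(1)),
                           rows_sent=int(s.group(2)),
                           rows_examined=int(s.group(3)))
            continue
        if line.startswith(("SET timestamp", "use ")) or not line.strip():
            continue
        entries.append(SlowQuery(sql=line.strip(), **cur))
        cur = None
    return entries


def find_bulk_extractions(entries, rows_threshold: int = 1000):
    """Return (query, reasons) pairs for statements that look like a dump of
    address data rather than one user's normal webmail activity."""
    alerts = []
    for q in entries:
        sql = q.sql.lower()
        touched = set(_TABLE_RE.findall(sql)) & WATCHED_TABLES
        reasons = []
        if q.rows_sent >= rows_threshold:
            reasons.append(f"rows_sent={q.rows_sent} >= {rows_threshold}")
        if touched and sql.startswith("select") and " where " not in sql:
            reasons.append(f"unfiltered SELECT on {sorted(touched)}")
        if touched and re.search(r"\binto\s+(outfile|dumpfile)\b", sql):
            reasons.append("SELECT ... INTO OUTFILE on watched table")
        if reasons:
            alerts.append((q, reasons))
    return alerts


# Constructed sample log (not a real capture).
SAMPLE_SLOW_LOG = """\
# Time: 070504 14:02:11
# User@Host: webmail[webmail] @ wm04 [10.0.0.4]
# Query_time: 0.004000  Lock_time: 0.000000 Rows_sent: 12  Rows_examined: 12
SET timestamp=1178287331;
SELECT email FROM contacts WHERE user_id = 4711;
# Time: 070504 14:09:58
# User@Host: webmail[webmail] @ wm04 [10.0.0.4]
# Query_time: 12.500000  Lock_time: 0.000000 Rows_sent: 250000  Rows_examined: 250000
SET timestamp=1178287798;
SELECT email FROM contacts;
# Time: 070504 14:11:03
# User@Host: webmail[webmail] @ wm04 [10.0.0.4]
# Query_time: 4.100000  Lock_time: 0.000000 Rows_sent: 80000  Rows_examined: 900000
SET timestamp=1178287863;
SELECT DISTINCT sender FROM address_log INTO OUTFILE '/tmp/senders.txt';
"""

if __name__ == "__main__":
    for q, why in find_bulk_extractions(parse_slow_log(SAMPLE_SLOW_LOG)):
        print(f"ALERT {q.user}@{q.host}: {q.sql}\n  " + "; ".join(why))
```

The first sample entry (a filtered per-user lookup returning 12 rows) passes; the two bulk statements are flagged. A per-row threshold alone is easy to evade by paging through the table in small batches, so in practice the rows_sent rule would be complemented by counting total rows returned per account per hour, which the slow log alone does not give you.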
MacOS10
Grafter
Posts: 172
Thanks: 1
Registered: 30-07-2007

Webmail Incident Report

The report doesn't really tell us anything we don't know already - apart from the fact the perpetrators are probably Russian.

It also fails to assure us that any new mailboxes created from now on won't be affected with spam. I've held off creating replacement mailboxes until this report was published as I want to be 100% sure that my new email address will be spam-free. I expect the lawyers took that bit out as they couldn't guarantee it?

So I can change my username, but what about my domain that's hosted with PlusNet. I'm stuck with that, and thanks to PlusNet I'll now always receive spam to that (even if I move it elsewhere). I don't want to change this domain as it's based on my name, so I guess I'll just have to put up with it. OK, so PlusNet will offer me a free .uk domain, but I want to keep my .co.uk one - the one that I chose carefully and trusted to PlusNet to host safely and securely. I've been working on creating my website for the last 6 months and am nearly ready to upload it - I'm not starting this process again because I've had to change the domain name.

Finally...
Quote
We want to be regarded as an on-line business where security is placed at the forefront of everything we build.

That's easy to say - I'd love to believe it, but it seems unlikely after reading the timeline of events. If the attack happened sometime on 4th May, why did it take so long for PlusNet to take customers' reports that something was wrong with Webmail seriously and then act upon this information? I hope this sorry affair has shaken PlusNet to the core and kickstarted a complete change in attitude within the company - but somehow I think this will be soon forgotten and they'll go back to their old ways.
thecookhouse
Grafter
Posts: 72
Registered: 14-08-2007

Webmail Incident Report

Just wading my way through all the code (<!--[if !supportLists]-->a. <!--[endif]--> etc)
on the page to try to read the content (nice touch - glad so much trouble was taken in preparation). Hope to publish a response soon. Not quite sure exactly when but I hope to make some sort of hollow promise as to when this might appear later.

(And before someone says "it's a setting and your own fault", I am using a bog standard IE7 implementation and don't have any trouble anywhere else.)
echoecho
Dabbler
Posts: 20
Registered: 06-08-2007

Webmail Incident Report

Given that it was completed after most of us were asleep I'm willing to forgive a few typos and code errors ...

I'd love to look at this report in more detail this morning, but my work ISP routes via Germany, so I won't be able to look at it until later. Nevertheless on a quick perusal:

- No mention of whether actual emails were hacked. Just addresses are mentioned. Given that a trojan was placed on WM04, can PN be sure that actual email data (and hence potentially third party usernames/passwords) were not open to the hackers?

- Still not much forward planning. The security structures are to be included on webmail servers going forward with possible new usernames, but what about existing spammed mydomain.co.uk addresses? Are owners of these going to be provided with new domains and perhaps some kind of reparation?

- I feel much of the "forward planning" in the reports was akin to locking the stable door after the horse had bolted.
Community Veteran
Posts: 1,160
Thanks: 1
Registered: 01-08-2007

Webmail Incident Report

The page didn't have any code on it when I looked around 7.30 this morning. Must be IE - I use Firefox.
Plusnet user since November 2003
Currently on Unlimited Fibre Extra and Unlimited UK & Mobile Calls
N/A

Webmail Incident Report

Yeah, looks fine in Firefox, but IE shows the code statements.
smillie-world
Grafter
Posts: 62
Registered: 30-07-2007

Webmail Incident Report

Both IE7 and IE6 are affected with the strange code stuff in the report.

Does this give us an indication as to the degree of competency PlusNet carried out the tests on the mail servers?

Did PlusNet not say this report was delayed because they wanted it to be right first time? Is this level of formatting "right"?
aldennis
Newbie
Posts: 4
Registered: 01-08-2007

Webmail Incident Report

Having waited quietly and patiently, and having finally got to read the report, a couple of things spring to mind:

i) With hindsight, it's easy to say, but surely one of the fundamentals of web security is minimising the volume of potentially vulnerable data and keeping it as far away from the vulnerable exterior of the platform as possible? If that's the case then why were transaction logs stored on the webmail server:
Quote
...webmail database, which contained the email addresses of customers who have used Webmail. ... and addresses customers had sent to and received from, using our Webmail service.

How far back did these logs go? Were they just recent (a few hours/days) or much longer? How often were they archived away from the webmail server before being purged?

ii) I can accept a log of "customers who have used Webmail" (i.e. login to webmail) and a log of "addresses customers had sent to" (i.e. compose in webmail), but my understanding was that webmail was just a web-front end for the email system. If that's the case then how can "addresses customers had ... received from" be stored? Surely the webmail system doesn't receive email itself and hence log it?

I still have a ticket open requesting confirmation that an address I'm being spammed on was in fact on the webmail server. It's particularly annoying because it's not even an address I've created or interacted with. Whereas my e-mail is <myFirstName>@<MySurname>.plus.com, the spam is coming from an incorrect contact e-mail for another Plusnet user whose username is <herFirstNameMySurname>, but she's put down a contact email of <herFirstName>@<MySurname>.plus.com - so I'm getting her spam too!! :x If only PlusNet had removed the incorrect contact details when I asked them to....

But anyway, thanks for what appears to be an honest report. Let's hope something comes of the police involvement. :?
Alan.
Community Veteran
Posts: 1,160
Thanks: 1
Registered: 01-08-2007

Webmail Incident Report

Quote
Both IE7 and IE6 are affected with the strange code stuff in the report.

Does this give us an indication as to the degree of competency PlusNet carried out the tests on the mail servers?

IE is a 'non-compliant' browser. If you write sloppy code it will work on it but 'good' code sometimes needs hacks to make it work properly on IE.
sophos9
Grafter
Posts: 760
Registered: 12-09-2007

Webmail Incident Report

The report made interesting reading, although I must admit to being slightly disappointed with the content. I understand this was written for the GP; however, where is the GEEK version?

I guess my major concern as a customer is the internal security team and what seems (I may be wrong??) a reliance on industry standard tools. I can fully assure you that software like Nessus, Nikto and the like have significant issues unless you have significant experience.

The ratio of using these tools to find a vulnerability is about 48%; the other 52% is bespoke applications/scripts.

What are the credentials of your security team, backgrounds and combined years experience - I need some confidence!!

Well I was right about those sneaky Russians and whilst I will get shot down for this, you really have to admire their abilities, they probably earned about a months wages out of this

If your systems were scanned successfully then why do you still suffer from the XST (Cross Site Tracing) vulnerability and you know the repercussions of this, would you like a PoC?
N/A

Webmail Incident Report

Quote
Quote
We did think it would be unlikely for anyone to have run the type of query needed to extract this information without triggering certain alarm systems we have in place. (These are targeted at looking for unusual or large database queries).


So because it was thought unlikely does that mean it was considered but ignored of the basis of someone assuming it would never happen?


When asked "who are your main customers?" most installers of domestic burglar alarms and security systems will usually reply "those who've just been burgled".
That's a good insight into how most Brits view security. Why do we expect PN to be different in a highly competitive ISP market where the choice is often between adding new features or more security ...the first is visible to customers, the second is not.

Security is an expensive game and is never 100% effective. Unlike govt depts, PN do not have an endless supply of taxpayers money to implement security, not that it's effective anyway (witness the recent NHS MTAS fiasco ...and wait until ID Cards are in circulation - ho ho).

A brief read of PN's report confirms what some of us thought from the start: the hack was not by a spotty teenager but probably an IT-savvy Russian gang who planned and executed it very professionally.
I'm not sure that PN could have secured their systems from that. Others may have a view that is not coloured by anger.
MacOS10
Grafter
Posts: 172
Thanks: 1
Registered: 30-07-2007

Webmail Incident Report

Quote
If your systems were scanned successfully then why do you still suffer from the XST (Cross Site Tracing) vulnerability and you know the repercussions of this, would you like a PoC?

For the benefit of non-techies (i.e. me), can you please explain what this means? XST, PoC - what are they?

Are you saying that, despite PlusNet's best efforts, there are still gaping holes in their security systems? If so, I'm extremely worried and will be requesting my MAC today.

PlusNet, will you please employ sophos9 as he seems to know more about security than your "security team"!
sophos9
Grafter
Posts: 760
Registered: 12-09-2007

Webmail Incident Report

Steve, Hi

Through professional courtesy towards PN I should not really give out detail unless it's in a "PoC", which is a proof of concept document; this doc outlines in detail the discovered vulnerability. This is what I get paid to do and I value my time out of work (well, get paid by a corporation ;) ).

In this instance, imagine... You receive an email from PN with a link to the latest and greatest news; you click on it and go to a page looking exactly like a PN page. However, this one is loaded with malware, or your cookie with session credentials is hijacked... The email never came from PN, and the site you are on is not actually PN's but a spoofed page; however, the link used a PN domain and redirected you (cross site).

Now it's not as simple as the paragraph above; several variables must be in place. However, there are some serious attackers out there who are good at their game.

Don't fuss over this, I was only making PN aware - other majors suffer/ed from this inc Google etc...

Hope this helps
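Added example, not Plusnet's code and not from any post in this thread, covering the XST point raised in the two sophos9 posts above. Cross-Site Tracing, as originally described in 2003, depends on the web server honouring the HTTP TRACE method, which echoes the request (Cookie and Authorization headers included) back to whoever sent it; a script running in the victim's browser could then read headers it is not otherwise allowed to see. The check below sends a TRACE carrying a marker header and decides from the reply whether the server echoes requests. The host, path, marker and the sample responses are constructed assumptions, not captures from any real server.

```python
"""Check whether an HTTP server honours TRACE, the precondition for XST.

Added example, not Plusnet's code. Host/path/marker and the sample
responses are assumptions constructed for illustration."""
import socket


def build_trace_request(host: str, path: str = "/",
                        marker: str = "XST-Probe") -> bytes:
    # A server that allows TRACE replies 200 with Content-Type: message/http
    # and the body is our request, byte for byte, headers included.
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Probe: {marker}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw: bytes, marker: str = "XST-Probe") -> bool:
    """True only if the server echoed our request back: 200, message/http,
    and the marker header we sent appears in the body."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return False
    ctype = headers.get("content-type", "").lower()
    return ctype.startswith("message/http") and marker.encode() in body


def probe(host: str, port: int = 80, path: str = "/",
          timeout: float = 5.0) -> bool:
    """Live check over a plain TCP connection (no TLS)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed sample responses (not captured from any real server).
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.com\r\nX-Probe: XST-Probe\r\n"
    b"Connection: close\r\n\r\n"
)
DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# A 200 that is not an echo (some servers answer any method with the home page).
HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
)

if __name__ == "__main__":
    for name, resp in [("enabled", ENABLED_RESPONSE),
                       ("disabled", DISABLED_RESPONSE),
                       ("html", HTML_RESPONSE)]:
        print(name, trace_enabled(resp))
```

probe() performs the live check; trace_enabled() is the decision logic and is what the constructed responses exercise. The remedy is to turn the method off at the server (Apache: `TraceEnable off`) or have the front proxy answer TRACE with 405. Modern browsers no longer let page scripts issue TRACE, so XST today is mostly a hardening finding rather than a practical cookie-theft route, but a 200 message/http echo is still something a scan should report.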