cancel
Showing results for 
Search instead for 
Did you mean: 

PlusNet in the news

Community Veteran
Posts: 5,322
Thanks: 467
Fixes: 1
Registered: 21-03-2011

PlusNet in the news

Oops PN is getting some stick on security...http://www.theregister.co.uk/2015/11/25/plusnet_still_delivering_passwords_plaintext/
Now Zen, but a +Net residue.
26 REPLIES
Community Veteran
Posts: 13,921
Thanks: 514
Fixes: 7
Registered: 01-08-2007

Re: PlusNet in the news

I must admit, that doesn't sound good.
I need a new signature... i'm bored of the old one!
Community Veteran
Posts: 18,545
Thanks: 191
Registered: 12-08-2007

Re: PlusNet in the news

Community Veteran
Posts: 7,914
Thanks: 594
Fixes: 8
Registered: 02-08-2007

Re: PlusNet in the news

Amazing the number of posts on that link, no doubt PN have done a fair amount of work on this but it was raised over a year ago so there must be some sort of time scale for when this work will be completed ?
Community Veteran
Posts: 4,596
Thanks: 751
Fixes: 3
Registered: 06-11-2014

Re: PlusNet in the news

After the horse has bolted in a talktalk-esque manner? Huh
nanotm
Pro
Posts: 5,671
Thanks: 108
Fixes: 1
Registered: 11-02-2013

Re: PlusNet in the news

yeah when the people at the top realise they need to take the mail servers offline for 48 hours to push the new updates and pay for a lot of overtime as a serious priority .....
this story though isn't about the ssl implementations with the mail service its about the way in which PlusNet uses the same login password for the member centre and the broadband service instead of using two separate ones which can then be stored in a different fashion to update the way the website gives out password resets or reminders .....
just because your paranoid doesn't mean they aren't out to get you
Community Veteran
Posts: 1,136
Thanks: 2
Registered: 30-07-2007

Re: PlusNet in the news

This comes up every now and then whenever someone is shocked their password was recoverable.
The usual story is that the passwords are stored with reversible encryption, and that any access to an account's password is logged.
So, if the database was breached (apparently impossible because it's not directly connected to the internet), then it would be useless without knowing the key with which the passwords were encrypted.
We can only hope that it's not one key for all passwords, but each password is encrypted with it's own key (which isn't just the account name, because that would be dumb).
Hopefully the self-service retrieval system has to authenticate itself, and the user to whatever back-end system stores these encrypted passwords.
F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)
KitFox
Grafter
Posts: 75
Registered: 23-12-2009

Re: PlusNet in the news

Not only as they getting stick but they really appear to deserve it, ignoring advice from the security industry on best practices leaves plusnet potentially on the recieving end of civil suits for any losses incurred if it can be showed their security wasnt up to scratch.
Failling to listen to advice about industry standards & good practices regarding security is a pretty good indication of not having 'adequate' security as the DPA requires
Using unhashed & unsalted passwords is just a bad idea, it helps to expose data which can help attackers build up a picture about you based on the words you use to form your passwords.  Did you use something out of a favourite book?  Is it recognisable to someone with an interest in the genre that book relates to for example & did you use any other words from that book in other passwords?  It wouldnt take some of the 'hacking crews' that exist long to create a dictionary of that book to brute force an attack and thats just one basic example
As for ignoring CESG well the less said the better really, it smacks of lunacy really or perhaps a devil may attitude some might even call incompetence.  
Whats wrong with doing what everyone else does & sending you a one use time limited link (ie that is only valid for 12/24hours or other time frame of your choice) for allowing a password reset after validating the person requesting the link is the account holder either by sending to the registered email or validating security questions on a secure form?
btw how is the process towards secure email servers going?  Even hotmail/outlook has passed Plusnets ability to provide 'secure' email at the moment, answers on a postcard please as thats what all email to & from a plusnet email account is until an envelope (security) is placed around it
I sound harsh, yes but what is it going to take Plusnet for security to not be a dirty word?  We've seen countless breaches in the last 2 years. let alone the last 5 that in some cases have led to companies going broke/bankrupt & yet you still persist as though 'security by obscurity' is still a viable approach, it isnt!  What will it take?  An act of god?  
P.S.  Not having being attacked or having a major leak of data is not an excuse or justification for lax security btw

Addition:
avatastic > Passwords should NOT be recoverable at all, that is indeed a bad thing to see.  What should be possible is for a correctly audited & account priviledged admin user to do, is RESET a requested password
nanotm
Pro
Posts: 5,671
Thanks: 108
Fixes: 1
Registered: 11-02-2013

Re: PlusNet in the news

there ignoring the problem though about CHAP, every user has the account details on their router and the server has the same details, there in plain text and if not present you don't get an internet connection.....your website account password is the same password as your chap password, if you request a password reset you loose your internet access which means your offline unless you have a secondary internet connection method to retrieve your reset email.
CESG guidelines need to specify there should be a difference between the chap and website credentials and until that becomes possible you wont find this system being changed at any point in the near future, if for no other reason than it would require changing the entire service provision and backend connection system, currently your passwords are more secure being stored as they are on the backend server than if they did what stalk stalk did and stored them as separate details on the webserver
the only way round it would be to remove the requirement for passwords from CHAP and doing that also removes the account tracking that GCHQ requires ISP's to provide, so far from a simple change GCHQ/CESG need to figure out what the priority is, double lock the user details in an offline data vault and have CHAP running in blank mode or CHAP authenticating and the system stay as it is, clearly they cant have it both ways /
just because your paranoid doesn't mean they aren't out to get you
Community Veteran
Posts: 18,545
Thanks: 191
Registered: 12-08-2007

Re: PlusNet in the news

CESG, CHAP - could someone explain please?
Moderator
Moderator
Posts: 17,250
Thanks: 904
Fixes: 104
Registered: 11-01-2008

Re: PlusNet in the news

CHAP = Challenge Handshake Authentication Protocol, it's what happens when your router connects with the ISP to validate your credentials. Virgin don't use this iirc.
CESG is a group within GCHQ
Will Moderate For Thanks
KitFox
Grafter
Posts: 75
Registered: 23-12-2009

Re: PlusNet in the news

Nanotm > Ok then if the problem is the CHAP spec and how it authenticates each router(user) then the answer is quite simple, use a different password for the broadband connection & the member centre website!  easily done and if the broadband password is exposed or compromised then at least your account will still be (hopefully) under your control for you to do something about it
nanotm
Pro
Posts: 5,671
Thanks: 108
Fixes: 1
Registered: 11-02-2013

Re: PlusNet in the news

yes they could In theory add a new column into the customer database titled website password, and alter the website login to look at the new field but that might not be possible depending on the size of the database, the password recovery system will still not use the email token process without a major overhaul of the service and it might not work anyway if they don't have the ability to pass that token outside the plusnet mail system.
I have no doubt that at some point they will change the current system to something different, but I also wouldn't advocate doing what everyone else does because that will also make it less secure, 90% of the best practice is not following the crowd....
just because your paranoid doesn't mean they aren't out to get you
Community Veteran
Posts: 18,545
Thanks: 191
Registered: 12-08-2007

Re: PlusNet in the news

Quote from: dvorak
CHAP = Challenge Handshake Authentication Protocol, it's what happens when your router connects with the ISP to validate your credentials. Virgin don't use this iirc.
CESG is a group within GCHQ

@dvorak, thank you for the explanation. Maybe we should ask posters when they first use initials to explain them so we know what they are talking about.
nanotm
Pro
Posts: 5,671
Thanks: 108
Fixes: 1
Registered: 11-02-2013

Re: PlusNet in the news

or you could read the article and understand a tiny bit about broadband service then you wouldn't need to ask .....
just because your paranoid doesn't mean they aren't out to get you