Events, news, technologies and products about cyber security
Sunday, February 9, 2014
[zdnet] Change your passwords: Comcast hushes, minimizes serious hack
Summary: Opinion: Comcast took a page from Snapchat's playbook to hush and downplay NullCrew FTS' successful hack on dozens of Comcast's servers — from an unpatched, easy-to-fix vulnerability dated December 2013 — which most likely exposed customer data
Are you a Comcast customer? Please change your password.
Comcast, the largest internet service provider in the United States, ignored news of the serious breach in press and media for over 24 hours — only when the Pastebin page was removed did the company issue a statement, and even then, it only spoke to a sympathetic B2B outlet.
During that 24 hours, Comcast stayed silent, and the veritable "keys to the kingdom" sat out in the open internet, ripe for the taking by any malicious entity with a little know-how around mail servers and selling or exploiting customer data.
Comcast customers have not been told to reset their passwords. But they should.
Once NullCrew FTS openly hacked at least 24 Comcast mail servers, and the recipe was publicly posted, the servers began to take a beating. Customers in Comcast's janky, hard-to-find, 1996-style forums knew something was wrong, and forum posts reflected the slowness, the up and down servers, and the eventual crashing.
The telecom giant ignored press requests for comment and released a limited statement on February 7 — to Comcast-friendly outlet, broadband and B2B website Multichannel News.
Comcast said it is investigating a claim by a hacker group that claims to have broken into a batch of the MSO email servers, but believes that no personal subscriber data was obtained as a result.
"We're aware of the situation and are aggressively investigating it," a Comcast spokesman said. "We take our customers' privacy and security very seriously, and we currently have no evidence to suggest any personal customer information was obtained in this incident."
Not only is there a high probability that customer information was exposed — because direct access was provided to the public for 24 hours — but the vulnerability exploited by the attackers was disclosed and fixed in December 2013.
Just not by Comcast, apparently.
Vulnerability reported December 2013, not patched by Comcast
NullCrew FTS used the unpatched security vulnerability CVE-2013-7091 to open what was essentially an unlocked door giving anyone access to usernames, passwords, and other sensitive details on Comcast's servers.
NullCrew FTS used a Local File Inclusion (LFI) exploit to gain access to the Zimbra LDAP and MySQL database — which houses the usernames and passwords of Comcast ISP users.
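The LFI described above is the kind of probe that shows up plainly in a web server's access log, because the attacker has to send the traversal sequence in the request. The script below is an added example, not code from the article or from Zimbra, that flags such attempts in Common Log Format lines and lists clients that repeat them. The log lines, IP addresses and the `/res/app.js?skin=` endpoint are constructed placeholders, not real Comcast traffic; the point is the decoding step, since probes arrive URL-encoded or double-encoded to slip past naive string matching.

```python
"""Added example: flag Local File Inclusion (LFI) / path-traversal attempts in
web access logs. Assumes Common Log Format; sample lines are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). Not real traffic;
# the IPs and the /res/app.js endpoint are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Feb/2014:10:01:02 +0000] "GET /webmail/ HTTP/1.1" 200 5123
203.0.113.7 - - [07/Feb/2014:10:01:05 +0000] "GET /res/app.js?skin=../../../../etc/passwd HTTP/1.1" 200 1834
203.0.113.9 - - [07/Feb/2014:10:01:09 +0000] "GET /res/app.js?skin=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834
203.0.113.9 - - [07/Feb/2014:10:01:12 +0000] "GET /res/app.js?skin=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1834
203.0.113.11 - - [07/Feb/2014:10:02:00 +0000] "GET /res/app.js?skin=harmony HTTP/1.1" 200 7002
"""

# One Common Log Format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal markers after decoding: "../", "..\" or an embedded NUL byte
# (used to truncate a filename that a vulnerable include appends a suffix to).
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\x00")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded probes (%252e%252e) unfold."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text: str) -> list[dict]:
    """Return one finding per request whose path or a query value contains a
    traversal sequence once fully decoded."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        parts = urlsplit(m.group("target"))
        # parse_qsl decodes one layer; fully_decode strips any further layers.
        fields = [("<path>", parts.path)]
        fields += parse_qsl(parts.query, keep_blank_values=True)
        for name, raw in fields:
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                findings.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "field": name,
                    "decoded": value,
                    "status": int(m.group("status")),
                })
                break  # one finding per request is enough for triage
    return findings


def repeat_offenders(findings: list[dict], threshold: int = 2) -> list[str]:
    """Clients with at least `threshold` traversal attempts, for rate-limit or
    block-list review."""
    counts = Counter(f["client"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = find_lfi_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['client']} {h['field']}={h['decoded']!r} -> HTTP {h['status']}")
    print("repeat offenders:", repeat_offenders(hits))
```

A 200 status on a flagged request is the detail worth escalating: a patched server answers a traversal probe with an error, so successful responses to these requests are the signal that the December 2013 fix was never applied.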
"Fun Fact: 34 Comcast mail servers are victims to one exploit," tweeted NullCrew FTS.
If you are a Comcast customer, you are at risk: All Comcast internet service includes a master email address.
Even if a customer doesn't use Comcast's Xfinity mail service, every Comcast ISP user has a master email account with which to manage their services, and it is accessible through a "Zimbra" webmail site.
This account is used to access payment information, email settings, user account creation and settings, and any purchases from Comcast's store or among its services.
In the first strike of what looks like it'll be a very successful campaign to cause pain and humiliation to big telecoms, NullCrew FTS accessed and exposed more than 22,000 usernames and passwords, and some credit card numbers belonging to the phone company's small business customers.
Establishing a signature game of cat and mouse with clueless support staff, NullCrew FTS contacted Bell customer support two weeks before its disclosure.
Like Comcast's robotic customer service responses to NullCrew FTS on Twitter, Bell's support staff either didn't know how to report the security incident upstream, had no idea what a hacking event was, or didn't take the threat seriously.
Bell also tried to play fast and loose with its accountability in the security smash and grab; it acknowledged the breach soon after, but blamed it on an Ottawa-based third-party supplier.
However, NullCrew FTS announced the company's insecurities in mid January with a public warning that the hackers had issued to a company support representative about the vulnerabilities.
NullCrew FTS followed up with Bell by posting a Pastebin link on Twitter with unredacted data.
A page from Snapchat's playbook
Just over a month ago, popular social media sharing app Snapchat was the subject of headlines and the target of public scorn when hackers (Gibson Security) posted multiple known exploits after warning the company about its security holes, and having the problems ignored.
Snapchat further attempted — badly — to ignore press and public when the hackers later published details about Snapchat's security holes (some of which still call into question the validity of Snapchat's userbase) and released to the world a few very active Snapchat database exploits.