KC engineer 'exposed unencrypted spreadsheet with phone numbers, user IDs, PASSWORDS' Hull's dominant telco, KC, is investigating revelations of what appears to be poor handling of the company's customer data. This comes after a recent sign-up claimed one of its engineers had unwittingly exposed a customer spreadsheet containing the telephone numbers, user IDs and unencrypted passwords of all its subscribers. …
The security of our customers’ information is of primary importance to us and we are aware of and take very seriously our obligations under the Data Protection Act. We investigate any alleged data security incidents promptly and thoroughly, and we act quickly to make any improvements such investigations identify.
Even funnier is this nice bit of sophistry: "I can assure you that all of our laptops are encrypted, password-protected and fitted with tracking technology and the facility to remotely wipe data."
That's great, but irrelevant, because in this case unauthorised third party access is not the problem, it's the authorised operator's access to sensitive data he ought not be authorised to access.
Or in simple terms: "He works for us" is not good enough I'm afraid. I'm sure banks employ engineers too, but that doesn't mean those engineers get the keys to the vault, even if they're the ones who installed it.
If these numpties are representative of the sort of people responsible for securing sensitive data, I can understand why the ICO has such a difficult job.
"Did you see the bit about the same password being used to access email? Would you want some random engineer knowing your email password?"
They don't even NEED the password, this is the problem, I mean if you're the sysadmin for the mail server, I'm sure you can read anyones inbox unless the messages are PGP encrypted.
... then allow me to enlighten you...
The issue is that this engineer now has credentials for accessing thousands of customer's email accounts. If the customer has been lazy (and most will be), he probably also has access to theiR facebook / twitter accounts as well...
There is no excuse for holding passwords in clear text - even back at base - nevermind on a remote worker's laptop.
"The issue is that this engineer now has credentials for accessing thousands of customer's email accounts."
And other engineers can just read your plaintext email on the server without any passwords or some email admins can 'impersonate' a user/email address and read your email in the web mail interface. Whine about that one.
"If the laptop in question does indeed have hard drive encryption installed then I really don't see what the issue is?"
The engineer had no need to have the file at his disposal. He should only have had access to the record of the specific customer in question, not the entire customer base. If he's scrolling through data on a spreadsheet there's no way to record and audit what records he has looked at and to confirm that the access was done for a genuine purpose.
It the report is true, it's a clear breach of the DPA. If you can't see the problem, I really hope you're not responsible for any data I might appear in.
I think a number of commentards here have missed the bit about this being the network logon credentials which are normally assigned by the ISP rather than them being the user's own password (even if they are also the default passwords used for the email service).
One does wonder how some of these commentards expect the ISP to tell you the credentials you need to log onto their network if they are never allowed to use clear text.
> It the report is true, it's a clear breach of the DPA.
Anon, could you please provide details as to how this is a "clear breach of the DPA"? Specific sections being violated along with commentary would be particularly appreciated. Thanks very much.
> If you can't see the problem, I really hope you're not responsible for any data I might appear in.
It would be much helpful if you could give us some insight, so you're not left at the mercy of your hopes.
I must admit that while I can see an obvious problem from an information security perspective, it is the contravention of the Data Protection Act 1998 that eludes me. Having raised the point with such certainty, I have no doubt that you will be kind enough to expound the intricacies of it to us, for which I would be indebted.
Ok, so can someone please provide an explanation of how this practice might be in breach of the Data Protection Act?
I am not asking whether it is a good idea, professional, etc., to carry around a list of usernames and passwords related to customers. I am asking whether someone else familiar with the DPA would like to provide their input, seeing as the journo who wrote the piece did not see fit to enlighten us on this particular aspect.
Many thanks.
>> Ok, so can someone please provide an explanation of how this practice might be in breach of the Data Protection Act?
The principles of the act are listed here: http://ico.org.uk/for_organisations/data_protection/the_guide/the_principles
At the very least, principle 3 would appear to be being breached.
Industry standards state that passwords shall not be stored except as a hashed output.
Passwords are not 'encrypted' in the usual, reversible fashion per these standards; this is why all reputable outfits will not be able to tell you what your password was when you forget it.
When you log in, the login process hashes your password through the same one-way function and compares the sausage-meat result to the stored sausage-meat result; if they match, then you've put in the correct password.
"Cor, but wot if summat else makes t' same hash?" I hear you object--that's called a hash collision, and that's why they come out with new hash functions from time to time.
The long and short of it is that even if you trust these people's laptop setup--which, given their very basic misunderstanding of how passwords are to be stored is far from guaranteed--they STILL should not have passwords available for customer accounts, ever.
The correct way that reputable outfits use is to use the engineer's credentials to get to a restricted page on which the customer then inputs a password for their specific account, and then tell the customer to change it themselves once the engineer leaves.
And that, lad, is why everyone jumped on the 'downvote' button.
"Industry standards state that passwords shall not be stored except as a hashed output."
Hmmm, if all ISP were to follow this 'Industry Standard' then I wonder how they could tell you the password so you can connect your router to their network. After all it is normal practise for these passwords to be fixed by the ISP and not user changeable.
Nudge, nudge, wink, wink, want to know the password for the giffgaff APN? I've successfully managed to reverse the hash they've used and the password is: "password".
"Of course they might have rainbow tables and can figure it out."
The (good) thing is, rainbow tables are often of little or no use against a half-decent hashing routine. Decent sized crypto-random salts and stretching (and therefore also multiple iterations), as a basic minimum, helps quite a bit in this respect.
The bad thing is, a lot of code I have seen over years fails to implement even basic precautions such as salts and stretching which probably means rainbow tables will be of some use for a while yet.
It's little wonder I've stopped all but the most difficult on-line transactions and gone back to cheques.
With the NSA, CGHQ etc spying, unscrupulous suppliers divulging my email address and other personal data and their irresponsible employees losing customer data including passwords (or losing disks or the briefcases containing them on public transport), operating system manufactures—Microsoft—making O/S code that requires neverending security patches (i.e. inherently as holey as a Swiss cheese) not to mention going to bed with the NSA etc., virus writers and exploit experts threatening to devastate my data, and governments that don't give a damn about privacy etc., etc., I'm beginning to think the internet is pretty useless except for perhaps a bit of wild-west entertainment or comic relief.
Yes, it was too good to last.
—
you're going to bed with the NSA...
Frankly, I can't think of much worse.
Now, I know I'm renowned for long sentences; so I'm letting you off with a reasonable excuse. According to MS word, this sentence has 107 words (its grammar checker peters out after 68).
Shakespeare it certainly ain't, but that sentence is entirely consistent in its punctuation. There's a comma before operating system and the next matching comma is after NSA etc. Between them there's a pair of opening and closing [em] dashes followed by a pair of opening and closing brackets, both of which have consistent parsing. Thus, after parsing, MS is the subject of the phrases within the two commas.
I know that if I converted the sentence into a True/False truth table (something I was forced to learn years ago in formal logic) then I could formally prove this. However, I do not intend to so do. As truth tables are fine in say Boolean electronic logic circuits but a real PIA when applied to grammar for detailed reasons too complex explain here. (And for me, doing grammar truth tables is effectively penance and thus to be avoided.)
A consequence of doing formal logic is that I usually get the punctuation correct. 'Tis unfortunate however that study made little or no improvement to my writing style.
Thank you for winding me up, that's one of the great joys of El Reg.
P.S.: In future, I'll endeavour (but not promise) to keep my sentences fewer than the MS-imposed limit.
;-)
"It's little wonder I've stopped all but the most difficult on-line transactions and gone back to cheques."
Bad move. Cheques are being phased out over the next 4 years:
Bad move. Cheques are being phased out over the next 4 years...
Did not know that.
Ahh, but not here in the great godforsaken southern land—not yet anyway! (It usually takes us about 5 or 10 years to catch up to the UK but inevitably we do (we're so predictable at it that if you guys copyrighted your business and government practices/rules, I'd reckon the UK could live off the royalties we'd have to pay you).) ;-)
It's not news that the banks don't like cheques; they have to get off their arses and physically exchange bits of paper, which is a pain compared to line items on a computer screen. Despite the fact that they've had to do it for hundreds of years, those opportunistic, customer-service-shy pariahs won't miss a tick. (Note: bills of exchange go back to at least Roman times.)
In that article Auntie Beeb makes the point that cheques will be phased out by October 2018, but only if adequate alternatives are developed, it doesn't say what they are. So what happens when someone (a) doesn't have a mobile or POTS telephone, (b) has no internet connection and or (c) no credit card? Not having one of these three is usually a reasonable indicator that the person may not have the others. Whilst the numbers are small, in a country the size of the UK, this still amounts to many hundreds of thousands of people.
Also in the article there's a mention that the cheque's predecessor was the bill of exchange. In the paperwork sense, there's bugger-all difference between a bill of exchange and a cheque. For all sorts of reasons I cannot see how the banks can kill off everything from bills of exchange to money orders etc., etc., especially if they originate from outside the UK. That would essentially presuppose that cash was gone and that every place/country had a totally cashless banking system.
Funny isn't it, that the banks are prepared to phase out cheques before there's a secure system to replace it—i.e.: before there's a secure internet (a la this article/my post etc.)
Jolly Roger icon ==> Banks' logo!
"Funny isn't it, that the banks are prepared to phase out cheques before there's a secure system to replace it—i.e.: before there's a secure internet (a la this article/my post etc.)"
We wouldn't want a truly secure internet, especially if it involves using passport details or driver's license details to post on a forum, it's bad enough that some places expect you to use Facebook for authentication.
It's even worse than that - most checks have full account details printed at the bottom, making it fairly trivial to spoof the whole thing... The only saving grace is that it's not digital, but even then, most banks provide digital images of your checks...
Re: The only saving grace is that it's not digital, but even then, most banks provide digital images of your checks...
I've yet to receive any digital images of cheques I've issued. Years back AMEX used to send out copies of all payment slips they had received, however, since they went digital with only account access, copies of transaction documents are no longer provided as standard.
The trouble is that UK banks are starting to accept and process digital images of cheques thereby avoiding the handling of physical paper and customers having to make special trips to a branch just to pay cheques in (I'm a little surprised how few banks promote postal submission of payments)...
"Bad move. Cheques are being phased out over the next 4 years:"
And are being replaced by a cheque-like system which works in much the same way for the user but is much more efficient for the banks to process, because although the number of cheques are falling, the remaining ones are really difficult to find alternatives to - for instance paying annual subs to local sports clubs which typically don't have a phone line or means of making card or electronic payments (unless they've got a web-savvy member and the Treasurer is willing to sift though statements checking who has and hasn't paid), and where the Treasurer would far rather have a small stack of cheques to pay in than having to store £5k on behalf of the club until they can get to the bank...
Similarly for clubs, there is no solution yet to replace double-signature cheques (other than a cheque-like replacement). I've yet to see a double-PIN debit card that requires authority from multiple signatories to withdraw cash.
Verizon USA FIOS routers have a backdoor for tech support, which is well-documented. But recently, when I logged into my Verizon web account to check my billing balance, I saw that my WIFI WPA2 password was recorded there in plain text, I switched ISP. It is just unbelievable how any ISP could surreptitiously harvest my WiFi password into their database. To say nothing of the threat to my WiFi network, knowing my WPA2 password would make social engineering of my internal network passwords much, much, easier.
And yes, I know Google does it with Android devices. I have given those devices their own DMZ.
This post has been deleted by its author
I'm not seeing the risk.
Presumably your web account is userid and password protected? Presumably you don't have said userid and password printed on a poster mounted outside your front door?
I'm not sure what you mean by 'social engineering' your internal network passwords - social engineering requires an individual to be tricked into revealing something they shouldn't have done. Why does knowing your WiFi passcode make that easier? And why not just set the router to not allow new, unknown devices to connect?
he probably uses a long password in a particular format that would make it easy to guess (social engineer) his other passwords. ever heard of the process of combining several memorable words to make a long password? 12 letters is better than 6
https://www.facebook.com/pages/Spotted-Farnborough-and-Aldershot/594550087237217?hc_location=timeline
I'm not sure about enterprise grade stuff, but on ADSL/FTTC links the Openreach bod doesn't actually deal with the router. With ADSL he simply checks the line's good and you use the info the ISP sent you (either by letter or Email). With FTTC their duty finishes once they've installed your VDSL modem, and those connections authenticate on the line so there aren't any login details
I imagine like a lot of things it would be: This is your default password, change it as soon as possible.
From the story:
We asked Hill if the engineer in question had advised him to immediately change his password manually, or if the system would prompt him to input a new one within a short time of the account going live.
"He handed me a card with my user ID and password on it that I watched him complete. Underneath that box it says: 'You will need this for logging in to KCOnline'. No mention of changing the password there either," the Reg was told.
How do other ISPs do it these days when they send engineers out to do the install?
When I last dealt with BT Broadband, there was a test username & password you could use. All it would allow you to do it get a private IP address and redirect all traffic to one server to access a page which said something like "It works".
It was a useful feature for both BT engineers and users.
User ID and password sent out by post several days before the install. Engineer sets stuff up, invites customer to enter id and password. SSID and WiFi password stored on paper card or sticker on router.
Most ISPs don't require the router to authenticate to the network because it can be matched to the telephone number of the line it's connected to.
It's a broadband access password, not your banking password, linked to a phone number not your identity. A landline phone number is no more personal than your broadband IP address.
We need to educate people to which passwords are important and which are not. Peolple have so many passwords for things with no security need that they can't remember them, so they write them down and include bank passwords and pins!!!
You can't access bb routers from outside the LAN by default and if a user is going to config their router to do do, they can change the password.
That's what I thought; KC's broadband division, Eclipse, uses an ISP assigned username (that looks like an email address, but isn't) and ISP assigned password to authenticate the ADSL connection.
The user's account with Eclipse has a completey different set of credentials that are chosen by the user.
I'm presuming that the engineers have access to the ADSL connection parameters to help them fix problems like the user resetting his router to factory settings.
This is a bit of a non-story, helped along by KC's poor response to the customer.
The problem is if you don't change the password and use that account as part of registration details for other accounts like utilities (Gas,Elec,water,broadband), banking etc. A third party having full access to that email account could then have the secure passwords for those other accounts, banking utilities etc, reset and changed to passwords of their choosing. This gives an attacker greater exposure to the victims online activities, increasing the potential harm, & the attackers chances of elevating the attack to assets of further value.
KC should ensure the passwords used for online activities are changed on first use.
If using a one use password, i don't think an unencrypted password file on an encrypted file system/store accessed by a password protected machine that prevents copying of said file & is for use only by authorised personal (enforced by centralised password and account control) would be a problem.
The issue is passwords need to be relayed to the customer and have to be decoded at some point. limiting use of the password would be customer/engineer friendly too.
Encrypt?
My local authority sent out an Excel spreadsheet of the budget allocation for all schools under it's control.
The default worksheet had a box in which you typed in a school's reference number which then caused the display of the relevant school's data on the blank form.
A quick investigation of the workbook, resulted in hidden worksheets being uncovered and all school's data (held on a hidden worksheet) becoming fully visible.
Suspect if KC had pulled a similar trick, the customer would of been none the wiser...
My router has a MAC address (Information for Window cleaners: this has nothing to do with Apple, it is the "theoretically" unique hardware address of the router) which is used to "authenticate" me ... I have two houses and both have ADSL from the same provider, I can take one router to the other house and plug it in but it won't work ... the MAC address is linked to my endpoint (I did try, techy as I am).
Now, I have an ISP email account but only Window cleaners use those - do you really expect your ISP to allow you to use it 10 years after you have moved to another ? Who knows ... The password is in a letter I received from the ISP some years ago stored away, the account is probably gathering SPAM for all I care.
I use a netscape.net address since ~1995 - because I learned how to count at school (it allowed the largest free mailbox at the time) and it supports IMAP.
I think I would cancel the contract immediately if the engineer had my email password on his lappy .... imagine, a cute blondie in her 20s and an engineer who wants to date her ... shit, he can read her email.
This is sooooo wrong, the company should go tits up now and the cto trialed ... I say cto, but mean whoever allowed this to happen should be liable, personally, in court and made accountable.
>the MAC address is linked to my endpoint
Obviously using ISP provided routers and probably consumer grade services.
Where the ISP doesn't supply routers or supports third-party routers (ie. most business grade providers), it is the username that is linked to the endpoint/circuit. I'm not sure who in the local loop-exchange/LLU-ISP/Reseller chain sets up the linkage, but certainly I've not been able to use an ISP/Reseller provided username and password on a different circuit/physical line to the one it has been allocated to. But then KC may do things differently...
Plus as others have pointed out without a valid username and password for a line, there is no static IP address and/or internet access. This is in part because until you have authenticated with your ISP/Reseller the LLU provider, your line has been connected to, is unable to properly provision your internet service.
What is probably confusing some people is that they see only one provider when in fact several different organisations are involved. Example 1, to provision a BT Business line involves: BT OpenReach (physical line and exchange connections), BT Wholesale (LLU operator and service provider) and BT Business (ISP). Example 2, to provision an O2 Business line involves: BT OpenReach (physical line and exchange connections), Sky (O2/BE LLU operator and service provider) and O2 Business (ISP).
I remember a couple of years ago needing support from BT configure their brain dead business router to allow me to set up my static IP addresses correctly. It really confused the support engineer that the password for the router was not the one on their records. He was having me double check the serial number on the router and all sorts.
I forgot my password and had to call them. I thought i'd have to go through some email reset type thing, but the tech on the helpdesk just told me what my password was!
It did occur to me that any staff on the helpdesk can therefore check my emails and even use my account details to set up a router and browse the interent... all being logged against me.
This is the type of thing that can happen when there is no competition in an area. KC have the monopoly!
>If you think someone who speaks to people all day could give two shits about looking into your emails about amazon newsletters and junk mail.
How much are 15000 legitimate email addresses/passwords worth on the black market?
Can you plug a USB stick into your workstation or send out encrypted zip files?
I mean, ppl who get sacked might have a copy reader to sell...
So no, no matter what, A COMPANY SHOULD NEVER HAVE YOUR EMAIL PASSWORD AVAILABLE, À way to reset it, certainly, but no more. This is simply basic security policy - please leave IT If you disagree, you should not be in the industry - I heard they are looking for window cleaners in Hull.
...that the passwords listed in this document aren't just the generic, totally not important, randomly generated passwords that the ISP gives you in order to connect your ADSL? Because I would find it very odd if an ISP linked your ISP email with your ADSL log in.
But whatever. Outrage brigade is out in full force I see.
So basically he and doubtless dozens of other engineers, can log into anyone's kit and access anyone's account and the company thinks that laptop security is the real problem here?! Jesus wept what a bunch of...
If you're in that area and have any choice at all, I'd seriously think about dumping this bunch of cowboys and finding someone else to supply you! Christ I'd trust a bunch of GCSE IT students to do a better job of running an ISP than this lot.
This post has been deleted by its author
Eclipse and Karoo are separate entities within Kcom so there's little likelihood of the issue affecting both ISPs. This isn't a DPA breach or a disaster, but it does show an underlying problem that needs addressing, you should never store user databases in plaintext, not on encypted disks, not on paper, not in secure data centers. Giving if to field engineers is a really bad call.
Why people are under the illusion that ISPs knowing their email passwords is some kind of scandal is a mystery though. Of course they do. Sky knows what programs you watch, LG tv's report home with the filenames of videos you want on your network (seen midgetpr0n.mkv lately?) OpenDNS knows every single site you browse, companies you've never heard of who provide transit to your ISPs routinely analyze your email messages to cut down on bandwidth wasted by spam, Facebook, Twitter, Google+, YouTube support can access every single thing you have ever posted or written on their sites. ISP support being able to check your email account is no different, it's not some conspiracy to spy on you. If a company provides support for a service which you subscribe to in some way, then they have access to your account. Support doesn't work without it.
I had to do some work for a client business that used an X25 connection for transmitting card details for payment purposes, having been requested to attend site by the financial institution responsible for the X25 connection and the encryption of the card details....
Never before and never since have I seen such a string of zeros.....
Last year I had KCs 100Mbps fibre installed and they were having trouble logging the new router on to the system.
Turns out the username off the database was wrong and only I knew it. They had about five attempts before they succumbed and tried my advice.Much chuckling from me.
Passwords supplied by KC are thirteen random numbers/letters. User supplied passwords can be anything.
The account password does work with the default email address e.g. smith888@smith888.karoo......
but if the user configures an alias e.g. fred@smith888.karoo.... he can generate a password that will not be on the KC engineers laptop. Multiple user log-ons are not allowed by the system.
One user I recently visited had their password on a post it note on the monitor. Another had their password behind the adjustable screen on their desk phone.
Then there was the time I watched a lady in the shop queue pay by card, cover her hand when entering the pin, whilst mouthing the digits.
I have decided to change my username and password as admin and password1 may no longer be secure.
Wonder if the engineer's spreadsheet was saved in the cloud?
I once phoned the customer support for a fairly large Dutch company. During the support call they checked some personal info such as name, address (not unreasonable) ... and also my password...
The attempts of the support-person to read my random-generated password aloud as a word was somewhat amusing.
Many moons ago I had a problem logging in to my "My NTL"/"My Virgin Media" (can't remember if it was before or after the re-branding). Anyway, the helpful person in Philippines / India was able to tell me my password - and this was one I had changed some time in the even more dim and distant past. I remember this because the password was a rather, uh, strange combination of words and the person commented on it.
and been in the sad postion where they brought a company I worked for, all I can say is, about time and my gaging order has not been broken either !!!
Not anononymouse as I know more about the law now than I did when they shafted me.
Actually I lied, its not all I can say, I can also say, "what goes around..." and then laugh
In Your Face Kingston Comunications!!!
I have witnessed the exact same thing as the OP when the KC engineer set up my FTTH.
I went and changed my password after he left; although I am sure that my new password will be listed the next time this spread sheet is generated for the engineers. At least I know that my ISP password does not match anything else, and I never use their Karoo email account!
"She added: "I can assure you that all of our laptops are encrypted, password-protected and fitted with tracking technology and the facility to remotely wipe data.""
OK. This remote tracking technology. Does this include hardware that connects to the mobile phone network. Or any network that is not the customer's WiFi network? If it connects via the mobile network is the SIM removable?
My point is that they are relying on technology that may or may not be reliable to keep their customer data secure when they could secure it relatively easily by doing something we do at work. At work, we deal with a lot of user profiles. We generate random passwords for all new users, then request that users change that password upon first log in. The system will allow us to look up the original password and, if necessary, reset the user's current password to that, but will not allow us to look up the user's current password.
The system is not infallible by any stretch, but it does ensure that the user has some idea if one of us has tried to log in as them as we would need to reset the password first.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
