Geekzone: technology news, blogs, forums




188 posts

Master Geek
+1 received by user: 9

Subscriber

Topic # 75310 16-Jan-2011 14:23

Anyone else see the Herald on Sunday story on Wireline being allegedly accessed?

Putting wireline into Google reveals that it is accessible over the Internet just like Vodafone Australia's billing system. In fact the parallels are amazing.

If this is true the people involved are probably looking at jail time.

What do people think? Is it a good idea to have your customers info accessible over the Internet without 2 factor authentication?

25576 posts

Uber Geek
+1 received by user: 5357

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 427648 16-Jan-2011 14:31

Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

854 posts

Ultimate Geek
+1 received by user: 125


  Reply # 427652 16-Jan-2011 14:43

The second NZ Herald article provides a bit more context in my opinion.  If as Telecom are saying, it's "Telecom Retail"'s system, then why it is on the public internet confuses me.  VPNs etc (even for the likes of Orb etc) should be in front.  It'll never solve the problem, but it'd be a good start.

 
 
 
 


197 posts

Master Geek
+1 received by user: 2

Subscriber

  Reply # 427655 16-Jan-2011 14:54

It doesn't surprise me in the slightest that CallPlus are involved



188 posts

Master Geek
+1 received by user: 9

Subscriber

  Reply # 427659 16-Jan-2011 15:08

sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.

25576 posts

Uber Geek
+1 received by user: 5357

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 427667 16-Jan-2011 15:30

savag3:
sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.


CallPlus already have a reverse engineered directory that they've been using for ~10 years now. This is how they offer caller details now on their billing system. This latest "issue" is in no way related to this.

Many of the comments I've seen today indicate people have no idea what Wireline is. For the record I have a login which is essential for my line of work.


939 posts

Ultimate Geek
+1 received by user: 16

Trusted

  Reply # 427692 16-Jan-2011 16:54

savag3:
sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.



For the sheer amount of people that have/need legitimate access to Wireline, a two-factor authentication system would be cost-prohibitive. Different users have different security access levels, too.




munchkin | Troll | Author | Artist | Citizen | Friend | Misanthrope

Join us in the Geekzone IRC channel!

 


All information contained in posts made by me shall be treated as PotatoZoo's own personal opinion unless otherwise specified.

 


Infrastructure Geek
4043 posts

Uber Geek
+1 received by user: 193

Trusted
Microsoft NZ
Subscriber

  Reply # 427820 16-Jan-2011 23:53

The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


573 posts

Ultimate Geek
+1 received by user: 3

Trusted

  Reply # 427836 17-Jan-2011 03:37

Regs: I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.


Indeed. s252(1) of the Crimes Act 1961:

Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system



60 posts

Master Geek


  Reply # 428127 17-Jan-2011 18:28

I'd assume .... note that I have NO knowledge of telecom/slingshot/nzherald .... that they accessed the reporter's own information ... which may be a bit of a fuzzy area ....

I agree it's still wrong, but not sure about the case law if you use someone else's system to access your own information ....
H

573 posts

Ultimate Geek
+1 received by user: 3

Trusted

  Reply # 428230 17-Jan-2011 21:48

No, they accessed a third party login on a Telecom computer system. It doesn't matter who they looked up - does that mean it's okay for me to hack the Police computer so long as I only view my own file?

Telecom could also argue that without proper training for using the system they could've inadvertently damaged or accessed something they didn't mean to.

147 posts

Master Geek
Inactive user


  Reply # 428471 18-Jan-2011 15:42

Regs:
The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.


Maybe someone should report it:

http://www.theorb.org.nz

Unless journalists have some sort of protection. 

Infrastructure Geek
4043 posts

Uber Geek
+1 received by user: 193

Trusted
Microsoft NZ
Subscriber

  Reply # 428550 18-Jan-2011 19:10

tombrownzz:
Regs:
The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.


Maybe someone should report it:

http://www.theorb.org.nz

Unless journalists have some sort of protection. 


I can't see how journalists would have any sort of protection from this. Could you imagine a journo logging in and accessing your bank details? Would there be a list of sites they're allowed to access versus ones they're not allowed to access?

I should think it's no different to obtaining a key to the front door of a building. It doesn't matter how you got the key - if you have not been given permission to enter then it's a crime if you do.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


3091 posts

Uber Geek
+1 received by user: 509

Trusted

  Reply # 430066 22-Jan-2011 23:47

You would think that Telecom (a tech company) would be rather good at protecting their network services from unauthorised users.

The NZTA requires a Cisco VPN client to be installed and running on each mechanic's computer before they can access the warrant of fitness and car registration systems.
The VPN logon password changes each month and there are two levels - the VPN password and then the specific user's password, so the mechanic's staff have their own username / pass for tracking.




Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here




954 posts

Ultimate Geek
+1 received by user: 138

UberGroup

  Reply # 430068 22-Jan-2011 23:53

If they had a username and password for Wireline, what makes you think they couldn't get the VPN password as well?

3091 posts

Uber Geek
+1 received by user: 509

Trusted

  Reply # 430073 23-Jan-2011 00:04

They could - but there is less of a chance that they could extract the SSL certificate and transfer it to an unauthorised computer that can run the VPN program.

SSL certificates, like usernames, can have expiry dates.
With the NZTA their certificates expire every 12 months, and the VPN password once a month.




Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here



