

savag3

188 posts

Master Geek


#75310 16-Jan-2011 14:23

Anyone else see the Herald on Sunday story on Wireline being allegedly accessed?

Putting wireline into Google reveals that it is accessible over the Internet just like Vodafone Australia's billing system. In fact the parallels are amazing.

If this is true the people involved are probably looking at jail time.

What do people think? Is it a good idea to have your customers info accessible over the Internet without 2 factor authentication?

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #427648 16-Jan-2011 14:31

Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

 
 
 

nigelj
856 posts

Ultimate Geek


  #427652 16-Jan-2011 14:43

The second NZ Herald article provides a bit more context in my opinion.  If as Telecom are saying, it's "Telecom Retail"'s system, then why it is on the public internet confuses me.  VPNs etc (even for the likes of Orb etc) should be in front.  It'll never solve the problem, but it'd be a good start.

bender
219 posts

Master Geek


  #427655 16-Jan-2011 14:54

It doesn't surprise me in the slightest that CallPlus are involved



savag3

188 posts

Master Geek


  #427659 16-Jan-2011 15:08

sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #427667 16-Jan-2011 15:30

savag3:
sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.


CallPlus already have a reverse engineered directory that they've been using for ~10 years now. This is how they offer caller details now on their billing system. This latest "issue" is in no way related to this.

Many of the comments I've seen today indicate people have no idea what Wireline is. For the record I have a login which is essential for my line of work.


munchkin
939 posts

Ultimate Geek

Trusted

  #427692 16-Jan-2011 16:54

savag3:
sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.



For the sheer amount of people that have/need legitimate access to Wireline, a two-factor authentication system would be cost-prohibitive. Different users have different security access levels, too.

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #427820 16-Jan-2011 23:53

The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.






willnz
573 posts

Ultimate Geek

Trusted

  #427836 17-Jan-2011 03:37

Regs: I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.


Indeed. s252(1) of the Crimes Act 1961:

Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system



hamistheman
82 posts

Master Geek


  #428127 17-Jan-2011 18:28

I'd assume .... note that I have NO knowledge of telecom/slingshot/nzherald .... that they accessed the reporter's own information ... which may be a bit of a fuzzy area ....

I agree it's still wrong, but not sure about the case law if you use someone else's system to access your own information ....
H

willnz
573 posts

Ultimate Geek

Trusted

  #428230 17-Jan-2011 21:48

No, they accessed a third party login on a Telecom computer system. It doesn't matter who they looked up - does that mean it's okay for me to hack the Police computer so long as I only view my own file?

Telecom could also argue that without proper training for using the system they could've inadvertently damaged or accessed something they didn't mean to.

tombrownzz
147 posts

Master Geek
Inactive user


  #428471 18-Jan-2011 15:42

Regs:
The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.


Maybe someone should report it:

http://www.theorb.org.nz

Unless journalists have some sort of protection. 

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #428550 18-Jan-2011 19:10

tombrownzz:
Regs:
The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


I read that and my first thought is that HOS could be charged with illegally accessing a system. Using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not, surely.


Maybe someone should report it:

http://www.theorb.org.nz

Unless journalists have some sort of protection.


I can't see how journalists would have any sort of protection from this. Could you imagine a journo logging in and accessing your bank details? Would there be a list of sites they're allowed to access versus one they're not allowed to access?

I should think it's no different to obtaining a key to the front door of a building. It doesn't matter how you got the key - if you have not been given permission to enter then it's a crime if you do.




raytaylor
3859 posts

Uber Geek

Trusted

  #430066 22-Jan-2011 23:47

You would think that telecom (a tech company) would be rather good at protecting their network services from unauthorised users.

The NZTA requires a Cisco VPN client to be installed and running on each mechanic's computer before they can access the warrant of fitness and car registration systems.
The VPN logon password changes each month and there are two levels - the VPN password and then the specific user's password so the mechanic's staff have their own username / pass for tracking.




Ray Taylor

There is no place like localhost



Beccara
1467 posts

Uber Geek

ID Verified

  #430068 22-Jan-2011 23:53

If they had a username and password for Wireline what makes you think they couldn't get the VPN password as well?

raytaylor
3859 posts

Uber Geek

Trusted

  #430073 23-Jan-2011 00:04

They could - but there is less of a chance that they could extract the SSL certificate and transfer it to an unauthorised computer that can run the VPN program.

SSL certificates, like usernames, can have expiry dates.
With the NZTA their certificates expire every 12 months, and the VPN password once a month.




Ray Taylor

There is no place like localhost


