

savag3

188 posts

Master Geek


#75310 16-Jan-2011 14:23

Anyone else see the Herald on Sunday story on Wireline being allegedly accessed?

Putting wireline into Google reveals that it is accessible over the Internet just like Vodafone Australia's billing system. In fact the parallels are amazing.

If this is true the people involved are probably looking at jail time.

What do people think? Is it a good idea to have your customers' info accessible over the Internet without 2 factor authentication?

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #427648 16-Jan-2011 14:31

Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.



nigelj
856 posts

Ultimate Geek


  #427652 16-Jan-2011 14:43

The second NZ Herald article provides a bit more context in my opinion.  If as Telecom are saying, it's "Telecom Retail"'s system, then why it is on the public internet confuses me.  VPNs etc (even for the likes of Orb etc) should be in front.  It'll never solve the problem, but it'd be a good start.

bender
220 posts

Master Geek


  #427655 16-Jan-2011 14:54

It doesn't surprise me in the slightest that CallPlus are involved



savag3

188 posts

Master Geek


  #427659 16-Jan-2011 15:08

sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #427667 16-Jan-2011 15:30

savag3:
sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.


CallPlus already have a reverse engineered directory that they've been using for ~10 years now. This is how they offer caller details now on their billing system. This latest "issue" is in no way related to this.

Many of the comments I've seen today indicate people have no idea what Wireline is. For the record I have a login which is essential for my line of work.


munchkin
939 posts

Ultimate Geek

Trusted

  #427692 16-Jan-2011 16:54

savag3:
sbiddle: Wireline is primarily a provisioning system used for maintaining and logging job data for voice and broadband connection. IMHO there are no real security issues here, and the system was never compromised.

2 factor authentication wouldn't solve the problem of people using data that they're not supposed to. VPNs don't solve this either. Look at the number of Police cautioned or fired for unauthorised use of NIA in recent years.

A system which enables the reverse lookup of potentially unlisted phone numbers to names and addresses on the public internet is a serious security problem. The problem here is not isolated cases of people snooping like the Police sometimes have with NIA. From the article I would guess that hundreds of thousands of people's info has potentially been illegally accessed. Access on that scale would not have been possible had the site not been on the internet without 2 factor authentication.



For the sheer amount of people that have/need legitimate access to Wireline, a two-factor authentication system would be cost-prohibitive. Different users have different security access levels, too.

Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #427820 16-Jan-2011 23:53

The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


i read that and my first thought is that HOS could be charged with illegally accessing a system. using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not surely




 
 
 

willnz
573 posts

Ultimate Geek

Trusted

  #427836 17-Jan-2011 03:37

Regs: i read that and my first thought is that HOS could be charged with illegally accessing a system. using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not surely


Indeed. s252(1) of the Crimes Act 1961:

Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system



hamistheman
82 posts

Master Geek


  #428127 17-Jan-2011 18:28

I'd assume .... note that I have NO knowledge of telecom/slingshot/nzherald .... that they accessed the reporter's own information ... which may be a bit of a fuzzy area ....

I agree it's still wrong, but not sure about the case law if you use someone else's system to access your own information ....
H

willnz
573 posts

Ultimate Geek

Trusted

  #428230 17-Jan-2011 21:48

No, they accessed a third party login on a Telecom computer system. It doesn't matter who they looked up - does that mean it's okay for me to hack the Police computer so long as I only view my own file?

Telecom could also argue that without proper training for using the system they could've inadvertently damaged or accessed something they didn't mean to.

tombrownzz
147 posts

Master Geek
Inactive user


  #428471 18-Jan-2011 15:42

Regs:
The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


i read that and my first thought is that HOS could be charged with illegally accessing a system. using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not surely


Maybe someone should report it:

http://www.theorb.org.nz

Unless journalists have some sort of protection. 

Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #428550 18-Jan-2011 19:10

tombrownzz:
Regs:
The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot


i read that and my first thought is that HOS could be charged with illegally accessing a system. using someone else's username and password to gain access to a system you don't have access to is a crime regardless of whether you're a reporter or not surely


Maybe someone should report it:

http://www.theorb.org.nz

Unless journalists have some sort of protection.


i can't see how journalists would have any sort of protection from this. could you imagine a journo logging in and accessing your bank details? would there be a list of sites they're allowed to access versus one they're not allowed to access?

i should think it's no different to obtaining a key to the front door of a building. it doesn't matter how you got the key - if you have not been given permission to enter then it's a crime if you do.




raytaylor
4014 posts

Uber Geek

Trusted

  #430066 22-Jan-2011 23:47

You would think that Telecom (a tech company) would be rather good at protecting their network services from unauthorised users.

The NZTA requires a Cisco VPN client to be installed and running on each mechanic's computers before they can access the warrant of fitness and car registration systems.
The VPN logon password changes each month and there are two levels - the VPN password and then the specific user's password so the mechanic's staff have their own username / pass for tracking.




Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here


Beccara
1469 posts

Uber Geek

ID Verified

  #430068 22-Jan-2011 23:53

If they had a username and password for Wireline what makes you think they couldn't get the VPN password as well?

raytaylor
4014 posts

Uber Geek

Trusted

  #430073 23-Jan-2011 00:04

They could - but there is less of a chance that they could extract the SSL certificate and transfer it to an unauthorised computer that can run the VPN program.

SSL certificates, like usernames, can have expiry dates.
With the NZTA their certificates expire every 12 months, and the VPN password once a month.




Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

