insane
3258 posts

Uber Geek
+1 received by user: 960

ID Verified
Trusted

  #982095 7-Feb-2014 20:38

kornflake: how many of you work for an isp? you would be surprised, the old telecom wireline was mindblowing at the amount of personal data that was available, if you had the right type of login.


Yes me, and wireline was open to abuse if you so chose, but that was maintained by telecom wholesale and therefore ISPs had no control over what was locked down or not. Pretty sure one ISP got busted for mining info from it a few years back.



charsleysa
597 posts

Ultimate Geek
+1 received by user: 125


  #982120 7-Feb-2014 22:03

Just FYI, reversible encryption (also known as 2-way encryption) still counts as encryption and as long as there is a unique key for each password then you're fine.




Regards
Stefan Andres Charsley

HyperBlade
48 posts

Geek
+1 received by user: 9


  #982176 8-Feb-2014 08:45


See this thread where Snap sent my password on a postit note to me. Jul 2012...
http://www.geekzone.co.nz/forums.asp?forumid=90&topicid=105817

It's poor form, if there was another ISP who offered same level of service and quality product and the difference was the approach they took to security it would be a no brainer to move away from snap.

Unfortunately there's not many other options at the moment.

The biggest concern is the reuse of the VDSL password and the snap website password (including access to phone stuff) I've raised it with them but haven't seen much progress on that front.


However I have noticed Snap are taking security more seriously, the remote login username and password they use to access the modem looks to be randomly generated for each customer now. This is a very good move.


But they are still doing the basics wrong.



jnimmo
1097 posts

Uber Geek
+1 received by user: 255


  #982211 8-Feb-2014 10:38

That is why it is always a good idea to use different passwords around the place.
To be honest we don't have much choice but to trust our ISPs with every packet of data going through our connections anyway, which would I'm sure include many unencrypted passwords.
Agree they should be encrypting passwords but I imagine it would be a huge task to move to encrypting passwords (if they aren't), which would be sure to break some legacy systems.
Would have to be reversible encryption anyway so they could pre-provision devices, or generate a random password for customers.

sbiddle
30853 posts

Uber Geek
+1 received by user: 9992

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #982228 8-Feb-2014 11:35

PPP is clear text anyway.


timmmay

20653 posts

Uber Geek
+1 received by user: 5166

Trusted
Lifetime subscriber

  #983136 10-Feb-2014 08:18

Intercepting data in transit is potentially a lot more difficult than a scripting tool exploiting a known bug in some software to get a clear text password out of a database.

charsleysa
597 posts

Ultimate Geek
+1 received by user: 125


  #983220 10-Feb-2014 11:11

Please correct me if I'm wrong, but doesn't PPP transit stay within the Snap network?




Regards
Stefan Andres Charsley

mercutio
1392 posts

Uber Geek
+1 received by user: 134


  #983223 10-Feb-2014 11:19

charsleysa: Please correct me if I'm wrong, but doesn't PPP transit stay within the Snap network?


nah it hits the chorus network, and so is open to interception by the government, US etc... actually it'd still be open even if it was on Snap's network probably.

tbh i wouldn't worry, it's just like credit card numbers, they're also not encrypted.  if someone really wanted to get a credit card number, they could generate one, if someone really wanted to break into your account they could generate a password with some hit and miss.

telecom are allowing passwordless logins.  i think it's a false sense of security to think that a password on your dsl account is going to be of much benefit.  that said accounting and authentication shouldn't use the same password.


charsleysa
597 posts

Ultimate Geek
+1 received by user: 125


  #983224 10-Feb-2014 11:21

I thought it only hit the chorus network when the ISP has no handover at the exchange?




Regards
Stefan Andres Charsley

mercutio
1392 posts

Uber Geek
+1 received by user: 134


  #983225 10-Feb-2014 11:22

charsleysa: I thought it only hit the chorus network when the ISP has no handover at the exchange?


nah it hits the chorus network to go to chorus dslams, chorus cabinets etc.  

charsleysa
597 posts

Ultimate Geek
+1 received by user: 125


  #983228 10-Feb-2014 11:27

Isn't that an isolated network from internet traffic as the cabinets are just compounding all those connections into one backbone that travels to the exchange which then is either handed over to the ISP or travels on the Chorus network to the closest ISP handover?
P.S. I am aware that the copper/cabinets/dslams are owned by chorus




Regards
Stefan Andres Charsley

mercutio
1392 posts

Uber Geek
+1 received by user: 134


  #983231 10-Feb-2014 11:29

charsleysa: Isn't that an isolated network from internet traffic as the cabinets are just compounding all those connections into one backbone that travels to the exchange which then is either handed over to the ISP or travels on the Chorus network to the closest ISP handover?
P.S. I am aware that the copper/cabinets/dslams are owned by chorus


it's no different from the point of view of sniffing traffic.


charsleysa
597 posts

Ultimate Geek
+1 received by user: 125


  #983234 10-Feb-2014 11:35

mercutio:
charsleysa: Isn't that an isolated network from internet traffic as the cabinets are just compounding all those connections into one backbone that travels to the exchange which then is either handed over to the ISP or travels on the Chorus network to the closest ISP handover?
P.S. I am aware that the copper/cabinets/dslams are owned by chorus


it's no different from the point of view of sniffing traffic.



That's if you have physical access to the isolated network, it's a lot easier to find exploits and weaknesses of a network that can be accessed from the internet than an isolated network.

Sure it probably doesn't make a difference for governments which can get warrants and the like but for unauthorised sniffing it does make a difference.




Regards
Stefan Andres Charsley

mercutio
1392 posts

Uber Geek
+1 received by user: 134


  #983235 10-Feb-2014 11:36

charsleysa:
mercutio:
charsleysa: Isn't that an isolated network from internet traffic as the cabinets are just compounding all those connections into one backbone that travels to the exchange which then is either handed over to the ISP or travels on the Chorus network to the closest ISP handover?
P.S. I am aware that the copper/cabinets/dslams are owned by chorus


it's no different from the point of view of sniffing traffic.



That's if you have physical access to the isolated network, it's a lot easier to find exploits and weaknesses of a network that can be accessed from the internet than an isolated network.

Sure it probably doesn't make a difference for governments which can get warrants and the like but for unauthorised sniffing it does make a difference.


even with sniffing as long as anything sensitive is encrypted the most they can do is find out where your data is going, not what data is going there.


ubergeeknz
3344 posts

Uber Geek
+1 received by user: 1041

Trusted
Vocus

  #983237 10-Feb-2014 11:41

As already stated, PPP is plaintext auth.  Therefore it MUST be decryptable, by definition.  And there's more benefit to be had from allowing ISP employees to access it than not.

Using that password for other things as well is probably not advisable, however.  In reality SNAP! shouldn't let you choose a PPP password but should allocate one, quite separately to, say, your account login.
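
Added illustration, not part of any post in this thread and not Snap's code: a sketch of the separation discussed above, where the PPP secret is allocated at random and kept recoverable for provisioning, while the website login is a different password stored only as a salted one-way hash. The store names and function names are hypothetical, and the in-memory dictionaries stand in for real databases (a real PPP secret store would be encrypted at rest).

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory stores (assumed names) standing in for an ISP's
# provisioning database and its customer-portal database.
PPP_SECRETS = {}    # username -> allocated PPP secret (must stay recoverable)
PORTAL_HASHES = {}  # username -> (salt, scrypt digest) of the portal password

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def allocate_ppp_secret(username):
    """Allocate a random PPP secret; the customer never chooses it."""
    secret = secrets.token_urlsafe(18)  # 18 random bytes -> 24 characters
    PPP_SECRETS[username] = secret      # simplification: plaintext in memory
    return secret


def set_portal_password(username, password):
    """Store the portal password one-way; refuse reuse of the PPP secret."""
    allocated = PPP_SECRETS.get(username, "")
    if hmac.compare_digest(password.encode(), allocated.encode()):
        raise ValueError("portal password must differ from the PPP secret")
    salt = secrets.token_bytes(16)  # unique salt per customer
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    PORTAL_HASHES[username] = (salt, digest)


def check_portal_password(username, candidate):
    """Verify a login attempt against the stored salted hash."""
    record = PORTAL_HASHES.get(username)
    if record is None:
        return False
    salt, digest = record
    attempt = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(attempt, digest)
```

With this split, anyone who can read the PPP secret (support staff, or a device being pre-provisioned) learns nothing that logs in to the customer portal.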
