S'kiddies find hacking BT all too easy
Visa and British Midland also hit
Hackers are exploiting the failure of firms to update systems even after falling victims to attacks.
Yesterday btworldwide.com, which runs of the s'kiddies favourite Web server IIS, was defaced by Prime Suspectz in an attack which followed hot on the heels of the defacement of search.bt.com on April Fool's Day.
That defacement, which ridiculed BT's slow rollout of ADSL, should have resulted in a review of Web site security but the defacement of another BT Web site shows that this hasn't yet taken place.
Paul Rogers, network security analyst at MIS, said that btworldwide.com didn't have all the latest security patches installed, so enabling the defacement to take place.
"Technicians may have forgotten to apply the latest security patches and this suggests that BT's security policy wasn't followed, or an adequate policy doesn't exist," said Rogers, who added that BT Cellnet's Web site is also insecure.
Rogers has warned BT that its customer details can be lifted from btcellnet.net because they can be viewed within having to enter a secure log-in, which should be in place. He added that BT were informed of the issue some months ago but it is yet to plug up the security loophole.
In a separate attack, Visa, which has issued guidance to Web site merchants on security and ecommerce, apparently hasn't taken note if its own advice if a defacement on its German site today is anything to go by. The defacement, which was recorded by defacement archive Alldas.de and can be seen here, features a message in Portuguese by hackers Reflux and Asouza which bragged that they are now able to buy Webcam with stolen credit card numbers.
Rogers dismissed this claim as pure braggadocio but said that attacks such as that on Visa and on a Web site that acts as a gateway to British Midland's booking system, recordedhere, hardly inspires consumer confidence in online security.
Several users who tried to book flights with British Midland on its site over the weekend were greeted by the message "HackeD By ZorD" instead. Would you be submit your credit card details to this site? ®