Feeds

ISP ejects whistle-blowing student

BeThere's damage control found lacking

Top 5 reasons to deploy VMware with Tegile

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.

Alas, Karunaratne's February 22 posting originally included the specific password needed to carry out the attack - a tack from the "full disclosure" school of vulnerability reporting that is considered a no-no in many security circles. Less than 48 hours later, he removed the password information, but that didn't stop the ISP from exacting its retribution.

"We have carried out a full and diligent investigation into the alleged breach and your posting relating to it," a BeThere email informed Karunaratne. "Based on that investigation, we do not believe that there was (prior to your post) any such security breach. Therefore, the passwords could only have been obtained through illegal means (i.e. by hacking)."

Evidently, the mere tinkering with a modem constitutes "illegal means." That's a remarkable determination for any technology-related company, but especially so in this case given the niche that BeThere aims to fill: The ISP caters to power users by offering speeds as high as 24 Mbps down and 2.5 Mbps up.

The email went on to "reserve the right to institute legal proceedings" if Karunaratne accessed BeThere's network again or made additional publications that included passwords related to the ISP. BeThere also sought to prevent Karunaratne from going public with the termination. "This letter is confidential and we do not consent to any publication of the details of our dispute with you or this letter in any forum whatsoever," it warned.

(In a generous concession, it added: "We agree that you may disclose the contents of this letter to your legal counsel or advisor.")

Unfortunately, BeThere hasn't shown the same diligence in repairing the vulnerability, which remains unmitigated more than seven weeks after Karunaratne revealed it. The company says rolling out a patch in a way that doesn't disrupt subscribers' existing service takes time and that it expects to begin pushing out a fix in the next week or so.

The company has made no public disclosures of the vulnerability and has offered no temporary workarounds, again, managers say, because they don't want to do anything that will degrade customer experience.

The company says in a statement it canceled Karunaratne's account because he violated numerous terms of service, including failing to take reasonable steps necessary to prevent third parties from obtaining unauthorized access to the BeThere network.

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," Managing Director Dana Pressman said.

They say time heals all wounds, and for Karunaratne, a state of Zen-inspired acceptance has settled in, even if he has to surf the web at significantly slower speeds. "I knew that some companies treated security researchers very badly but I had no idea companies like that included major ISPs," he says. (Note: BeThere has only a fraction the number of subscribers of huge ISPs of BT or AT&T.) "I've learned just how ill-prepared some companies are and what they will do to make the problem go away." ®

Security for virtualized datacentres

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.