Feeds

ISP ejects whistle-blowing student

BeThere's damage control found lacking

Top 5 reasons to deploy VMware with Tegile

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.

Alas, Karunaratne's February 22 posting originally included the specific password needed to carry out the attack - a tack from the "full disclosure" school of vulnerability reporting that is considered a no-no in many security circles. Less than 48 hours later, he removed the password information, but that didn't stop the ISP from exacting its retribution.

"We have carried out a full and diligent investigation into the alleged breach and your posting relating to it," a BeThere email informed Karunaratne. "Based on that investigation, we do not believe that there was (prior to your post) any such security breach. Therefore, the passwords could only have been obtained through illegal means (i.e. by hacking)."

Evidently, the mere tinkering with a modem constitutes "illegal means." That's a remarkable determination for any technology-related company, but especially so in this case given the niche that BeThere aims to fill: The ISP caters to power users by offering speeds as high as 24 Mbps down and 2.5 Mbps up.

The email went on to "reserve the right to institute legal proceedings" if Karunaratne accessed BeThere's network again or made additional publications that included passwords related to the ISP. BeThere also sought to prevent Karunaratne from going public with the termination. "This letter is confidential and we do not consent to any publication of the details of our dispute with you or this letter in any forum whatsoever," it warned.

(In a generous concession, it added: "We agree that you may disclose the contents of this letter to your legal counsel or advisor.")

Unfortunately, BeThere hasn't shown the same diligence in repairing the vulnerability, which remains unmitigated more than seven weeks after Karunaratne revealed it. The company says rolling out a patch in a way that doesn't disrupt subscribers' existing service takes time and that it expects to begin pushing out a fix in the next week or so.

The company has made no public disclosures of the vulnerability and has offered no temporary workarounds, again, managers say, because they don't want to do anything that will degrade customer experience.

The company says in a statement it canceled Karunaratne's account because he violated numerous terms of service, including failing to take reasonable steps necessary to prevent third parties from obtaining unauthorized access to the BeThere network.

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," Managing Director Dana Pressman said.

They say time heals all wounds, and for Karunaratne, a state of Zen-inspired acceptance has settled in, even if he has to surf the web at significantly slower speeds. "I knew that some companies treated security researchers very badly but I had no idea companies like that included major ISPs," he says. (Note: BeThere has only a fraction the number of subscribers of huge ISPs of BT or AT&T.) "I've learned just how ill-prepared some companies are and what they will do to make the problem go away." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.