Feeds

ISP ejects whistle-blowing student

BeThere's damage control found lacking

Seven Steps to Software Security

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.

Alas, Karunaratne's February 22 posting originally included the specific password needed to carry out the attack - a tack from the "full disclosure" school of vulnerability reporting that is considered a no-no in many security circles. Less than 48 hours later, he removed the password information, but that didn't stop the ISP from exacting its retribution.

"We have carried out a full and diligent investigation into the alleged breach and your posting relating to it," a BeThere email informed Karunaratne. "Based on that investigation, we do not believe that there was (prior to your post) any such security breach. Therefore, the passwords could only have been obtained through illegal means (i.e. by hacking)."

Evidently, the mere tinkering with a modem constitutes "illegal means." That's a remarkable determination for any technology-related company, but especially so in this case given the niche that BeThere aims to fill: The ISP caters to power users by offering speeds as high as 24 Mbps down and 2.5 Mbps up.

The email went on to "reserve the right to institute legal proceedings" if Karunaratne accessed BeThere's network again or made additional publications that included passwords related to the ISP. BeThere also sought to prevent Karunaratne from going public with the termination. "This letter is confidential and we do not consent to any publication of the details of our dispute with you or this letter in any forum whatsoever," it warned.

(In a generous concession, it added: "We agree that you may disclose the contents of this letter to your legal counsel or advisor.")

Unfortunately, BeThere hasn't shown the same diligence in repairing the vulnerability, which remains unmitigated more than seven weeks after Karunaratne revealed it. The company says rolling out a patch in a way that doesn't disrupt subscribers' existing service takes time and that it expects to begin pushing out a fix in the next week or so.

The company has made no public disclosures of the vulnerability and has offered no temporary workarounds, again, managers say, because they don't want to do anything that will degrade customer experience.

The company says in a statement it canceled Karunaratne's account because he violated numerous terms of service, including failing to take reasonable steps necessary to prevent third parties from obtaining unauthorized access to the BeThere network.

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," Managing Director Dana Pressman said.

They say time heals all wounds, and for Karunaratne, a state of Zen-inspired acceptance has settled in, even if he has to surf the web at significantly slower speeds. "I knew that some companies treated security researchers very badly but I had no idea companies like that included major ISPs," he says. (Note: BeThere has only a fraction the number of subscribers of huge ISPs of BT or AT&T.) "I've learned just how ill-prepared some companies are and what they will do to make the problem go away." ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.