ISP ejects whistle-blowing student

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers. BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP …

COMMENTS

This topic is closed for new posts.
  1. Steve VanSlyck

    Their Time Machine Didn't Exist Until It Was Used, Either

    Hmmm. There was no vulnerability until the kid discovered it.

    No, wait! There was no vulnerability until he proved that there was.

    No--that's not right either. There was no vulnerability until BeThere stepped in it.

    No, that can't be it . . . . I guess there just wasn't any vulnerability. Therefore there is no vulnerability . . . .

    Didn't we already do this in quantum mechanics class? I'm getting a headache.

  2. Andrew Bright

    Someone smack this muppet hard

    "I knew that some companies treated security researchers very badly but I had no idea companies like that included major ISPs," he says

    Let me see, you didn't realise that publishing the exact method, along with the necessary passwords, to attack their network on a public forum would result in you being treated "badly".

    In my mind not only did they exercise considerable restraint by not prosecuting you, but also you're a bit of a muppet if you believe your actions are in any way related to the security industry.. unless by security researcher you mean someone who buggers up other people's systems.

    Security researchers are in the business to make things more safe for everyone, not to undermine everyone's security.

    Hopefully other ISPs will take note of your name and blacklist it.

    I certainly wouldn't want to share an ISP with someone who publishes the exact details on how to hack into the cable modems on my network, and I'm pretty sure that this ISP's customers are less than impressed with your stupidity if they've heard what you've done.

  3. Anonymous Coward

    To The Contrary, Muppet Smacker ...

    One of the best ways to get security problems solved is by going public. Many of the top security researchers do it and no one (not even Cisco) threatens to take legal action against them.

    It is no different from publicizing any severe threat. Organizations, whether corporations or government, very often ignore threats unless they are forced to do so by publicity.

    And when the problem is disclosed, they try to shoot the messenger to divert attention from their own culpability.

    Moreover, it is nonsense to claim that the ISP had a viable case to prosecute. This ISP was indulging in the usual corporate bluff. It had no case.

    Prosecution is only viable if you can prove damages - not the possibility of damages, but actual losses.

    There is no evidence of damage in this case.

    If this young man can easily discern security problems, then this ISP is not doing its job.

    Those who are afraid of disclosure are usually rogues and knaves.

    Indeed, this British ISP's tactics remind me of the Bush administration ...

  4. Dan

    Agreement with Andrew

    It sounds like that kid wanted to make a name for himself with this and decided, rather unprofessionally, to show off in public- the whole overly cliched lone rogue 'hacker' against the large corporation bit, rather than the discreet professional type who works with the company not against it.

    Speaking of restraint he's lucky not to get sued by the ISP.

  5. spunky

    Someone smack the corporate monkey supporter muppet

    The fact that this security hole has been made public and has still not been fixed after nearly 2 months shows the total lack of respect big companies have for protecting consumers.

    I would much rather smack Be, especially as I'm with them, for not fixing this problem. They claim it would impact the service to users. That may be true, as these idiots did release a patch a while ago which promptly fucked up people's routers. They then sent out the old BIOS and told everyone who had already applied the knackered BIOS to downgrade and those who hadn't applied it not to. Muppets!

    Lucky for me I just deleted their junk BIOS as soon as it hit my inbox.

  6. Chris

    Re: To the contrary

    While I agree with your sentiment, you are incorrect. Cisco *HAS* threatened legal action against at least one security researcher trying to show vulnerabilities in Cisco routers. There was a rather big "to do" about it at the Black Hat conference two years ago:

    http://www.theregister.co.uk/2005/07/28/cisco_iss_sue_vuln_whistleblower/

    http://www.theregister.co.uk/2005/07/29/cisco_settles_rogue_researcher_dispute/

    That being said, this ISP needs to get its head out of the sand, admit to the problem, and fix it. To say that the vulnerability didn't exist until someone publicly disclosed it is just laughable. That's like saying that I can't prove I'm alive until I show you my birth certificate.

  7. Anonymous Coward

    bit harsh

    Some harsh comments - we don't know what was in the guy's head, so it is dangerous to assume anything.

    No it wasn't clever to post the password, not surprising he got bumped...BUT....

    The company's failure to fix the problem, and the letter which they sent to the "hacker" show they are prepared to resort to some dubious tactics, but are not prepared to do their jobs properly.

  8. Chris Matchett

    Did you say this guy is now with Zen?

    I don't feel safe on Zen as I did before reading this if he is on there.

    Summary:

    Right to boot him off.

    Wrong to try and sue him.

    Wrong not to fix the hole.

    Muppet was wrong to publish the password.

    Any customer that joins Be after this would be the most wrong thing of all.

  9. Pascal Monett

    The only mistake

    The one thing the kid should never have done was publish the passwords.

    That is something that should never be made public. You can perfectly well publish a vulnerability and state "with the correct password" and still make your case.

    If it is a true vulnerability, it should be trivial to document how to find the password, which is actually more important than having the current password (from a security standpoint).

    So, for publishing the passwords, I simply cannot help but agree with the ISP that terminated his account.

    However, I find outrageous that the existing vulnerability is still not patched weeks after disclosure. I hardly find the excuse of "not disrupting customer experience" a valid one for leaving a gaping hole through which any blackhat has probably already dipped a finger or ten.

    Disclosure is indeed the only thing that makes the big guys move, but it has to be responsibly done. That means it has to be a proof-of-concept, not an actual recipe to hack in (referring to the passwords here), and it should only be published after having alerted the primary party and given it a reasonable delay to fix it.

    Of course, that's where the majority of the debate actually breaks down. For Microsoft, reasonable means two or three years. For me, it means two or three weeks, tops. We can't agree, and it seems that Be can't either.

  10. Anonymous Coward

    Ignorance is bliss...

    I got my BeBox modem in March '06 and upon opening my initial config. backup in notepad immediately noticed several open ports and hidden user accounts, which I duly closed and informed Be* of my concerns, they replied a week later saying they had no problem with this.

  11. Shea

    One Little Thing Though

    He DID publish the password. While it completed the proof of vulnerability, it wasn't really necessary for the exposure. If he hadn't done I'd have absolutely no problem with what he did.

    But all in all, he did a good thing; vulnerabilities in companies are generally ignored until the company is confronted with them. "Safety through obscurity" isn't a very good idea, honestly.

  12. Russell Sakne

    The boy erred.

    "One of the best ways to get security problems solved is by going public. Many of the top security researchers do it..."

    But they don't publish the full information needed to exploit the vuln, do they? Just enough to prove it exists. He was wrong to provide the passwords; the full info should just have been sent to Be.

  13. Anonymous Coward

    Muppets

    I must say from the point of view of someone who leaves security to the guys in IT who know and to my ISP and my software, going public does seem like a truly dumb thing to do. Yes do it if you have reported the problem and the ISP (or whoever) has not fixed it after a period of time (Say two weeks or so, not 2 hours like some expect), but give them a chance. How would you like it if you went on a site and saw a blog about home security by someone who lives on your street, talking about your house:

    "If you go round the back there is a window on the ground floor that is loose. Just give it a kick and you're in. Don't worry, there are no houses overlooking and they don't have an alarm. They are out between X and Y. I'm just doing this so that they get it fixed"?

    It's the same thing.

  14. Kai Roer

    Again and again and again and again

    I would think that in 2007 companies were aware of the fact that hiding security breaches like this from their customers is a bad idea. Things tend to get out in the clear, and who looks like the cow then? BeThere!

    IMO, the interesting side of the story is not how the ISP treats Sid - that is only a side-effect. What is important is the fact that the company clearly have slept in the class. They need to wake up and understand that to "not degrade the customer experience" they have to be responsible. To take a proper course of action. Actions that I cover over and over and over again on my blog: http://www.roer.com/node/110

    Why is it so hard to treat your customers with respect?

    Kai

  15. Anonymous Coward

    Andrew Not So Bright

    "unless by security researcher you mean someone who buggers up other people's systems."

    The exploit AND fix were released out onto a public domain, to stop this from happening. It's better to publicly release a problem (And hopefully a fix) and get pressure on the company in question to resolve it as soon as possible.

    "Security researchers are in the business to make things more safe for everyone, not to undermine everyone's security."

    If you send this problem directly to BeThere with the needed information, the guy would have probably got kicked off and still hushed

  16. Anonymous Coward

    research required ..lazy student

    It's all very well for this person to post the information but surely what he should be punished for is not first researching the discovery.

    As I understand it, this has been known about for over a year already; reading the Be forums, there are various posts relating to this and providing the means to turn the feature off.

    We should be using this example to prove that exams have become too easy and students are too lazy to read.

  17. Chris Monk

    fix:

    simple fix mind you:

    Open the command prompt, and enter the following commands

    telnet 192.168.1.254

    Username: Administrator [with a capital A]

    Password: (blank by default, or what you previously set)

    service system ifdelete name=HTTPs group=wan

    service system ifdelete name=FTP group=wan

    service system ifdelete name=TELNET group=wan

    service system ifdelete name=PING_RESPONDER group=wan

    saveall

    exit

  18. Andy

    A Be Member

    To be honest the first thing I did when I set up my Be connection was Disable Telnet access... so I wouldn't avoid them because of this, just take precautions.

  19. Anonymous Coward

    I wonder if Be are going to close the unofficial users forum?

    It's not like the information is hard to find, any dump of the router's details will contain the password.

    For example (from the Be users forum!):

    http://www.dontbethere.co.uk/forum/default.aspx?f=5&p=2&m=2873

    If he had cracked a hashed password or something it might be understandable that Be were annoyed, but this was in plain text.

    I was considering Be as an ISP, but obviously they are too incompetent if they can't fix a security issue in any sane time frame, especially as other posters have pointed out they have known about this for a long time.

  20. Stephen Gray

    ISP security

    The best way to handle it is to post on EVERY forum you can find, if they don't close backdoors then they should be shown to be an ISP to BeAvoided

  21. Anonymous Coward

    Dugg

    more previous comment on this case on the securiteam blog:

    http://blogs.securiteam.com/index.php/archives/860

    It's OK for the techie population who purchased this service, because they might have closed the telnet on the router immediately, however, for the majority of the (estimated) 14,000 users, malicious hackers have, for the last two months, had access to their data.

    Commenters on the blog on securiteam even provided a simple patch that would not 'disrupt subscribers' existing service'.

    I think from the length of time that it's taken the ISP to respond, and the action that it took against Sid, it's pretty likely had this vulnerability been released privately to them, it could have taken a lot longer for them to respond, if they ever did.

    http://www.digg.com/security/ISP_threatens_legal_act_and_cuts_off_service_to_whistle_blowing_student

  22. Josh

    doesn't disrupt subscribers' existing service

    They don't want to disrupt subscribers' service, and it seems they don't want to do anything to protect it either. <sarcasm>It's OK if 'hackers' can disrupt your service, as long as Be doesn't actively participate in the cause of the problem</sarcasm>.

    Also, how laughable that the customers came up with a fix AND made it available before the provider could even get one that doesn't bump the boxes...

  23. Anonymous Coward

    Eh

    the fact that he released a password in this case is... pointless... it seems this information is in the public anyway, so those that would use this exploit already know it or know of ways to get it. it seems to me that those that are concerned that he laid out a guide to do this are focusing on the wrong thing. anyone that would use this effectively wouldn't need the help and those that are just snoopers would have found the information anyway by simply browsing the complaints/comments section of the Be user forums. seems like people that would be concerned about security researchers hacking away at the integrity of the ISP they share with them would be happy that someone is actually verifying the word of the ISP. it's become plain to see that ISPs are not concerned with security as long as their margins of profit are ensured. even when threatened, they focus on publicity control over fixing the real issues. only a delusional MCSE would be happy ignoring the fact that their ISP is lazy, that their security is pathetic and that they have no will to fix it because it would cut into their profit margin or cause a few more calls to their tech support.

  24. This post has been deleted by its author

  25. Kevin Hall

    He broke the law

    It doesn't matter which way you spin this, he broke the law. What he did falls under the Computer Misuse Act and he may be sued and he may even get a visit from Inspector Knacker. Everyone is equal under the law (supposedly) and given what he did was so deliberate, he can't really mitigate his way out of it.

  26. bappy

    Dangerous Assumptions

    "Some harsh comments - we don't know what was in the guy's head, so it is dangerous to assume anything."

    That's one of the wisest lines in these comments.

    No, most of you do not know what was in his head or who he is. Those of us who do, know exactly what his motivations were: to ensure his network is secure. He's no brooding teen blackhat with attitude.

    The rest of you have no idea. To those who criticise his actions, a question, are you happy for your ISP to totally wreck your home / business network security and leave gaping holes in your security?

    If Sid hadn't found this vulnerability, then I guarantee someone less honest would have done.

  27. Sean Healey

    ISP Migration

    Damn, I was just about to sign up with Be for my business broadband too!

    What's the story, is the vulnerability in the ISP-supplied router? I always use and maintain my own router, so that won't be a problem, however the ethical side of it worries me a bit...

    This does remind me strongly of several years ago when I bought a Zyxel broadband modem/router, and it transpired that they were being shipped with permissive packet filters on the WAN side which left Telnet/FTP/HTTP ports open to the 'net, giving direct external access to the router management facilities. Most people didn't know to change the admin password from, you guessed it, '1234', so people's supposedly secure routers were being easily hacked from the 'net. Zyxel took quite a while to patch that little problem.

  28. Jason

    Not bothered?

    My experience working in ISPs has brought about the idea that they have the impression of "of course we're going to get hacked and attacked, we're a public network", and as such are very reluctant to take a proper look at problems.

    Definitely time to change this attitude given the amount of script kiddies running about these days.

  29. Anonymous Coward

    In reply to several comments

    "

    "If you go round the back there is a window on the ground floor that is loose. Just give it a kick and you're in. Don't worry, there are no houses overlooking and they don't have an alarm. They are out between X and Y. I'm just doing this so that they get it fixed"?

    It's the same thing.

    "

    No, it's not the same thing, and if you want to use analogies, here's a better one:

    If you go to this considerably sized city, which a single property developer built, you'll find that the property developer left a set of keys under every doormat - some people have removed them, but 14 thousand people still don't know they're there.

    As bappy said; Sid did not have any malicious intent, that much is certain.

    And whoever is trying to say this came out of a concentrated effort to compromise BeThere, you are completely mistaken - this came from someone else informing him they'd scanned his box and he had telnet running - and him simply investigating his config file and finding the details.

    For anyone who wants to see the post where he disclosed it, it is here: http://blogs.securiteam.com/index.php/archives/826

  30. Anonymous Coward

    Disabling Telnet access doesn't work

    I'm a Be customer, and rather shocked to say the least about this, especially since according to the forums at Be, it's been a known flaw for some time (months, if not years). Basically anyone with the Be provided modem has been susceptible to DNS poisoning etc for some time. I'm glad this guy revealed the flaw, as it pushed me to fix mine - publishing the passwords was foolish.

    Disabling Telnet access from the web interface doesn't work, or rather only works to disable the "Administrator" account - the hidden ones still work. Someone has pointed out earlier how to apply the fix through the CLI. Another post on the Be forums has a fix that seems to be easier than entering the CLI - use the web interface to port forward the impacted ports to a dead local IP address.

    There are bound to be other users out there who don't read El Reg, or the Be forums and are now sitting vulnerable. No idea or indication what will happen to address that one!

  31. Anonymous Coward

    From another perspective

    I'm a Be member, have been since the first trials. Couple of things I'd like to say:

    First off, Be aren't a big ISP. Secondly, their service (for me and the many colleagues at work I've recommended it to) freakin love it. It's fast, they don't mind when you use it and how, low latency and 1.4 meg upload. If you don't mind that their customer services seems not very helpful* + tech department seem a little naive, I'd not let this put you off.

    The routers aren't ours, Be supply them. You don't have to use them, but you get no support if you don't.

    Thomson write the firmware, it's very extensive and configurable from the command line and it makes a lot of sense for an ISP like Be to be able to tweak and diagnose problems in this manner. Sky do something similar.

    The real problem is that the passwords for these hidden accounts are easily extracted from the config. That (imo) is a design WTF from Thomson, who took an absolute age to make a firmware with a web interface that supports IE 7 (iirc, this was the failed upgrade from before..).

    Ideally, each unit should have had a unique salt built into the hardware. Would have cost about £0.10p. Be could then have loaded their config in plaintext; any following dumps would have passwords encrypted with the hardware salt.

    I do think getting cut off was a bit harsh, although the guy clearly didn't help himself by not clearly outlining to Be that

    a) there was a problem with their device

    b) it should be fixed in a timely manner

    and c) in <some time> I will disclose this information to bugtraq@securityfocus
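
Added example (not part of the comment thread, and not Thomson's or Be's code): a sketch of the per-unit hardware salt idea from comment 31, where the ISP loads account passwords in plaintext but a config backup only ever contains values derived with a salt that stays inside the device. The account name, password, device salts, dump line format and iteration count are all constructed assumptions.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor, not taken from any real firmware

# Constructed sample data: one ISP-wide support account, two subscriber units.
ISP_ACCOUNTS = {"isp_support": "constructed-shared-password"}
DEVICE_A = bytes.fromhex("00112233445566778899aabbccddeeff")  # per-unit hardware salt
DEVICE_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def protect(password: str, device_salt: bytes) -> str:
    """Derive the value kept in the config; the salt itself stays in hardware."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), device_salt, ITERATIONS)
    return raw.hex()


def load_isp_config(accounts: dict, device_salt: bytes) -> dict:
    """The ISP pushes plaintext passwords; the unit stores only derived values."""
    return {user: protect(pw, device_salt) for user, pw in accounts.items()}


def dump_config(stored: dict) -> str:
    """Render a config backup in a constructed 'account <name> secret=<value>' format."""
    return "\n".join(f"account {u} secret={v}" for u, v in sorted(stored.items()))


def check_login(stored: dict, device_salt: bytes, user: str, password: str) -> bool:
    """Verify a login on the unit by re-deriving and comparing in constant time."""
    candidate = protect(password, device_salt)  # always derive, even for unknown users
    expected = stored.get(user)
    return expected is not None and hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    print("Dump as described in the thread (plaintext):")
    print(dump_config(ISP_ACCOUNTS))
    for name, salt in (("unit A", DEVICE_A), ("unit B", DEVICE_B)):
        print(f"Dump from {name} with hardware salt:")
        print(dump_config(load_isp_config(ISP_ACCOUNTS, salt)))
```

This only keeps the password out of backups; a password shared by every unit remains a fleet-wide credential once it is learned by other means.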
