    Welcome to Sky User - The Unofficial Support Forum for everything Sky! - Proudly helping over 63k members.
    Major Security Holes Found at the Big Six UK Home Broadband ISPs


      #1
      Scubbie, Sky User Moderator
      Exchange: 02392
      Broadband ISP: Sky Fibre Unlimited Pro
      Router: Sky Hub SR101
      Sky TV: Sky+HD box
      Join Date
      Mar 2010
      Location
      Near Portsmouth
      Posts
      26,836
      Thanks
      764
      Thanked 2,137 Times in 2,016 Posts

      Major Security Holes Found at the Big Six UK Home Broadband ISPs

      Major Security Holes Found at the Big Six UK Home Broadband ISPs - ISPreview UK
      A new report from security consultant Paul Moore has revealed that many of the United Kingdom’s major broadband ISPs, including BT, PlusNet, EE, Virgin Media, Sky Broadband and TalkTalk, have significant vulnerabilities in their systems that could be exploited by hackers. But some, such as EE and TalkTalk, did far worse than others.

      The audit used publicly available information and examined a number of different areas, albeit largely focused upon the email platform, website servers and HTML forms etc. used by all of the aforementioned Internet providers. Various aspects of each were then scored for support of various security features (or lack thereof) and a result returned.

      Overall the ISPs passed 87 of the checks, but there were 22 warnings and 84 failures in good security practice. However the only ISP to record a “critical issue” out of the group was TalkTalk, which had left itself exposed to a Database Credential Leak (the related database is now offline), which is hardly a surprise given their recent hacking scandal (here and here).

      In terms of “serious issues”, just one problem was found on Sky Broadband, while both EE and PlusNet were exposed to two issues and once again TalkTalk topped the table with a total of four serious issues to its name. Happily both BT and Virgin Media escaped without any serious problems, although Paul Moore’s checking won’t pick up everything.

      Brief Summary of the Serious Issues


      Plusnet

      * Cross Site Request Forgery / My Account
      * RFC 2142 / Obtained Genuine TLS Certificate

      EE

      * Cross Site Request Forgery / My Account
      * RFC 2142 / Obtained Genuine TLS Certificate

      TalkTalk

      * TalkTalk Firmware update pages serve malware
      * Webmail credentials sent over HTTP post-breach
      * Account credentials sent over HTTP post-breach
      * Lied about periodicity of Information Commissioner’s Office auditing

      Sky

      * Cross Site Request Forgery / My Account

      Overall the best of the big six for security were BT (1st) and PlusNet (2nd), which Moore praised for being quick to respond to his initial email(s) and detailed in their updates. “I remain thoroughly impressed by their professional and remarkably candid approach and wouldn’t hesitate using either service in future,” said Moore.

      Similarly Sky Broadband, which came 3rd, also garnered praise for their quick response to the issue(s) raised and then making “significant improvements to their TLS deployment.” Sadly the results for the bottom three providers weren’t so good.

      Summary of Paul Moore’s Comments

      EE
      Just a few days after my initial email, EE arranged a conference call to discuss the issues. Less than a week later, EE forwarded a detailed spreadsheet which outlined how they intended to mitigate many of the issues raised. EE have since commissioned a source-code review.

      EE have not taken any mitigative action with reference to the CSRF exploit thus far, pending the results of a source audit. There has been little/no immediate improvement with reference to their poor Qualys scores, despite an estimated fix being just weeks away.


      Unfortunately, EE have one of the weakest overall deployments, saved only by their willingness to discuss these issues so candidly.


      Virgin Media

      Having been a Virgin Media customer for well over a decade, I’m acutely aware that trying to engage in any security-related discussion is virtually impossible, the sole exception being a SuperHub 2 vulnerability last year.

      Unfortunately, Virgin Media did not reply to numerous requests for comment. However, the results of this audit haven’t given any immediate cause for concern.


      TalkTalk

      Unfortunately, TalkTalk operate in a bubble of blissful ignorance. Their utterly shambolic approach to security, combined with a proclivity to make wild & demonstrably fallacious claims, places TalkTalk firmly in last place during this audit.

      A related report over at the BBC also includes a response from TalkTalk, which now claims to be integrating Paul Moore’s comments into their on-going security improvements. “We constantly run vulnerability checks using industry-standard third party tools. The vulnerability exploited by the hackers was not picked up by this testing, and if it had been, we would clearly have acted on that information straight-away to secure our system,” said a spokesperson for the ISP.

      The full report can be read online (here) and hopefully more ISPs will take notice of the issues raised, particularly since consumers are now paying closer attention to matters of security in the wake of TalkTalk’s hack. Hopefully in the future Paul Moore may be able to expand his checking to other providers, such as Vodafone, KC, Zen Internet and so forth.

      It’s also important to point out that nearly all of the problems identified by Moore are now being actively examined and hopefully fixed by the various providers.
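      The “Cross Site Request Forgery / My Account” item above is the one that touches Sky, and it is worth seeing what the bug actually is. The following is an added example and is not code from the ISPreview article, from Paul Moore’s audit or from any ISP: a toy “My Account” change-email endpoint, first in the CSRF-vulnerable form (it trusts the session cookie alone) and then hardened with a per-session synchroniser token and an Origin check. Requests are modelled as plain dicts so it runs offline; the site origin, field names and customer data are assumptions.

```python
# Added example, not code from the ISPreview report, Paul Moore's audit or any
# ISP: a toy "My Account" change-email endpoint, first as a CSRF-vulnerable
# handler and then hardened with a per-session synchroniser token and an
# Origin check. Requests are plain dicts so everything runs offline; the site
# origin, field names and user data are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://my.example-isp.net"  # assumed origin of the account site


@dataclass
class Session:
    user: str
    email: str
    # One unpredictable token per session; the form page embeds it in a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict[str, Session] = {}  # cookie value -> session


def login(user: str, email: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    cookie = secrets.token_urlsafe(24)
    SESSIONS[cookie] = Session(user, email)
    return cookie


def change_email_vulnerable(req: dict) -> tuple[int, str]:
    """Authenticates on the session cookie alone. Because the browser attaches
    that cookie to a POST from any site, a hidden auto-submitting form on an
    attacker's page changes the victim's contact email."""
    sess = SESSIONS.get(req.get("cookie", ""))
    if sess is None:
        return 401, "not logged in"
    sess.email = req["form"]["email"]
    return 200, "email updated"


def change_email_hardened(req: dict) -> tuple[int, str]:
    """Same endpoint with two independent CSRF defences."""
    sess = SESSIONS.get(req.get("cookie", ""))
    if sess is None:
        return 401, "not logged in"
    # Defence 1: browsers add an Origin header to cross-site POSTs and a page
    # cannot forge it, so a foreign origin is an immediate reject. An absent
    # header is tolerated here only because defence 2 still applies.
    origin = req.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Defence 2: synchroniser token. The attacker's page cannot read the
    # victim's form (same-origin policy), so it cannot supply the token.
    # compare_digest keeps the comparison constant-time.
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    sess.email = req["form"]["email"]
    return 200, "email updated"


def forged_request(cookie: str) -> dict:
    """Constructed: what the victim's browser sends when an attacker page holds
    <form action=".../change-email" method="POST"> plus an auto-submit script."""
    return {
        "cookie": cookie,
        "headers": {"Origin": "https://attacker.example"},
        "form": {"email": "mailbox@attacker.example"},
    }


def legitimate_request(cookie: str, new_email: str) -> dict:
    """Constructed: the same POST issued from the real account page."""
    return {
        "cookie": cookie,
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": new_email, "csrf_token": SESSIONS[cookie].csrf_token},
    }


def demo() -> dict:
    """Run both handlers against a forged and a genuine request."""
    victim = login("customer1", "customer1@example-isp.net")
    results = {
        "vulnerable_forged": change_email_vulnerable(forged_request(victim))[0],
        "email_after_vulnerable": SESSIONS[victim].email,
    }
    victim = login("customer2", "customer2@example-isp.net")
    results["hardened_forged"] = change_email_hardened(forged_request(victim))[0]
    # Even with no Origin header at all, a forged POST still lacks the token.
    no_origin = {"cookie": victim, "headers": {}, "form": {"email": "x@attacker.example"}}
    results["hardened_forged_no_origin"] = change_email_hardened(no_origin)[0]
    results["email_after_hardened"] = SESSIONS[victim].email
    results["hardened_legit"] = change_email_hardened(
        legitimate_request(victim, "new@example-isp.net"))[0]
    results["email_after_legit"] = SESSIONS[victim].email
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

      In a real account site the token is rendered into every state-changing form and checked by middleware rather than in each handler, and marking the session cookie SameSite=Lax (or Strict) adds a third, browser-enforced layer. The point to take from the two handlers is that a valid login cookie on its own proves nothing about which site the user meant to submit a form to.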

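      The “RFC 2142 / Obtained Genuine TLS Certificate” item listed for Plusnet and EE reads, to me, as the mail platform letting a customer register a role mailbox such as hostmaster@ or webmaster@ and then that address being accepted by a certificate authority for email-based domain validation; that reading is my assumption, not something the article spells out. The check a provider would want is the one below: an added example, not code from the report or any ISP, that refuses RFC 2142 role names and the five mailbox names a CA may send a validation email to, after normalising the requested name the way a mail platform matches it. The domain and sample mailbox list are constructed.

```python
# Added example, not code from the report or any ISP: a signup-time check that
# refuses to give customers the mailbox names RFC 2142 reserves for a domain's
# operational roles, plus the five names a CA may email when validating domain
# control (CA/Browser Forum Baseline Requirements). That this is how "RFC 2142 /
# Obtained Genuine TLS Certificate" arose is an assumption; the domain and
# sample data are constructed.
import unicodedata

RFC2142_MAILBOXES = frozenset({
    "info", "marketing", "sales", "support",        # business roles
    "abuse", "noc", "security",                     # network operations
    "postmaster", "hostmaster", "usenet", "news",   # service-specific
    "webmaster", "www", "uucp", "ftp",
})
# Constructed addresses a CA is allowed to send a domain-validation email to.
CA_VALIDATION_MAILBOXES = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)
RESERVED_LOCAL_PARTS = RFC2142_MAILBOXES | CA_VALIDATION_MAILBOXES

# Constructed: an existing customer mailbox list to audit.
SAMPLE_MAILBOXES = [
    "alice.smith@example-isp.net",
    "Hostmaster@example-isp.net",
    "webmaster+certs@example-isp.net",
    "bob@example-isp.net",
    "ｐｏｓｔｍａｓｔｅｒ@example-isp.net",
]


def normalise_local_part(local: str) -> str:
    """Canonicalise the part before '@' the way a mail platform matches it:
    Unicode compatibility folding (fullwidth letters collapse to ASCII), case
    folding, surrounding whitespace, and the '+tag' sub-address suffix that
    most platforms deliver to the base mailbox. If your platform also ignores
    dots (as some webmail providers do), strip them here too."""
    s = unicodedata.normalize("NFKC", local).strip().casefold()
    return s.split("+", 1)[0]


def is_reserved(local: str) -> bool:
    return normalise_local_part(local) in RESERVED_LOCAL_PARTS


def validate_signup(requested: str, domain: str) -> tuple[bool, str]:
    """Decide whether a customer may create requested@domain."""
    base = normalise_local_part(requested)
    if not base:
        return False, "empty mailbox name"
    if base in CA_VALIDATION_MAILBOXES:
        return False, f"{base}@{domain} is a CA domain-validation address"
    if base in RFC2142_MAILBOXES:
        return False, f"{base}@{domain} is an RFC 2142 role mailbox"
    return True, f"{base}@{domain} ok"


def audit_existing(mailboxes: list[str]) -> list[str]:
    """The retrospective check: which already-issued addresses are reserved
    names a customer should never have been given? Returns them unchanged so
    the output can be fed straight into a suspension list."""
    return [m for m in mailboxes if "@" in m and is_reserved(m.rsplit("@", 1)[0])]


if __name__ == "__main__":
    for name in ("alice.smith", "Admin", "webmaster+certs", "abuse"):
        print(validate_signup(name, "example-isp.net"))
    print(audit_existing(SAMPLE_MAILBOXES))
```

      The retrospective audit matters as much as the signup check: a reserved name that was handed out years ago is still usable for a validation email today, and a certificate obtained that way is “genuine” in the sense the article uses, so the fix is to reclaim the mailbox and tell the CAs, not just to tighten registration.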

      #2
      pete.i, Sky User Member
      Exchange: 01757
      Broadband ISP: Sky Fibre Unlimited
      Router: Sagem F@ST 2504
      Sky TV: Freesat/etc
      Join Date
      Jun 2007
      Posts
      246
      Thanks
      2
      Thanked 5 Times in 5 Posts

      Re: Major Security Holes Found at the Big Six UK Home Broadband ISPs

      I'm sorry, but being the complete and utter cynic that I am, I do not think that any of the internet service providers have any interest in our online safety whatsoever. They want our money and that is about it. Luckily nothing on my computers is that important that I need to worry and, as we all know, spending money on the web is fraught with dangers and it is, basically, up to you to ensure your on-line safety.

      #3
      Scubbie, Sky User Moderator
      Exchange: 02392
      Broadband ISP: Sky Fibre Unlimited Pro
      Router: Sky Hub SR101
      Sky TV: Sky+HD box
      Join Date
      Mar 2010
      Location
      Near Portsmouth
      Posts
      26,836
      Thanks
      764
      Thanked 2,137 Times in 2,016 Posts

      Re: Major Security Holes Found at the Big Six UK Home Broadband ISPs

      Whilst I may agree with you, there is a large proportion of people out there who have considerably less understanding and appreciation than you or I.

      They in turn will be more vulnerable to such security lapses.

      As for those who know a little more, it can get expensive and time consuming getting all those measures put in place to protect everything that we would like to do with our electronic devices. There comes a point where perhaps some other measures should be taken against the hackers and not for the likes of NSA and GCHQ to reward them with a job offer.

      Sky Fibre Unlimited Pro: Connected at 80,000 kbps / 20,000 kbps
      Previous ADSL2+ Speed 19999 kbps 1153 kbps, Line Attenuation 17.5 db 6.9 db, Noise Margin 7.5 dB 8.7 dB
      Speedtest: 17.15MB/s 0.97Mb/s Ping 31 ms

      #4
      pete.i, Sky User Member
      Exchange: 01757
      Broadband ISP: Sky Fibre Unlimited
      Router: Sagem F@ST 2504
      Sky TV: Freesat/etc
      Join Date
      Jun 2007
      Posts
      246
      Thanks
      2
      Thanked 5 Times in 5 Posts

      Re: Major Security Holes Found at the Big Six UK Home Broadband ISPs

      Quote Originally Posted by Scubbie View Post
      Whilst I may agree with you, there is a large proportion of people out there who have considerably less understanding and appreciation than you or I.

      They in turn will be more vulnerable to such security lapses.


      As for those who know a little more, it can get expensive and time consuming getting all those measures put in place to protect everything that we would like to do with our electronic devices. There comes a point where perhaps some other measures should be taken against the hackers and not for the likes of NSA and GCHQ to reward them with a job offer.
      Oh, I am with you there. I agree that there are a lot of people out there, probably the vast majority I would think, who have little or no understanding of the implications of bad internet security. That doesn't alter my opinion that the internet service providers couldn't care less about mine, yours or their internet security. What so-called security measures they have put in place have been mainly knee-jerk reactions to possibly enforceable "suggestions" by government.

    SkyUser - Copyright © 2006-2014. SatDish and NewsreadeR | SkyUser is in no way affiliated with Sky Broadband / BSkyB