lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [month] [year] [list] 
Date: Sun, 1 Apr 2007 01:18:39 -0400
From: Aviram Jenik <aviram@...ondsecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: ISP in the UK Terminates Account after Full
	Disclosure

Short version:

beThere, a UK ISP distributed routers to customers with the telnet port open 
and a default administrator password. A bit embarrassing.
Sid, who discovered the hole, originally blogged about it on SecuriTeam blogs, 
which resulted in the ISP calling us within 24 hours to have Sid take down 
the password information (as if that can't be figured out by the average 
script kiddie), but a month and a half later the problem is still there. I 
guess we know where their priorities are.

What else didn't take them long to do? Terminating Sid's Internet account. 
Yeah, that'll teach him a lesson telling the world about security holes in 
beThere's service. Bad customer. Go bother someone else.

Oh, and the backdoor? Still there, thanks for asking.

My longer rant here:
http://blogs.securiteam.com/index.php/archives/860

And here's Sid's original disclosure:
http://blogs.securiteam.com/index.php/archives/826

- Aviram

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux