Eircom storing passwords in the clear

gerryk

Guys... could you have a quick gander at this thread and comment, please.
As an eircom customer, I am somewhat concerned.

http://www.boards.ie/vbulletin/showthread.php?t=2056712698

eircom: Ant

gerryk wrote: »

Guys... could you have a quick gander at this thread and comment, please.
As an eircom customer, I am somewhat concerned.

http://www.boards.ie/vbulletin/showthread.php?t=2056712698

Hi gerryk,

Thanks for bringing this to our attention. I will certainly look into this. Please bear with us as it It may take a little time to check.

I will get back to you as soon as possible.

Regards,
Ant

gerryk

Cheers Ant.

teddy b123

gerryk wrote: »

Cheers Ant.

Any update?

Tow

If you just ring them up an say you forgot the password for xyz@eircom.net they will tell it to you. I did it a while back for an old company email address, armed with all the eircom bills ready to any answer security question etc, and none was asked.

MadsL

A week to comment on your information security policy?? This should be pinned up in big red letters on every CSRs desk. Do you realise how vunerable you are to social hacking by giving CSRs access to passwords? Secure password reset technology is hardly new.

Giblet

Amateur hour IT facilities it seems.

MagicRon

EIRCOM, have a read of http://www.neowin.net/news/gizmodo-twitter-account-hacked--thanks-to-apple

and then maybe
http://www.neowin.net/news/amazon-closes-security-hole-quietly

gerryk

Any news Ant?

eircom: Ant

gerryk wrote: »

Any news Ant?

Hi gerryk,

Just in response to your tweet. I don't have any firm information on this query yet. Generally it does take time, as this comes under operational and security matters.

Appreciate your contact on twitter and for bearing with us. As soon as I have further information I will expand here, as boards is a more feasible platform, given character restrictions.

Best Regards,
Ant

teddy b123

I was in touch with a manager in your technical support department who insists the system is secure
I was informed that only support staff have access to these passwords
These passwords are on an internal database
---(Which is connected to the frontend for password resets which are made online to be updated)
Every employee access to this database is recorded
A user that requests a password reset must have all their details verified
They are planning to implement a more secure way of sending out users passwords in the coming months

gerryk

teddy b123 wrote: »

I was in touch with a manager in your technical support department who insists the system is secure
I was informed that only support staff have access to these passwords
These passwords are on an internal database
---(Which is connected to the frontend for password resets which are made online to be updated)
Every employee access to this database is recorded
A user that requests a password reset must have all their details verified
They are planning to implement a more secure way of sending out users passwords in the coming months

Few comments on this.

1. as long as there are people in the loop, the system is not secure. I don't care how loyal, well trained and meticulous staff are, they are vulnerable to manipulation, and as such are a weakness.

2. passwords in the clear on any system is a vulnerability. I don't care if the system is buried in a mountain guarded by cerberus, it's a weakpoint if it's not encrypted using a one-way cypher.

3. best intentions are no substitute for system level enforcement. It doesn't matter how diligent you are, any access to a system can be manipulated.

Short answer, Eircom. It is not acceptable to retain passwords in the clear. If a password reset mechanism must be implemented, it should only be possible via an unspoofable means... e.g. a phone call from the number associated with the account, with the reset password SMSed to the mobile on record.

I understand that the aim is convenience to the user, but this is not an acceptable reason for exposing customers to potential data egress. Look at Mat Honan's hack for an example of how this sort of thing can escalate. There were no technical vulnerabilities exploited in this, it was all organisational and human... in short, social engineering and research breached the security of some of the biggest players in the business, Amazon and Apple. Please do the right thing, Eircom.

MadsL

gerryk wrote: »

Few comments on this.

1. as long as there are people in the loop, the system is not secure. I don't care how loyal, well trained and meticulous staff are, they are vulnerable to manipulation, and as such are a weakness.

2. passwords in the clear on any system is a vulnerability. I don't care if the system is buried in a mountain guarded by cerberus, it's a weakpoint if it's not encrypted using a one-way cypher.

3. best intentions are no substitute for system level enforcement. It doesn't matter how diligent you are, any access to a system can be manipulated.

Short answer, Eircom. It is not acceptable to retain passwords in the clear. If a password reset mechanism must be implemented, it should only be possible via an unspoofable means... e.g. a phone call from the number associated with the account, with the reset password SMSed to the mobile on record.

I understand that the aim is convenience to the user, but this is not an acceptable reason for exposing customers to potential data egress. Look at Mat Honan's hack for an example of how this sort of thing can escalate. There were no technical vulnerabilities exploited in this, it was all organisational and human... in short, social engineering and research breached the security of some of the biggest players in the business, Amazon and Apple. Please do the right thing, Eircom.

Awesome post. Listen to this man. Better yet, give him a job.

Your data centres in Clonshaugh and Citywest have ISO 27001 - crazy that you have this glaring hole in your consumer service end of things. Reminds me of the wireless routers on which you took so long to fix the security hole.

Ronan Kneafsey, Director, eircom Business said, “We are delighted to have achieved ISO 27001 for our two largest data centres, as it represents independent confirmation of eircom’s world-class managed services credentials. We provide highly secure managed services to some of the largest enterprises in the world, including secure hosting, and we continue to work hard to ensure we not only meet the most stringent security requirements of our clients, but that we also foster a “security culture” within eircom.

Really?

jreanor

This is just disgraceful but I am absolutely not surprised.

If you don't mind Ant I would like to ask you a question. Is it the belief of Eircom that it is completely beyond the realm of possibility that this database of plaintext password could fall into the wrong hands?

This seems to have been the stance of many companies who had their password database compromised. An example of a high profile case of this is Sony's famous hack last year (http://techland.time.com/2011/06/02/new-sony-hack-claims-one-million-user-passwords/).

Obviously everyone should have different passwords for every site they visit. But I have no doubt in my mind that many users use the same password for their eircom email address as for sites containing very sensitive information such as paypal or various social networks. In fact, I was guilty of exactly this for a time.

All it would take would be one pissed off employee or a determined hacker. There is no such thing a 100% secure system and judging by how eircom handles passwords I suspect it is not the only security vulnerability.

I also wonder if such naive security policies would be of interest to the data protection commissioner.

Eircom should take this issue very seriously before the media catch wind of this and you start losing customers.

gerryk

Two weeks and counting, guys.

gerryk

I understand that you (Ant/James etc) are at the mercy of those higher up with regard to making statements on this, but can you point out that if they aren't more forthcoming with information in the relative privacy of this thread, that they may have to defend their position in the public eye.

MagicRon

This thread has over 700 views - If you think that ignoring the concerns that your customers have brought up here will somehow make the questions go away, then you're seriously mistaken!

In light of the many hacks and user password exposures that have hit the media in recent times and the fact that it has been highlighted here now that one of Ireland's largest companies isn't handling passwords correctly (and that your agents are actually telling customer's the passwords with little customer verification ), we want to know exactly what is being done to rectify the concerns raised by your customers in this thread?

eircom: Ant

MagicRon wrote: »

This thread has over 700 views - If you think that ignoring the concerns that your customers have brought up here will somehow make the questions go away, then you're seriously mistaken!

In light of the many hacks and user password exposures that have hit the media in recent times and the fact that it has been highlighted here now that one of Ireland's largest companies isn't handling passwords correctly (and that your agents are actually telling customer's the passwords with little customer verification ), we want to know exactly what is being done to rectify the concerns raised by your customers in this thread?

Hi MagicRonm


Absolutely not ignoring this query. Both James and myself have sought further information. We will update as as soon as we can.

Apologies for the delay getting back to you.

Ant

Praetorian

My thread was ignored too!

RUCKING FETARD

Praetorian wrote: »

My thread was ignored too!

Games 17
Motors 16
Computers & Technology 15
IrelandOffline 11
Humour 9
Broadband 8
Star Trek 6
Battlestar Galactica & Caprica 6
Counter-Strike 4
After Hours 4
<li id="more_link">« Show Less
Commuting & Transport 3
Rock & Metal 3
Nets & Comms 3
Windows 3
English 2
Mobiles & PDAs 2
Feedback 2
Audio-Video Editing 1
Bargain Alerts 1
Golf 1
Soccer Access Requests 1
Graphics 1
GAA 1
Xbox 1
Racquet Sports 1
Forum Requests 1
Unreal 1
Design 1
Humanities 1
Half-Life 1
Overclocking & Modding 1
Wireless 1
Star Wars 1
Sci-Fi & Fantasy 1
Soccer 1

You've no Thread in Eircom??

Praetorian

RUCKING FETARD

http://www.boards.ie/vbulletin/showthread.php?p=80072936

gerryk

Ant, we're approaching a month since I asked this question. How long does it take to get a response from either your security team or your PR team? While I acknowledge that this is somewhat beyond your control, what is in your control is the ability to pass on a message to whoever needs to know, that if I don't get a response by the end of the week... I will "talk to Joe" or whatever other bloke on the radio is good at stirring the pot.

teddy b123

gerryk wrote: »

Ant, we're approaching a month since I asked this question. How long does it take to get a response from either your security team or your PR team? While I acknowledge that this is somewhat beyond your control, what is in your control is the ability to pass on a message to whoever needs to know, that if I don't get a response by the end of the week... I will "talk to Joe" or whatever other bloke on the radio is good at stirring the pot.

Gerryk,
Glad you're willing to fight this!
I spoke to a person at the data protection commissioners office and she said to email on the details but I'm sure Eircom would rather sort this without their involvement!

MagicRon

1230 views....That means that of nearly 90 pages of threads in Talk to Eircom board, this thread is the 15th most viewed ... and at this rate, will soon be the most viewed Talk to Eircom thread in this forum.

I think it is now time for you to come forward and accept that what you are doing is not right, tell us what you are going to do to change, and start working towards that change.

The alternative is continued public exposure on this issue -- probably beyond boards if you continue on like this...

colly10

It's pretty obvious that eircom don't take securing data seriously. If they did then this issue wouldn't occur or at least they'd consider the issue to be important enough to make a decision quickly on what will be done about it. If it was important then the eircom guys here would not be left waiting for a response.

It's not long since they failed to inform the data commissioners of the stolen laptops and they went along time using a wep key generator that allowed others to calculate the key generated off the SSID.

It's the last thing on their mind

gerryk

Ant, James... I'm pretty upset that this thread hasn't been given any serious consideration. I would have thought that Eircom, as an ISP, would have taken the security of their users more seriously, especially since recently a pretty high profile social engineering/identity theft attack left a well known journalist with his entire digital life erased. One of the key vulnerabilities in this was access to improperly protected email accounts. Tesco have also come under scrutiny for a similar lapse of judgement.

So... any final comments before I email George Hook and his ilk?

MagicRon

eircom: Ant wrote: »

Absolutely not ignoring this query.

Oh, really?

gerryk

This isn't going away, guys...

eircom: James

gerryk wrote: »

This isn't going away, guys...

Hi gerryk,

I see the lads had responded to your Tweet earlier. Just to put the latest info here for others, our online security team are constantly working on aspects of security. I hope you can understand that due to the nature of this as a security issue there is not a lot that we can post publicly.

Regards

James

MadsL

James, with respect. This is not a data protection issue - although I recognise that there is a Data Protection aspect.

This is a information security matter, and the DPC are not experts in that.

gerryk

MadsL wrote: »

James, with respect. This is not a data protection issue - although I recognise that there is a Data Protection aspect.

This is a information security matter, and the DPC are not experts in that.

Completely 100% correct. The driver behind your decisions should not be, in the first instance at least, regulatory compliance. It should be doing the right thing. Generally relgulatory compliance provides guidance to do the right thing, but as with anything smothered under layers of bureacracy, the message gets diluted or completely misreported.

The correct approach is to derive the right thing to do from first principles.

The right thing in this case it to eliminate vulnerabilities. The only correct way to do this is one way encryption, using a strong, salted hashing algorithm.

MadsL

I just want to iterate that there is a Data Protection aspect to this, in that eircom are obliged to keep personal data secure. And in fairness to them they do, as both data centres are ISO 27001 certified.

However customer care and and marketing are often departments where security is downgraded in favour of convenience.

A security audit by someone who knows what they are doing should highlight these issue, alternatively eircom could extend the scope of their ISO 27001 certification to cover customer services.

RUCKING FETARD

Meteor and eMobile plead guilty to data legislation breaches

gerryk

eircom: James wrote: »

Hi gerryk,

I see the lads had responded to your Tweet earlier. Just to put the latest info here for others, our online security team are constantly working on aspects of security. I hope you can understand that due to the nature of this as a security issue there is not a lot that we can post publicly.
Regards

James

Hi James... any news on this?

eircom: Tony

gerryk wrote: »

Two weeks and counting, guys.

Hi gerryk
I appreciate your patience in this. At the moment we have no further information to that posted by us earlier. Our security and operations teams are aware of this issue and all issues related to security. For the most part companies would be unlikely to publish their approach to security, however we hope to be able to get appropriate statement to at least answer your own and others concerns.
We have brought all the points and cases mentioned in your posts to the attention of all responsible for security and have been advised that systems and proceedures are in place to deal with these.
While I think it is unlikely that we will be able to disclose these proceedures ( due to security reasone) we hope to have more info on this.
Tony

gerryk

Hi Tony... thanks for the reply, albeit somewhat delayed. Procedures can be circumvented. I thought that was clear. As long as there is a human component, there is a clear vector for exploit. Sure, there are technical vulnerabilities too, but the whole idea is to lessen your attack surface.
I am pretty upset at your (Eircom's) unwillingness to accept that you have done the wrong thing while communicating assurances to rectify that. Instead, this is an obvious 'ignore it and it will go away' tactic. Sure, I may go away, from sheer frustration at not being taken seriously, but others won't, and this thing has every potential to backfire spectacularly for you. I mean, come on... your company is hugely in debt, and the only way that can be managed is through investment. Investment requires a modicum of confidence in your return, and I, were I a potential investor, would find this behaviour a good reason to spend my money elsewhere.
I don't expect anything further from you... I understand that personally, your hands are tied, but find the arrogance of your company in this matter, shocking, but, I suppose, not all that surprising.

eircom: Tony

gerryk wrote: »

Hi Tony... thanks for the reply, albeit somewhat delayed. Procedures can be circumvented. I thought that was clear. As long as there is a human component, there is a clear vector for exploit. Sure, there are technical vulnerabilities too, but the whole idea is to lessen your attack surface.
I am pretty upset at your (Eircom's) unwillingness to accept that you have done the wrong thing while communicating assurances to rectify that. Instead, this is an obvious 'ignore it and it will go away' tactic. Sure, I may go away, from sheer frustration at not being taken seriously, but others won't, and this thing has every potential to backfire spectacularly for you. I mean, come on... your company is hugely in debt, and the only way that can be managed is through investment. Investment requires a modicum of confidence in your return, and I, were I a potential investor, would find this behaviour a good reason to spend my money elsewhere.
I don't expect anything further from you... I understand that personally, your hands are tied, but find the arrogance of your company in this matter, shocking, but, I suppose, not all that surprising.

Hi gerryk
Thanks and I do understand that it is taking time and that you can hardly be expected to wait indefinitely for a response to the points raised. Really I cannot add more to posts earlier from Ant or James. The reality is that companies are cautious in issuing operational information and even more so when that information revolves around company security. I can assure you though that all relevant sections are aware of this issue and that the issue is definitely not being ignored.
As pointed out by MadsL our data centres are security certified and security audits carried out to protect this. Due to the number of recent data security breaches worldwide these audits have become an even more important element of good business practices
As stated by MadsLl ‘eircom are obliged to keep personal data secure’ and I can assure you this is of the highest priority for the company
I still hope to be able to provide further information or statement on this issue for you and others concerned.

Tony

MadsL

eircom: Tony wrote: »

Hi gerryk
Thanks and I do understand that it is taking time and that you can hardly be expected to wait indefinitely for a response to the points raised. Really I cannot add more to posts earlier from Ant or James. The reality is that companies are cautious in issuing operational information and even more so when that information revolves around company security. I can assure you though that all relevant sections are aware of this issue and that the issue is definitely not being ignored.
As pointed out by MadsL our data centres are security certified and security audits carried out to protect this. Due to the number of recent data security breaches worldwide these audits have become an even more important element of good business practices
As stated by MadsLl ‘eircom are obliged to keep personal data secure’ and I can assure you this is of the highest priority for the company
I still hope to be able to provide further information or statement on this issue for you and others concerned.

Tony

Can I also point out that as far as I am aware your ISO 27001 certification does not cover your customer services operations - merely your data centres at Clonshaugh and Citywest.

No-one is asking for operational information, just the publically issued statement and assurance that eircom no longer store passwords in the clear.

Now that can be done voluntarily or under investigation by the DPC. Eircom's choice. If that sounds like a threat, it isn't - it is merely the consequence of eircom failing to provide that assurance.

N64

In fairness if you cared about security, would you really use eircon.net in the first place?

MagicRon

Are call centre agents still able to see user's passwords?

gerryk

Hi guys... any updates?
Should I be talking to the DP commissioner instead of waiting for a reply from your security team.

With regard to your comment that companies would not disclose their security policies, many companies, for instance Lastpass, are so proud of 'doing the right thing' that they actively publicise their password storage policies. May I draw your attention to the following links?

https://lastpass.com/support.php?cmd=showfaq&id=1096
https://lastpass.com/support.php?cmd=showfaq&id=111635

MadsL

Gerry, I think you have a better shot with the DP. In fact I would urge you to make a complaint anyway as eircom's 'ignore it and it will go away' attitude is shocking.

DP legislation obliges companies to keep personal information secure.

Protection of Privacy of Individuals with regard to Personal Data

2. Collection, processing, keeping, use and disclosure of personal data.
2.-(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

http://www.dataprotection.ie/viewdoc.asp?DocID=796#2C

eircom: Tony

MadsL wrote: »

Gerry, I think you have a better shot with the DP. In fact I would urge you to make a complaint anyway as eircom's 'ignore it and it will go away' attitude is shocking.

DP legislation obliges companies to keep personal information secure.



http://www.dataprotection.ie/viewdoc.asp?DocID=796#2C

Hi guys

Without trying to sound smart-assed, large companies are careful about posting sensitive information without a full investigation into how this will affect the company. To be honest it makes no sense to confirm a company’s security policy on a public forum either way. However you can see from our previous post that we are not ignoring this issue. As we posted previously we have passed on your concerns to the correct channels and they are aware of the query. Given that this is a security issue I would expect that before any response was made available (one which would not impact security) a full investigation and signoff would be necessary.
I can assure you that designated call centre agents are trained and mandated to authenticate every customer before any account information is divulged.
We are only too happy to post any information available to us and are more than happy for you to take the query up with the DP.


Tony and James

MadsL

eircom: Tony wrote: »

Hi guys

Without trying to sound smart-assed, large companies are careful about posting sensitive information without a full investigation into how this will affect the company. To be honest it makes no sense to confirm a company’s security policy on a public forum either way. However you can see from our previous post that we are not ignoring this issue. As we posted previously we have passed on your concerns to the correct channels and they are aware of the query. Given that this is a security issue I would expect that before any response was made available (one which would not impact security) a full investigation and signoff would be necessary.
I can assure you that designated call centre agents are trained and mandated to authenticate every customer before any account information is divulged.
We are only too happy to post any information available to us and are more than happy for you to take the query up with the DP.


Tony and James

Thanks for the response. Could you let us know what progress has been made in three months on the issue and when a statement is expected. What stage is the investigation at?

Also who authenticates the call centre agents? Can they access information without the customer on the line?

eircom: Tony

MadsL wrote: »

Thanks for the response. Could you let us know what progress has been made in three months on the issue and when a statement is expected. What stage is the investigation at?

Also who authenticates the call centre agents? Can they access information without the customer on the line?

Hi Madsl
No problem. We do not have update on this and will have no further information on until full investigation has been concluded.
Regarding the second request, this information would not be made available publicly as this falls under operational procedures.
Tony

MadsL

eircom: Tony wrote: »

Hi Madsl
No problem. We do not have update on this and will have no further information on until full investigation has been concluded.

Not even a timescale?

Regarding the second request, this information would not be made available publicly as this falls under operational procedures.
Tony

Does it form part of the investigation?

eircom: Tony

MadsL wrote: »

Not even a timescale?



Does it form part of the investigation?

If they have one, they haven't advised me MadsL:( ....big companies take these things very seriously and in my experience time to complete investigations like this. The mods here regularly chase the issue so when response is available we will know pretty quicky.
Tony

MadsL

eircom: Tony wrote: »

If they have one, they haven't advised me MadsL:( ....big companies take these things very seriously and in my experience time to complete investigations like this. The mods here regularly chase the issue so when response is available we will know pretty quicky.
Tony

Thanks Tony.

Still no word on VAT eh?

(think you should send a link to these two threads to your marketing department, this isn't playing all that well with your customers)

eircom: Tony

MadsL wrote: »

Thanks Tony.

Still no word on VAT eh?

(think you should send a link to these two threads to your marketing department, this isn't playing all that well with your customers)

Believe me, when we pick up these issues we let everyone know...

eircom: Tony

MadsL wrote: »

Thanks Tony.

Still no word on VAT eh?

(think you should send a link to these two threads to your marketing department, this isn't playing all that well with your customers)

Hi MadsL

We will post any info on that subject here.... on our special Vat thread..
Have to keep things nice and neat.:D
Tony

tunedout

eircom: Tony wrote: »

Hi gerryk
For the most part companies would be unlikely to publish their approach to security, however we hope to be able to get appropriate statement to at least answer your own and others concerns.

I have 2 email accounts with eircom. And use a similar password with eircom as what I do with some of my other accounts online. It is very worrying for me if passwords can be seen openly by eircom staff.

Can you at least assure your customers that the passwords are now safer than what they were when you were asked 3 months ago?

You don't need to 'publish your approach to security' to reassure your customers of this much.