A catalogue of poor security practices at company Web sites hosted
by a leading Internet service provider (ISP) has put hundreds of
UK businesses at risk.
Simple software configuration errors have left sensitive systems
information accessible on servers connected to Easynet's network.
This could allow anyone with basic IT knowledge to view
confidential files, change the contents of Web pages, or delete
entire Web pages, security experts said.
The news should act as a wake-up call for IT directors and computer
security staff working for every organisation with a Web site,
whether hosted in-house or by an external ISP.
It will also come as an embarrassment to Easynet, which has won
awards for its Internet services and, with 30,000 business
customers, is ranked as the 12th largest ISP in Europe by market
capitalisation.
A small firm of IT consultants, DDPlus, revealed the problem after
it examined a range of servers on the Easynet network during a
security audit for one of the ISP's customers.
DDPlus discovered that sensitive details, including confidential
user names, files including credit card details, and an unencrypted
database containing the user names of more than 1,700 Web sites
belonging to past and current Easynet customers were accessible.
Although the database was two years old, a significant number of the
passwords and user names were still valid, DDPlus said, leaving the
internal workings of customers' Web sites exposed.
Easynet refused to comment on DDPlus' findings and could not say
who was responsible for the errors. But in an earlier interview
with Computer Weekly the company said that responsibility for Web
site security may rest either with the ISP or its customers,
depending on the hosting contract the customer chooses.
DDPlus said that configuration errors in at least six servers
connected to the Easynet network had left sensitive systems details
accessible over the Internet, including details of software
services, network connections, shared files, and the user names of
Easynet customers. Some of the servers, based at Easynet's Brick
Lane datacentre in London, were administered by Easynet staff and
appeared to be used for hosting multiple Web sites.
Peter Sommer, security expert at the London School of Economics,
said, "These are the kind of mistakes people were making four or
five years ago. It is not as if we are talking about some very
clever exploit being downloaded on the machine. To be able to see
this kind of data from the beginning is pure laziness."
DDPlus was able to show that it was possible to guess passwords
used to control Easynet's customer Web sites, many of which were
identical to their user names.
A password-cracking program downloaded from the Internet could
crack the passwords in a matter of minutes. Such problems could
easily have been prevented if the system had limited users to three
attempts at typing in a password, security experts said.
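As an added illustration, not code from the article or from DDPlus, the two controls the experts describe can be implemented as a policy check that refuses passwords identical to (or trivially derived from) the user name, plus a per-account counter that locks the account after three failed attempts. All names here are hypothetical.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MAX_ATTEMPTS = 3  # the three-attempt limit recommended in the article


def password_acceptable(username: str, password: str) -> bool:
    """Reject passwords that equal, reverse, or merely extend the user name."""
    u, p = username.strip().lower(), password.strip().lower()
    if len(p) < 8:
        return False
    if p == u or p == u[::-1]:
        return False
    if u in p or p in u:  # e.g. 'acme2001' for user 'acme'
        return False
    return True


class AccountLoginGuard:
    """Stores salted PBKDF2 hashes and locks an account after repeated failures."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked = set()                # usernames currently locked out
        self.users = {}                    # username -> (salt, pbkdf2 hash)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        if not password_acceptable(username, password):
            raise ValueError("password too short or too close to user name")
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'locked'; unknown users are counted like bad passwords."""
        if username in self.locked:
            return "locked"
        rec = self.users.get(username)
        if rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0])):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_attempts:
            self.locked.add(username)
            return "locked"
        return "denied"
```

A permanent lock is the simplest form of the control; most deployments use a time-limited lock or increasing back-off so that repeated bad guesses cannot be used to keep legitimate users out of their own accounts.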
Further investigations by DDPlus show that security problems are
not confined to systems connected to the Easynet network. The
security firm has discovered similar vulnerabilities in servers
connected to the networks of six other ISPs.
Easynet has declined to take up an offer of further information and
assistance in solving the problems from DDPlus. The consultancy
said it first alerted Easynet to the problems by e-mail in July,
but contacted Computer Weekly when it did not receive a
reply.
DDPlus managing director Dinis Cruz said, "I was very surprised
that all this information was openly available. It is so dangerous
and revealing that we did not know how to react.
"We knew from our past experience that security can be lax, but
this is the worst case we have seen," he said.
Additional research by Karl Cushing