Internet service provider Easynet has filed a complaint to Scotland
Yard's Computer Crime Unit against a small firm of consultants
after it blew the whistle on serious security weaknesses in servers
on the provider's network.

Easynet has confirmed that it has sent a file of evidence about the
activities of security consultancy DDPlus to the police, after the
consulting firm uncovered security problems on servers belonging to
Easynet and its customers.

Computer Weekly revealed last month that Web sites belonging to
hundreds of Easynet customers may have been placed at risk by
server configuration errors which had left sensitive information,
including user names, on Web servers accessible from the Internet.

In a statement to Computer Weekly, the Internet service provider
said it had contacted detectives at the Computer Crime Unit
following concerns that DDPlus' activities may have breached the
Computer Misuse Act.

"Easynet takes any attempt to breach the security of its networks
extremely seriously. And to this end we have passed evidence to the
police concerning DDPlus. It is therefore inappropriate for us to
comment further," it said.

The complaint came after DDPlus, acting on its own initiative and
in an attempt to help the ISP fix the problems, handed Easynet a
dossier of computer files and a written explanation showing how the
firm had been able to exploit security weaknesses on servers on
Easynet's network.

The files show that DDPlus was able to view confidential files,
including databases of passwords and user names of 1,700 current
and former Easynet Web clients and of other leased-line customers.

"We think Easynet is making a mistake. We are trying to help them.
Since we have not done any damage to Easynet's servers, clients,
network or data, we feel that Easynet should be thanking us instead
of accusing us," said DDPlus managing director Dinis Cruz.

In an exchange of e-mails with DDPlus, Easynet's business
development director, Justin Fielder, claimed that the Easynet
servers accessed by DDPlus were old and about to be
de-commissioned. "The machines being taken out of service were only
vulnerable as they were removed from our patching and lockdown
schedule prior to being turned off but unfortunately the full
de-commissioning process was interrupted," said Fielder.

Easynet also claimed that the files viewed by DDPlus were old and
have "little relationship to current operations".

DDPlus has since e-mailed Easynet evidence it found that user names
and passwords of Easynet customers contained in the files are still
in use.

Easynet said it was unable to comment further on its complaint.
Scotland Yard confirmed that it received the complaint last week.