Lax security jeopardises ISP's users: Hundreds of business Web sites vulnerable

A catalogue of poor security practices at company Web sites hosted by a leading Internet service provider (ISP) has put hundreds of UK businesses at risk.

Simple software configuration errors have left sensitive systems information accessible on servers connected to Easynet's network. This could allow anyone with basic IT knowledge to view confidential files, change the contents of Web pages, or delete entire Web pages, security experts said.

The news should act as a wake-up call for IT directors and computer security staff working for every organisation with a Web site, whether hosted in-house or by an external ISP.

It will also come as an embarrassment to Easynet, which has won awards for its Internet services and, with 30,000 business customers, is ranked as the 12th largest ISP in Europe by market capitalisation.

A small firm of IT consultants, DDPlus, revealed the problem after it examined a range of servers on the Easynet network during a security audit for one of the ISP's customers.

DDPlus discovered that sensitive details were accessible, including confidential user names, files containing credit card details, and an unencrypted database holding the user names of more than 1,700 Web sites belonging to past and current Easynet customers. Although the database was two years old, a significant number of the passwords and user names were still valid, DDPlus said, leaving the internal workings of customers' Web sites exposed.

Easynet refused to comment on DDPlus' findings and could not say who was responsible for the errors. But in an earlier interview with Computer Weekly the company said that responsibility for Web site security may rest either with the ISP or its customers, depending on the hosting contract the customer chooses.

DDPlus said that configuration errors in at least six servers connected to the Easynet network had left sensitive systems details accessible over the Internet, including details of software services, network connections, shared files, and the user names of Easynet customers. Some of the servers, based at Easynet's Brick Lane datacentre in London, were administered by Easynet staff and appeared to be used for hosting multiple Web sites.

Peter Sommer, security expert at the London School of Economics, said, "These are the kind of mistakes people were making four or five years ago. It is not as if we are talking about some very clever exploit being downloaded on the machine. To be able to see this kind of data from the beginning is pure laziness."

DDPlus was able to show that it was possible to guess passwords used to control Easynet's customer Web sites, many of which were identical to their user names.

A password-cracking program downloaded from the Internet could crack the passwords in a matter of minutes. Such problems could easily have been prevented if the system had limited users to three attempts at typing in a password, security experts said.
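The two controls the experts describe, rejecting a password that is identical to the user name and locking an account after three failed attempts, in an added example that is not code from the article, Easynet or DDPlus (function and class names are assumed for illustration):

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # the three-attempt limit the article's experts recommend


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked credential table cannot be read off directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(username: str, password: str) -> Account:
    # Refuse the weakness DDPlus found: a password identical to the user name
    if password.casefold() == username.casefold():
        raise ValueError("password must not equal the user name")
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt))


def login(account: Account, password: str) -> bool:
    """Return True on success; lock the account after MAX_ATTEMPTS failures."""
    if account.locked:
        return False  # locked accounts reject even the correct password
    if hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True
    return False
```

Once locked, the account must be reset by an administrator rather than by further guesses, which is what removes the "matter of minutes" guessing window.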

Further investigations by DDPlus show that security problems are not confined to systems connected to the Easynet network. The security firm has discovered similar vulnerabilities in servers connected to the networks of six other ISPs.

Easynet has declined to take up an offer of further information and assistance in solving the problems from DDPlus. The consultancy said it first alerted Easynet to the problems by e-mail in July, but contacted Computer Weekly when it did not receive a reply.

DDPlus managing director Dinis Cruz said, "I was very surprised that all this information was openly available. It is so dangerous and revealing that we did not know how to react.

"We knew from our past experience that security can be lax, but this is the worst case we have seen," he said.

Additional research by Karl Cushing
