Reading between the lines

With regards to the spam incident that is affecting a number of people, myself included (I still have a number of dial-up accounts with plusnet that I keep for the email addresses) I'm starting to see some worrying information appear.

1. PlusNet admit that email addresses have been obtained illegally
2. PlusNet have performed wireless internet access updates

Sadly, this could be a TKMaxx situation all over again.

My concern is that it might not just be email addresses that have been accessed.

Can PlusNet update us on where they're at with their investigations?

I agree

I've not bothered to read the other thread once I saw stupid allegations. This sits squarely with plusnet for me. As a plusnet customer, a significant breach in security, which I believe this is, makes me not want to be a plusnet customer especially if there is a spinned response. Plusnet please continue to be open once your investigations are complete.

Have a large volume of spam now to our plusnet accounts.

PlusNet have stated they will release the details once the still on-going investigation has been completed and this is more likely to be the end of the week.

However, if this becomes a legal issue then they may be limited in what they can say as it may jepodise any criminal investigation that may then be in progress.

But they said it was now fixed, so how come no further information?

I have enough spam on the email addresses I put into the public I don't want nore on ones that are not.

From reading the updates about the wireless stuff I don't think it's related...

I think what everyone with any details held by PlusNet needs to know ASAP
is if if just emails that this involves, or if other data is also involved (or if they know)

http://usertools.plus.net/status/archive/1179167580.htm

"We regret that this has happened but are confident that we have resolved this issue and will monitor the situation closely to ensure that the effect is minimised and the issue does not reoccur."

That is what I don't understand , if they are confident it's been resolved, won't have the investigations have been completed.

It would be good if someone at PN were able to at least confirm personal information has not been stolen as part of whatever has ocurred here. It would set peoples minds at ease.

It's not fun having to deal with spam. But spam will be the least of ppls concerns if a lot more PN held data has escaped besides email addresses.

As has been said, we will make sure full details are available - There is no way we want to 'spin' a response.

If I could just ask that you don't read too much into the removal of Wireless and a couple of other things for the minute - Overnight we conducted some pretty serious screw tightening across the board, but what we are aware of relates solely to the Webmail platform.

As you can imagine, and I hope no one will read too much into this, none of us will be about too much today in the forum. Liam and the Comms guys are preparing an FAQ though and we will do our best to answer any questions you have there.

Thanks,

Ian

In reply to:

---

- Overnight we conducted some pretty serious screw tightening across the board, but what we are aware of relates solely to the Webmail platform.

---

But how does the Webmail platform affect the release of alias@nonPlusNet addresses which are held solely by PlusNet for billing and account contact type messages, and which have never been anywhere near the Webmail interface. If traces of these addresses are found on the Webmail database, how did they get there?

In reply to:

---

As you can imagine, and I hope no one will read too much into this, none of us will be about too much today in the forum.

---

Out of interest Ian, have many people at work today turned up in their brown trousers?

Rob

In reply to:

---

As Bob was saying yesterday, if anyone knows of an address that they don't believe has ever touched webmail then they should send him a PM with the details so we can check. From all of those yesterday, we didn't find any without a Webmail based explanation - The one I looked at personally had been sent an email by a Comms member of staff from Webmail (Presumably someone working from home and following up a forum thread). I'm presuming Bob is coming back to people who enquire about specific addresses with more detail, but if he hasn't yet please do bear with us - As you can imagine we are working to a tight plan today...

Ian

Hi Ian,

Please see the PM I just sent you.

Guys - I have to cut and run just now - Please don't think I don't want to be here, but as I say it's important we execute today to plan and I don't have a lot of time to be here right now. My priority is to make sure all customers get clear and accurate information about what happened as quickly as possible.

Ian

In reply to:

---

Please see the PM I just sent you.

---

and I've sent you a PM straight back!

Cheers Ian - I'm a bit stuck in the middle because Bob was handling these really - I'm passing on what he told me and I'm certain he will be able to come back and provide the details you need, but just not right now this second!

Cheers,

Ian

In reply to:

---

As Bob was saying yesterday, if anyone knows of an address that they don't believe has ever touched webmail then they should send him a PM with the details so we can check. From all of those yesterday, we didn't find any without a Webmail based explanation

---

I did that yesterday Ian. Apparently some were found on the Webmail database and some weren't, even though they received the SPAM. I don't know whether they were found later after Bob PM'd me back, and I didn't get an answer on the non-PlusNet alias held against my BB account contact details (not blaming Bob).

In reply to:

---

- The one I looked at personally had been sent an email by a Comms member of staff from Webmail (Presumably someone working from home and following up a forum thread).

---

That would appear to be a feasable explanation to link addresses the Webmail, but in my case I've never participated in the PlusNet forums.

Rob

Ian,

Thanks, I

In reply to:

---

Guys - I have to cut and run just now - Please don't think I don't want to be here, but as I say it's important we execute today to plan and I don't have a lot of time to be here right now.

---

Who is being executed?

Rob

They seem to have confirmed it to Andrew, see this front page news item. Of course I'd consider an email address that no-one but me has ever had any contact with (setup for testing purposes a couple of years ago) personal information But at least there's now been some confirmation that a wholesale breach of names, addresses, bank details etc has not occurred.

Quoting Ian Wild

"Overnight we conducted some pretty serious screw tightening across the board"

Why wasn't this done before, surely someones job there is to look after network security and be pro active about things, as a company you only ever seem to deal with an issue after there is a problem.

Personally I

In reply to:

---

Overnight we conducted some pretty serious screw tightening across the board, but what we are aware of relates solely to the Webmail platform.

---

Is it just me that saw the resemblance of Plusnet to Railtrack and the fiasco over maintenance of points?

That you have "conducted some pretty serious screw tightening" is an admission that some screws were seriously loose at Plusnet (take that as you will!).

Two questions:

Do Plusnet have a policy of conducting periodic security reviews of all their systems and procedures?

If so, when was the last review review of webmail?

Additionally if those screws could be tightened overnight then I'd imagine not a huge amount of work would have been needed to have been proactive about this work rather than reactive. And it looks as if multiple 'screws have been tightened' implying as well as the now known hole, others were found during investigation. It's great that they've done it now, but why is it PlusNet repeatedly can't put resources into ensuring these things don't happen in the first place? Amazing how this same company attitude has come back to haunt me even long after leaving as a customer because of it.

It would be interesting to get answers to those questions jelv, but they sound sorely like questions we've asked and never had adequately answered in the past. I hope I'm proved wrong though.

Also at 7.33pm last night it was "confident that we have resolved this issue"

But the "screw tightening" was done over night!

Would have thought the "screw tightening" would come before resolving the issue!

I've supplied them with a test email address that I can't remember having ever been used by webmail and it was only known by me. It was setup and used via IMAP/POP3 a couple of times a couple of years ago. It did have messages sent to it from an address that has been accessed via webmail, but those messages weren't set by webmail AFAIR. So there is a link to webmail but it's pretty tenuous.

Will be interesting to see how things pan out. Thankfully the non PlusNet e-mail address linked to my old account for communication/billing/etc (but never to any PlusNet email addresses) seems to be untouched. Unless of course any spam it has received has been intercepted en-route.

In reply to:

---

Thankfully the non PlusNet e-mail address linked to my old account for communication/billing/etc (but never to any PlusNet email addresses) seems to be untouched.

---

For me, these are exactly the addresses that are being hit.

they are obviously 2 years ahead of themselves.

Too be fair, you don't now you have a problem until you have a problem! A lot of fixes/patches are mainly after the horse has bolted unfortunately. I really don't think I company can say they are water tight anymore.

Its still a valid question to ask does plusnet feel it is doing all it can to protect our personnal information? Perhaps Ian, in the next few days, at do FAQ on how our information is looked after both internally and from external attack? Ian?

The nature of the "leak" would be informative.... external hack? system weakness, inside job etc...

I'm aware that they use several pieces of externally purchased/open source software. I'd be especially interested to know what policies and processes they have in place for monitoring resources for known problems with these pieces of software [Perhaps one for the FAQ Ian?]

I know for people I've done work for I maintain an asset list of software installed, what version, patches applied etc. and monitor applicable security lists/fora etc. to make sure that I know what vulnerabilities have been identified and take proactive steps to resolve them.

Of course - if they succumbed to a previously unknown vulnerability then I'm not sure what else I would have expected them to do - but if it turns out that this *was* a known apache/perl/atmail bug then some serious questions have to be asked.

Definitely.
I'd agree that some problems are only known after they have been exposed, but who exposes those and how people react are key. Work can (and is) put into hardening security by those who take it seriously. This ranges from the monitoring described right through to more proactive attempts to break a system. It's better for a friend to find a flaw than a foe. I wonder if PlusNet have ever had an impartial external assessment of their policies?

Hi Paddy,
I don't think this is an inside job due to the nature of the announcement...

"It has come to our attention that a number of customer email addresses have been obtained illegally by a third party."

To me a third party is someone other than
1st Party - Plusnet
2nd Party - customer(s)

The 3rd Party is yet to be confirmed.

3rd party could also be an ex-employee - which I'd pretty much class as an "Inside Job" ...

Given that it looks like it was Webmail that was compromised and that the platform runs publically-available software I'm guessing it was "just-another-hacker" who's been trying random atmail installs he could find and just "stumbled" across Plusnet ...

In reply to:

---

I don't think this is an inside job due to the nature of the announcement...

"It has come to our attention that a number of customer email addresses have been obtained illegally by a third party."

---

I think we can assume that in this case the third party being referred to is the spammer/s, therefore it could still possibly have involved an "insider".

Rob

Copy of email to be sent http://usergroup.plus.net/forum/index.php/topic,4761.msg62039.html#msg62039

Much ado about taking security seriously, but nothing to back it up, empty words with are contradicted by the last couple of days.

I shall wait and see the actual email that I receive by this does seem to be very poor and lacking in real information/help. For example:

1. The Trojan they refer to in the email seems to exploit a hole that was fixed in September last year and so anyone applying a Windows Update since then shouldn't be affected. A specific date would help people who don't update frequently.
2. Some advice on how to combat the spam would also be useful.

In reply to:

---

If I could just ask that you don't read too much into the removal of Wireless and a couple of other things for the minute - Overnight we conducted some pretty serious screw tightening across the board, but what we are aware of relates solely to the Webmail platform.

---

/me *sighs* not the first time this has happined has it ian? looks like your "screw tightening" the last time wasnt that tight after all!

its not the first time they have had to do some 'screw tightening' overnight - had a similar situation back in 2004.

its about time plusnet sack whoever is responsible for the serious (lack of) security within their network.

One would assume PlusNet are currently totally blocking all e-mail from the known sources of this outbreak or all that match the patterns of the outbreak. This is why they were able to say the problem has been 'resolved'. The problem is sadly not that easy to solve though.

If that is the case then it is not a fix for me because I am now tied to PN for my email unless I want to receive lots of spam as a result of their security lapse. Not good.

In reply to:

---

One would assume PlusNet are currently totally blocking all e-mail from the known sources of this outbreak or all that match the patterns of the outbreak.

---

They can't. The email addresses "stolen" don't necessarily have anything to do with PlusNet. My main email address that's been affected by this is a domain which isn't registered with PlusNet, PlusNet don't host the DNS, and they don't host the mail server for it so there is nothing they can do to fix this for me and many others I assume. I just have to live with the consequences

"Much ado about taking security seriously, but nothing to back it up, empty words"

That's a bit harsh. Haven't they already checked a few other things and improved security in other areas? Do you think they aren't taking this seriously?

I don't disagree that this is a fairly epic screw up, but they do, as far as I can see, seem to be taking it seriously.

Sorry, yes, I was referring to PlusNet tweaking their filtering software to deal with mail that goes through their mail servers. Obviously this is only part of the problem as addresses out of their control have been impacted here.

My point was the 'solution' in place is only partial and temporary. As they say, there's no point closing the barn door once the horse has bolted.

Although I appreciate the frustration as they say 'it happens'.

I had an email address used for personal matters and always careful how it was used. After many years one of the recipients forwarded the email or similar and soon I started receiving spam. It got so bad that I had to create a new address for myself and a second one for those whom I could not trust not to forward it on or people that send emails with everyone in the 'to' field.

To this day I have to check the old account because some of my friends or contacts that haven't been in touch with me for a long time might still be trying to use it to contact me. Later this month I will not be checking that email address at all. In just under 4 months that email now only receives junk mail in the region of around 200 a day.

The post on the usergroup forums suggests that this is being sent to people who may have been affected by the trojan (Presumably those that logged into a compromised server during the affected timeframe). It's not clear whether there will be another email to those addresses that have been compromised - could someone with the ability to post there perhaps ask for me ..

I'd also be interested to know when this has finished going out as I haven't received anything as of yet.

From the MS bulletin it looks like the patch was published on 7th August 2006 and the bulletin the following day and then updated on 12th September. So the patch should be have been installed for anyone downloading September's updates or later.

For combating spam there's a few things I can suggest. If the spam is going to a specific address that you don't use then you can use the Manage My Mail tool on the portal to create a redirect for that address and send it to the blackhole address [email protected]

If the spam is being sent to multiple addresses that aren't in use then you can blackhole the catch all address via the portal tool.

If you don't have the spam protection switched on then you can again do this via the portal and it will scan the mails for spam and mark the subject. Of the spams I'm receiving from this the spam protection is catching almost all of them.

Agreed, people should keep their computers up to date with patches.

Can you comment on whether PlusNet keep their webmail servers up to date with all patches and monitor all released vulnerabilities?

In reply to:

---

This email is related to customers who could have been affected by the trojan. The email addresses issue is wider than this and will be communicated seperately.

---

http://portal.plus.net/central/forums/viewtopic.php?t=55912

And for those affected that don't have PN email addresses???

Dave,

PlusNet spam protection is all well and good if the email addresses are hosted by PlusNet but one of my compromised account is the press contact for a charity whilst I undertook that post. This means that when the email address is updated to the new officer they will start receiving spam if they are not a PlusNet user. This is going to cost money and time for both me and the charity to change the email address and update the contacts. All because PN failed in their duty to keep my personal information secure!!! I used to think that PN was often wrongly maligned but this has really pushed me over the edge.

Dave,

And a further thing having just read the service status announcement it would appear that my account may have been compromised so I also now have to watch my bank for possible fraud.

Mark

Excellent - well spotted rsharma. It appears that the latest service status post from Phil is more like what I was expecting.

From what PlusNet has said I should get 2 emails - I await them

Edited by blewit (Tue 15-May-07 16:20:29)

"Haven't they already checked a few other things and improved security in other areas? Do you think they aren't taking this seriously?"

remember at least two things
1. This is not by any manner of means the first time
2. It was pointed out by customers, they did not find it. A trojan was sitting on them and they had no checks in place to ensure that this did not happen.

Dave

I'm not sure if it is still the case, but some of the original older accounts didn't have Spam and AV facilites (it was an extra cost option). If it is still the case, could this now be allowed on all accounts regardless of whether they originally qualified or not please.

I've asked about that, will let you know the answer when I get it.

Will you also be providing clear instructions or assistance for people to aid them moving to new email addresses? I don't mean to another provider as I can understand that not beiing something the company would encourage, but to new PlusNet addresses that have not been harvested? Just another thought of something practical that could be done to alleviate future problems for customers.

And possibly revisit some of the longstanding requests regarding security improvements such as adding SSL as an option for all communications with the mail servers.

So reading the latest announcement:

"This list was obtained from our Webmail platform and includes accounts that customers have used to login to Webmail, as well as some email addresses contained in customers' online address books, and addresses customers have sent to using our Webmail service.

and

One of six @Mail servers was attacked and it is possible that customers connected to this server during the incident, may have had their login details observed. Purely as a precaution we advise customers to change their account password by visiting our website..."

So not only is my address compromised but potentially some of my friends and colleagues 'private' addresses and my account details too, oh this goes from bad to worse!

What are the chances they also copied message contents while they were on there?

OIMO

This is something I've been concerned about too.
I suspect (but obviously have no proof) that whomever is behind this grabbed the entire database and has since filtered through it for email strings. I guess the alternative is they did the leg work on PlusNet's own servers and ran a query for all email address strings on the mail server itself, then dumped and outputted just those. For the sake of PlusNet and it's customers I hope they used the more elegant solution. But brute force often wins out...