|
|
|
Just got an e-mail from Plusnet about their security issue on webmail.
It included an offensive paragraph attempting to lecture to me on security issues:
"This incident has highlighted the importance of keeping systems as secure as possible. It is important to ensure that you always have the latest operating system updates and patches installed. Windows users can obtain these by visiting Windows Update, which is linked to from the Tools menu of Internet Explorer. We always recommend the use of fully up-to-date third-party anti-virus, firewall and Internet security software, particularly for Microsoft Windows users."
When will Plusnet stop trying to upset its customers???
|
|
|
Seems like reasonable advice put over in balanced tones to me.
|
|
|
You, I and, I would hope, most of the posters here take security very seriously.
Plusnet will see the consequences of people who do not on a daily basis from the problems of people with compromised PCs which start spewing out spam or trying to attack other users in the same subnet.
That paragraph was aimed at them.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
Correct me if I am wrong but this whole issue stemmed from Plusnet and flaws in their security.
Now while I agree with the paragraph in the email, I think the circumstances in which it was sent are a little ironic and to me is trying to absolve Plusnet of responsibility.
People in glass houses and all that....
Edited by deleted (Thu 17-May-07 09:45:22)
|
|
|
|
" that you always have the latest operating system updates and patches installed."
No sense these people, they could have used inclusive stuff, like 'that we always' rather than 'that you always', which gives the sermon type feel to these comments. 6 foot above contradiction, as used to be said about preachers.
|
|
|
Hi,
While I understand where you're coming from... but... users, where possible, should always help themselves by at least having patches installed and anti-virus software.
The blame game doesn't always help and usually isn't the whole story.
For example, say the issue is with the atmail software plusnet use and that's how "they" got in to the system. Whose fault is that? PlusNet or atmail? PlusNet bought the product and no doubt assume it's secure. atmail write their code and make it as secure as they can, *at the time*.
But look:
http://terra.calacode.com/mail/docs/changelog.html
"5.03 Release - 16th May 2007"
Added session check to xxxxx.xxx when redirecting URL's, validate a user session is logged in to prevent spam abuse via URL redirects.
Now, if plusnet don't upgrade to this version... yep, they'd be at fault but as you can see, the above was only released yesterday!
Users have to really take some responsibility here, myself included and I do.
What's important is that both ISP and users learn from this and not just pull each other to pieces about it.
Powered by ZeN
|
|
|
... and perhaps that patch is as a result of the attack on Plusnet.
jelv
|
|
|
In reply to:
and perhaps that patch is as a result of the attack on Plusnet
Makes sense. So, not really PlusNet's fault... coding error possibly.. but more likely some malware group just tried to do something unexpected, found a hole in the software and had a field day.
For interest, atmail seems pretty secure really:
http://secunia.com/search/?search=atmail&sort_by=title
Internet Explorer:
http://secunia.com/search/?search=internet+explorer&w=0
FireFox:
http://secunia.com/search/?search=firefox&w=0
Windows XP:
http://secunia.com/search/?search=windows+xp&w=0
Keeping software up-to-date sounds good
Cheers,
Steve
Powered by ZeN
|
|
|
|
It could be, but this wasn't spam abuse via redirects. They compromised the backend database.
|
|
|
|
I agree with the sentiment, but it is a good time to remind users of security, especially as the previous Trojan would not impact anyone who had Windows up to date.
|
|
|
I didn't find the email offensive.
The security issues paragraph was just sound advice; not all of the plusnet customers are as technically aware as most people on here. I think it would have been wrong if they had not put that paragraph in.
If plusnet are upsetting you then you need to consider if they are the ISP for you. I'm seriously considering moving somewhere else because of the email issue.
Paul
Plus Net - maxDSL - premier....or whatever it's called now
Draytek Vigor 280VG running 2.7_E38 firmware
|
|
|
Jelv it is unlikely since PN were running @mail4.01 (according to the about section a couple of days ago). This was based on perl scripts rather than the php v5.x branch that this patch belongs to.
Vince
15 year olds racing cars - Sponsors needed for 2007 and 2008 - MVRacing.co.uk
|
|
|
I think this amply demonstrates why the message needs to be repeatedly hammered home!
jelv
|
|
|
|
I think "offensive" is a bit strong, although I have to admit to raising my eyebrows slightly when I got to that bit!
Whilst I accept it was no doubt intended as a precaution for those customers who otherwise might not have known, it does seem to carry a slight implication of fault on the customer's part. If I didn't know any better (as a lot of customers won't, I'm guessing), I could be left with the impression it was somehow my set-up that's to blame.
T.
|
|
|
The trojan issue is mainly down to the customer. If their machines had been patched or had an updated anti-virus software they wouldn't have been affected by at least one compromise. I wonder how many machines were out of date.
|
|
|
In reply to:
The trojan issue is mainly down to the customer
But the e-mail entirely fails to make this distinction. In fact, it doesn't even mention an issue with any trojan. It only talks about spam, so as I say, if I didn't know any better, I might be left with the impression they are saying this is my fault. Why else would they be saying it highlights the need for me to do something?
(My machine is up to date, and I don't have any trojan, by the way, before anyone jumps in to say it IS my fault!)
T.
|
|
|
I fail to see what is offensive about the email. It's not really their security issue - if users had the relevant updates/patches and up-to-date Virus Scanners installed, there would not have been a problem! Plusnet are simply pointing out what customers can do to minimise any future risks.
Week after week I get callouts to customers that have no Virus Scanner installed whatsoever.
|
|
|
|
It's definitely sensible to drill into people's heads that they need to take security seriously and protect themselves.
But it is somewhat a case of the pot calling the kettle black when a major ISP has been caught with their pants down, distributed a trojan to customers, not told those customers for a week, and released details of potentially tens of thousands of email addresses from themselves and other ISPs to spammers.
Yes, security breaches will always happen. After all, the only totally secure computer system is one not plugged into a network, turned off, encased in concrete and dropped to the bottom of the sea (and even then someone could still break into it if they really wanted to). But many people have been pointing out flaws in PlusNet's security for years and the webmail platform is known to be old, out of date and poorly maintained.
Maybe if they'd phrased things a little differently: 'Due to recent problems we've learnt how important it is to be pro-active about security and are changing our approach, maybe it's about time you do too' rather than 'yes we do everything we can and are really good about security and take our security very seriously so you should follow our excellent example'.
|
|
|
|
>It's not really their security issue
How is them being "hacked" not their security issue?
|
|
|
|
Grrr!
There are good reasons for not keeping PCs up to date with the latest Microduff patches. I have several machines on the office network that don't get updated. Because of the stupid way Windows works with DLLs, when you download an update it can and does break a working program. Sometimes the only fix is to roll back the patches.
And it isn't just MS updates that cause this. I downloaded the latest development system from Microchip this week. The install insisted I shut down Eudora because it needed to change DLLs Eudora was using. How carp is that? This time Eudora survived, previously it has broken at this point.
We've put together 2 brand new dual core AMD machines for CAD using XP sp2 and latest updates. Constant crashes. I'm now reinstalling XP sp2 and not allowing updates to see if that fixes the problem.
|
|
|
I sure hope those office PCs are not connected to the internet in any shape or form. If your system is not up-to-date with the latest patches, you're asking for trouble and inviting people into your machine/network.
Anyway I'm sure you couldn't be one of those attacking plus.net for their lapses in security after reading this.
|
|
|
|
I think it's the ideal time to drill the message down people's throats about ensuring their systems are up-to-date. These trojans are being loaded into legit hacked websites / servers all over the place now. If plusnet didn't get you, there's a very good chance another site would have infected you in the end.
|
|
|
Sorry that should have read It's not just their security issue!
Was typing reply in a hurry ;(
|
|
|
|
Oh definitely. If you're running an unpatched system you would have been gotten in the end. Users who have been infected with the Trojan must take their share of the responsibility. But so must PlusNet.
|
|
|
Gotten in the end - definitely...
From the BBC website - http://news.bbc.co.uk/1/hi/technology/6645895.stm
One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC.
Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to "in-depth analysis".
About 450,000 were capable of launching so-called "drive-by downloads", sites that install malicious code, such as spyware, without a user's knowledge.
A further 700,000 pages were thought to contain code that could compromise a user's computer, the team report.
To address the problem, the researchers say the company has "started an effort to identify all web pages on the internet that could be malicious".
|
|
|
|
Being an office network it's secured by a Linux firewall and anti virus software at the server level. Also users don't log into Windows as admins which I believe (possibly wrongly coz it's windows) stops most stuff installing. However how I manage network security is not my point.
The point is a lot of people have good reason not to keep windows up to date even though they know the risks. Also a lot of people don't have the choice as MS have discontinued updates to 95, 98 and ME, yep they are still in use in the real world.
I have no problem blaming an ISP for poor security any more than I have a problem blaming MS. They are the professionals, most of us aren't. Every time I have a computer problem I'm fixing for free something a professional was paid to get right in the first place.
|
|
|
The biggest problem here, which granted is not Plusnet's fault, I would bet a
|
|
|
|
Even the illegal copies of windows get security updates.
|
|
|
Only the high risk updates - All the others are blocked. afaik
|
|
|
|
I think non-risk updates are blocked, e.g. updates to media player, but I think (but not sure) that the security ones are for all. Think it's one Tuesday every month.
|
|
|
|
Create a directory called the same as the exe but with .local appended to the name in the same directory as the app (e.g. notepad.exe.local) and put any DLLs that must be a certain version in that directory. Windows will then use this directory for the application's DLLs even if the app tries to explicitly load from the Windows directory.
Ian
|
|
|
|
Thanks. That's a new one to me.
The amount of aggro this could have saved over the years.
|
|
|
|
The problem is if you allow auto updates MS load Windows Genuine Advantage, WGA, onto the PC and you get regular nag screens. Not that that should stop people updating, just run a program such as WGAfixer after the updates. You learn these dirty tricks when you help Jo Public with their PCs.
|
|
|
|
It was there with Windows 2000 but you had to create a file rather than a directory and then it would load the DLLs from the application directory (this still works with XP but the directory method is tidier).
Ian
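
The `.local` redirection described in the two posts above (directory form on XP, file form on Windows 2000) leaves an application loading its own DLL copies, which are not touched when the system copy is updated. As an added example, not code from any poster in this thread, the Python script below inventories such markers under a directory tree so the pinned DLLs can be reviewed; the application and DLL names in the sample tree are constructed.

```python
import os
import tempfile

SUFFIX = ".exe.local"

def find_local_redirections(root):
    """Return one record per <app>.exe.local marker (file or directory) under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if not entry.lower().endswith(SUFFIX):
                continue
            marker = os.path.join(dirpath, entry)
            is_dir = os.path.isdir(marker)
            # Directory form: DLLs are taken from inside the .local directory.
            # File form: the marker is only a flag; DLLs come from the app's directory.
            dll_dir = marker if is_dir else dirpath
            dlls = sorted(f for f in os.listdir(dll_dir) if f.lower().endswith(".dll"))
            findings.append({
                "marker": marker,
                "form": "directory" if is_dir else "file",
                # A marker with no matching executable is a leftover to clean up.
                "exe_present": os.path.isfile(marker[:-len(".local")]),
                "pinned_dlls": dlls,
            })
    return sorted(findings, key=lambda f: f["marker"])

def build_sample_tree(root):
    """Constructed sample: two hypothetical apps, one per redirection form."""
    cad, mail = os.path.join(root, "cad"), os.path.join(root, "mail")
    os.makedirs(os.path.join(cad, "cadapp.exe.local"))
    os.makedirs(mail)
    for path in (
        os.path.join(cad, "cadapp.exe"),
        os.path.join(cad, "cadapp.exe.local", "mfc42.dll"),
        os.path.join(mail, "mailer.exe"),
        os.path.join(mail, "mailer.exe.local"),  # empty marker file (Windows 2000 form)
        os.path.join(mail, "ssl.dll"),
    ):
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in find_local_redirections(tmp):
            print(f["form"], f["marker"], f["pinned_dlls"])
```
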
|
|
|
> Correct me if I am wrong but this whole issue stemmed from Plusnet and flaws in their security.
It's PN's fault they allowed their webmail system to be compromised.
It's users' fault they haven't updated their own operating systems which allowed a trojan to take control. I assume this could have come from any website they visited.
seb
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|