(temporary sticky)
Hi,
The following is a post made by rsharma on his blog which covers some advice to users who may have been affected by the recent PlusNet problems.
Please note that the text is not endorsed by thinkbroadband or PlusNet but you may find it useful. PN will be issuing a fuller report on this in the coming week so we'll probably replace it with that at the time. The purpose of this sticky is to help users fix any issues arising from the incident.
(please don't e-mail me to say one or two links to Yahoo/Hotmail aren't correctly copied :-p)
seb
-----------------
Help Against Recent Security Problem
Source: http://pn-the-truth.blogspot.com/2007/05/help-against-recent-security-problem.html
Introduction
There has been much confusion in relation to the recent Plusnet email security breach and this entry in the blog will attempt to both clarify the issues and give you suggestions on ways you can try and get back to enjoying email again without all the spam (unwanted and unsolicited emails).
Background
There were two different problems that took place this week, but because of the way these have been communicated by Plusnet it has created much confusion and panic. Although the two problems are likely to be related to the same person (or group of people), it is important to understand that the problems are quite different and not everyone is affected by both.
Plusnet seem to be confident that no personal data (except email) has been compromised. The servers that hold the personal data (e.g. banking) are on a different platform and the only system known to have been breached is the webmail one. Should this information change for any reason (I don't expect it to) I will update it here.
The first problem relates to trojans (Virus) and the second, the stealing of email addresses by spammers leading to increased spam in your email accounts. We will discuss them both below.
1. Trojan
This only applies to those that used the webmail feature to read emails online (between 5-11 May, 2007) and not to those that use an email program like Outlook or Thunderbird to collect their emails. If you don't use this feature, or didn't during the time period mentioned, you can skip to the next section.
At some point around 5 May, someone managed to breach PN's webmail servers. By doing so they modified the internet code on the page you visit when logging in to read your email.
By having gained the ability to change the page code, the spammers managed to put new code on the webmail page you access and this hacked code was on PN's system from around 5 May until possibly 11 May. If you accessed your webmail account during that period it is likely that the page would have tried to install one or more trojans (Virus) on your PC.
If your PC was up-to-date with all the recent Microsoft patches and had an anti-virus program installed you are unlikely to be infected. It would be advisable to carry out a virus scan of your computer just to be sure.
More importantly, however, if your system wasn't patched and didn't have any anti-virus software it might well have been compromised. The hackers, through the webmail pages, might have managed to install one or more trojans on your PC. One of these has the ability to monitor everything you type while using the PC and another to take control of your PC from elsewhere (solutions below).
The people identified in this group have been sent an email by PN - in relation to the trojan problem - but distinct to a second email sent to all customers about the wider scale issue of the stolen email addresses.
2. Stolen Email Addresses
Once PN's system was compromised, the hackers also managed to read and steal email addresses from the database. The problem is that even those that might not have used the webmail feature have been affected. This has been caused by a number of factors, including PN keeping the addresses of email accounts in the database from a number of years ago.
The email addresses that have been compromised are not limited to only those that have a valid email inbox on the webmail systems, but also those in your contacts, sent items and inbox folders. This roughly translates to anyone that has sent you an email, or that you have replied to, possibly having had their email compromised, even though they have never used the PN webmail or even been a PN customer. It goes without saying that this is a major and wide scale problem now.
It has even affected people who use their own domain name with their PN based email address set to forward to them, even though they haven't logged in to webmail for some time. It has been shown that even a single visit to this system in the last three years could have kept the details and created an entry in the database.
These emails are now out in the public domain, likely to exchange hands for money and will no doubt receive spam. You could put up with this or you can change your email address - the decision is yours - but be under no mistake, if you have already seen a deluge of spam it is unlikely to stop and there isn't much PN will be able to do to combat the problem.
Trojan Solution
Only if you accessed webmail for the period 5-11 May
The first thing you need to do is run Windows Update. If you don't have auto-update enabled you should enable it by following these steps (Windows XP):
Go to Start > Control Panel > Automatic Update >
Enable automatic updates
You can also go to the Microsoft Update website and run a manual scan: Link
The next thing to do is run an anti-virus scan. If you don't own any, you should invest in one as it is a very essential bit of software. You can use free versions too & here are two such programs: AVG and Avast.
You can also run a scan through a free online service from Trend Micro (best run using Internet Explorer). It doesn't require you to download the software but this should not form part of the long term strategy on security.
Once you have completed the steps above, and should you find a trojan, I would advise you to think back to where you visited online and especially if you did any online shopping or banking. If you did, it might be an idea to go back and inform them and change your passwords on those sites too. You might also want to follow the instructions in the next section if you are receiving spam to your email account(s).
There is also a possibility (even if the trojan wasn't installed on your system) that the hackers managed to intercept the traffic between your computer and PN's email servers. By doing so they might have been able to record and read both your username and password and it is because of this you are being advised to change your password as soon as possible for any accounts used on webmail (advice in the next section).
Let's Not Panic
Even though I fully appreciate the problem with compromised emails, I'm not ignoring the gravitas of the situation when I say that some people seem to be in panic for no good reason.
Much of the panic is being caused due to confusion and a sudden influx of spam to their email. Plusnet's lack of guidance and poorly worded emails on the matter seem to have increased the confusion and anger some more. It is also likely that for many it is the inconvenience of the problem and the fact that through no fault on their part they are suffering, but not much good can come from procrastinating over what is done. Perhaps it is the feeling of having lost faith and trust in their ISP that is the cause of the anger, and this is certainly very understandable, but we need to find a solution foremost in order to be able to communicate with others via email again.
New Email Addresses
This information is applicable to anyone that believes their existing email address to have been compromised and in possession of the spammers.
The (preferred) solution is to create a new email account with gMail (part of Google and free, but you could try Hotmail or YahooMail instead). Once created, you can set up forwarding from your existing (or new) PN email account to gMail. The benefits of using this method are:
1. It allows you to have a robust webmail facility
2. You can download emails to your email client if you so wish
3. The spam filters are very good and you can create a spam box where these are collected
4. If you move ISPs, now or in the future, you won't be tied to the ISP or need to inform all your contacts of a change again
5. Lots of flexibility and advanced features for use
6. Access from anywhere in the world
7. It's free!
If you use this method, it would be best to give all your contacts the gMail address to contact you on and ask them to discard your old address. You can also set up forwarding from the old compromised PN account and delete it a couple of weeks later if you are happy that you have no need for it (Link).
The other solution is to create new email account(s) for yourself and your family members on PN's servers. If you were using [email protected], you could create another account as [email protected] (or anything else).
To do this go to Email Settings page and create a new account. Leave the old one for now so you can periodically check it for legitimate emails and delete it a week or two later. Don't forget to send your contacts the new address for use and ask them to discard the other one.
If you have decided to create a new PN email account, you will also need to use a good email program to access your emails (because PN have now removed webmail for an indefinite period).
I would recommend the use of Thunderbird (free) instead of Outlook because it has very good spam filter functionality built-in thereby saving you the hassle of installing another program that would be needed for the latter.
To install and configure Thunderbird follow the information in this link. If you decide to use Outlook, follow this link instead.
Please note: Sending emails using any of the above applications will only be possible when you are connected online using a PN connection. If that isn't suitable for your needs try the gMail suggestion above.
PN will also have set up an email account by default that will be in the format of [email protected]. This account is a catch all - it receives all emails sent to any name before the @ sign of your main account e.g. [email protected] (including all emails sent to postmaster@username). You can request (by raising a support ticket) PN delete emails sent to it automatically (blackhole). To do that use the 'Contact Us' link.
Plusnet also provide you with an anti-spam feature. Make sure it is activated (Link), but remember that the spam will not be automatically deleted, merely tagged as spam in the subject line of the email and delivered to you. If you are using gMail, Outlook or Thunderbird you can create some simple filters that will automatically move such emails to the spam folder or deleted items, allowing you to check them at a later date (instructions can be found in the respective software help section).
Unless you used the webmail functionality during the period 5-11 May, there should be no reason to change your password, but doing so might be prudent given what has taken place this week. It doesn't necessarily imply you need do that for the main account (i.e. the one associated with your username) as per PN's email, unless you used that to access webmail.
I am, however, a believer in prevention being better than cure and would therefore recommend you change them all to be on the safe side. Don't forget, if you have started to receive spam to an email address, a change in password is not going to stop more spam being received and you will likely have to discard the account sooner or later.
Change your additionally created email account passwords from the Email Settings page. To change your main account password on the portal, follow this advice:
How do I change my login password?
Our Username and Password Security Guide has lots of useful information about basic password security. Customers who have been affected by the recent spam incident should ensure that your access passwords are updated. If you have forgotten your password you can use our password recovery tool.
Please note: if you change your main account password this will need to be updated in your router or modem and email software. If PN supplied you with the hardware, please use this link to find out how to do this. If it isn't listed on that page, you might find it at this link instead or you can visit the website of the manufacturer.
There shouldn't really be a need for a new user account to be created or for panic, unless there is a specific reason for it. If you do, there are other possibilities including creating a free dial-up account with PN and using a new username instead (or even with the same one as now but with one of the other ISPs in the PN group e.g. Force9). Speak to PN on how to do that.
Further Reading and Links
1. Plusnet pages on email modification
2. Plusnet advice pages for the recent problems
3. More ideas and suggestions on ThinkBroadband Forum
4. Links to software and further explanations
5. Spam FAQ
If there are any questions that remain please feel free to ask them through the comments link below. I hope that the above information has allowed you to get some clarity on the issues and some easy solutions to a problem that no doubt might have left you confused.
---------------------------------------------