Tuesday, April 17, 2007

UK ISP Disconnects Security Researcher for Revealing Vulnerability

Dan Goodin writes on The Register:

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.

Alas, Karunaratne's February 22 posting originally included the specific password needed to carry out the attack - a tack from the "full disclosure" school of vulnerability reporting that is considered a no-no in many security circles. Less than 48 hours later, he removed the password information, but that didn't stop the ISP from exacting its retribution.

More here.


Post a Comment

<< Home