Internet facing database?
What sort of amateur Muppets are VM employing to build and secure their infrastructure?
This stuff is just so basic they deserve the full wrath of GDPR. Bring. It On.
A Virgin Media server left facing the public internet contained more than just 900,000 people's "limited contact information" as the Brit cable giant's CEO put it yesterday. In fact, the marketing database also contained some subscribers' requests to block or unblock access to X-rated and gambling websites, unique ID numbers …
Just one, by the downvoting on this thread.
I went past a place I stayed at 5 years ago the other week, the VM street cab door was still broken.
We'd reported it numerous times over 10 years ago. Says it all really: that annual inflation increase isn't for fixing the basics.
A place I rented a while back had a covenant on it saying you couldn't have a rooftop aerial.
The reason was there was a community aerial, with the cable run and maintained by Virgin Media.
It had broken 5 years before, and Virgin never fixed it despite many complaints/reports over the years.
You might be unsurprised to hear that this led to them getting the princely total of 0 customers when they tried to push their cable/internet services on that particular road.
Virgin Media are, and always have been, completely and utterly crap. They entice you in with sweet offerings, attempt to lock you in, and then leave your services to rot for as long as they think they can get away with.
That they'd have done the same with a database is no real surprise.
TBF Sky are no better; they're both now owned by large American cable providers that seek profit at all costs.
But VM was hamstrung from the start, formed by the rapid merger of NTL and Telewest followed in quick succession by Virgin Mobile; the company took on the worst parts of all three and really hasn't recovered.
I went past a place I stayed at 5 years ago the other week, the VM street cab door was still broken.
I got one near me finally fixed. I'd reported it a couple of times before, then figured I'd make a few calls from the cab using my trusty 284/2 portable phone. A couple of days later, it was fixed.
I got one fixed by telling them kids were storing what looked like fireworks in it... funny how quick they responded... are the contents flammable?
Everything burns with an appropriate amount of thermite. Rest depends on the cab. Some will just contain a patch panel, others will have some active components which may include battery packs that may have some value if re-purposed.
Often I think the biggest hazard is to pedestrians. The one I got fixed was on the footpath, so when the green door swung open, it pretty much blocked the path. Not helped by idiots also parking on the footpath, or reduced street lighting making it quite a hazard in the dark.
Curious if fraud is much of a risk. I did wonder what'd happen if I tried patching a coax port to my place, but AFAIK the STB's still need to be registered. Butt-dialing would be a risk, as would being able to monitor calls, but that comes with the risk of detection and fairly hefty penalties. I should also mention that the calls I made were only to VM's fault line so they'd get the hint & fix it.
I had a mate in my late teens that used to do stuff like this... he also repaired a lot of damaged doors for the shits and giggles... always thought he'd end up as an engineer or something...
...he works in recruitment.
Sort of makes sense because thinking back he was far better at being a twat than a techie.
I got thoroughly annoyed when they got into bed with TiVo. My TiVo then stopped functioning with EPG data and became far less useful. This was apparently due to VM having an exclusive deal. Sadly before I could get the alternative EPG up and running the box became irreparably damaged.
They probably changed standard. One of the EPG standards died out not that long ago...can't remember what it's called. HbbTV is the main standard now I think.
Basically, it's the way they embed static payloads into the broadcast stream.
I've always fancied having a poke around with the standard to see if it's possible to inject arbitrary payloads... from my understanding, most TVs / set top boxes are basically web browsers now. They're capable of running and displaying HTML5 and executing JavaScript payloads and I'm fairly certain they don't verify the payloads. As long as you can intercept the DNS requests, you should in theory be able to redirect the requests sent by the devices to an arbitrary web server to grab your "custom" payload.
I'm astonished TVs / set top boxes don't get hacked to fuck.
As far as I know, there is no industry standard testing for security on TVs etc. They just test the compliance with various content delivery standards.
Around this area the green cabinets (that I assume are VM) have a "report a fault with this cabinet on 0870..." stickers on them. Since 1. 0870 is near enough £1/minute from a mobile (and not particularly cheap from a landline), 2. There's no indication the number is definitely VM, 3. There's no unique identification code on the box to make reporting the fault easy; I've never bothered reporting the various VM cabinets with doors that have been forced open. If the local scallywags causing a bunch of costly damage to the kit in the cabinet isn't motivation enough to deliver an easy fault reporting system then they're hardly likely to hurry out and fix the doors because some random Joe calls their profit centre 0870 number.
I did try to report a BT green cabinet once since that was at least a free call. I think the call centre droid's script would only cope with faults on a residential line and would only take the report on that basis. After the third attempt to make them understand it was one of their network cabinets I admitted defeat and just hung up.
Re: their call centre staff...
A few weeks ago, when we had all those winter storms coming over, we had an impromptu hail shower one evening, with one very loud and very nearby lightning strike. This somehow managed to induce enough current in the Virgin cable to cause the "V6" TV box to rapidly stop working with a loud bang and bright blue flash. Oddly it didn't blow up the cable modem, which is on the same bit of co-ax but on the other branch of the filter, which probably says something about either the filter or the cable modem being more robust than the TV box, but I digress.
When I called the Indian call-centre the next day and explained that it had been struck by lightning, the conversation went something like this:
Me: "Hello, we had a thunderstorm last night and the TV box was struck by lightning and stopped working"
Indian call centre worker: "What error code is it showing on the TV?"
Me: "There is no error. It was struck by lightning. It's dead"
ICCW: "Are there any lights showing on the box?"
Me: "No. It's dead. There was a bright flash and a bang. It was struck by lightning"
ICCW: "Is it plugged in?"
etc.
To their credit, they did send a new box out pretty quickly, but it goes to show that not even a so-called Act of God will get a call-centre operative to deviate from their script.
The manufacturer of your doorbell, unless it's Ring.
Your WiFi router password, unless it's a Virgin Media suppli... doh.
Some of your online account handles, until those accounts are hacked.
Your mother's maiden name, how quaint.
Your MI5 UID, mind you that's the same thing as a Facebook login these days so that's gone too.
Got customer data of any kind? Encrypt it at rest and ensure access via some key management system. Even plant it in the cloud if you want, but ensure your basic data storage and access policy is high enough to ensure my data you've collated without my knowledge is safe and secure.
In my experience most companies think they don't need to encrypt data because "To reach it they'd need to break into our network and then we'd be fscked anyway".
It takes time and money to make changes to insecure applications, which cuts into profits, share prices and ultimately exec bonuses.
"It takes time and money to make changes to insecure applications, which cuts into profits, share prices and ultimately exec bonuses."
So do GDPR fines.
I just hope there's an audit trail for the "I told you so" moment when manglement attempt to shit on staff who tried to do the right thing (and that those staff kept copies of the warnings they issued).
"To reach it they'd need to break into our network and then we'd be fscked anyway"
You might be surprised by the number of attacks that come from within a corporate network, especially if the organisation is large and doesn't treat its techies well. Any organisation that takes security seriously practises proper data hygiene both externally and internally (oo-er).
I avoided this by taking a carrot rectally at every mealtime. Or possibly not being a VM customer.
Or have I misunderstood this game and we aren't just throwing random bits of unrelated content into comments.
P.S. DNS over HTTPS won't stop VM's porn blocks, your requests to VM to remove blocked sites, or your browser telling VM about your browsing history unless you have JavaScript disabled/blocked.
It's fun calling it the porn filter but the fscking things block much more and aren't much good at stopping porn. First time I had one disabled it was keeping me from vital engagement with various beer sites. Most recently I discovered the 3UK filter has a love/hate relationship with the Internet Archive, as in sometimes it blocked it, other times it didn't, demonstrating how bloody useless the filters are!
"First time I had one disabled it was keeping me from vital engagement with various beer sites. "
I ran into it blocking the Saracens rugby club website. Some might think that's vaguely pornographic, but if you're trying to park around Watford you need to access that website to know the availability of public car parks on match days.
For some reason VM decided to block our Exchange server's HTTPS address. We only realised when a couple of different customers reported being unable to connect to their email when at home on wifi, yet had no problem when at work or using mobile data. Finally tracked down to them being VM customers, and after several weeks got VM to fix their glitch.
I doubt many scammers or government agencies give a damn if you visit MrsMigginsTeaRoom.com. They want to know which bank/porn site/online retailer you visited, and they are generally dedicated sites. What's more, the internet is bigger than the web, in case you didn't realise.
So let's see: security of processing (Article 32 GDPR), data processing principles (Article 5 GDPR), and can probably throw in lawfulness of processing (Article 6 GDPR). Those 3 put together place Virgin Media in the higher fine bracket, i.e. £20m or 4% of global annual turnover.
Paris: since we lack a schadenfreude icon ...
The amount consumers get back isn't really the point in a GDPR case - the idea is to cause MAXIMUM POSSIBLE PAIN to the offending company, "pour encourager pour les autres"
We know that whatever ICO fine is announced will be negotiated down to "fuck all" behind closed doors, but it's far harder for them to hide it in court discovery, avoid the litigation costs OR the commercial hurt that comes from exposure of the decision-making processes that led to this shit happening.
Ideally you want to make the management so toxic that nobody will ever hire them again.
Unfortunately punitive damages are not permitted in such cases - they very rarely are in general, at least under English law, and class action (where permitted, but not in the UK) generally leads to compensation of fourpence per claimant. In reality, even the GDPR maximum fines are little more than an assumed cost of doing business to the large internet service providers.
A while back under the previous information commissioner I suggested that instead of fines there should be an official audit, officially specified remediation and re-audit to demonstrate fulfilment, all at the expense of the breached party. This was on the basis that it would do more good by actually fixing the problem. I also recommended the same approach in the US. The response from the UK was that it would be too expensive to implement, and from the US - silence.
Just as we now take for granted that software is crap that needs constant fixing, infosec in general is widely assumed to subsist in installation of a few appliances and reactive response in the aftermath of attack. As at Equifax, it's typically not even seen as necessary to maintain the appliances.
Unfortunately punitive damages are not permitted in such cases - they very rarely are in general, at least under English law, and class action (where permitted, but not in the UK) generally leads to compensation of fourpence per claimant. In reality, even the GDPR maximum fines are little more than an assumed cost of doing business to the large internet service providers.
The GDPR maximum fines are 2% or 4% of global annual turnover (I can't remember the exact criteria for whether it's 2% or 4%). The relevant word there is turnover, not profit. Now, I suspect VM's margins are more than 4%, but such a maximum fine really could be fairly described as punitive, and would certainly be hefty enough to wipe out any shareholder dividends and damage the share price. The trouble is, they'd probably just pass the cost onto the customers, unless the legislation explicitly prevents them from doing so.
"Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used."
Given that they know the security researchers accessed it, what Virgin Media's CEO Lutz Schüler actually said last night was 'We have no logs for this server or for the network routing to it, so have no way of knowing if, or how often, this information was accessed.'
"Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion"
It makes me think you really don't know how many times people have accessed it. A quick point though: it only takes one occasion to spill the info.
Turgensec also quibbled with the ISP's attempt to blame the security blunder on IT workers “incorrectly configuring” an internet-facing database. Rather, the database – which was filled with unencrypted plain-text records – was a sign of "systematic assurance process failure," Turgensec said.
Incorrectly configured public facing site = very stupid
Plain text records = FFS
Unencrypted = #Captainpicarddoublefacepalm