Posts by Tim Boothby

5 publicly visible posts • joined 6 Apr 2011

300 UK domains pilfered, MASSIVE security lapse blamed

Tim Boothby

Reckless negligence

The more I think about this, the more horrified I feel about this. A business's domain, DNS and email are really, really critical to them.

Think about what you can do if you can mess with an organisation's DNS. You could set up an impostor website on their genuine domain to use in a phishing attack. You could alter their MX records and intercept all their inbound email. You could point their domain to any other website of your choice. You could proxy their website and intercept all communications to and from it.

Without any statement from 123-reg on this issue we only have this article for information, but if all three million domains they hosted were vulnerable to this, the potential for compromise of sensitive data here is staggeringly enormous.

They certainly have a duty to protect customers' domains and DNS as these are the keys which protect much confidential information. It also sounds like customers with 123-reg hosted email boxes were vulnerable. I'd say the Information Commissioner should be very interested in this case.

For such a fundamental basic error to have gone unnoticed smacks of a company where security isn't even on the agenda. Had the developers had any security training, had there been any internal testing or external pen testing this would surely have been picked up. So it seems reasonable to conclude none of this is going on. One might also presume then that they don't have the information to properly investigate this, to determine what other customers might have been affected.

Given how important control of domains is, to have such a lack of security amounts to reckless negligence.

There is no comment from 123-reg - they haven't informed customers, haven't replied to my email asking for assurance. Haven't even issued a statement saying the issues are resolved. Haven't warned customers to check their DNS and MX records are correct.

I would say that Nominet and the other TLD registries are to an extent culpable here too. They should be setting out minimum levels of security for domain retailers which should at minimum include an independent penetration test of their systems and ideally ISO27001 certification.

I'm left wanting to move my domains away from 123, but being unsure if anyone else in the market is actually any better.

Very, very shabby.

Sky wins TV riot battle

Tim Boothby

Disagree

The BBC is the best funded broadcasting organisation in the world. It doesn't necessarily need a lot of money as demonstrated by a lone Sky reporter who happened to live in the area going out on his bike with his iPhone and doing a better job.

Tim Boothby

Agree

Fully agree. The BBC were caught napping big time. Major story going off on their doorstep and they seemed to have nobody on the ground whatsoever.

Microsoft eyes Ubuntu and Debian love on Hyper-V

Tim Boothby

Good news, but glossing over some omissions

It's great to hear MS widening their support for Linux on Hyper-V, but this article seems to overstate the effort going into this.

The latest release of their Hyper-V drivers is from July of last year. Their support for CentOS didn't come with any new drivers, they just now support the RHEL drivers that many people were already using on CentOS.

They don't even support the latest release of the supported distributions. RHEL 6 has been out some time but there are no drivers and it doesn't work. CentOS 6 will be out imminently and presumably in the same situation.

I get the impression this article was based on an MS press release and is putting an overly positive spin on the situation.

Email compromised at Epsilon

Tim Boothby

Just had an email from Crucial.com

"On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.

We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon's email system."