US West customers vulnerable to hackers


April 7, 2000

By Brian Livingston

What if you hired a private butler, only to discover that the nice old gentleman was quietly giving away copies of the keys to your house?

That's the experience some people are having with high-speed Internet access service on a digital subscriber line.

Customers using DSL from providers such as US West, which provides Internet access and local telephone service in 14 western states, may be open to attack from hackers.

US West allows home subscribers to install the DSL equipment themselves. The company supplies people with a router, a device made by Cisco Systems, that helps connect subscribers' computers to US West's network.

In most cases, subscribers to the DSL service, called US West.net, fail to set a password, a process that isn't mentioned in the US West "Quick Start" manual and is on page 19 of the main users guide.

Without password protection in the router, hackers can easily access it from anywhere on the Internet. This leaves a customer's US West Internet account wide open.

"This is a huge hole," says Bill Watts, a US West subscriber in Helena, Mont. "You can grab a US West.net user's login and password."

A hacker can use this account information to disable the DSL service entirely, read the customer's email, or take over the account to launch remote denial-of-service attacks that inundate a target computer system with packets of useless information.

A reporter watched as a 20-year-old computer programmer, who requested anonymity, easily discovered unguarded equipment in the homes and businesses of numerous US West customers.

When US West's equipment operates in this way, it suffers from all of the following problems:

- The equipment gives out the user's US West.net account name and password to any intruder who asks.

- With a subscriber's login name and password, an impersonator can access a victim's US West account, can try out the same password at banking sites, and more.

- Because a US West login name is usually made up of a person's first initial and last name, it's easy to determine the real name, address and phone number of most individuals. This can further help a hacker impersonate a victim.

Executives at WatchGuard Technologies, an Internet security firm, say protective "firewall" devices won't help in this case. The router must be installed outside of a firewall's security perimeter to work.

The problem has been brought to the attention of Colorado-based US West numerous times in recent months, as documented in Internet discussion groups that deal with this subject.

In an interview, the executive director of US West's MegaBit Services division, Matthew Rotter, said, "The end user is responsible for putting in that user ID and password."

He added that in newer versions of the Cisco router, "a default password is in there" to protect subscribers.

US West could end the risk from its wide-open routers via remote control. A small program run on the Internet by US West could find and re-program any of its unprotected equipment, according to WatchGuard Technologies' Steve Fallin.

Instead, the company mailed a letter to subscribers last fall that speaks in general terms about security issues but says nothing specific about setting passwords.

The letter refers customers to the US West.net Web site, but the site doesn't spell out the password problem, although it does provide a detailed fix if you know to look for it. Customers can fix the problem by following the directions at this site.

You may think you're safe using DSL because you haven't noticed a problem. But a hacker may already be enjoying total access to your Internet account.

http://www.news.com/Perspectives/Column/0,176,416,00.html?st.ne.per.gif.a

-- Martin Thompson (mthom1927@aol.com), April 10, 2000

